
Include thumbprint functions

Open victorolinasc opened this issue 5 years ago • 2 comments

I think it is quite common to work with thumbprints when handling x509. For example, JWKS has the following standard claims among others:

  • x5t: thumbprint using sha1
  • x5t#S256: thumbprint using sha256

We can, currently, generate a thumbprint by doing something like:

:crypto.hash(:sha, X509.Certificate.to_der(cert)) |> Base.url_encode64(padding: false)

I've spent a while trying to find how openssl generates the thumbprint with some confusing answers. It would be great if this was built-in to avoid confusing implementations.

Thanks for your wonderful work!

victorolinasc, Nov 24 '20 18:11

Essentially these fingerprints are always some hash over the DER encoded certificate. The question is which hash, and how to represent it: hex (lowercase or uppercase?), base64 (regular or url-safe? with or without padding)?

To be honest I'm not sure if adding a handful of variants would help, or would just cause more confusion when people are trying to match them with yet another variant that their browser or CLI tool displays...

voltone, Dec 02 '20 14:12

You are totally right! Forgot about the mess in browsers about this concept. The differences do indeed exist.

I came here from the JWKS specification, which specifies the encoding to be base64_url (https://tools.ietf.org/html/rfc7515#page-12), so, at least in some places, the encoding is standardized.

Please, feel free to close this if you think it is not needed/wanted. Thanks again for your attention :)

victorolinasc, Dec 02 '20 15:12
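The variants discussed in this thread side by side: the JWK `x5t` and `x5t#S256` values (SHA-1 / SHA-256 over the DER certificate, base64url without padding, as RFC 7515 specifies) and the colon-separated uppercase hex that OpenSSL and browsers display, plus a normaliser that decodes whichever form another tool shows so it can be compared against the certificate. This is an added Python example, not code from the x509 library or from the issue; the certificate bytes are a constructed stand-in, not a real DER certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate (not a real certificate):
# the functions below only need the raw bytes, so any byte string will do.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Strip the armour of a single PEM CERTIFICATE block and decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def _b64url(digest: bytes) -> str:
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def x5t(der: bytes) -> str:
    """JWK 'x5t': SHA-1 over the DER certificate, base64url without padding (RFC 7515)."""
    return _b64url(hashlib.sha1(der).digest())

def x5t_s256(der: bytes) -> str:
    """JWK 'x5t#S256': as x5t but with SHA-256 (RFC 7515)."""
    return _b64url(hashlib.sha256(der).digest())

def hex_colons(der: bytes, algo: str = "sha256") -> str:
    """The form OpenSSL and browsers display: uppercase hex, colon-separated octets."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def to_digest(shown: str) -> bytes:
    """Decode a displayed fingerprint to raw digest bytes: hex in either case with or
    without colons, or base64/base64url with or without padding. Hex is recognised by
    length (40/64 chars); a base64 SHA-1/SHA-256 digest is 27/43 chars, so no collision."""
    s = re.sub(r"[\s:]", "", shown)
    if len(s) in (40, 64) and re.fullmatch(r"[0-9A-Fa-f]+", s):
        return bytes.fromhex(s)
    s = s.rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+", s):
        raise ValueError("unrecognised fingerprint encoding")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # also accepts '+' and '/'

def matches(der: bytes, shown: str) -> bool:
    """True if the displayed fingerprint belongs to this certificate; the digest length
    selects the hash (20 bytes SHA-1, 32 bytes SHA-256)."""
    digest = to_digest(shown)
    algo = {20: "sha1", 32: "sha256"}.get(len(digest))
    return algo is not None and hmac.compare_digest(hashlib.new(algo, der).digest(), digest)
```

`matches(pem_to_der(open("cert.pem").read()), "AB:CD:...")` is the typical call when checking a fingerprint copied from a browser or `openssl x509 -fingerprint` against a certificate file.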