How to consistently hash a certificate #28
Comments
|
Sorry for a lot of text. Writing down the problem is bringing me closer to the solution. On the second though shall I do this instead:
Am I reinventing the wheel here? Due to my lack of knowledge I am not sure if this is correct or I am trying to work around the fact that |
Every time you call that function, we basically generate a new certificate. For generation, certificates have to be signed, which involves a random component. That's part of the standard how signatures work, and it's why it's slightly different each time you call that function. So yeah the hash will be different each time. Also note that you should NEVER have to send anyone's private keys anywhere. In modern versions of TLS, it's mandatory to derive session keys anyways. So you should keep the private key to the server/client.
It's not. What you want is called certificate fingerprint, which is a hash of the DER encoded certificate, not the key. Anyways, what exactly do you want to do in the first place? |
|
Thanks for your time! I have a process that generates a certificate on the first run. On consecutive runs it reads generated certificate from disk to establish TLS session. Before establishing the session I want to exchange public keys (certificate fingerprint?) and I want each peer to hash public certificate (certificate fingerprint) to generate a unique peer ID for later use. The way I started doing it is:
tls_config.set_single_client_cert(
vec![rustls::Certificate(cert.serialize_der()?)],
rustls::PrivateKey(cert.serialize_private_key_der()),
)
Does Given the flow should I save certificate fingerprint to disk the first time I generate it and later read and send it instead of calling |
|
You are using
Yes.
No just store the serialized der content instead of the fingerprint. Use that instead of anything else. |
|
No, I use Then when I need the certificate I read it from disk with Do I understand you correctly that instead of reconstructing a |
|
Alright. I think I figured it out. Thanks a lot for the help! Do you know any user forums / chat rooms where I can discuss these topics? |
Hi! I don't know if this is the best place for questions. If not feel free to close this.
I am implementing TLS authentication between two peers. On each peer I generate a
Certificateand serialize it to disk withcert.serialize_private_key_pem().Later I exchange peers' certificates
cert.serialize_der()and then userustlsfor establishing TLS session.Everything works out well. The problem I am having is that I want to generate a hash (unique peer ID) from public certificate and keep it the same for each peer on each run. I've noticed that every time I call
cert.serialize_der()it generates a slightly different output.It seems that underlying key pair's public key remains the same so I can consistently generate a hash on each peer but then when TLS session is established I would like each peer to generate hash again from
rustls::Session::get_peer_certificates().What am I missing? What should I use as an input for hash generation? Is
KeyPair::public_key_der()a good candidate? If yes, how do get it fromrustls::Session?My issues are most likely due to the lack of knowledge about certificates and encryption in general.
The text was updated successfully, but these errors were encountered: