Include thumbprint functions #40
Comments
|
Essentially these fingerprints are always some hash over the DER encoded certificate. The question is which hash, and how to represent it: hex (lowercase or uppercase?), base64 (regular or url-safe? with or without padding)? To be honest I'm not sure if adding a handful of variants would help, or would just cause more confusion when people are trying to match them with yet another variant that their browser or CLI tool displays... |
|
You are totally right! Forgot about the mess in browsers about this concept. The differences does indeed exist. I came here from the JWKS specification which specifies the encoding to be base64_url https://tools.ietf.org/html/rfc7515#page-12 so, at least in some places, the encoding is standardized. Please, feel free to close this if you think is not needed/wanted. Thanks again for your attention :) |
I think it is quite common to work with thumbprints when handling x509. For example, JWKS has the following standard claims among others:
x5t: thumbprint using sha1x5t#S256: thumbprint using sha256We can, currently, generate a thumbprint by doing something like:
I've spent a while trying to find how openssl generates the thumbprint with some confusing answers. It would be great if this was built-in to avoid confusing implementations.
Thanks for your wonderful work!
The text was updated successfully, but these errors were encountered: