I'm designing a protocol that requests certificates for specific public
keys known to the client. (I.e., the client says, "give me all of the
certs you know that are for one of these public keys," and the server
responds with those certs.)
In order to keep the request size small, I'd like to include public
key fingerprints rather than full public keys in the request. Is there
a standard way to generate a fingerprint for a public key included in
X.509 and/or PKIX certificates? Or should I just roll my own?
(We're using 2048-bit RSA keys, BTW, but the ideal solution shouldn't be
restricted to that.)
If I do roll my own, I'm thinking that the SHA-1 hash
of the public key's DER representation (as generated by
i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert))) would do the trick. There
don't appear to be any particular security issues here, since I can
verify the certs themselves after receipt to have the actual public key
I'm looking for, and be signed correctly and all of that. Any thoughts?
cjs
--
Curt Sampson <c...@cynic.net> +81 90 7737 2974
It is easier to write an incorrect program than understand a correct one.
--Alan Perlis, Epigrams on Programming (#7)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
