Did you ever get anywhere on this? I’m also looking for a function to generate a fingerprint (either MD5 or SHA-1 digest) over a public key DER string.
Thanks.

On Aug 15, 2012, at 2:53 AM, Curt Sampson <c...@cynic.net> wrote:

> I'm designing a protocol that requests certificates for specific public
> keys known to the client. (I.e., the client says, "give me all of the
> certs you know that are for one of these public keys," and the server
> responds with those certs.)
>
> In order to keep the request size small, I'd like to include public
> key fingerprints rather than full public keys in the request. Is there
> a standard way to generate a fingerprint for a public key included in
> X.509 and/or PKIX certificates? Or should I just roll my own?
>
> (We're using 2048-bit RSA keys, BTW, but the ideal solution shouldn't be
> restricted to that.)
>
> If I do roll my own, I'm thinking that the SHA-1 hash
> of the public key's DER representation (as generated by
> i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert))) would do the trick. There
> don't appear to be any particular security issues here, since I can
> verify the certs themselves after receipt to have the actual public key
> I'm looking for, and be signed correctly and all of that. Any thoughts?
>
> cjs

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
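The fingerprint scheme discussed in this thread, as an added example that is not from either poster or from OpenSSL: it hashes the DER SubjectPublicKeyInfo of a certificate (the bytes `i2d_X509_PUBKEY` would produce) and uses that digest to select certificates by key. It uses a small hand-written DER reader instead of the OpenSSL API, all function names are hypothetical, and the sample certificates are constructed, unsigned DER structures with dummy key bytes.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the complete SubjectPublicKeyInfo TLV out of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)    # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):                       # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def key_fingerprint(cert, algo="sha1"):
    return hashlib.new(algo, spki_der(cert)).hexdigest()

def select_certs(certs, wanted):
    """Server side: keep the certs whose key fingerprint was requested."""
    return [c for c in certs if key_fingerprint(c) in wanted]

# --- constructed sample data: DER-shaped, unsigned, dummy key bytes ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

RSA_ALG = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
def fake_spki(fill):
    return tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + bytes([fill]) * 270))

def fake_cert(serial, spki):
    empty, version = tlv(0x30, b""), tlv(0xA0, tlv(0x02, b"\x02"))
    tbs = tlv(0x30, version + tlv(0x02, bytes([serial])) + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
```

Two certificates issued for the same key yield the same fingerprint even though the certificates differ, which is what lets the request carry fingerprints in place of full keys.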