A simple Python function that extracts the SPKI Fingerprint and PIN from a PEM certificate.

mikeym88/HPKP-Pin-extraction

HTTP Public Key Pinning (HPKP) - SPKI Fingerprint Generation using Python

This is an implementation that converts a PEM certificate's Subject Public Key Info (SPKI) into a pin.

Information on the structure

The pin directive (as indicated in the IETF's RFC 7469 Section 2.1.1) is shown in the diagram below, where the token is the name of the hashing algorithm. Currently only SHA256 is supported.

Summary of the Pin directive diagram: pin-token = value

A full example is: pin-sha256="8RoC2kEF47SCVwX8Er+UBJ44pDfDZY6Ku5mm9bSXT3o=";. However, the Python code in this repository outputs the PKP in the format: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=. This is consistent with how pins are accepted in other languages/frameworks, such as OkHttp3 (see the Add() method for its CertificatePinner.Builder class).

In section 2.4 of the RFC the SPKI Fingerprint is defined as:

The output of a known cryptographic hash algorithm whose input is the DER-encoded ASN.1 representation of the Subject Public Key Info (SPKI) of an X.509 certificate.

A pin is defined as:

The combination of the known algorithm identifier and the SPKI Fingerprint computed using that algorithm.
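
The two definitions above, worked through with only the Python standard library. This is an added example, not the repository's own code: the function names are hypothetical, and the sample is constructed certificate-shaped DER with an all-zero key rather than a real certificate. It walks the DER far enough to slice out the SPKI and does not validate the signature or chain.

```python
import base64
import hashlib

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    (tag, length), pos = buf[pos:pos + 2], pos + 2  # ValueError if header is truncated
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(pem):
    """Strip the PEM armor of one certificate and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def spki_der(cert):
    """Return the full DER encoding of tbsCertificate.subjectPublicKeyInfo."""
    t_cert, pos, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    t_tbs, pos, tbs_end = read_tlv(cert, pos)   # tbsCertificate ::= SEQUENCE
    if cert[pos:pos + 1] == b"\xa0":            # optional [0] version (absent in v1)
        _, _, pos = read_tlv(cert, pos)
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    t_spki, _, end = read_tlv(cert, pos)
    if (t_cert, t_tbs, t_spki) != (0x30, 0x30, 0x30) or end > tbs_end:
        raise ValueError("not an X.509 certificate")
    return cert[pos:end]  # tag + length + value: the bytes RFC 7469 hashes

def pin_sha256(pem):
    """Pin in the sha256/<base64> form described above."""
    digest = hashlib.sha256(spki_der(pem_to_der(pem))).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

# Constructed sample: certificate-shaped DER with an all-zero key, not a real certificate.
def der(tag, body):  # hypothetical helper for the sample; bodies under 256 bytes only
    return bytes([tag]) + (b"\x81" if len(body) > 0x7F else b"") + bytes([len(body)]) + body
SAMPLE_SPKI = der(0x30, der(0x30, bytes.fromhex("06072a8648ce3d020106082a8648ce3d030107"))
                  + der(0x03, b"\x00\x04" + bytes(64)))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_DER = der(0x30, _TBS + der(0x30, b"") + der(0x03, bytes(65)))
SAMPLE_PEM = BEGIN + "\n" + base64.encodebytes(SAMPLE_DER).decode() + END + "\n"
```

The hash input is the whole SubjectPublicKeyInfo structure, including its outer SEQUENCE tag and length, so a certificate reissued over the same key keeps the same pin.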

Notes

Risks

NOTE: There are warnings against using public key pinning due to its risks:

Resources

Here are some resources I used:
