Skip to content

Latest commit

 

History

History
executable file
·
53 lines (36 loc) · 2.82 KB

README.md

File metadata and controls

executable file
·
53 lines (36 loc) · 2.82 KB

HTTP Public Key Pinning (HPKP) - SPKI Fingerprint Generation using Python

This is an implementation of converting the a PEM certificate's Subject Public Key Info (SPKI) into a pin.

Information on the structure

The pin directive (as indicated in the IETF's RFC 7469 Sesction 2.1.1) is a shown in the diagram below where the token is the name of the hashing algorithm. Currently only SHA256 is supported.

Summary of the Pin directive diagram: pin-token = value

A full example being: pin-sha256="8RoC2kEF47SCVwX8Er+UBJ44pDfDZY6Ku5mm9bSXT3o=";. However, the Python code in this repository outputs the PKP in the format: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=. This is consistent with how pins are accepte in other languages/frameworks, such as OkHttp3 (see the Add() method for its CertificatePinner.Builder class)

In section 2.4 of the RFC the SPKI Fingerprint is defined as:

The output of a known cryptographic hash algorithm whose input is the DER-encoded ASN.1 representation of the Subject Public Key Info (SPKI) of an X.509 certificate.

A pin is defined as:

The combination of the known algorithm identifier and the SPKI Fingerprint computed using that algorithm.

Notes

Risks

NOTE: There are warnings against using public key pinning due to its risks:

Resources

Here are some resources I used: