Hacker News new | ask | show | jobs
Ask HN: How the hash value get calculated from AWS CA? (amazontrust.com)
1 points by singlewind 1870 days ago
1 comments
singlewind 1870 days ago
In the CPS document it said this is SHA256 fingerprint. So I run the following command and the value doesn't match. I have asked AWS support. They said it is out of scope. Mostly like the support team doesn't know either.

openssl x509 -in AmazonRootCA1.pem -noout -fingerprint -sha256

link
wahern 1870 days ago
The fingerprint is the "SHA-256 Hash of Subject Public Key Information", not the entire [unsigned] certificate. Basically, the DER encoding of the PKIX SubjectPublicKeyInfo structure. See https://tools.ietf.org/html/rfc5280#section-4.1.2.7 and https://tools.ietf.org/html/rfc3279#section-2.3.1 for RSA; for ECC keys see https://tools.ietf.org/html/rfc5480 and https://tools.ietf.org/html/rfc8410.

Calculating this is generally easy from a typical WebPKI library; less straight-forward from the command line:

  % openssl x509 -pubkey -noout < ./AmazonRootCA1.pem | grep -v '^-' | base64 -d | shasum -a256
 
 fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2  -
(Note: That matches the AWS hash.)

The hash of the public key is often used as a stable identifier for entities. Hashes of certificates will, of course, change w/ the validity dates and serial number.

link