Show SPKI fingerprint in addition to the regular CertFP fingerprint

On EsperNet, CertFP does not work unless the SPKI fingerprint is added to NickServ.

11:58 <txtsd> Is it not possible to authenticate via CertFP?
11:58 <txtsd> I've added a cert and its 3 fingerprints, however, I'm not identified when I connect.
12:06 <@kbuck_> I don't see a certificate in your /whois; it might not be getting transmitted properly (or it's not shown in whois and I'm mistaken).
12:06 <@kbuck_> another possibility is that you have to add the SPKI fingerprint (instead of the normal one); our servers are configured to generate SPKI hashes due to how our link authentication works
12:07 <@kbuck_> (our server-to-server links are all certificate authenticated instead of password-based)
12:08 <@kbuck_> tbh, probably more likely to be the SPKI thing.
12:08 <@kbuck_> if the SPKI hash doesn't appear in whois for you, you can generate it with:
12:10 <@kbuck_> openssl x509 -pubkey -noout -in <certfile> | openssl pkey -pubin -outform DER | sha256sum | sed -r -e 's/^/SPKI:SHA2-256:/' | sed -e 's/ -//'

~emersion REPORTED FIXED 1 year, 10 months ago

Sounds like by "SPKI hash" they mean SHA256, which is already in the output. Try to use the string "SPKI:SHA2-256:" with the SHA256 <hash> returned by soju.

~txtsd 1 year, 10 months ago

It doesn't work even when I prepend that string :(

~txtsd 1 year, 10 months ago*

03:58 <@kbuck_> txtsd: my command first extracts only the public key, then hashes it, then prefixes it with that
03:58 <@kbuck_> basically, only a portion of the entire cert is being hashed for the fingerprint, instead of the whole thing

~emersion FIXED REPORTED 1 year, 10 months ago

~emersion 1 year, 10 months ago

Oh. Sigh.
