Re: [dane] Extracting SPKI from a certificate/key

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 21 December 2014 23:07 UTC

On Mon, Dec 22, 2014 at 12:55:38AM +0200, Tapio Sokura wrote:

> Can someone verify these
> produce the correct results for use with tlsa dane-ee spki sha-256
> records? Naturally these exact syntaxes only work for RSA keys.
> 
> from private key:
>
> openssl rsa -in private.key -outform der -pubout |
>	sha256sum
> 
> from x509 certificate:
>
> openssl x509 -in x509.crt -pubkey -noout |
>	openssl rsa -pubin -outform der |
>	sha256sum

Basically correct.  In notices I send to sites whose TLSA records
are not right, I include the text below:

    ----- Snip -----
    To generate a TLSA "3 1 1" record from a certificate file in PEM
    format (using OpenSSL 1.0.0 or later):

	printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' \
	    $(uname -n) \
	    $(openssl x509 -in cert.pem -noout -pubkey |
		openssl pkey -pubin -outform DER |
		openssl dgst -sha256 -binary |
		hexdump -ve '/1 "%02x"')

    You can use the attached tlsagen script if you prefer,

	$ ./tlsagen cert.pem $(uname -n) 3 1 1

    or use the website:

	https://www.huque.com/bin/gen_tlsa
    ----- Snip -----

The above is not RSA-specific and works equally well for ECDSA
keys.  However, it requires OpenSSL 1.0.0 or later.  One really
should not be using OpenSSL 0.9.8 or earlier at this point, and
even 1.0.0 is reaching end-of-life.

-- 
	Viktor.
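
The pipeline from the notice above, as an added example (not part of the original message or the attached tlsagen script): it computes the "3 1 1" digest from both the certificate and the private key with the key-type-agnostic `openssl pkey`, and prints a record only when the two agree and extraction did not fail. The function names, file names, `mail.example.com` and the use of `od`/`tr` in place of `hexdump` are assumptions; the sample P-256 key and certificate are constructed on the fly.

```shell
# Added example: TLSA "3 1 1" digest from a certificate and from its key.
# SHA-256 of empty input: what the pipeline yields when extraction fails.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Hex SHA-256 of the DER on stdin (od/tr used here in place of hexdump).
spki_sha256_hex() {
    openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Digest of the SubjectPublicKeyInfo taken from a PEM certificate.
tlsa311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | spki_sha256_hex
}

# Same digest taken from a PEM private key (RSA, ECDSA, ...).
tlsa311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | spki_sha256_hex
}

# Print the record only if certificate and key yield the same digest.
# usage: tlsa311_record cert.pem key.pem host [port]   (port defaults to 25)
tlsa311_record() {
    c=$(tlsa311_from_cert "$1")
    k=$(tlsa311_from_key "$2")
    [ "$c" != "$EMPTY_SHA256" ] && [ "$c" = "$k" ] || {
        echo "extraction failed or certificate/key mismatch" >&2; return 1; }
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "${4:-25}" "$3" "$c"
}

# Constructed sample input: throwaway P-256 key and self-signed certificate.
# usage: make_sample dir
make_sample() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=mail.example.com" \
        -days 1 -out "$1/cert.pem" 2>/dev/null
}

# Demo on the constructed sample.
d=$(mktemp -d) && make_sample "$d" &&
    tlsa311_record "$d/cert.pem" "$d/key.pem" mail.example.com
rm -rf "$d"
```

Because a POSIX pipeline reports only the last command's status, a missing or unreadable input would otherwise hash as empty input and still produce a well-formed 64-digit value; the comparison against `EMPTY_SHA256` catches that case.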