[dane] Extracting SPKI from a certificate/key

Tapio Sokura <tapio.sokura@iki.fi> Sun, 21 December 2014 22:55 UTC

Message-ID: <54974FEA.4070401@iki.fi>
Date: Mon, 22 Dec 2014 00:55:38 +0200
From: Tapio Sokura <tapio.sokura@iki.fi>
To: dane@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/JQsXCRNLDewRYeLXMFkpDGxSxDw
Subject: [dane] Extracting SPKI from a certificate/key
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>


I had some trouble finding out how to extract the SPKI from an X.509
certificate to use in TLSA records. I stumbled upon
https://www.huque.com/bin/gen_tlsa and, based on matching the output, I
came up with the openssl/sha256sum command lines listed below. The first
one is based on the private key file and the second on an X.509
certificate that contains the same public key. Can someone verify these
produce the correct results for use with TLSA dane-ee spki sha-256
records? Naturally these exact syntaxes only work for RSA keys.

from private key:
openssl rsa -in private.key -outform der -pubout |sha256sum

from x509 certificate:
openssl x509 -in x509.crt -pubkey -noout|openssl rsa -pubin -outform
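What the two command lines in the post are computing, as an added worked example that is not part of the original post or of OpenSSL: a TLSA "3 1 1" record (usage DANE-EE, selector SPKI, matching type SHA-256) carries the SHA-256 of the DER-encoded SubjectPublicKeyInfo structure, which is the same bytes whether you derive it from the private key (`openssl rsa -pubout -outform der`) or pull it out of a certificate, because a certificate simply embeds that structure verbatim. The code below builds an RSA SPKI from a constructed (not real) modulus and exponent, wraps it in a certificate-shaped DER structure with placeholder fields, walks the DER to extract the SPKI again, and hashes both. It also hashes the bare PKCS#1 `RSAPublicKey` to show the common mistake: that encoding (what `-RSAPublicKey_out` would give you) is a different byte string and yields a digest that will never match. The DER helpers, the `fake_certificate` wrapper and the constants `DEMO_N`/`DEMO_E` are assumptions made for this example; only the Python standard library is used.

```python
"""
Added example (not part of the original mailing-list post or OpenSSL):
build an RSA SubjectPublicKeyInfo (SPKI) in DER, embed it in a
certificate-shaped structure, extract it back by walking the DER, and
show that the TLSA 3 1 1 digest is the same from either path.
The modulus/exponent are CONSTRUCTED toy values, not a usable key.
"""
import hashlib

# --- minimal DER encoding ----------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # keep the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_sequence(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))

def der_bitstring(payload: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + payload)   # leading octet: 0 unused bits

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
DER_NULL = b"\x05\x00"

def rsa_public_key_pkcs1(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }.
    NOT what a TLSA selector-1 record hashes."""
    return der_sequence(der_integer(n), der_integer(e))

def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    These are the bytes `openssl rsa -pubout -outform der` writes."""
    alg = der_sequence(RSA_ENCRYPTION_OID, DER_NULL)
    return der_sequence(alg, der_bitstring(rsa_public_key_pkcs1(n, e)))

# --- minimal DER decoding ----------------------------------------------------

def der_read(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV beginning at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length

def der_children(buf: bytes, start: int, end: int):
    """Top-level (tag, whole-TLV-bytes) pairs inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = der_read(buf, pos)
        out.append((tag, buf[pos:ve]))
        pos = ve
    return out

def fake_certificate(spki: bytes) -> bytes:
    """Certificate-shaped DER in RFC 5280 field order around the given SPKI.
    Names, validity and signature are CONSTRUCTED placeholders (unsigned)."""
    version = der_tlv(0xA0, der_integer(2))             # [0] EXPLICIT v3
    serial = der_integer(0x1234)
    sig_alg = der_sequence(SHA256_WITH_RSA_OID, DER_NULL)
    name = der_sequence()                                # empty Name placeholder
    validity = der_sequence(der_tlv(0x17, b"141222000000Z"),
                            der_tlv(0x17, b"151222000000Z"))
    tbs = der_sequence(version, serial, sig_alg, name, validity, name, spki)
    return der_sequence(tbs, sig_alg, der_bitstring(b"\x00" * 8))

def extract_spki(cert: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the SPKI TLV bytes."""
    _, s, e = der_read(cert, 0)
    _, tbs = der_children(cert, s, e)[0]
    _, ts, te = der_read(tbs, 0)
    fields = der_children(tbs, ts, te)
    idx = 6 if fields[0][0] == 0xA0 else 5                # version is OPTIONAL
    return fields[idx][1]

def tlsa_3_1_1(spki: bytes) -> str:
    """Presentation form of a DANE-EE / SPKI / SHA-256 TLSA record."""
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()

# constructed demo values (a real modulus is 2048+ bits)
DEMO_N = int("d8a3f1b2c4e5d6a7b8c9dae1f2031405", 16)
DEMO_E = 65537

if __name__ == "__main__":
    from_key = rsa_spki(DEMO_N, DEMO_E)
    from_cert = extract_spki(fake_certificate(from_key))
    print("from key :", tlsa_3_1_1(from_key))
    print("from cert:", tlsa_3_1_1(from_cert))
    print("pkcs1 (wrong):", tlsa_3_1_1(rsa_public_key_pkcs1(DEMO_N, DEMO_E)))
```

The two `tlsa_3_1_1` lines print identical digests, which is the property the post is asking about; the PKCS#1 line differs, so a record built from the wrong encoding would cause every DANE-aware client to reject the connection.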