Instantly share code, notes, and snippets.

@woodrow /hpkp_hashes.sh
Created Feb 21, 2014

Embed
What would you like to do?
Download ZIP
Public key pinning digest generation
Raw
hpkp_hashes.sh
# get the SHA-1 digest of the subjectPublicKeyInfo of a certificate as used by Chromium's preloaded public key pinning
# http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.h?r1=191212&r2=191211&pathrev=191212
curl -s https://pki.google.com/GIAG2.crt | openssl x509 -inform der -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha1
# (stdin)= 43dad630ee53f8a980ca6efd85f46aa37990e0ea
# get the base64-encoded SHA-256 digest of the subjectPublicKeyInfo of a certificate as used by HTTP Public Key Pinning
# (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11)
curl -s https://pki.google.com/GIAG2.crt | openssl x509 -inform der -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
# 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=
@DavisNT

This comment has been minimized.

Sign in to view

DavisNT commented Jul 9, 2014

Make base64-encoded SHA-256 digest of the subjectPublicKeyInfo from local certificate file in PEM format (certificate.pem):

openssl x509 -inform pem -pubkey -noout < certificate.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Make base64-encoded SHA-256 digest of the subjectPublicKeyInfo from local certificate file in DER format (certificate.crt):

openssl x509 -inform der -pubkey -noout < certificate.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Make base64-encoded SHA-256 digest of the subjectPublicKeyInfo from local CSR file in PEM format (csr.pem):

openssl req -inform pem -pubkey -noout < csr.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment