javasslsha256rsa-sha256

sha256 hash from public key


I am trying to read sha256 has from a public key certificates. The certificate is shown below.

I am running following command to read sha256 hash but it is not giving proper result:

openssl x509 -in test.crt -pubkey -noout | openssl rsa -pubin -outform der | \
  openssl dgst -sha256 -binary | openssl enc -base64

I am getting some wrong value RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=

Correct values are:

sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=
sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=

I am wondering how three values came in, yes only one is correct but to validate these values i do run sample program given below:

public class Main {

    public static void main(String[] args) throws IOException {
        HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
        interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
        String hostName = "www.google.com";
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
                .add(hostName, "sha256/pqrmt")
                .build();
        OkHttpClient client = new OkHttpClient.Builder()
                .addNetworkInterceptor(interceptor)
                .certificatePinner(certificatePinner)
                .build();
        Request request = new Request.Builder()
                .url("https://" + hostName)
                .build();
        client.newCall(request).execute();

    }
}

Adding wrong key hash give me proper one on error logs, and using proper one allows me to communicate with ease.


-----BEGIN CERTIFICATE-----
MIIISDCCBzCgAwIBAgIILbxyxVw1oQAwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwODAyMTk0NTM5WhcNMTcxMDI1MTkyMzAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvqjgh7NP
S0DNdmqg94u9ecHsxtCCNH5K7RQDbT7stPZaftCBuCXEDbhmqP44ne7kKkKyHqVx
OxzDyMrvMly/qDvd17X33kXjEdte3YOWTENQ7R//LIQ2qwxOCd7LcDhRLnbhV61k
yDJIPzjM79BX8b0u9+e2KAYfhYFANB+iZrk0/sLXmlv+T+E1bm4D19H55BstEPM8
SOTUj0cntYaN+5Rcy1s9p5CjWb1Sy/JXyBv+QLkrbj2JyQ+KlG2Fil4ue3ooF2iA
LZM+k2OgCizz5Kh6za1oKkL08/wJCaqHQJMhxX1ajXW93DwyojOqt40+6tF43rEU
Uxy87Joi+ZZNOQIDAQABo4IFFTCCBREwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIID4QYDVR0RBIID2DCCA9SCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lk
LmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29t
ghQqLmRiODMzOTUzLmdvb2dsZS5jboIGKi5nLmNvgg4qLmdjcC5ndnQyLmNvbYIW
Ki5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs
gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr
gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t
LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu
Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l
c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n
bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMu
Y29tgg8qLmdvb2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdv
b2dsZXZpZGVvLmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2
dDEuY29tggoqLmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNo
aW4uY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29t
gg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggcqLnl0LmJl
ggsqLnl0aW1nLmNvbYIaYW5kcm9pZC5jbGllbnRzLmdvb2dsZS5jb22CC2FuZHJv
aWQuY29tghtkZXZlbG9wZXIuYW5kcm9pZC5nb29nbGUuY26CHGRldmVsb3BlcnMu
YW5kcm9pZC5nb29nbGUuY26CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGlj
cy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIYc291cmNlLmFu
ZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29vLmdsggh5b3V0dS5i
ZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tggV5dC5iZTBoBggr
BgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9H
SUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29t
L29jc3AwHQYDVR0OBBYEFJsK+1wBuADqH695FkUxvBBxBD13MAwGA1UdEwEB/wQC
MAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYDVR0gBBowGDAM
BgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8v
cGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCWfamc
vElR0WkzwdaofPD66PsmqihYbgMAEOJBtt4isDLcVqG0tE8xwAYZO+EksklR6nXq
Pi8021W/qgh2XDmyGajc/psjSBdfAi2bw/kIMcXpQsJSR33n0kLJe4/5z5YwSJEt
M7f6DKlBzxalGrHc2rnkOw4xZEKYZ+nJQ5E3Lms0NKHFPxj3c5QvUYfiWhC4lY1m
RZRPIDQc9Bmcu+gJseRGYd8g+USo0829CMq42KaQM7nshxmwexXPv9ic9nV6f+Qi
nw1hL6RdI3+yHRSZCBPnlfpQfLLJatJmpwddP2ibT56zDDT4BQsP4/QeAbEOJ+Bp
0nJ0S+1OpCbjQXYL
-----END CERTIFICATE-----

Solution

  • sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=

    This pin matches the leaf certificate returned when accessing www.google.com:

    $ openssl s_client -connect www.google.com:443 |\
       openssl x509  -pubkey -noout |\
       openssl pkey -pubin -outform der |\
       openssl dgst -sha256 -binary |\
       openssl enc -base64
    ...
    depth=0 ... CN = www.google.com
    i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
    

    But, if you have a closer look at the certificate returned when accessing www.google.com you see that is has a CN of www.google.com. Instead the certificate you've included in your question has a CN of *.google.com, i.e. is a different certificate. This certificate is returned for example if you access google.com instead of www.google.com:

    $ openssl s_client -connect google.com:443 |\
       openssl x509  -pubkey -noout |\
       openssl pkey -pubin -outform der |\
       openssl dgst -sha256 -binary |\
       openssl enc -base64
    ...
    depth=0 ... CN = *.google.com
    RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=
    

    As you can see, the public key fingerprint you had computed was the correct one. Only your assumptions about the correct fingerprints where incorrect because you've checked these against the wrong site.