The SafetyNet documentation (https://developer.android.com/training/safetynet/attestation) states that the field returned in the attestation token called apkCertificateDigestSha256 is the Base-64 encoded representation(s) of the SHA-256 hash of the calling app's signing certificate(s).
I might be misunderstanding what it means, since my data doesn't match. If I investigate my certificate fingerprints I have a field SHA256, which is 32 bytes long. When I try to encode it in base64 I get an even longer string. This is a sample result made with the string hello world, sha256-hashed and then encoded to base64:
Yjk0ZDI3Yjk5MzRkM2UwOGE1MmU1MmQ3ZGE3ZGFiZmFjNDg0ZWZlMzdhNTM4MGVlOTA4OGY3YWNlMmVmY2RlOQ==
Meanwhile the Google attestation token returns much shorter hashes that, decoded from base64, show seemingly random values. For example this:
EmGH9u67SiSyLuvZCoAN+R+NU/yHP29gSmoUgvNtehk=
This is nothing sensible after decoding.
How do I get to the same results as google gets based on my certificate? Why is their sha256 hash not 32 bytes long?
As per Michael's suggestion in the comments, the problem was that I was using the text representation of the fingerprint instead of the binary data. By changing this one detail I managed to get the same results as Google returns.
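The two computations side by side, as an added example that is not part of the question or answer above. The "wrong" path is what the question did (SHA-256, hex text, then base64 of that text, giving 88 characters); the right path base64-encodes the 32 raw digest bytes (44 characters), which is also what you get by hex-decoding the colon-separated fingerprint that keytool prints and base64-encoding those bytes. The bytes b"hello world" stand in for a certificate's DER encoding (constructed input, not a real certificate); the function names and the server-side comparison helper are this example's own.

```python
import base64
import hashlib
import hmac


def apk_cert_digest_b64(cert_der: bytes) -> str:
    """SHA-256 over the raw DER bytes of the signing certificate, then base64.

    This is the form apkCertificateDigestSha256 uses: 32 digest bytes -> 44 chars.
    """
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def fingerprint_to_digest_b64(fingerprint: str) -> str:
    """Convert a printed SHA-256 fingerprint (e.g. from keytool, "B9:4D:27:...")
    into the same base64 form. The fingerprint is already the hash, so it is only
    hex-decoded to its 32 bytes and base64-encoded, never hashed again.
    """
    hex_digits = fingerprint.replace(":", "").replace(" ", "").strip()
    digest = bytes.fromhex(hex_digits)
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return base64.b64encode(digest).decode("ascii")


def mistaken_text_digest_b64(cert_der: bytes) -> str:
    """The mistake from the question: base64-encoding the hex *text* of the digest.

    64 ASCII hex characters -> 88 base64 characters, which decodes back to hex text,
    not to the 32 digest bytes Google's token carries.
    """
    hex_text = hashlib.sha256(cert_der).hexdigest()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def token_digest_matches(token_digests: list[str], expected_cert_der: bytes) -> bool:
    """Server-side check: does any apkCertificateDigestSha256 entry in a verified
    attestation payload match the signing certificate we expect for our app?
    Comparison is constant-time per entry; the list is normally one element long.
    """
    expected = apk_cert_digest_b64(expected_cert_der)
    return any(hmac.compare_digest(d, expected) for d in token_digests)


if __name__ == "__main__":
    # Constructed stand-in for the certificate's DER bytes (mirrors the question's sample).
    cert = b"hello world"
    print("right (44 chars):", apk_cert_digest_b64(cert))
    print("wrong (88 chars):", mistaken_text_digest_b64(cert))
    # Constructed fingerprint string in keytool's colon-separated layout.
    fp = ":".join(f"{b:02X}" for b in hashlib.sha256(cert).digest())
    print("from fingerprint:", fingerprint_to_digest_b64(fp))
```

Note that the fingerprint path works only because the printed fingerprint is the digest itself in hexadecimal; hashing that text again is exactly the error in the question. On the server, compare the token's value against the digest of the certificate you shipped with, computed from the certificate bytes, after the token's signature and nonce have been verified.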