Home > Blockchain >  How to get SHA1 fingerprint of a certificate
How to get SHA1 fingerprint of a certificate

Time:01-21

My aim is to achieve SHA1 fingerprint of a third party website's certificate. I am able to get it successfully using openssl command line however, it's not getting same when I tried to achieve it using python code. The SHA1 fingerprint obtained using python code is totally different than the one obtained via openssl.

openssl steps -->

openssl s_client -servername token.actions.githubusercontent.com -showcerts -connect token.actions.githubusercontent.com:443

The above command output contains chain and root certificate;

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.actions.githubusercontent.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIG9jCCBd6gAwIBAgIQCFCR4fqbkQJJbzQZsc87qzANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjAxMTEwMDAwMDBa

Save the chain certificate with .crt extension as MaingithubOIDC.crt and running below command gives SHA1 fingerprint;

❯ openssl x509 -in MaingithubOIDC.crt -fingerprint -noout
SHA1 Fingerprint=15:E2:91:08:71:81:11:E5:9B:3D:AD:31:95:46:47:E3:C3:44:A2:31

Reference link - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

Python code (version 3.8/3.9) -->

import ssl
import socket
import hashlib
 
addr = 'token.actions.githubusercontent.com'
 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
wrappedSocket = ssl.wrap_socket(sock)
 
try:
  wrappedSocket.connect((addr, 443))
  print (wrappedSocket)
except:
  response = False
else:
  der_cert = wrappedSocket.getpeercert(True)
  pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True))
  print(pem_cert)
 
  #Print SHA1 Thumbprint
  thumb_sha1 = hashlib.sha1(der_cert).hexdigest()
  print("SHA1: "   thumb_sha1)

Python code output; SHA1: 55a7ef500a3a99f64c99c665daaf3f07403cff3d

So, the SHA1 fingerprint doesn't match with the one obtained using openssl. Am I missing something in python code?

CodePudding user response:

The problem is not the wrong fingerprint calculation from the certificate but that you get the wrong certificate. The server in question is a multi-domain setup which will return different certificates based on the server_name given in the TLS handshake - see Server Name Indication.

The following code will not provide a server_name, which results in a certificate returned for *.azureedge.net, not *.actions.githubusercontent.com as the openssl s_client code gets:

wrappedSocket = ssl.wrap_socket(sock)
 
try:
  wrappedSocket.connect((addr, 443))

To fix this the server_name need to be given:

ctx = ssl.create_default_context()
wrappedSocket = ctx.wrap_socket(sock, 
  server_hostname='token.actions.githubusercontent.com')

try:
  wrappedSocket.connect((addr, 443))

With this change the expected certificate is send by the server and the fingerprint is properly calculated on it.

Page link:https//www.codepudding.com/Blockchain/270038.html

Prev:Retrieving Tktinter Entry Values where GUI is Variable
Next:Async Await not returning value as expected
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding