3737By default the fingerprint calculated is the SHA-256 hash with raw Base64 encoding
3838of the ASN.1 BIT STRING of the subjectPublicKey defined in RFC 5280.
3939
40- Using the flag **--ssh** the fingerprint would be based on the SSH encoding of
41- the public key.
40+ Using the **--pkix** flag, the fingerprint is calculated from the PKIX encoding
41+ of the public key. Using the **--ssh** flag, the fingerprint is calculated from
42+ the SSH encoding.
4243
4344Note that for certificates and certificate request, the fingerprint would be
4445based only on the public key embedded in the certificate. To get the certificate
@@ -62,6 +63,11 @@ Print the fingerprint of a public key:
6263$ step crypto key fingerprint pub.pem
6364'''
6465
66+ Print the fingerprint of the PKIX format of public key:
67+ '''
68+ $ step crypto key fingerprint --pkix pub.pem
69+ '''
70+
6571Print the fingerprint of the public key using the SSH marshaling:
6672'''
6773$ step crypto key fingerprint --ssh pub.pem
@@ -94,6 +100,10 @@ $ step crypto key fingerprint --password-file pass.txt priv.pem
94100 Name : "sha1" ,
95101 Usage : "Use the SHA-1 hash with hexadecimal format. The result will be equivalent to the Subject Key Identifier in a X.509 certificate." ,
96102 },
103+ cli.BoolFlag {
104+ Name : "pkix" ,
105+ Usage : "Use the PKIX marshaling format instead of X.509." ,
106+ },
97107 cli.BoolFlag {
98108 Name : "ssh" ,
99109 Usage : "Use the SSH marshaling format instead of X.509." ,
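Review bot: The usage text added for the `pkix` flag, `Use the PKIX marshaling format instead of X.509.`, does not tell the user how it differs from the default, since the default is itself taken from the X.509 SubjectPublicKeyInfo (the command description above calls it the subjectPublicKey BIT STRING of RFC 5280) and "PKIX" and "X.509" name the same standard. Consider `Usage: "Hash the whole PKIX SubjectPublicKeyInfo (DER) instead of only its subjectPublicKey BIT STRING.",` so a user comparing fingerprints across tools knows which bytes each flag hashes. The surrounding flag list starts before this hunk.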
@@ -127,16 +137,22 @@ func fingerprintAction(ctx *cli.Context) error {
127137 }
128138
129139 var (
130- raw = ctx .Bool ("raw" )
131- sha1 = ctx .Bool ("sha1" )
132- encSSH = ctx .Bool ("ssh" )
133- format = ctx .String ("format" )
140+ raw = ctx .Bool ("raw" )
141+ sha1 = ctx .Bool ("sha1" )
142+ encPKIX = ctx .Bool ("pkix" )
143+ encSSH = ctx .Bool ("ssh" )
144+ format = ctx .String ("format" )
134145
135146 defaultFmt = "base64"
136147 prefix = "SHA256:"
137148 hash = crypto .SHA256
138149 )
139150
151+ // SSH and PKIX are mutually exclusive.
152+ if encPKIX && encSSH {
153+ return errs .MutuallyExclusiveFlags (ctx , "pkix" , "ssh" )
154+ }
155+
140156 // Keep backwards compatibility for SHA1.
141157 if sha1 {
142158 defaultFmt = "hex"
@@ -189,9 +205,12 @@ func fingerprintAction(ctx *cli.Context) error {
189205 key = k .Public ()
190206 }
191207
192- if encSSH {
208+ switch {
209+ case encSSH :
193210 b , err = sshFingerprintBytes (key )
194- } else {
211+ case encPKIX :
212+ b , err = pkixFingerprintBytes (key )
213+ default :
195214 b , err = x509FingerprintBytes (key )
196215 }
197216 if err != nil {
@@ -218,11 +237,19 @@ type subjectPublicKeyInfo struct {
218237 SubjectPublicKey asn1.BitString
219238}
220239
221- func x509FingerprintBytes (pub crypto.PublicKey ) ([]byte , error ) {
240+ func pkixFingerprintBytes (pub crypto.PublicKey ) ([]byte , error ) {
222241 b , err := x509 .MarshalPKIXPublicKey (pub )
223242 if err != nil {
224243 return nil , errors .Wrap (err , "error marshaling public key" )
225244 }
245+ return b , nil
246+ }
247+
248+ func x509FingerprintBytes (pub crypto.PublicKey ) ([]byte , error ) {
249+ b , err := pkixFingerprintBytes (pub )
250+ if err != nil {
251+ return nil , err
252+ }
226253 var info subjectPublicKeyInfo
227254 if _ , err = asn1 .Unmarshal (b , & info ); err != nil {
228255 return nil , errors .Wrap (err , "error unmarshaling public key" )
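Review bot: Neither pkixFingerprintBytes nor x509FingerprintBytes carries a doc comment, and since both produce the bytes that get hashed, the difference between them is exactly what a maintainer needs to know before touching either. Above the new function add `// pkixFingerprintBytes returns the DER-encoded PKIX SubjectPublicKeyInfo of pub (x509.MarshalPKIXPublicKey); these are the bytes the --pkix fingerprint is computed over.` and above x509FingerprintBytes add `// x509FingerprintBytes returns only the subjectPublicKey BIT STRING extracted from that SubjectPublicKeyInfo, which is what the default fingerprint is computed over.`. The two values differ for the same key, so the comment is the one place that ties each helper to the behaviour documented in the command description. x509FingerprintBytes continues past the end of the hunk.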