SPKI questions (computing, overlapping values)

I recently added some SPKI tracking to my client, and have gotten myself a bit confused after finding a weird situation.

I hope someone here is able/willing to set me straight on two questions.

Using the retired LetsEncrypt X1 Certificate as an example: certsplainer: x509 certificate viewer

1. The SPKI Hash

  • Mozilla shows a spki hash as 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
  • Mozilla shows a "hpkp pin-sha256" YLH1DUR9Y6KJA30RRAN7JKNBQG/UETLMKBGFF2FUIHG=

I have been under the impression the YLH... computation was the SPKI hash. It looks like the 60B... is just hash before b64 encoding. Does anyone know why mozilla is breaking this up?

The YLH.... computation comes from the following, which I thought was correct based on RFCs and various other projects using it...

via OpenSSL

openssl x509 -pubkey -noout -in {CERT_FILEPATH} | \
openssl {key_technology} -pubout -outform DER -pubin | \
openssl dgst -sha256 -binary | \
openssl enc -base64

via Python

from OpenSSL import crypto
from cryptography.hazmat.primitives import serialization
import hashlib
import base64

CERT_PEM = """-----BEGIN CERTIFICATE-----""" ...

cert = crypto.load_certificate(crypto.FILETYPE_PEM, CERT_PEM)
cryptography_cert = cert.to_cryptography()
cryptography_publickey = cryptography_cert.public_key()
_public_bytes = cryptography_publickey.public_bytes(
_spki_hash = hashlib.sha256(_public_bytes).digest()
spki_sha256 = base64.b64encode(_spki_hash)

2. hpkp hash overlap.

While I expect Xn + Xn[Cross] certs should have the same values, somehow I'm seeing X1&X3 sharing the same value, and X2+X4 also sharing a value. I don't see this with any of the other leaf certs. Does anyone have insight on this?

edit: I realized one value is just the other before b64 encoding.

1 Like

I believe this answers your remaining question.


THANK YOU. That was driving me crazy.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.