Switch to URL-safe base64 for SPKI hash, for nicer usage in NURLs.

2024-12-20 05:28:04 +00:00 · 2022-04-06 09:37:18 -04:00 · 2022-04-06 09:37:18 -04:00 · 2e934574f0
commit 2e934574f0
parent 5972a13457
2 changed files with 5 additions and 3 deletions
--- a/src/allmydata/storage/http_common.py
+++ b/src/allmydata/storage/http_common.py
@ -3,7 +3,7 @@ Common HTTP infrastructure for the storge server.
 """

 from enum import Enum
-from base64 import b64encode
+from base64 import urlsafe_b64encode, b64encode
 from hashlib import sha256
 from typing import Optional

@ -44,8 +44,10 @@ def get_spki_hash(certificate: Certificate) -> bytes:
    """
    Get the public key hash, as per RFC 7469: base64 of sha256 of the public
    key encoded in DER + Subject Public Key Info format.
+
+    We use the URL-safe base64 variant, since this is typically found in NURLs.
    """
    public_key_bytes = certificate.public_key().public_bytes(
        Encoding.DER, PublicFormat.SubjectPublicKeyInfo
    )
-    return b64encode(sha256(public_key_bytes).digest()).strip().rstrip(b"=")
+    return urlsafe_b64encode(sha256(public_key_bytes).digest()).strip().rstrip(b"=")
--- a/src/allmydata/test/test_storage_https.py
+++ b/src/allmydata/test/test_storage_https.py
@ -42,7 +42,7 @@ class HTTPSNurlTests(SyncTestCase):
                openssl asn1parse -noout -inform pem -out public.key
            openssl dgst -sha256 -binary public.key | openssl enc -base64
        """
-        expected_hash = b"JIj6ezHkdSBlHhrnezAgIC/mrVQHy4KAFyL+8ZNPGPM"
+        expected_hash = b"JIj6ezHkdSBlHhrnezAgIC_mrVQHy4KAFyL-8ZNPGPM"
        certificate_text = b"""\
 -----BEGIN CERTIFICATE-----
 MIIDWTCCAkECFCf+I+3oEhTfqt+6ruH4qQ4Wst1DMA0GCSqGSIb3DQEBCwUAMGkx