From 4bed6363a3ae713007b2e340d1d1f49288eae319 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Wed, 16 May 2018 09:49:48 -0400
Subject: [PATCH] be specific about public key comparison
---
 docs/proposed/http-storage-node-protocol.rst | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/docs/proposed/http-storage-node-protocol.rst b/docs/proposed/http-storage-node-protocol.rst
index 9e51b4753..09f8ba89c 100644
--- a/docs/proposed/http-storage-node-protocol.rst
+++ b/docs/proposed/http-storage-node-protocol.rst
@@ -49,6 +49,7 @@ the client will take the following steps to gain confidence it has reached the i
 that the certificate itself is well-formed and that the signature it carries is valid.
 * It will compare the hash of the public key of the certificate to the expected public key.
+ The specifics of the comparison are the same as for the comparison specified by `RFC 7469`_ with "sha256" [#]_.
 To further clarify, consider this example.
 Alice operates a storage node.
@@ -274,3 +275,21 @@ For example::
 3: ["foo"],
 7: ["bar"]
 }
+
+
+.. _RFC 7469: https://tools.ietf.org/html/rfc7469#section-2.4
+
+.. [#]
+ More simply::
+
+ from hashlib import sha256
+ from cryptography.hazmat.primitives.serialization import (
+ Encoding,
+ SubjectPublicKeyInfo,
+ )
+ from foolscap import base32
+
+ spki_bytes = cert.public_key().public_bytes(DER, SubjectPublicKeyInfo)
+ spki_sha256 = sha256(spki_bytes).digest()
+ spki_digest32 = base32.encode(spki_sha256)
+ assert spki_digest32 == tub_id