I have a little program in Java and one in Delphi 5; both of them were designed to handle certificates.
In Delphi I'm using an Indy 9 component, TIdX509. This object has a method to get the fingerprint as a String, but I didn't find anywhere how TIdX509 calculates it. I could only find that it shouldn't have 16 bytes, for example:
72:7F:8D:DF:8D:5F:61:A3:9E:DF:38:CA:C5:5B:18:0A 16 groups of 2.
So I tested in Java to see what fingerprint would be calculated. I wrote my function based on this answer: How to calculate X.509 certificate's SHA-1 fingerprint?
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateEncodingException;
    import java.security.cert.X509Certificate;

    public static String generateFingerPrint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        // The fingerprint is the digest of the certificate's DER encoding
        byte[] hash = digest.digest(cert.getEncoded());
        final char delimiter = ':';
        // Calculate the number of characters in our fingerprint
        // ('# of bytes' * 2) chars + ('# of bytes' - 1) chars for delimiters
        final int len = hash.length * 2 + hash.length - 1;
        // Typically SHA-1 algorithm produces 20 bytes, i.e. len should be 59
        StringBuilder fingerprint = new StringBuilder(len);
        for (int i = 0; i < hash.length; i++) {
            // Step 1: unsigned byte (mask into an int; masking a byte in place has no effect)
            int unsigned = hash[i] & 0xff;
            // Steps 2 & 3: byte to hex in two chars
            // Lower cased 'x' at '%02x' enforces lower cased char for hex
            // value!
            fingerprint.append(String.format("%02x", unsigned));
            // Step 4: put delimiter
            if (i < hash.length - 1) {
                fingerprint.append(delimiter);
            }
        }
        return fingerprint.toString();
    }
The result I get from this is something like: 56:ee:54:2b:cb:d3:8a:e2:1d:13:e1:f3:9c:f6:8f:3b:69:18:95:0a - 20 groups of 2
I also found this website: Calculate Fingerprint, and it also generates the fingerprint with 20 groups of 2 and not 16.
So, my question is: Why does the Indy component TIdX509 generate the fingerprint with just 16 groups of 2 when it should be 20?
The result of SHA-1 is supposed to be 160 bits or 20 bytes, and that is what you are getting from your Java program, no surprises.
A quick Google search finds that the Delphi component you are using is calculating a message digest: http://www.e-iter.net/Knowledge/Indy9/007901.html#0000, which most likely means an MD5 digest, which is 128 bits or 16 bytes, as expected.
Basically changing MessageDigest.getInstance("SHA-1")
to MessageDigest.getInstance("MD5")
should do what you want.
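An added example, not part of the original question or answer: it digests the same certificate bytes with MD5 and SHA-1 and picks the digest from the number of hex groups, so a fingerprint reported by either program can be checked against the same certificate. It assumes, as the answer suggests, that the 16-group value is an MD5 digest; the class name, the helper names and the sample bytes (a constructed stand-in for `cert.getEncoded()`) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class FingerprintCompare {

    // Digest the DER encoding (cert.getEncoded()) and format it as colon-separated upper-case hex.
    static String fingerprint(byte[] der, String algorithm) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder(hash.length * 3);
        for (int i = 0; i < hash.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", hash[i] & 0xff));
        }
        return sb.toString();
    }

    // Infer the digest algorithm from the number of two-character groups.
    static String algorithmFor(String fp) {
        int groups = fp.split(":").length;
        switch (groups) {
            case 16: return "MD5";      // 128 bits
            case 20: return "SHA-1";    // 160 bits
            case 32: return "SHA-256";  // 256 bits
            default: throw new IllegalArgumentException("unexpected fingerprint length: " + groups + " bytes");
        }
    }

    // Check a fingerprint reported by another tool against the same certificate bytes,
    // ignoring hex case and using whichever digest its length implies.
    static boolean matches(byte[] der, String reported) throws NoSuchAlgorithmException {
        String expected = fingerprint(der, algorithmFor(reported));
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                reported.toUpperCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for cert.getEncoded(); not a real certificate.
        byte[] der = "constructed sample bytes".getBytes(StandardCharsets.US_ASCII);
        String md5 = fingerprint(der, "MD5");
        String sha1 = fingerprint(der, "SHA-1").toLowerCase(Locale.ROOT);
        System.out.println(algorithmFor(md5) + "   " + md5);
        System.out.println(algorithmFor(sha1) + " " + sha1);
        System.out.println("both match: " + (matches(der, md5) && matches(der, sha1)));
    }
}
```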