
how to generate x5t header value in golang


I have a bash command (from Medium) to generate the base64 of the fingerprint of a certificate.

echo $(openssl x509 -in cert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64

I want to write similar code in golang. I am facing a problem with xxd -r -ps; how can I implement this xxd in golang?

The output of the command is used as x5t header in Azure.

Code which is implemented -

data := `-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUDXiUCBmejBrKJeaF5xUltTKShokwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA5MjAxMjA1MzdaFw0zMDA5
MTgxMjA1MzdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDgZq1ucYX2Oi63TilhD8YPImV7CGPsjCPuIrsgaEV6
0fLVMp0lvDtnVsDWu4QGeBQN8cusOQclOje43AVmvUpAxKcXTRRvhxURpxnZqxXM
yYN7S+X5mO7sEj0DsAxpH8/Mo5awMi9e7rdEu2Q+IBQI0gZu+d3gv/svcKzPtwAj
kaZdsBhZr55vRigEJSaWTq8oRUdihQZVz9wqvwdIehh0SU61Awk8jmoDQ3+SocZo
cFEqsCqHasjKhXUOdQw24AsGIPjVN7IpBBWsQBgSVRY683ERKXE/pjGUDQJDuoEh
QVnWa3sf9/18tlnk+faCUjGAGsxZg1WJUez7fygQ+h0rAgMBAAGjUzBRMB0GA1Ud
DgQWBBROF0gDDord4phH0R8mtd/vTF2SgDAfBgNVHSMEGDAWgBROF0gDDord4phH
0R8mtd/vTF2SgDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDQ
hHU8RaekKQ332pq09TqIU1PvYb5/DTkPTftPX32g5/QPrIu1lSxdkByO1jK9MI/w
JECViCJdISK2FxW/74meXt4kALrebLc6HrLwYTqOR8PTAdtrGaPinKzrcjjB3oDK
Ni+qtW2GOGQ4MIqIgcVIqWNyuzVQ22BpKVbEvpzoMV1AcFAaHv4GpFxlKYrpxy4G
u0D84FHf95DPx6Jf79MRVh1WiEbsdWak8W1KAokRMp1AFktkZYDPGZvjuYD7jNfx
vcMgUpzdA0MYq54/OzypmN1tZ658EBkH6pCS8abtv6cZbEggQWI47TVov/THtBls
ySRtrOZbmIvnSs2ZMMsz
-----END CERTIFICATE-----
`
    derBytes, _ := pem.Decode([]byte(data))
    cert, err := x509.ParseCertificate(derBytes.Bytes)
    if err != nil {
        fmt.Println("err ParseCertificate", err)
    }
    fingerprint := sha1.Sum(cert.Raw)

    var buf bytes.Buffer
    for i, f := range fingerprint {
        if i > 0 {
            fmt.Fprintf(&buf, "")
        }
        fmt.Fprintf(&buf, "%02X", f)
    }
    fp := buf.String()
    fmt.Printf("Fingerprint : %s\n", fp) //04B9B0BCB18EF20440DE0ACEC010F6AD9F1B3A94

    // convert fp to byte and then enc in b64
    sEnc := base64.StdEncoding.EncodeToString([]byte(fp))
    fmt.Println(sEnc) //MDRCOUIwQkNCMThFRjIwNDQwREUwQUNFQzAxMEY2QUQ5RjFCM0E5NA==

The output of the openssl cmd is BLmwvLGO8gRA3grOwBD2rZ8bOpQ= and the output of the program is MDRCOUIwQkNCMThFRjIwNDQwREUwQUNFQzAxMEY2QUQ5RjFCM0E5NA==


Solution

  • You are building up a bytes buffer with the hexadecimal representation and base64 encoding that string. Instead, you need to base64 encode the raw bytes of the fingerprint.

    The hexadecimal representation is just a nicety by openssl, no operations are done on the hexadecimal representation of the data.

    Replace the code after computing the fingerprint with the following:

    fingerprint := sha1.Sum(cert.Raw)
    
    fmt.Printf("%x\n", fingerprint)
    // 04b9b0bcb18ef20440de0acec010f6ad9f1b3a94
    
    b64 := base64.StdEncoding.EncodeToString(fingerprint[:])
    fmt.Println(b64)
    // BLmwvLGO8gRA3grOwBD2rZ8bOpQ=
    

    We can still print the fingerprint in hexadecimal notation; we just use the %x verb. The only slightly annoying thing is that we need to use fingerprint[:] to turn the array into a slice.
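
An added example, not part of the original question or answer: both routes to the value, from the openssl fingerprint text (hex.DecodeString is the Go counterpart of xxd -r -ps) and from the PEM certificate itself, with the nil PEM block checked. The names X5tFromFingerprint, X5tFromPEM and encode are hypothetical; alongside the standard base64 string the openssl pipeline prints, it also returns the unpadded base64url form, which is the encoding RFC 7515 defines for x5t.

```go
package main

import (
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// encode returns standard base64 (openssl pipeline output) and unpadded base64url (RFC 7515).
func encode(sum []byte) (std, url string, err error) {
	return base64.StdEncoding.EncodeToString(sum), base64.RawURLEncoding.EncodeToString(sum), nil
}

// X5tFromFingerprint turns "SHA1 Fingerprint=04:B9:..." back into raw bytes, as xxd -r -ps does.
func X5tFromFingerprint(line string) (std, url string, err error) {
	if i := strings.IndexByte(line, '='); i >= 0 {
		line = line[i+1:] // drop the "SHA1 Fingerprint=" label
	}
	raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(line), ":", ""))
	if err != nil {
		return "", "", fmt.Errorf("fingerprint is not hex: %w", err)
	}
	if len(raw) != sha1.Size {
		return "", "", fmt.Errorf("want %d bytes, got %d", sha1.Size, len(raw))
	}
	return encode(raw)
}

// X5tFromPEM hashes the certificate's DER bytes; a missing or non-certificate block is an error.
func X5tFromPEM(pemData []byte) (std, url string, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", fmt.Errorf("parse certificate: %w", err)
	}
	sum := sha1.Sum(cert.Raw)
	return encode(sum[:])
}

func main() {
	fmt.Println(X5tFromFingerprint("SHA1 Fingerprint=04:B9:B0:BC:B1:8E:F2:04:40:DE:0A:CE:C0:10:F6:AD:9F:1B:3A:94"))
}
```

The fingerprint passed in main is the one printed in the question; the two encodings differ only in padding and in the `+`/`/` versus `-`/`_` characters.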