Snowflex.Transport.Http.KeyFingerprint (Snowflex v1.5.0)

Computes the Snowflake key-pair-auth public-key fingerprint from an RSA private (or public) key PEM.

Snowflake stores this value per user as RSA_PUBLIC_KEY_FP (visible via DESC USER <name>;). It is defined as:

base64(sha256(DER-encoded SubjectPublicKeyInfo of the RSA public key))

and reproduces this OpenSSL pipeline:

openssl rsa -in rsa_key.p8 -pubout -outform DER \
  | openssl dgst -sha256 -binary \
  | openssl base64

Notes

  • It is the SubjectPublicKeyInfo (SPKI), not PKCS#1, that Snowflake hashes (-----BEGIN PUBLIC KEY-----, the RSA key wrapped in an AlgorithmIdentifier). Hashing the bare PKCS#1 key would yield a plausible-but-wrong fingerprint.
  • Snowflake key-pair auth is RSA only. EC/DSA keys surface loudly as {:error, {:unsupported_key, _}}.
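
The SPKI-versus-PKCS#1 distinction from the first note, as an added example built on Erlang's :public_key (this is not Snowflex's own code; FingerprintDemo and its function names are hypothetical). It generates a throwaway RSA key so it runs offline, and shows that both encodings of the same key hash to a 44-character base64 string, but the two strings differ.

```elixir
# Added example; FingerprintDemo and its functions are hypothetical names.
defmodule FingerprintDemo do
  # Correct input: DER SubjectPublicKeyInfo. pem_entry_encode/2 wraps the
  # PKCS#1 RSAPublicKey in the rsaEncryption AlgorithmIdentifier.
  def spki_fingerprint({:RSAPublicKey, _n, _e} = pub) do
    {:SubjectPublicKeyInfo, der, :not_encrypted} =
      :public_key.pem_entry_encode(:SubjectPublicKeyInfo, pub)

    digest(der)
  end

  # The mistake from the note: hashing the bare PKCS#1 RSAPublicKey DER.
  def pkcs1_hash({:RSAPublicKey, _n, _e} = pub) do
    digest(:public_key.der_encode(:RSAPublicKey, pub))
  end

  # Reduce an unencrypted private-key PEM or an SPKI public-key PEM
  # to the RSA public key; anything else is reported, not guessed at.
  def public_key(pem) do
    with [entry | _] <- :public_key.pem_decode(pem) do
      case :public_key.pem_entry_decode(entry) do
        {:RSAPublicKey, _n, _e} = pub ->
          {:ok, pub}

        key when is_tuple(key) and elem(key, 0) == :RSAPrivateKey ->
          # Record fields 2 and 3 are modulus and publicExponent.
          {:ok, {:RSAPublicKey, elem(key, 2), elem(key, 3)}}

        other ->
          {:error, {:unsupported_key, other}}
      end
    else
      [] -> {:error, :no_pem_entry}
    end
  end

  defp digest(der), do: :crypto.hash(:sha256, der) |> Base.encode64()
end

# Constructed throwaway key, generated at run time.
key = :public_key.generate_key({:rsa, 2048, 65_537})
priv_pem = :public_key.pem_encode([:public_key.pem_entry_encode(:RSAPrivateKey, key)])
{:ok, pub} = FingerprintDemo.public_key(priv_pem)
spki_pem = :public_key.pem_encode([:public_key.pem_entry_encode(:SubjectPublicKeyInfo, pub)])
{:ok, ^pub} = FingerprintDemo.public_key(spki_pem) # same key from either PEM
true = FingerprintDemo.spki_fingerprint(pub) != FingerprintDemo.pkcs1_hash(pub)
IO.puts("SPKI fingerprint: " <> FingerprintDemo.spki_fingerprint(pub))
IO.puts("PKCS#1 hash (will not match): " <> FingerprintDemo.pkcs1_hash(pub))
```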

Functions

error_message(arg1)

@spec error_message(term()) :: String.t()

fingerprint(pem, password \\ ~c"")

@spec fingerprint(binary(), charlist() | binary()) ::
  {:ok, String.t()} | {:error, term()}

Computes the bare-base64 Snowflake public-key fingerprint from a PEM.

Accepts a private key PEM (derives the public key) or a public key PEM (SPKI). password is the charlist password for an encrypted private key; pass ~c"" (the default) for an unencrypted key.

fingerprint!(pem, password \\ ~c"")

@spec fingerprint!(binary(), charlist() | binary()) :: String.t()

Like fingerprint/2, but returns the fingerprint string or raises.