feature request - ssh public key fingerprints

[user3472g]

Perhaps the feature is there but I cannot find it.

Is there a way to obtain the md5 or sha256 fingerprint of a public key?

With ed25519 it can be done as:

hashlib.md5(key.public_bytes_raw()).hexdigest()

Other format do not support Raw encoding.

Seems wasteful to have to base64 or DER decode the key bytes, again, to get the raw bytes for hashing.

thank you

[alex]

I'm not familiar with the exact format of SSH public key fingerprints, but in general if they're a hash of some serialization of the key, then you need to compute the serialization.

Several key types, e.g. RSA, do not have a "raw bytes" notion at all.

[user3472g]

thank you for your reply.

By fingerprint what is meant is the md5 or sha256 hash of the base64 decoded bytes. What you get from command as: ssh-keygen -lf /path/to/key.pub or ssh-keygen -l -E md5 -f /path/to/key.pub for md5.

cryptography could provide this, as a convenience to the user, by hashing the memoryview passed into the load_public calls in the various private SSHFormat classes and making the hash value available in the class returned from load_ssh_public_ calls.

Several key types, e.g. RSA, do not have a "raw bytes" notion at all.

By, "raw bytes", am referring to formats such as those defined in RFC4523 and implemented in the serialization/ssh.py module

The "ssh-rsa" key format has the following specific encoding:

  string    "ssh-rsa"
  mpint     e
  mpint     n

[alex]

Ok. I think it'd be reasonable to add an API to the ssh module that returns the fingerprint -- this should be able to reuse the existing key serialization logic from `encode_public`. Would you be interested in submitting a PR for this?

…

On Thu, Dec 12, 2024 at 9:45 AM user3472g ***@***.***> wrote: thank you for your reply. By fingerprint what is meant is the md5 or sha256 hash of the base64 decoded bytes. What you get from command as: ssh-keygen -lf /path/to/key.pub or ssh-keygen -l -E md5 -f /path/to/key.pub for md5. cryptography could provide this, as a convenience to the user, by hashing the memoryview passed into the load_public calls in the various private *SSHFormat classes and making the hash value available in the class returned from load_ssh_public* calls. Alternatively, the user could get back to the original "raw" key bytes by using the "encode_public" methods and prepending the key type and length original = b'\x07ssh-rsa' + key.encode_public() which they could then hash themselves, if the user had access to the encode_public methods. — Reply to this email directly, view it on GitHub <#12132 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBGKI4KB6BF5P4FAEJT2FGOSPAVCNFSM6AAAAABTODHQ7WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZZGE2TMMRYGU> . You are receiving this because you commented.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[alex]

Does #12673 address the use case here?