plan9fox/sys/man/6/thumbprint

.TH THUMBPRINT 6
.SH NAME
thumbprint \- public key thumbprints
.SH DESCRIPTION
.PP
Applications in Plan 9 that use public keys for authentication,
for example by calling
.B tlsClient
and
.B okThumbprint
or
.B okCertificate
(see
.IR pushtls (2)),
check the remote side's public key by comparing against
thumbprints from a trusted list.
The list is maintained by people who set local policies
about which servers can be trusted for which applications,
thereby playing the role taken by certificate authorities
in PKI-based systems.
By convention, these lists are stored as files in
.B /sys/lib/tls/
and protected by normal file system permissions.
.PP
Such a thumbprint file comprises lines made up of
attribute/value pairs of the form
.IB attr = value
or
.IR attr .
The first attribute must be the application tag:
.B x509
for tls applications or
.B ssh
for ssh server fingerprints.
The second attribute must be a hash type of
.B sha1=
or
.BI sha256=
followed by the hex or base64 encoded hash of binary certificate
or public key.
All other attributes are treated as comments.
The file may also contain lines of the form
.B #include
.I file
.PP
For example, a web server might have thumbprint
.EX
x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com
.EE
.SH "SEE ALSO"
.IR pushtls (2)
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.TH THUMBPRINT 6`
			`.SH NAME`
			`thumbprint \- public key thumbprints`
			`.SH DESCRIPTION`
			`.PP`
			`Applications in Plan 9 that use public keys for authentication,`
			`for example by calling`
			`.B tlsClient`
			`and`
			`.B okThumbprint`
libsec: sha256 support for thumbprint files, use it in ssh as well initThumbprints() now takes an application tag argument so x509 and ssh can coexist. the thumbprint entries can now hold both sha1 and sha256 hashes. okThumbprint() now takes a len argument for the hash length used. the new function okCertificate() hashes the certificate with both and checks for any matches. on failure, okCertificate() returns 0 and sets error string. we also check for include loops now in thumbfiles, limiting the number of includes to 8. 2017-04-23 17:00:08 +00:00			`or`
			`.B okCertificate`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`(see`
			`.IR pushtls (2)),`
			`check the remote side's public key by comparing against`
			`thumbprints from a trusted list.`
			`The list is maintained by people who set local policies`
			`about which servers can be trusted for which applications,`
			`thereby playing the role taken by certificate authorities`
			`in PKI-based systems.`
			`By convention, these lists are stored as files in`
			`.B /sys/lib/tls/`
			`and protected by normal file system permissions.`
			`.PP`
			`Such a thumbprint file comprises lines made up of`
			`attribute/value pairs of the form`
			`.IB attr = value`
			`or`
			`.IR attr .`
libsec: sha256 support for thumbprint files, use it in ssh as well initThumbprints() now takes an application tag argument so x509 and ssh can coexist. the thumbprint entries can now hold both sha1 and sha256 hashes. okThumbprint() now takes a len argument for the hash length used. the new function okCertificate() hashes the certificate with both and checks for any matches. on failure, okCertificate() returns 0 and sets error string. we also check for include loops now in thumbfiles, limiting the number of includes to 8. 2017-04-23 17:00:08 +00:00			`The first attribute must be the application tag:`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.B x509`
libsec: sha256 support for thumbprint files, use it in ssh as well initThumbprints() now takes an application tag argument so x509 and ssh can coexist. the thumbprint entries can now hold both sha1 and sha256 hashes. okThumbprint() now takes a len argument for the hash length used. the new function okCertificate() hashes the certificate with both and checks for any matches. on failure, okCertificate() returns 0 and sets error string. we also check for include loops now in thumbfiles, limiting the number of includes to 8. 2017-04-23 17:00:08 +00:00			`for tls applications or`
			`.B ssh`
			`for ssh server fingerprints.`
			`The second attribute must be a hash type of`
			`.B sha1=`
			`or`
			`.BI sha256=`
			`followed by the hex or base64 encoded hash of binary certificate`
			`or public key.`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`All other attributes are treated as comments.`
			`The file may also contain lines of the form`
libsec: sha256 support for thumbprint files, use it in ssh as well initThumbprints() now takes an application tag argument so x509 and ssh can coexist. the thumbprint entries can now hold both sha1 and sha256 hashes. okThumbprint() now takes a len argument for the hash length used. the new function okCertificate() hashes the certificate with both and checks for any matches. on failure, okCertificate() returns 0 and sets error string. we also check for include loops now in thumbfiles, limiting the number of includes to 8. 2017-04-23 17:00:08 +00:00			`.B #include`
			`.I file`
Import sources from 2011-03-30 iso image - sys/man 2011-03-30 13:49:47 +00:00			`.PP`
			`For example, a web server might have thumbprint`
			`.EX`
			`x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com`
			`.EE`
			`.SH "SEE ALSO"`
			`.IR pushtls (2)`