This is already tracked as https://github.com/cabforum/servercert/issues/190 and is waiting the completion of SC41v2 in the CA/Browser Forum Server Certificate Working Group before working on (along with a cluster of related .onion fixes)
On Thu, Feb 18, 2021 at 12:05 PM SXIA via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello, > > As required by CABForum guidelines, CAs must include the hash of an ASN.1 > SubjectPublicKey of the .onion service. For example, > https://crt.sh/?id=3526088262 shows the SHA256 of the public key of > archivev3qli37bju4rlh27glh24lljyezwxf4pokmrdbpefjlcrp5id.onion is > 08afa9604f4cd74a1a867f3ffcf61faacdb19785a9d4c378f72a54503f73dd65 > > Since this a v3 address, it is not difficult to extract the public key > from .onion domain. Below is the hexdump of hs_ed25519_public_key > > 3d 3d 20 65 64 32 35 35 31 39 76 31 2d 70 75 62 > 6c 69 63 3a 20 74 79 70 65 30 20 3d 3d 00 00 00 > 04 44 74 54 95 dc 16 8d fc 29 a7 22 b3 eb e6 59 > f5 c5 ad 38 26 6d 72 f1 ee 53 22 30 bc 85 4a c5 > > So the public key (32 bytes long) is just the last two lines of the > hexdump, and we can generate the public_key.pem from it, which is > > -----BEGIN PUBLIC KEY----- > MCowBQYDK2VwAyEABER0VJXcFo38Kacis+vmWfXFrTgmbXLx7lMiMLyFSsU= > -----END PUBLIC KEY----- > > We can also convert it to DER ($ openssl pkey -pubin -outform DER -out > public_key.der), and here comes the problem: I tried to hash the DER file, > and I got 141dcca6fea50f1c9f12c7150ca157a8e6e7bf7e79a6eb6f592a6235ab57ce23, > which is different from what I see in DigiCert's certificate. Any ideas why > this happened? > > Also, since the support of v2 .onion address will be removed from the Tor > code base on July 15th, 2021 and v3 .onion address contains the full public > key, I think it is meaningless to have 2.23.140.1.31 extension after that. > > Best, > Xia > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
