[PATCH RFC] sslutil: use base64 for key fingerprints (BC)

Matt Mackall mpm at selenic.com
Wed Jul 6 12:20:59 EDT 2016


On Tue, 2016-07-05 at 23:36 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1467786847 25200
> #      Tue Jul 05 23:34:07 2016 -0700
> # Node ID 6873eb9a931da6cfcb40b2aba2f75260db5a8200
> # Parent  73b0a50ff97787557e517779a33644149d25d0a8
> sslutil: use base64 for key fingerprints (BC)
> 
> When I initially implemented support for SHA-256 and SHA-512
> certificate pinning, I copied the strategy used for SHA-1 fingerprints,
> which was to use hex fingerprints. SHA-256 and SHA-512 hashes are much
> longer. Using base 16 to represent the hash can be cumbersome.
> 
> This patch switches the fingerprints for newer fingerprints (read:
> everything in [hostsecurity]) to base64. The resulting strings are
> smaller and easier on the eyes in error messages.

I've found it very useful to be able to check the fingerprint with my laptop's
browser. My browser's trust database is generally newer and more reliable than
the equivalent database (if any!) available to Mercurial on a random old server.
Breaking that seems like a bigger loss than is gained by compactness.

For the sake of discussion, the current fingerprint size is:

 n/4 + n/8 - 1

 160: 59
 256: 95
 512: 191

With base-64, it's going to be:

 int(n/24.0 + .5) * 4

 160: 28
 256: 44
 512: 84

..so we're not entirely saved from the awkward line length issue.

-- 
Mathematics is the supreme nostalgia of our time.



More information about the Mercurial-devel mailing list