
In NodeJS, you can get the client certificate from an HTTPS connection with req.connection.getPeerCertificate(). This produces a structure like below (self-signed cert generated via this code):

{ subject:
   { C: 'US',
     ST: 'Utah',
     L: 'Provo',
     O: 'ACME App Client',
     CN: 'client.example.net' },
  issuer:
   { C: 'US',
     ST: 'Utah',
     L: 'Provo',
     O: 'ACME Signing Authority Inc',
     CN: 'example.com' },
  modulus: '...',
  exponent: '10001',
  valid_from: 'Jul  8 19:26:10 2015 GMT',
  valid_to: 'Jul  7 19:26:10 2018 GMT',
  fingerprint: 'F1:40:33:5E:D0:9F:1A:F0:07:3B:B9:6C:BA:90:26:33:3F:A0:2D:F0',
  serialNumber: 'FF164CD2E63BFDF7',
  raw: <Buffer 30 82 03 46 30 82 02 2e 02 09 00 ff 16 4c d2 e6 3b fd f7 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 67 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 ... > }

Which, if any, of these fields would it be appropriate to consider as a cryptographically secure identity of the client, the same way that my SSH public key might be considered my identity?

According to How do you test a public/private DSA keypair?, comparing the modulus ensures that the certificate matches the identity. This would lead me to believe that modulus would be the appropriate field to call the "identity", and agrees with RSA Encryption (Key generation) in which different keypairs will always have a different modulus. However, I have not found any solid information leading me to believe that the modulus is completely unique in all cases (for instance, the fingerprint should generally be unique, but since it's shorter it would be easier to find a collision [and fake an identity] if I considered the fingerprint as a UUID).

Ideally I'm looking for more information on the nature of the information contained in a certificate. Most of my search results have come up with info on how to use openssl, not the concepts involved.

Ryan Kennedy

1 Answer


fingerprint: 'F1:40:33:5E:D0:9F:1A:F0:07:3B:B9:6C:BA:90:26:33:3F:A0:2D:F0',

The fingerprint is unique for the certificate and is equivalent to the fingerprint of the key in SSH.

Steffen Ullrich
  • The fingerprint isn't completely unique though, right? However slim, there's still a much greater chance you could create a duplicate certificate with the same fingerprint, than to create a duplicate certificate with the same private key. I want to find an attribute so that, if that attribute is the same on two certificates, it is **mathematically certain** that those certificates both have the same private key. – Ryan Kennedy Jul 08 '15 at 20:39
  • Actually it is more common to have certificates with the same public key than with the same fingerprint because the public key is often kept when reissuing a certificate or when a certificate gets cross-signed. But it usually still belongs to the same party. And if you need concepts etc. you had better ask at security.stackexchange.com. – Steffen Ullrich Jul 08 '15 at 20:53
  • Ok. So is the modulus the public key, then? I'm not trying to uniquely identify the _certificate_, I'm trying to uniquely identify the _client_. I'm going to post over at security.stackexchange.com per your suggestion. – Ryan Kennedy Jul 08 '15 at 22:30
  • @RyanMuller: the modulus is not the public key but highly related to it. See https://en.wikipedia.org/wiki/RSA_(cryptosystem) for details. But of course you will find it only with certificates using RSA, not with certificates using ECC. And again: this is the wrong forum for technical details, ask at security.stackexchange.com. – Steffen Ullrich Jul 09 '15 at 06:14