shithub: plan9front

ref: e72da62915b09d5673b0c0179ba8dfe045aeb8c3
dir: /sys/man/6/thumbprint/

View raw version
thumbprint \- public key thumbprints
Applications in Plan 9 that use public keys for authentication,
for example by calling
.B tlsClient
.B okThumbprint
.B okCertificate
.IR pushtls (2)),
check the remote side's public key by comparing against
thumbprints from a trusted list.
The list is maintained by people who set local policies
about which servers can be trusted for which applications,
thereby playing the role taken by certificate authorities
in PKI-based systems.
By convention, these lists are stored as files in
.B /sys/lib/tls/
and protected by normal file system permissions.
Such a thumbprint file comprises lines made up of
attribute/value pairs of the form
.IB attr = value
.IR attr .
The first attribute must be the application tag:
.B x509
for tls applications or
.B ssh
for ssh server fingerprints.
The second attribute must be a hash type of
.B sha1=
.BI sha256=
followed by the hex or base64 encoded hash of binary certificate
or public key.
All other attributes are treated as comments.
The file may also contain lines of the form
.B #include
.I file
For example, a web server might have thumbprint
x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*
.IR pushtls (2)