
Document the exact filter "key" format

Open jcjones opened this issue 6 years ago • 1 comments

This line shows that the keys of the bloom filter are the binary concatenation of two binary data fields:

https://github.com/mozilla/crlite/blob/d0b57d3319aa9e2ddc1a0c76b41c28860d9ccdd2/create_filter_cascade/certs_to_crlite.py#L63

sha256(DER-encoded issuer SPKI) || DER-encoded serial number

The first part, being SHA256, is 256 bits long, whereas the remaining bits are the binary serial number in DER-encoding.

SHA256 Hash of DER Subject Public Key Information

The DER-encoded SPKI of the certificate's issuer is then run through the sha256 algorithm.

So

   * A) signing (probably-intermediate) Certificate Authority
   |
   +--------->  B) End Entity in question

We'd be taking the DER-encoded SPKI of (A), taking sha256 of it, and using that.

Serial

serial is the DER-encoded SerialNumber field from the certificate TBSCertificate data structure.

This issue should save this documentation in-tree.

Examples

One per line. Note that the first 256 bits are the SHA256 of the issuer's SPKI, and the remaining bits are the DER-encoded serial number.

VYZwGiJkq3NNo1YRI2RGiSTI1mqTWG8zDcRf1/KAN6IA4yCQuuNtGYIAAAAAVM+Zvw==
VYZwGiJkq3NNo1YRI2RGiSTI1mqTWG8zDcRf1/KAN6IAyakQEgaRVjEAAAAAVM3usw==
9frFyfDp+D9WCFjQblKwXUi5EgVRtx22594YJETOc/ZsYbPf7Xs6sf0eNzRY/mNvbLIp9g==
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QlRgn9Fue01RWA5VHAY0fug
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QkSf162P2BT6Wry7y01ERiH
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QlEWoJId+CLHv/n0y+Px1hf
SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqsN3w8Vsrce7ZCm3os1cLa3
tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb518mCjbYqWeCF+TI/6F+TydHhe4aA==

jcjones avatar Jul 26 '19 22:07 jcjones
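The key layout described in this issue, as an added Python example that is not code from the crlite repository. It assumes the serial part is the content octets of the DER INTEGER (no tag or length byte) and that the example lines are base64; the function names and the sample input are constructed for illustration.

```python
import base64
import hashlib

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes = 256 bits


def make_key(issuer_spki_der: bytes, serial_der: bytes) -> bytes:
    """sha256(DER-encoded issuer SPKI) || DER-encoded serial number."""
    if not serial_der:
        raise ValueError("serial number is empty")
    return hashlib.sha256(issuer_spki_der).digest() + serial_der


def split_key(key: bytes):
    """Split a key into (issuer SPKI hash, serial bytes)."""
    if len(key) <= HASH_LEN:
        raise ValueError("no serial bytes after the 256-bit issuer hash")
    return key[:HASH_LEN], key[HASH_LEN:]


def is_minimal_der_int(serial: bytes) -> bool:
    """True if the bytes are a minimally encoded DER INTEGER body."""
    if not serial:
        return False
    if len(serial) > 1:
        # A leading 0x00 is only allowed when it guards a set high bit,
        # and a leading 0xFF only when the next byte has the high bit clear.
        if serial[0] == 0x00 and serial[1] < 0x80:
            return False
        if serial[0] == 0xFF and serial[1] >= 0x80:
            return False
    return True


# Constructed sample input (assumption): placeholder bytes stand in for a
# real issuer SPKI, and the serial carries the 0x00 sign byte DER requires.
ISSUER_SPKI = b"constructed placeholder, not a real SPKI"
SERIAL = bytes.fromhex("00e3209000000001")


def demo():
    key = make_key(ISSUER_SPKI, SERIAL)
    line = base64.b64encode(key).decode()  # one key per line
    issuer_hash, serial = split_key(base64.b64decode(line))
    # Dropping the sign byte yields a different key, so a lookup built from
    # the bare integer value would not match the entry in the filter.
    stripped = make_key(ISSUER_SPKI, SERIAL.lstrip(b"\x00"))
    return issuer_hash, serial, key != stripped


if __name__ == "__main__":
    h, s, differs = demo()
    print(h.hex(), s.hex(), differs)
```

The serial must be copied byte for byte from the certificate; re-encoding it from its integer value changes the key.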

CRLite Filter Diagram - Identifier(2)

jcjones avatar Jan 06 '20 23:01 jcjones