[tor-dev] [tor-assistants] Python metrics-lib

Beck Chen csybeck at gmail.com
Sun May 13 07:04:12 UTC 2012

Hi Karsten & Damian,

I've been trying to port function determineKeyHash() from
VerifyDescriptors.java to stem, and it turned out to be more
complicated than I thought due to my unfamiliarity to many
cryptography terms and standards. I finally figured out a way to do it
by using a light-weighted library called Python-RSA, and it solved my
problem in no more than 5 lines of code. I realized that I should get
better understanding of some basic stuff before I move on.

Here's the python code that verifies the key hash:
>> import rsa, hashlib
>> pubkey = rsa.PublicKey.load_pkcs1(desc.signing_key)
>> der_encoded = pubkey.save_pkcs1(format = "DER")
>> hashlib.sha1(der_encoded).hexdigest() == desc.fingerprint.lower()

1. Specs says signing key is "a public key in PEM format" [1], but
what standard does it use? I tried to use M2Crypto, a Python wrapper
for OpenSSL, to import this key, but failed. Then I found out that
OpenSSL uses X.509 for its public keys, thus M2Crypto only supports
X.509 public keys. Then I looked at the Java code for
determineKeyHash() and it suggests that the key uses PKCS standard. It
seems that PKCS#1 is the final answer, but the javadoc page of
PEMReader in BouncyCastle says it can read "OpenSSL PEM encoded
streams containing X509 certificates, PKCS8 encoded keys and PKCS7
objects" [2]. So is it PKCS#1 or PKCS#8? And what's the difference?

2. Specs says fingerprint is "a HASH_LEN-byte of asn1 encoded public
key, encoded in hex" [1]. But to me, it seems to be "a SHA1 digest of
DER encoded public key, encoded in hex". Specifically, is it necessary
to specify the length of fingerprint? And ASN1 is a standard with
several possible encoding rules, do we always use DER?

I know that's a lot of questions...thanks!


PS. Are you guys getting email updates from ticket #5810? I'm doubting
that you two are not actually CCed since no one is replying...
PSS. Do we need to keep Ravi in this conversation?
PSSS. Should I wrap up my email to 78 words per line?

[1]. https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=dir-spec.txt
[2]. http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/openssl/PEMReader.html

More information about the tor-dev mailing list