Include thumbprint functions

[victorolinasc]

I think it is quite common to work with thumbprints when handling x509. For example, JWKS has the following standard claims among others:

• x5t: thumbprint using sha1
• x5t#S256: thumbprint using sha256

We can, currently, generate a thumbprint by doing something like:

:crypto.hash(:sha, X509.Certificate.to_der(cert)) |> Base.url_encode64(padding: false)

I've spent a while trying to find how openssl generates the thumbprint with some confusing answers. It would be great if this was built-in to avoid confusing implementations.

Thanks for your wonderful work!

[voltone]

Essentially these fingerprints are always some hash over the DER encoded certificate. The question is which hash, and how to represent it: hex (lowercase or uppercase?), base64 (regular or url-safe? with or without padding)?

To be honest I'm not sure if adding a handful of variants would help, or would just cause more confusion when people are trying to match them with yet another variant that their browser or CLI tool displays...

[victorolinasc]

You are totally right! Forgot about the mess in browsers about this concept. The differences does indeed exist.

I came here from the JWKS specification which specifies the encoding to be base64_url https://tools.ietf.org/html/rfc7515#page-12 so, at least in some places, the encoding is standardized.

Please, feel free to close this if you think is not needed/wanted. Thanks again for your attention :)