Obtain the fingerprint of an OpenSSL RSA public key

Question

I've been playing with openssl in order to try to obtain an RSA public key fingerprint. Example:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzYuc22QSst/dS7geYYK
5l5kLxU0tayNdixkEQ17ix+CUcUbKIsnyftZxaCYT46rQtXgCaYRdJcbB3hmyrOa
vkhTpX79xJZnQmfuamMbZBqitvscxW9zRR9tBUL6vdi/0rpoUwPMEh8+Bw7CgYR0
FK0DhWYBNDfe9HKcyZEv3max8Cdq18htxjEsdYO0iwzhtKRXomBWTdhD5ykd/fAC
VTr4+KEY+IeLvubHVmLUhbE5NgWXxrRpGasDqzKhCTmsa2Ysf712rl57SlH0Wz/M
r3F7aM9YpErzeYLrl0GhQr9BVJxOvXcVd4kmY+XkiCcrkyS1cnghnllh+LCwQu1s
YwIDAQAB
-----END PUBLIC KEY-----

I used:

openssl pkey -pubin -in public1 -pubout | openssl sha256 -c

And this is the output:

(stdin)= 06:83:07:a4:50:60:e1:45:7a:4a:43:e7:1a:8e:e9:81:84:20:45:be:4f:d1:c5:eb:a4:28:aa:73:26:3f:36:9b

Is this the fingerprint? If yes, will it work for various openssl keys? How is it being calculated? (I'm asking because I would like to implement it with Python)

Answer 1

I think it's better to digest only the binary contents of Publickey as fingerprint. You can directly decode base64 contents and pipe to openssl sha256:

# Don't forget remove header line and bottom line
sed '1d;$d' ./pub.key | base64 -D | openssl sha256

BTW, openssl pkey -pubin -in ./pub.key -pubout (pubin and pubout) will output same content with your pub.key file like your first example.

I think you want to convert with pkey from pem to der (so that you can avoid maually format and decode base64)

openssl pkey -pubin -in pub.key -outform DER | openssl dgst -sha256 -c