author | Tobias Nießen <tniessen@tnie.de> | 2022-04-01 13:35:27 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-01 13:35:27 +0300 |
commit | d484cba6a061a20663b8a5b33f50c7d89277bc96 (patch) | |
tree | b1859cb41a602fb672f582eda971aada6c63b142 /doc/api/crypto.md | |
parent | 8dbdca8ed3f56c458436229bc0e441457860d319 (diff) |
doc: guide towards x509.fingerprint256

Recommend using x509.fingerprint256 instead of x509.fingerprint and
x509.fingerprint512 and suggest using it instead of x509.serialNumber
in order to uniquely identify certificates.

PR-URL: https://github.com/nodejs/node/pull/42516
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tierney Cyren <hello@bnb.im>

Diffstat (limited to 'doc/api/crypto.md')
-rw-r--r-- | doc/api/crypto.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/api/crypto.md b/doc/api/crypto.md index ff35c136d8a..2de0fb82347 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -2627,6 +2627,10 @@ added: v15.6.0 The SHA-1 fingerprint of this certificate. +Because SHA-1 is cryptographically broken and because the security of SHA-1 is +significantly worse than that of algorithms that are commonly used to sign +certificates, consider using [`x509.fingerprint256`][] instead. + ### `x509.fingerprint256` <!-- YAML @@ -2649,6 +2653,12 @@ added: The SHA-512 fingerprint of this certificate. +Because computing the SHA-256 fingerprint is usually faster and because it is +only half the size of the SHA-512 fingerprint, [`x509.fingerprint256`][] may be +a better choice. While SHA-512 presumably provides a higher level of security in +general, the security of SHA-256 matches that of most algorithms that are +commonly used to sign certificates. + ### `x509.infoAccess` <!-- YAML @@ -2738,6 +2748,10 @@ added: v15.6.0 The serial number of this certificate. +Serial numbers are assigned by certificate authorities and do not uniquely +identify certificates. Consider using [`x509.fingerprint256`][] as a unique +identifier instead. + ### `x509.subject` <!-- YAML @@ -6137,6 +6151,7 @@ See the [list of SSL OP Flags][] for details. [`util.promisify()`]: util.md#utilpromisifyoriginal [`verify.update()`]: #verifyupdatedata-inputencoding [`verify.verify()`]: #verifyverifyobject-signature-signatureencoding +[`x509.fingerprint256`]: #x509fingerprint256 [caveats when using strings as inputs to cryptographic APIs]: #using-strings-as-inputs-to-cryptographic-apis [certificate object]: tls.md#certificate-object [encoding]: buffer.md#buffers-and-character-encodings |
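Review bot: "cryptographically broken" in the sentence added under `x509.fingerprint` (hunk @@ -2627,6 +2627,10 @@) does not say which property of SHA-1 has failed, so a reader cannot tell whether an existing comparison against a known SHA-1 fingerprint is affected. Suggest naming the property, for example "Because SHA-1 is no longer collision resistant ...", and folding the two "because" clauses into one, since the second largely restates the first.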
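Review bot: "presumably" in the paragraph added under `x509.fingerprint512` (hunk @@ -2649,6 +2653,12 @@) leaves it unclear whether the security comparison is established, and "usually faster" is stated without a condition. Suggest resting the recommendation on the parts that are fixed, namely that the SHA-256 fingerprint is half the size and that SHA-256 matches the strength of commonly used certificate signature algorithms, and either dropping the speed claim or saying when it holds.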
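Review bot: "do not uniquely identify certificates" in the paragraph added under `x509.serialNumber` (hunk @@ -2738,6 +2748,10 @@) is missing its scope. The same sentence says serial numbers are assigned by certificate authorities, so the uniqueness problem arises across issuers; suggest wording such as "do not uniquely identify certificates across different issuers" so that the recommendation of `x509.fingerprint256` follows directly from the stated reason.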