From 12a489768a6bb2c13e16e54617139c980f99a658 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Wed, 11 Nov 2020 20:59:09 +0300
Subject: [PATCH] feat: add support for SPKI fingerprint generation and matching
This can be used to allow only specific certificates with TLS.
Signed-off-by: Andrey Smirnov
---
 .conform.yaml | 34 ++++++++
 .dockerignore | 4 +-
 .drone.yml | 57 +++++++-------
 .markdownlint.json | 9 +++
 Dockerfile | 24 ++++--
 Makefile | 24 +++---
 hack/git-chglog/CHANGELOG.tpl.md | 26 +++++++
 hack/git-chglog/config.yaml | 32 ++++++++
 hack/release.sh | 60 ++++++++++++++
 tls/provider.go | 2 +
 x509/fingerprint.go | 94 ++++++++++++++++++++++
 x509/fingerprint_test.go | 129 +++++++++++++++++++++++++++++++
 12 files changed, 448 insertions(+), 47 deletions(-)
 create mode 100644 .conform.yaml
 create mode 100644 .markdownlint.json
 create mode 100644 hack/git-chglog/CHANGELOG.tpl.md
 create mode 100644 hack/git-chglog/config.yaml
 create mode 100755 hack/release.sh
 create mode 100644 x509/fingerprint.go
 create mode 100644 x509/fingerprint_test.go
diff --git a/.conform.yaml b/.conform.yaml
new file mode 100644
index 0000000..2fb0ad7
--- /dev/null
+++ b/.conform.yaml
@@ -0,0 +1,34 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+policies:
+- type: commit
+ spec:
+ dco: true
+ gpg: false
+ spellcheck:
+ locale: US
+ maximumOfOneCommit: true
+ header:
+ length: 89
+ imperative: true
+ case: lower
+ invalidLastCharacters: .
+ body:
+ required: true
+ conventional:
+ types: ["chore","docs","perf","refactor","style","test","release"]
+ scopes: ["*"]
+- type: license
+ spec:
+ skipPaths:
+ - .git/
+ includeSuffixes:
+ - .go
+ excludeSuffixes:
+ - .pb.go
+ header: |
+ // This Source Code Form is subject to the terms of the Mozilla Public
+ // License, v. 2.0. If a copy of the MPL was not distributed with this
+ // file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/.dockerignore b/.dockerignore index 95eee5d..b4ebd2d 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2020-08-17T13:49:58Z by kres 3d35a96-dirty. +# Generated on 2020-11-11T19:39:46Z by kres latest. ** !tls @@ -8,3 +8,5 @@ !go.mod !go.sum !.golangci.yml +!README.md +!.markdownlint.json diff --git a/.drone.yml b/.drone.yml index ee3d9a2..fbfea58 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1,7 +1,7 @@ --- # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2020-08-13T17:14:02Z by kres f4c4987. +# Generated on 2020-11-11T19:40:41Z by kres latest. kind: pipeline type: kubernetes @@ -29,10 +29,10 @@ steps: path: /var/outer-run - name: docker-socket path: /var/run - - name: ssh - path: /root/.ssh - name: buildx path: /root/.docker/buildx + - name: ssh + path: /root/.ssh - name: base pull: always @@ -44,29 +44,12 @@ steps: path: /var/outer-run - name: docker-socket path: /var/run - - name: ssh - path: /root/.ssh - name: buildx path: /root/.docker/buildx - depends_on: - - setup-ci - -- name: lint - pull: always - image: autonomy/build-container:latest - commands: - - make lint - volumes: - - name: outer-docker-socket - path: /var/outer-run - - name: docker-socket - path: /var/run - name: ssh path: /root/.ssh - - name: buildx - path: /root/.docker/buildx depends_on: - - base + - setup-ci - name: unit-tests pull: always @@ -78,10 +61,10 @@ steps: path: /var/outer-run - name: docker-socket path: /var/run - - name: ssh - path: /root/.ssh - name: buildx path: /root/.docker/buildx + - name: ssh + path: /root/.ssh depends_on: - base @@ -95,10 +78,10 @@ steps: path: /var/outer-run - name: docker-socket path: /var/run - - name: ssh - path: /root/.ssh - name: buildx path: /root/.docker/buildx + - name: ssh + path: /root/.ssh depends_on: - base 
@@ -115,12 +98,29 @@ steps: path: /var/outer-run - name: docker-socket path: /var/run + - name: buildx + path: /root/.docker/buildx - name: ssh path: /root/.ssh + depends_on: + - unit-tests + +- name: lint + pull: always + image: autonomy/build-container:latest + commands: + - make lint + volumes: + - name: outer-docker-socket + path: /var/outer-run + - name: docker-socket + path: /var/run - name: buildx path: /root/.docker/buildx + - name: ssh + path: /root/.ssh depends_on: - - unit-tests + - base services: - name: docker @@ -132,17 +132,16 @@ services: - --dns=8.8.4.4 - --mtu=1500 - --log-level=error - - --insecure-registry=http://registry.ci.svc:5000 privileged: true volumes: - name: outer-docker-socket path: /var/outer-run - name: docker-socket path: /var/run - - name: ssh - path: /root/.ssh - name: buildx path: /root/.docker/buildx + - name: ssh + path: /root/.ssh volumes: - name: outer-docker-socket diff --git a/.markdownlint.json b/.markdownlint.json new file mode 100644 index 0000000..efa6cbb --- /dev/null +++ b/.markdownlint.json @@ -0,0 +1,9 @@ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2020-11-11T19:39:46Z by kres latest. + +{ + "MD013": false, + "MD033": false, + "default": true + } diff --git a/Dockerfile b/Dockerfile index e1b62cf..4e7d7c4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,10 +2,19 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2020-08-17T13:49:58Z by kres 3d35a96-dirty. +# Generated on 2020-11-11T19:39:46Z by kres latest. ARG TOOLCHAIN +# runs markdownlint +FROM node:14.8.0-alpine AS lint-markdown +RUN npm i -g markdownlint-cli@0.23.2 +RUN npm i sentences-per-line@0.2.1 +WORKDIR /src +COPY .markdownlint.json . +COPY ./README.md ./README.md +RUN markdownlint --ignore "**/node_modules/**" --ignore '**/hack/chglog/**' --rules /node_modules/sentences-per-line/index.js . + # base toolchain image FROM ${TOOLCHAIN} AS toolchain RUN apk --update --no-cache add bash curl build-base @@ -14,6 +23,7 @@ RUN apk --update --no-cache add bash curl build-base FROM toolchain AS tools ENV GO111MODULE on ENV CGO_ENABLED 0 +ENV GOPATH /go RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b /bin v1.30.0 ARG GOFUMPT_VERSION RUN cd $(mktemp -d) \ @@ -26,11 +36,11 @@ FROM tools AS base WORKDIR /src COPY ./go.mod . COPY ./go.sum . -RUN go mod download -RUN go mod verify +RUN --mount=type=cache,target=/go/pkg go mod download +RUN --mount=type=cache,target=/go/pkg go mod verify COPY ./tls ./tls COPY ./x509 ./x509 -RUN go list -mod=readonly all >/dev/null +RUN --mount=type=cache,target=/go/pkg go list -mod=readonly all >/dev/null # runs gofumpt FROM base AS lint-gofumpt 
@@ -41,17 +51,17 @@ RUN FILES="$(gofumports -l -local github.com/talos-systems/crypto .)" && test -z FROM base AS lint-golangci-lint COPY .golangci.yml . ENV GOGC 50 -RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint golangci-lint run --config .golangci.yml +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint --mount=type=cache,target=/go/pkg golangci-lint run --config .golangci.yml # runs unit-tests with race detector FROM base AS unit-tests-race ARG TESTPKGS -RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/tmp CGO_ENABLED=1 go test -v -race -count 1 ${TESTPKGS} +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp CGO_ENABLED=1 go test -v -race -count 1 ${TESTPKGS} # runs unit-tests FROM base AS unit-tests-run ARG TESTPKGS -RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -count 1 ${TESTPKGS} +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -count 1 ${TESTPKGS} FROM scratch AS unit-tests COPY --from=unit-tests-run /src/coverage.txt /coverage.txt diff --git a/Makefile b/Makefile index 98dc5c5..81a91b9 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2020-08-13T17:14:02Z by kres f4c4987. +# Generated on 2020-11-11T19:40:41Z by kres latest. # common variables 
@@ -8,13 +8,13 @@ SHA := $(shell git describe --match=none --always --abbrev=8 --dirty) TAG := $(shell git describe --tag --always --dirty) BRANCH := $(shell git rev-parse --abbrev-ref HEAD) ARTIFACTS := _out -REGISTRY ?= docker.io -USERNAME ?= autonomy +REGISTRY ?= ghcr.io +USERNAME ?= talos-systems REGISTRY_AND_USERNAME ?= $(REGISTRY)/$(USERNAME) GOFUMPT_VERSION ?= abc0db2c416aca0f60ea33c23c76665f6e7ba0b6 GO_VERSION ?= 1.14 TESTPKGS ?= ./... -KRES_IMAGE ?= autonomy/kres:latest +KRES_IMAGE ?= ghcr.io/talos-systems/kres:latest # docker build settings @@ -34,7 +34,7 @@ COMMON_ARGS += --build-arg=USERNAME=$(USERNAME) COMMON_ARGS += --build-arg=TOOLCHAIN=$(TOOLCHAIN) COMMON_ARGS += --build-arg=GOFUMPT_VERSION=$(GOFUMPT_VERSION) COMMON_ARGS += --build-arg=TESTPKGS=$(TESTPKGS) -TOOLCHAIN ?= docker.io/golang:1.14-alpine +TOOLCHAIN ?= docker.io/golang:1.15-alpine # help menu @@ -69,7 +69,7 @@ respectively. endef -all: lint unit-tests +all: unit-tests lint .PHONY: clean clean: ## Cleans up all artifacts. @@ -98,9 +98,6 @@ fmt: ## Formats the source code base: ## Prepare base toolchain @$(MAKE) target-$@ -.PHONY: lint -lint: lint-golangci-lint lint-gofumpt ## Run all linters for the project. - .PHONY: unit-tests unit-tests: ## Performs unit tests @$(MAKE) local-$@ DEST=$(ARTIFACTS) @@ -113,10 +110,17 @@ unit-tests-race: ## Performs unit tests with race detection enabled. coverage: ## Upload coverage data to codecov.io. bash -c "bash <(curl -s https://codecov.io/bash) -f $(ARTIFACTS)/coverage.txt -X fix" +.PHONY: lint-markdown +lint-markdown: ## Runs markdownlint. + @$(MAKE) target-$@ + +.PHONY: lint +lint: lint-golangci-lint lint-gofumpt lint-markdown ## Run all linters for the project. + .PHONY: rekres rekres: @docker pull $(KRES_IMAGE) - @docker run --rm -v $(PWD):/src -w /src $(KRES_IMAGE) + @docker run --rm -v $(PWD):/src -w /src -e GITHUB_TOKEN $(KRES_IMAGE) .PHONY: help help: ## This help menu. 
diff --git a/hack/git-chglog/CHANGELOG.tpl.md b/hack/git-chglog/CHANGELOG.tpl.md
new file mode 100644
index 0000000..cb7ce74
--- /dev/null
+++ b/hack/git-chglog/CHANGELOG.tpl.md
@@ -0,0 +1,26 @@
+
+
+
+
+{{ range .Versions }}
+
+## {{ if .Tag.Previous }}[{{ .Tag.Name }}]({{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}){{ else }}{{ .Tag.Name }}{{ end }} ({{ datetime "2006-01-02" .Tag.Date }})
+
+{{ range .CommitGroups -}}
+### {{ .Title }}
+
+{{ range .Commits -}}
+* {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+
+{{- if .NoteGroups -}}
+{{ range .NoteGroups -}}
+### {{ .Title }}
+
+{{ range .Notes }}
+{{ .Body }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+{{ end -}}
diff --git a/hack/git-chglog/config.yaml b/hack/git-chglog/config.yaml
new file mode 100644
index 0000000..85d849a
--- /dev/null
+++ b/hack/git-chglog/config.yaml
@@ -0,0 +1,32 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+style: github
+template: CHANGELOG.tpl.md
+info:
+ title: CHANGELOG
+ repository_url: https://github.com/talos-systems/crypto
+options:
+ commits:
+ # filters:
+ # Type:
+ # - feat
+ # - fix
+ # - perf
+ # - refactor
+ commit_groups:
+ # title_maps:
+ # feat: Features
+ # fix: Bug Fixes
+ # perf: Performance Improvements
+ # refactor: Code Refactoring
+ header:
+ pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
+ pattern_maps:
+ - Type
+ - Scope
+ - Subject
+ notes:
+ keywords:
+ - BREAKING CHANGE
diff --git a/hack/release.sh b/hack/release.sh
new file mode 100755
index 0000000..72b496c
--- /dev/null
+++ b/hack/release.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+
+set -e
+
+function changelog {
+ if [ "$#" -eq 1 ]; then
+ git-chglog --output CHANGELOG.md -c ./hack/git-chglog/config.yaml --tag-filter-pattern "^${1}" "${1}.0-alpha.0.."
+ elif [ "$#" -eq 0 ]; then
+ git-chglog --output CHANGELOG.md -c ./hack/git-chglog/config.yaml
+ else
+ echo 1>&2 "Usage: $0 changelog [tag]"
+ exit 1
+ fi
+}
+
+function release-notes {
+ git-chglog --output ${1} -c ./hack/git-chglog/config.yaml "${2}"
+}
+
+function cherry-pick {
+ if [ $# -ne 2 ]; then
+ echo 1>&2 "Usage: $0 cherry-pick "
+ exit 1
+ fi
+
+ git checkout $2
+ git fetch
+ git rebase upstream/$2
+ git cherry-pick -x $1
+}
+
+function commit {
+ if [ $# -ne 1 ]; then
+ echo 1>&2 "Usage: $0 commit "
+ exit 1
+ fi
+
+ git commit -s -m "release($1): prepare release" -m "This is the official $1 release."
+}
+
+if declare -f "$1" > /dev/null
+then
+ cmd="$1"
+ shift
+ $cmd "$@"
+else
+ cat <