3

As you may know, you can query chrome's HSTS/PKP sets for a domain in the page chrome://net-internals as below:

[screenshot: chrome://net-internals HSTS query result for www.google.com, showing four base64 SHA256 hashes]

As you see above, there are four SHA256 hash values (in the middle of page and in base64 format) for www.google.com.

If we convert those values to hex format, we will have the following values:

ebra@him:~$ echo "iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=" | base64 -d  | od -t x1 -w32
0000000 8a 27 b5 55 7b 4b ec 7c c0 30 5f bf 3d 53 d1 f7 1c d3 f3 49 10 c5 d6 5e 27 ec dd b8 20 77 ba 3d
ebra@him:~$ echo "h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=" | base64 -d  | od -t x1 -w32
0000000 87 af 34 d6 6f b3 f2 fd f3 6e 09 11 1e 9a ba 2f 6f 44 b2 07 f3 86 3f 3d 0b 54 b2 50 23 90 9a a5
ebra@him:~$ echo "7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=" | base64 -d  | od -t x1 -w32
0000000 ec 72 29 69 cb 64 20 0a b6 63 8f 68 ac 53 8e 40 ab ab 5b 19 a6 48 56 61 04 2a 10 61 c4 61 27 76
ebra@him:~$ echo "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA=" | base64 -d  | od -t x1 -w32
0000000 20 f3 1b 0c 08 cb 55 21 a7 b4 63 b7 58 fe 77 5f fc e2 94 25 67 75 ec f9 60 9d be bc 9b e1 26 c0

The question is: why can't I see any of these values in the currently loaded Google certificate in the other tab?

[screenshot: certificate viewer for the loaded www.google.com certificate]

Ebrahim Ghasemi
  • 264
  • 2
  • 10

1 Answer

4

The four hash values you see are SPKI hashes. While the fingerprint you see when looking at the certificate is computed over the whole certificate, the SPKI hash is only computed over the SubjectPublicKeyInfo, i.e. the public key contained in the certificate. See Mozilla:HPKP for more details, including ways to compute the SPKI hash using common tools.

Apart from that, these SPKI hashes do not necessarily specify the leaf certificate (i.e. the one you were looking at). Instead, at least one of the SPKI hashes for a site should match one of the certificates in the certificate chain, i.e. from the leaf up to and including the locally trusted root certificate. This matches the behavior of the HPKP header, which is described in RFC 7469 as follows:

... compute the SPKI Fingerprints for each certificate in the Pinned Host's validated certificate chain ... check that the set of these SPKI Fingerprints intersects the set of SPKI Fingerprints in that Pinned Host's Pinning Metadata

To do the checks manually, one might export every certificate from the browser, compute the SPKI hash (see the first link on how to do this) and then check if it is in the list of preloaded SPKI hashes. For the connection I get to www.google.com I get the following chain (note that I get a different leaf certificate):

[0] www.google.com
cert fingerprint: 27:4C:3B:05:9F:30:5C:C3:C7:EE:23:98:E5:33:21:EE:56:34:E0:40:96:09:1E:87:BE:F0:9D:AF:A7:44:39:12
SPKI hash: He1hxIXPpsnamgIS9IH1HC45P2yj45Py1fi0/JI6JBo=

[1] Google Internet Authority G3
cert fingerprint: BE:0C:CD:54:D4:CE:CD:A1:BD:5E:5D:9E:CC:85:A0:4C:2C:1F:93:A5:22:0D:77:FD:E8:8F:E9:AD:08:1F:64:1B
SPKI hash: f8NnEFZxQ4ExFOhSN7EiFWtiudZQVD2oY60uauV/n78=

[builtin] GlobalSign Root CA - R2
cert fingerprint: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
SPKI hash: iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=

As you can see, the last SPKI hash from the builtin root CA intersects with the preloaded SPKI hashes which means that the validation was successful.

If you want to know what the other SPKI hashes are for you might have a look at the source code for Chromium where it shows the following definition for the PIN set used for the Google domains:

  "name": "google",
  "static_spki_hashes": [
    "GoogleBackup2048",
    "GoogleG2",
    "GeoTrustGlobal",
    "GlobalSignRootCA_R2"
  ],

The last item GlobalSignRootCA_R2 is the one found in the current chain.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
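Added example (not part of the answer above): a shell script that performs the manual check the answer describes, using the openssl recipe from the Mozilla HPKP page to hash only the SubjectPublicKeyInfo and then testing whether any certificate in a chain intersects a pin set. It assumes openssl is installed and, since no real certificate is embedded, builds a throwaway self-signed root plus leaf as constructed input.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl.
set -e

# Base64 SHA-256 pin over the DER SubjectPublicKeyInfo only (Mozilla HPKP recipe).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Fingerprint over the whole certificate: what the certificate viewer shows.
# It never equals an SPKI pin, which is the point of the question.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 if the SPKI pin of any certificate file given as argument
# is contained in the newline-separated pin set passed as first argument.
chain_matches_pins() {
  pins="$1"; shift
  for cert in "$@"; do
    pin=$(spki_pin "$cert")
    if printf '%s\n' "$pins" | grep -qxF "$pin"; then
      echo "match: $cert $pin"
      return 0
    fi
  done
  return 1
}

# Constructed demo chain (hypothetical names): self-signed root signing a leaf.
# Prints the directory holding root.pem and leaf.pem.
make_demo_chain() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.pem" -subj "/CN=Demo Root" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.pem" \
    -days 1 >/dev/null 2>&1
  echo "$dir"
}
```

Pinning the root's SPKI (as Chromium does for GlobalSign Root CA - R2) makes the check succeed on the root entry even though the leaf's pin and the leaf's fingerprint match nothing in the set.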