URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: synchronized
From 52c0822be0f0a2f338612a790b298284b46a89ec Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 6 Jan 2017 09:08:52 +0100 Subject: [PATCH] Remove md5_fingerprints from IPA MD5 is a grandpa and FIPS does not like it at all. https://fedorahosted.org/freeipa/ticket/5695 --- install/ui/src/freeipa/certificate.js | 8 -------- install/ui/test/data/cert_request.json | 1 - install/ui/test/data/cert_show.json | 1 - install/ui/test/data/ipa_init.json | 1 - install/ui/test/data/service_show.json | 1 - ipaserver/plugins/cert.py | 7 ------- ipaserver/plugins/host.py | 4 ---- ipaserver/plugins/internal.py | 1 - ipaserver/plugins/service.py | 6 ------ ipatests/test_xmlrpc/test_host_plugin.py | 1 - ipatests/test_xmlrpc/test_service_plugin.py | 7 ------- ipatests/test_xmlrpc/tracker/host_plugin.py | 2 +- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 13 files changed, 2 insertions(+), 40 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index 4666b1a..b86c6cf 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -361,7 +361,6 @@ IPA.cert.view_dialog = function(spec) { that.issuer = IPA.cert.parse_dn(spec.certificate.issuer); that.issued_on = spec.certificate.valid_not_before || ''; that.expires_on = spec.certificate.valid_not_after || ''; - that.md5_fingerprint = spec.certificate.md5_fingerprint || ''; that.sha1_fingerprint = spec.certificate.sha1_fingerprint || ''; that.sha256_fingerprint = spec.certificate.sha256_fingerprint || ''; @@ -427,8 +426,6 @@ IPA.cert.view_dialog = function(spec) { table_layout = that.create_layout().appendTo(that.container); - new_row('@i18n:objects.cert.md5_fingerprint', that.md5_fingerprint) - .appendTo(table_layout); new_row('@i18n:objects.cert.sha1_fingerprint', that.sha1_fingerprint) .appendTo(table_layout); new_row('@i18n:objects.cert.sha256_fingerprint', that.sha256_fingerprint) 
@@ -570,7 +567,6 @@ IPA.cert.loader = function(spec) { var certificate = { issuer: result.issuer, certificate: result.certificate, - md5_fingerprint: result.md5_fingerprint, revocation_reason: result.revocation_reason, serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, @@ -1579,9 +1575,6 @@ exp.create_cert_metadata = function() { add_param('valid_not_after', text.get('@i18n:objects.cert.expires_on'), text.get('@i18n:objects.cert.expires_on')); - add_param('md5_fingerprint', - text.get('@i18n:objects.cert.md5_fingerprint'), - text.get('@i18n:objects.cert.md5_fingerprint')); add_param('sha1_fingerprint', text.get('@i18n:objects.cert.sha1_fingerprint'), text.get('@i18n:objects.cert.sha1_fingerprint')); @@ -1762,7 +1755,6 @@ return { 'valid_not_before', 'valid_not_after', 'sha1_fingerprint', - 'md5_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index 127183a..f8d8544 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -5,7 +5,6 @@ "result": { "certificate": "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", "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", - "md5_fingerprint": "08:86:a9:f9:87:af:0d:d7:42:01:e0:5f:12:9b:32:7f", "request_id": "1", "serial_number": "1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json index 3e8a8ab..4942e63 100644 --- a/install/ui/test/data/cert_show.json +++ b/install/ui/test/data/cert_show.json 
@@ -5,7 +5,6 @@
 "result": {
 "certificate": "MIICAjCCAWugAwIBAgICBAswDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTAwNzIzMzk0NFoXDTE1MTAwNzIzMzk0NFowKDEMMAoGA1UECgwDSVBBMRgwFgYDVQQDDA9kZXYuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOTXyj8grVB7Rj95RFawgdwn9OYZ03LWHZ+HMYggu2/xCCrUrdThP14YBlVqZumjVJSclj6T4ACjjdPJq9JTTmx7gMizDTReus7IPlS6fCxb5v5whQJZsEksXL04OxUMl25euPRFkYcTK1rdW47+AkG10j1qeNW+B6CpdQGR6eM/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEASIhq723VL5xP0q51MYXFlGU1boD7pPD1pIQspD/MjCIEupcbH2kAo4wf+EiKsXR0rs+WZkaSgvFqaM4OQ2kWSFTiqmFXFDBEi6EFr68yLg7IpQpNTzVBXERd8B4GwNL9wrRw60jPXlUK29DPBsdGq8fDgX18l39wKkWXv7p1to4=",
 "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
- "md5_fingerprint": "08:86:a9:f9:87:af:0d:d7:42:01:e0:5f:12:9b:32:7f",
 "serial_number": "1",
 "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
 "subject": "CN=dev.example.com,O=EXAMPLE.COM",
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 6d11e73..2fe0ef4 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -277,7 +277,6 @@
 "issued_on": "Issued On",
 "issued_to": "Issued To",
 "key_compromise": "Key Compromise",
- "md5_fingerprint": "MD5 Fingerprint",
 "missing": "No Valid Certificate",
 "new_certificate": "New Certificate",
 "new_cert_format": "Certificate in base64 or PEM format",
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json
index 37b85df..213dfff 100644
--- a/install/ui/test/data/service_show.json
+++ b/install/ui/test/data/service_show.json
@@ -47,7 +47,6 @@
 "managedby_host": [
 "dev.example.com"
 ],
- "md5_fingerprint": "08:86:a9:f9:87:af:0d:d7:42:01:e0:5f:12:9b:32:7f",
 "serial_number": "1",
 "serial_number_hex": "0x1",
 "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 0852197..585a70e 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -346,11 +346,6 @@ class BaseCertObject(Object): flags={'no_create', 'no_update', 'no_search'}, ), Str( - 'md5_fingerprint', - label=_('Fingerprint (MD5)'), - flags={'no_create', 'no_update', 'no_search'}, - ), - Str( 'sha1_fingerprint', label=_('Fingerprint (SHA1)'), flags={'no_create', 'no_update', 'no_search'}, @@ -393,8 +388,6 @@ def _parse(self, obj, full=True): obj['valid_not_after'] = x509.format_datetime( cert.not_valid_after) if full: - obj['md5_fingerprint'] = x509.to_hex_with_colons( - cert.fingerprint(hashes.MD5())) obj['sha1_fingerprint'] = x509.to_hex_with_colons( cert.fingerprint(hashes.SHA1())) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 58e711f..7ceec8e 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -510,10 +510,6 @@ class host(LDAPObject): label=_('Not After'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), - Str('md5_fingerprint', - label=_('Fingerprint (MD5)'), - flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, - ), Str('sha1_fingerprint', label=_('Fingerprint (SHA1)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index 0a8139e..e82e5fc 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py @@ -427,7 +427,6 @@ class i18n_messages(Command): "issued_on": _("Issued On"), "issued_to": _("Issued To"), "key_compromise": _("Key Compromise"), - "md5_fingerprint": _("MD5 Fingerprint"), "missing": _("No Valid Certificate"), "new_certificate": _("New Certificate"), "new_cert_format": _("Certificate in base64 or PEM format"), diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 0c49808..3349889 100644 --- a/ipaserver/plugins/service.py 
+++ b/ipaserver/plugins/service.py @@ -274,8 +274,6 @@ def set_certificate_attrs(entry_attrs): entry_attrs['valid_not_before'] = x509.format_datetime( cert.not_valid_before) entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after) - entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons( - cert.fingerprint(hashes.MD5())) entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons( cert.fingerprint(hashes.SHA1())) @@ -504,10 +502,6 @@ class service(LDAPObject): label=_('Not After'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), - Str('md5_fingerprint', - label=_('Fingerprint (MD5)'), - flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, - ), Str('sha1_fingerprint', label=_('Fingerprint (SHA1)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index d4384e1..e9a9623 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -232,7 +232,6 @@ def test_update_simple(self, host): description=[u'Updated host 1'], usercertificate=[base64.b64decode(host_cert)], issuer=fuzzy_issuer, - md5_fingerprint=fuzzy_hash, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index f3940f4..a2db6fc 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -465,7 +465,6 @@ class test_service(Declarative): subject=randomissuer, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), 
@@ -488,7 +487,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -525,7 +523,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -554,7 +551,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -579,7 +575,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1048704'],
@@ -607,7 +602,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1048577'],
@@ -633,7 +627,6 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1'],
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index d980177..9d25ae1 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -25,7 +25,7 @@ class HostTracker(KerberosAliasMixin, Tracker): retrieve_keys = { 'dn', 'fqdn', 'description', 'l', 'krbcanonicalname', 'krbprincipalname', 'managedby_host', - 'has_keytab', 'has_password', 'issuer', 'md5_fingerprint', + 'has_keytab', 'has_password', 'issuer', 'serial_number', 'serial_number_hex', 'sha1_fingerprint', 'subject', 'usercertificate', 'valid_not_after', 'valid_not_before', 'macaddress', 'sshpubkeyfp', 'ipaallowedtoperform_read_keys_user', diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index e0756a8..1accb6d 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -37,7 +37,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): u'dn', u'krbprincipalname', u'usercertificate', u'has_keytab', u'ipakrbauthzdata', u'ipaallowedtoperform', u'subject', u'managedby', u'serial_number', u'serial_number_hex', u'issuer', - u'valid_not_before', u'valid_not_after', u'md5_fingerprint', + u'valid_not_before', u'valid_not_after', u'sha1_fingerprint', u'krbprincipalauthind', u'managedby_host', u'krbcanonicalname'} retrieve_all_keys = retrieve_keys | {