URL: https://github.com/freeipa/freeipa/pull/504
Author: tomaskrizek
 Title: #504: Add SHA256 fingerprints
Action: opened

PR body:
"""
As discussed on the [devel list](https://www.redhat.com/archives/freeipa-devel/2017-February/msg01095.html), adding SHA256 fingerprints for certs and keeping SHA1 as well.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/504/head:pr504
git checkout pr504
From 690ff813eefec7a16a9c6c330fb005a47efbdb85 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Thu, 23 Feb 2017 17:03:01 +0100
Subject: [PATCH 1/2] Add SHA256 fingerprints for certs

https://fedorahosted.org/freeipa/ticket/6701
---
 install/ui/src/freeipa/certificate.js          | 5 +++++
 install/ui/test/data/cert_request.json         | 1 +
 install/ui/test/data/cert_show.json            | 1 +
 install/ui/test/data/service_show.json         | 1 +
 ipaserver/plugins/cert.py                      | 6 ++++++
 ipaserver/plugins/host.py                      | 4 ++++
 ipaserver/plugins/service.py                   | 6 ++++++
 ipatests/test_xmlrpc/test_host_plugin.py       | 1 +
 ipatests/test_xmlrpc/test_service_plugin.py    | 7 +++++++
 ipatests/test_xmlrpc/tracker/host_plugin.py    | 1 +
 ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++--
 11 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index b86c6cf..d7a50d7 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) {
             serial_number: result.serial_number,
             serial_number_hex: result.serial_number_hex,
             sha1_fingerprint: result.sha1_fingerprint,
+            sha256_fingerprint: result.sha256_fingerprint,
             subject: result.subject,
             valid_not_after: result.valid_not_after,
             valid_not_before: result.valid_not_before
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() {
     add_param('sha1_fingerprint',
                 text.get('@i18n:objects.cert.sha1_fingerprint'),
                 text.get('@i18n:objects.cert.sha1_fingerprint'));
+    add_param('sha256_fingerprint',
+                text.get('@i18n:objects.cert.sha256_fingerprint'),
+                text.get('@i18n:objects.cert.sha256_fingerprint'));
     add_param('certificate',
                 text.get('@i18n:objects.cert.certificate'),
                 text.get('@i18n:objects.cert.certificate'));
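Review bot: The added `add_param` call looks up `@i18n:objects.cert.sha256_fingerprint` twice, but no file in this patch defines that translation key (the diffstat has no change to the server-side i18n message table), so unless the key is already present elsewhere the UI will show a missing-string fallback for the new column. The sibling `sha1_fingerprint` key presumably has a matching server-side entry; the SHA256 label needs the same, e.g. a `"sha256_fingerprint": _("Fingerprint (SHA256)")` entry next to it. The enclosing `create_cert_metadata` function starts before and ends after this hunk.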
@@ -1755,6 +1759,7 @@ return {
                         'valid_not_before',
                         'valid_not_after',
                         'sha1_fingerprint',
+                        'sha256_fingerprint',
                         {
                             $type: 'revocation_reason',
                             name: 'revocation_reason'
diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json
index f8d8544..c610830 100644
--- a/install/ui/test/data/cert_request.json
+++ b/install/ui/test/data/cert_request.json
@@ -8,6 +8,7 @@
             "request_id": "1",
             "serial_number": "1",
             "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
+            "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30",
             "subject": "CN=dev.example.com,O=EXAMPLE.COM",
             "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC",
             "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC"
diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json
index 4942e63..6f1e9d3 100644
--- a/install/ui/test/data/cert_show.json
+++ b/install/ui/test/data/cert_show.json
@@ -7,6 +7,7 @@
             "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
             "serial_number": "1",
             "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
+            "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30",
             "subject": "CN=dev.example.com,O=EXAMPLE.COM",
             "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC",
             "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC"
diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json
index 213dfff..597f3ad 100644
--- a/install/ui/test/data/service_show.json
+++ b/install/ui/test/data/service_show.json
@@ -50,6 +50,7 @@
             "serial_number": "1",
             "serial_number_hex": "0x1",
             "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
+            "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30",
             "subject": "CN=dev.example.com,O=EXAMPLE.COM",
             "usercertificate": [
                 {
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 585a70e..ebf57e1 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -349,6 +349,10 @@ class BaseCertObject(Object):
             'sha1_fingerprint',
             label=_('Fingerprint (SHA1)'),
             flags={'no_create', 'no_update', 'no_search'},
+        Str(
+            'sha256_fingerprint',
+            label=_('Fingerprint (SHA256)'),
+            flags={'no_create', 'no_update', 'no_search'},
         ),
         Int(
             'serial_number',
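Review bot: The new `Str(` at the top of the added lines is placed before the `),` that closes the preceding `sha1_fingerprint` entry, so as patched the SHA256 `Str(...)` becomes a positional argument of the SHA1 `Str(...)` call after its keyword arguments, which Python rejects as a SyntaxError ("positional argument follows keyword argument"). The closing line of the SHA1 entry must precede the new one: insert `        ),` immediately before `        Str(` / `            'sha256_fingerprint',`. The `BaseCertObject` takes_params list continues outside the hunk on both sides.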
@@ -390,6 +394,8 @@ def _parse(self, obj, full=True):
             if full:
                 obj['sha1_fingerprint'] = x509.to_hex_with_colons(
                     cert.fingerprint(hashes.SHA1()))
+                obj['sha256_fingerprint'] = x509.to_hex_with_colons(
+                    cert.fingerprint(hashes.SHA256()))
 
             general_names = x509.process_othernames(
                     x509.get_san_general_names(cert))
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 7ceec8e..dcadd54 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -514,6 +514,10 @@ class host(LDAPObject):
             label=_('Fingerprint (SHA1)'),
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
+        Str('sha256_fingerprint',
+            label=_('Fingerprint (SHA256)'),
+            flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+        ),
         Str('revocation_reason?',
             label=_('Revocation reason'),
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 3349889..03271d6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -276,6 +276,8 @@ def set_certificate_attrs(entry_attrs):
     entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
     entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
         cert.fingerprint(hashes.SHA1()))
+    entry_attrs['sha256_fingerprint'] = x509.to_hex_with_colons(
+        cert.fingerprint(hashes.SHA256()))
 
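Review bot: The added SHA256 computation in `set_certificate_attrs` is a second copy of the exact expression this commit also adds to `_parse` in ipaserver/plugins/cert.py (`x509.to_hex_with_colons(cert.fingerprint(hashes.SHA256()))`), and the SHA1 line above it is already duplicated the same way. A small shared helper, e.g. `def fingerprints(cert): return {name: x509.to_hex_with_colons(cert.fingerprint(h())) for name, h in (('sha1_fingerprint', hashes.SHA1), ('sha256_fingerprint', hashes.SHA256))}`, would keep the two call sites from drifting if another digest is added or SHA1 is eventually dropped. The start of `set_certificate_attrs` is outside the hunk.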
 def check_required_principal(ldap, principal):
     """
@@ -506,6 +508,10 @@ class service(LDAPObject):
             label=_('Fingerprint (SHA1)'),
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
+        Str('sha256_fingerprint',
+            label=_('Fingerprint (SHA256)'),
+            flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+        ),
         Str('revocation_reason?',
             label=_('Revocation reason'),
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index e9a9623..e4d6ee9 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -235,6 +235,7 @@ def test_update_simple(self, host):
                         serial_number=fuzzy_digits,
                         serial_number_hex=fuzzy_hex,
                         sha1_fingerprint=fuzzy_hash,
+                        sha256_fingerprint=fuzzy_hash,
                         subject=DN(('CN', api.env.host), x509.subject_base()),
                         valid_not_before=fuzzy_date,
                         valid_not_after=fuzzy_date,
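Review bot: The new expectation reuses `fuzzy_hash` for `sha256_fingerprint`, the same matcher used for the 20-byte SHA1 value; unless that pattern is length-anchored it will accept a SHA1-length string in the SHA256 field, so the test cannot catch the wrong digest being emitted, and if it is anchored to SHA1's length the new assertion fails outright. A dedicated matcher such as `fuzzy_sha256 = Fuzzy(r'^([a-f0-9]{2}:){31}[a-f0-9]{2}$')` would pin the 32-byte colon-hex form. The same applies to every `sha256_fingerprint=fuzzy_hash` line added in ipatests/test_xmlrpc/test_service_plugin.py; `test_update_simple` continues outside the hunk.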
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index a2db6fc..514ca5b 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -466,6 +466,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                 ),
             ),
@@ -488,6 +489,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                 ),
             ),
@@ -524,6 +526,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                 ),
             ),
@@ -552,6 +555,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                 ),
             ),
@@ -576,6 +580,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                     krbticketflags=[u'1048704'],
                     ipakrbokasdelegate=True,
@@ -603,6 +608,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                     krbticketflags=[u'1048577'],
                 ),
@@ -628,6 +634,7 @@ class test_service(Declarative):
                     serial_number=fuzzy_digits,
                     serial_number_hex=fuzzy_hex,
                     sha1_fingerprint=fuzzy_hash,
+                    sha256_fingerprint=fuzzy_hash,
                     issuer=fuzzy_issuer,
                     krbticketflags=[u'1'],
                     ipakrbokasdelegate=False,
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index 9d25ae1..81aac9d 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -27,6 +27,7 @@ class HostTracker(KerberosAliasMixin, Tracker):
         'krbprincipalname', 'managedby_host',
         'has_keytab', 'has_password', 'issuer',
         'serial_number', 'serial_number_hex', 'sha1_fingerprint',
+        'sha256_fingerprint',
         'subject', 'usercertificate', 'valid_not_after', 'valid_not_before',
         'macaddress', 'sshpubkeyfp', 'ipaallowedtoperform_read_keys_user',
         'memberof_hostgroup', 'memberofindirect_hostgroup',
diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index 1accb6d..58b3be0 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -37,8 +37,8 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
         u'dn', u'krbprincipalname', u'usercertificate', u'has_keytab',
         u'ipakrbauthzdata', u'ipaallowedtoperform', u'subject',
         u'managedby', u'serial_number', u'serial_number_hex', u'issuer',
-        u'valid_not_before', u'valid_not_after',
-        u'sha1_fingerprint', u'krbprincipalauthind', u'managedby_host',
+        u'valid_not_before', u'valid_not_after', u'sha1_fingerprint',
+        u'sha256_fingerprint', u'krbprincipalauthind', u'managedby_host',
         u'krbcanonicalname'}
     retrieve_all_keys = retrieve_keys | {
         u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData',

From f26f6d11aed56bbc8054366fbf9e8201640e8380 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Thu, 23 Feb 2017 17:23:52 +0100
Subject: [PATCH 2/2] Use SHA256 for file digest instead of SHA1

https://fedorahosted.org/freeipa/ticket/6701
---
 install/share/copy-schema-to-ca.py | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 4daed6f..bb57af6 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -15,7 +15,7 @@
 import pwd
 import shutil
 
-from hashlib import sha1
+from hashlib import sha256
 
 from ipaplatform.paths import paths
 from ipapython import ipautil
@@ -55,9 +55,9 @@
 )
 
 
-def _sha1_file(filename):
+def _file_digest(filename):
     with open(filename, 'rb') as f:
-        return sha1(f.read()).hexdigest()
+        return sha256(f.read()).hexdigest()
 
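Review bot: `_file_digest` has no docstring, and its name no longer says which algorithm it returns, which the callers' log lines depend on. A one-line docstring such as `"""Return the hex SHA256 digest of the whole contents of *filename* (read into memory at once)."""` records both the algorithm and the fact that the file is read in a single `f.read()`, which is fine for schema files but worth stating for anyone reusing the helper.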
 
 def add_ca_schema():
@@ -72,17 +72,17 @@ def add_ca_schema():
             root_logger.debug('File does not exist: %s', source_fname)
             continue
         if os.path.exists(target_fname):
-            target_sha1 = _sha1_file(target_fname)
-            source_sha1 = _sha1_file(source_fname)
-            if target_sha1 != source_sha1:
+            target_digest = _file_digest(target_fname)
+            source_digest = _file_digest(source_fname)
+            if target_digest != source_digest:
                 target_size = os.stat(target_fname).st_size
                 source_size = os.stat(source_fname).st_size
                 root_logger.info('Target file %s exists but the content is '
                                  'different', target_fname)
-                root_logger.info('\tTarget file: sha1: %s, size: %s B',
-                                 target_sha1, target_size)
-                root_logger.info('\tSource file: sha1: %s, size: %s B',
-                                 source_sha1, source_size)
+                root_logger.info('\tTarget file: sha256: %s, size: %s B',
+                                 target_digest, target_size)
+                root_logger.info('\tSource file: sha256: %s, size: %s B',
+                                 source_digest, source_size)
                 if not ipautil.user_input("Do you want replace %s file?" %
                                           target_fname, True):
                     continue
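Review bot: The two rewritten `root_logger.info` calls hardcode the string `sha256` independently of `_file_digest`, which is exactly the coupling this commit had to repair for `sha1`; the next algorithm change will need the same three-place edit. Deriving the label from the hash object keeps them in sync, e.g. `root_logger.info('\tTarget file: %s: %s, size: %s B', sha256().name, target_digest, target_size)` and the same for the source line, or have `_file_digest` return the digest name alongside the hex string. `add_ca_schema` starts before and ends after this hunk.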
-- 