URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: opened
PR body: """ To be "backward compatible" we cannot remove `md5_fingerprint` so we at least supply the reason why it can't be counted. https://fedorahosted.org/freeipa/ticket/5695 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/482/head:pr482 git checkout pr482
From 24550d5b26adae722c154c98949479e51d03fee7 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 6 Jan 2017 09:08:52 +0100 Subject: [PATCH] Don't count service/host/user cert md5 fprints in FIPS https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/plugins/cert.py | 7 +++++-- ipaserver/plugins/service.py | 9 +++++++-- ipatests/test_xmlrpc/test_host_plugin.py | 6 +++--- ipatests/test_xmlrpc/test_service_plugin.py | 18 ++++++++++-------- ipatests/test_xmlrpc/xmlrpc_test.py | 6 +++++- 5 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 0852197..595bed7 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -393,8 +393,11 @@ def _parse(self, obj, full=True):
 obj['valid_not_after'] = x509.format_datetime(
 cert.not_valid_after)
 if full:
- obj['md5_fingerprint'] = x509.to_hex_with_colons(
- cert.fingerprint(hashes.MD5()))
+ if not self.api.env.fips_mode:
+ obj['md5_fingerprint'] = x509.to_hex_with_colons(
+ cert.fingerprint(hashes.MD5()))
+ else:
+ obj['md5_fingerprint'] = _("Not available in FIPS mode")
 obj['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 0c49808..a898eb6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -49,6 +49,7 @@ from ipalib import output
 from ipapython import kerberos
 from ipapython.dn import DN
+from ipaplatform.tasks import tasks
 if six.PY3:
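Review bot: In the `else` branch `obj['md5_fingerprint']` is set to a translated message, so under FIPS the attribute stops being a colon-separated hex digest and becomes locale-dependent free text that clients parsing or comparing fingerprints cannot tell apart from a real value by type alone. If the key has to stay for compatibility, an untranslated, documented constant (or omitting the key and documenting its absence in FIPS mode) is safer, and the same constant should be used in `set_certificate_attrs` in ipaserver/plugins/service.py, whose hunk in this patch emits a different string (`'md5 fingerprints are disabled in FIPS mode'`) and checks FIPS through `tasks.is_fips_enabled()` instead of `api.env.fips_mode`. Two detection paths can disagree if the server's `env.fips_mode` is derived differently from the platform check; picking one keeps the API output consistent across cert, host and service commands. `_parse` begins outside the hunk.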
@@ -274,8 +275,12 @@ def set_certificate_attrs(entry_attrs):
 entry_attrs['valid_not_before'] = x509.format_datetime(
 cert.not_valid_before)
 entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
- entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
- cert.fingerprint(hashes.MD5()))
+ if not tasks.is_fips_enabled():
+ entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
+ cert.fingerprint(hashes.MD5()))
+ else:
+ entry_attrs['md5_fingerprint'] = ('md5 fingerprints are disabled in '
+ 'FIPS mode')
 entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index d4384e1..1c082ad 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -35,8 +35,8 @@ from ipapython.dn import DN
 from ipapython.dnsutil import DNSName
 from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test,
- fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer,
- fuzzy_hex, raises_exact)
+ fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_md5_hash, fuzzy_date,
+ fuzzy_issuer, fuzzy_hex, raises_exact)
 from ipatests.test_xmlrpc.test_user_plugin import get_group_dn
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
@@ -232,7 +232,7 @@ def test_update_simple(self, host):
 description=[u'Updated host 1'],
 usercertificate=[base64.b64decode(host_cert)],
 issuer=fuzzy_issuer,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
 sha1_fingerprint=fuzzy_hash,
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index f3940f4..965183e 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
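Review bot: `md5_fingerprint=fuzzy_md5_hash` in test_update_simple only matches the message emitted by `_parse` in ipaserver/plugins/cert.py; if host-update fills certificate attributes through `set_certificate_attrs` in ipaserver/plugins/service.py (not visible here, but that is the function this patch changes for services), the expectation can never match in FIPS mode because that path writes `'md5 fingerprints are disabled in FIPS mode'`. Either route both plugins through one helper that yields the same sentinel, or give the host test its own expectation for the service.py string. test_update_simple starts outside the hunk.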
@@ -22,7 +22,9 @@
 """
 from ipalib import api, errors, x509
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+from ipatests.test_xmlrpc.xmlrpc_test import (
+ Declarative, fuzzy_uuid, fuzzy_hash, fuzzy_md5_hash
+)
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
 from ipatests.test_xmlrpc import objectclasses
@@ -465,7 +467,7 @@ class test_service(Declarative):
 subject=randomissuer,
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -488,7 +490,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -525,7 +527,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -554,7 +556,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 ),
@@ -579,7 +581,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1048704'],
@@ -607,7 +609,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1048577'],
@@ -633,7 +635,7 @@ class test_service(Declarative):
 subject=DN(('CN',api.env.host),x509.subject_base()),
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
- md5_fingerprint=fuzzy_hash,
+ md5_fingerprint=fuzzy_md5_hash,
 sha1_fingerprint=fuzzy_hash,
 issuer=fuzzy_issuer,
 krbticketflags=[u'1'],
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 67565b0..449f056 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -31,7 +31,7 @@ import six
 from ipatests.util import assert_deepequal, Fuzzy
-from ipalib import api, request, errors
+from ipalib import api, request, errors, _
 from ipapython.version import API_VERSION
@@ -105,6 +105,10 @@ def test(xs):
 # Matches a hash signature, not enforcing length
 fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_types)
+if api.env.fips_mode:
+ fuzzy_md5_hash = fuzzy_hash
+else:
+ fuzzy_md5_hash = _('Not available in FIPS mode')
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
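Review bot: The branches in the `@@ -105,6 +105,10 @@` hunk are inverted: under `if api.env.fips_mode:` the test expects a real digest in FIPS mode and the "Not available" message otherwise, while `_parse` in ipaserver/plugins/cert.py in this same patch produces the message in FIPS mode and a digest otherwise, so the updated host and service tests cannot pass in either mode. Swap the assignments: `fuzzy_md5_hash = _('Not available in FIPS mode')` under `if api.env.fips_mode:` and `fuzzy_md5_hash = fuzzy_hash` under `else:`. The value is also fixed at import time from the test process's `api.env`, so it reflects the client's FIPS setting rather than the server's — presumably the same machine in this suite, but worth recording with a comment such as `# assumes the test client and the server under test share one FIPS setting`.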