URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504
From 3ee0bda061ec5c51b31a35a9b23f4870dd8709a0 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH] Add SHA256 fingerprints for certs https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 6 +++++- install/ui/test/data/service_show.json | 1 + ipaserver/plugins/cert.py | 7 +++++++ ipaserver/plugins/host.py | 4 ++++ ipaserver/plugins/service.py | 6 ++++++ ipatests/test_xmlrpc/test_host_plugin.py | 1 + ipatests/test_xmlrpc/test_service_plugin.py | 7 +++++++ ipatests/test_xmlrpc/tracker/host_plugin.py | 1 + ipatests/test_xmlrpc/tracker/service_plugin.py | 4 ++-- 9 files changed, 34 insertions(+), 3 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..0cb43c7 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) { serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, sha1_fingerprint: result.sha1_fingerprint, + sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before @@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() { add_param('sha1_fingerprint', text.get('@i18n:objects.cert.sha1_fingerprint'), text.get('@i18n:objects.cert.sha1_fingerprint')); + add_param('sha256_fingerprint', + text.get('@i18n:objects.cert.sha256_fingerprint'), + text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1755,6 +1759,7 @@ return { 'valid_not_before', 'valid_not_after', 'sha1_fingerprint', + 'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' @@ -1871,7 +1876,6 @@ IPA.cert.details_facet = function(spec, no_init) { that.create_refresh_command = function() { var command = that.details_facet_create_refresh_command(); - delete command.options.all; delete command.options.rights; command.options = command.options || {}; diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json index 213dfff..597f3ad 100644 --- a/install/ui/test/data/service_show.json +++ b/install/ui/test/data/service_show.json @@ -50,6 +50,7 @@ "serial_number": "1", "serial_number_hex": "0x1", "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", + "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "usercertificate": [ { diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 585a70e..a60dc41 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -350,6 +350,11 @@ class BaseCertObject(Object): label=_('Fingerprint (SHA1)'), flags={'no_create', 'no_update', 'no_search'}, ), + Str( + 'sha256_fingerprint', + label=_('Fingerprint (SHA256)'), + flags={'no_create', 'no_update', 'no_search'}, + ), Int( 'serial_number', label=_('Serial number'), @@ -390,6 +395,8 @@ def _parse(self, obj, full=True): if full: obj['sha1_fingerprint'] = x509.to_hex_with_colons( cert.fingerprint(hashes.SHA1())) + obj['sha256_fingerprint'] = x509.to_hex_with_colons( + cert.fingerprint(hashes.SHA256())) general_names = x509.process_othernames( x509.get_san_general_names(cert)) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 7ceec8e..dcadd54 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -514,6 +514,10 @@ class host(LDAPObject): label=_('Fingerprint (SHA1)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), + Str('sha256_fingerprint', + label=_('Fingerprint (SHA256)'), + flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, + ), Str('revocation_reason?', label=_('Revocation reason'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 3349889..03271d6 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -276,6 +276,8 @@ def set_certificate_attrs(entry_attrs): entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after) entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons( cert.fingerprint(hashes.SHA1())) + entry_attrs['sha256_fingerprint'] = x509.to_hex_with_colons( + cert.fingerprint(hashes.SHA256())) def check_required_principal(ldap, principal): """ @@ -506,6 +508,10 @@ class service(LDAPObject): label=_('Fingerprint (SHA1)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), + Str('sha256_fingerprint', + label=_('Fingerprint (SHA256)'), + flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, + ), Str('revocation_reason?', label=_('Revocation reason'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index e9a9623..e4d6ee9 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -235,6 +235,7 @@ def test_update_simple(self, host): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, subject=DN(('CN', api.env.host), x509.subject_base()), valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index a2db6fc..514ca5b 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -466,6 +466,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -488,6 +489,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -524,6 +526,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -552,6 +555,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -576,6 +580,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048704'], ipakrbokasdelegate=True, @@ -603,6 +608,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048577'], ), @@ -628,6 +634,7 @@ class test_service(Declarative): serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1'], ipakrbokasdelegate=False, diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py index 9d25ae1..81aac9d 100644 --- a/ipatests/test_xmlrpc/tracker/host_plugin.py +++ b/ipatests/test_xmlrpc/tracker/host_plugin.py @@ -27,6 +27,7 @@ class HostTracker(KerberosAliasMixin, Tracker): 'krbprincipalname', 'managedby_host', 'has_keytab', 'has_password', 'issuer', 'serial_number', 'serial_number_hex', 'sha1_fingerprint', + 'sha256_fingerprint', 'subject', 'usercertificate', 'valid_not_after', 'valid_not_before', 'macaddress', 'sshpubkeyfp', 'ipaallowedtoperform_read_keys_user', 'memberof_hostgroup', 'memberofindirect_hostgroup', diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index 1accb6d..58b3be0 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -37,8 +37,8 @@ class ServiceTracker(KerberosAliasMixin, Tracker): u'dn', u'krbprincipalname', u'usercertificate', u'has_keytab', u'ipakrbauthzdata', u'ipaallowedtoperform', u'subject', u'managedby', u'serial_number', u'serial_number_hex', u'issuer', - u'valid_not_before', u'valid_not_after', - u'sha1_fingerprint', u'krbprincipalauthind', u'managedby_host', + u'valid_not_before', u'valid_not_after', u'sha1_fingerprint', + u'sha256_fingerprint', u'krbprincipalauthind', u'managedby_host', u'krbcanonicalname'} retrieve_all_keys = retrieve_keys | { u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData',
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
