URL: https://github.com/freeipa/freeipa/pull/500 Author: tomaskrizek Title: #500: Replace sha1 fingerprints with sha256 Action: opened
PR body: """ - we probably want to keep SHA1 for DNS SSHFP (along with SHA256) - removing SHA1 from RSA-OAEP probably doesn't have any benefits http://security.stackexchange.com/questions/112029/should-sha-1-be-used-with-rsa-oaep - SHA1 for otp will be handled in a separate PR """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/500/head:pr500 git checkout pr500
From 3ea80f8a1e831da8580019f22159ce8f4c29da86 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Thu, 23 Feb 2017 17:03:01 +0100 Subject: [PATCH 1/2] Replace SHA1 cert fingerprints with SHA256 https://fedorahosted.org/freeipa/ticket/6701 --- install/ui/src/freeipa/certificate.js | 13 +++++-------- install/ui/test/data/cert_request.json | 2 +- install/ui/test/data/cert_show.json | 2 +- install/ui/test/data/ipa_init.json | 1 - install/ui/test/data/service_show.json | 2 +- ipaserver/plugins/cert.py | 8 ++++---- ipaserver/plugins/host.py | 4 ++-- ipaserver/plugins/internal.py | 1 - ipaserver/plugins/service.py | 8 ++++---- ipatests/test_xmlrpc/test_host_plugin.py | 2 +- ipatests/test_xmlrpc/test_service_plugin.py | 14 +++++++------- ipatests/test_xmlrpc/tracker/host_plugin.py | 2 +- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 13 files changed, 28 insertions(+), 33 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b86c6cf..e02a08e 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -361,7 +361,6 @@ IPA.cert.view_dialog = function(spec) { that.issuer = IPA.cert.parse_dn(spec.certificate.issuer); that.issued_on = spec.certificate.valid_not_before || ''; that.expires_on = spec.certificate.valid_not_after || ''; - that.sha1_fingerprint = spec.certificate.sha1_fingerprint || ''; that.sha256_fingerprint = spec.certificate.sha256_fingerprint || ''; that.create_button({ @@ -426,8 +425,6 @@ IPA.cert.view_dialog = function(spec) { table_layout = that.create_layout().appendTo(that.container); - new_row('@i18n:objects.cert.sha1_fingerprint', that.sha1_fingerprint) - .appendTo(table_layout); new_row('@i18n:objects.cert.sha256_fingerprint', that.sha256_fingerprint) .appendTo(table_layout); }; 
@@ -570,7 +567,7 @@ IPA.cert.loader = function(spec) { revocation_reason: result.revocation_reason, serial_number: result.serial_number, serial_number_hex: result.serial_number_hex, - sha1_fingerprint: result.sha1_fingerprint, + sha256_fingerprint: result.sha256_fingerprint, subject: result.subject, valid_not_after: result.valid_not_after, valid_not_before: result.valid_not_before @@ -1575,9 +1572,9 @@ exp.create_cert_metadata = function() { add_param('valid_not_after', text.get('@i18n:objects.cert.expires_on'), text.get('@i18n:objects.cert.expires_on')); - add_param('sha1_fingerprint', - text.get('@i18n:objects.cert.sha1_fingerprint'), - text.get('@i18n:objects.cert.sha1_fingerprint')); + add_param('sha256_fingerprint', + text.get('@i18n:objects.cert.sha256_fingerprint'), + text.get('@i18n:objects.cert.sha256_fingerprint')); add_param('certificate', text.get('@i18n:objects.cert.certificate'), text.get('@i18n:objects.cert.certificate')); @@ -1754,7 +1751,7 @@ return { }, 'valid_not_before', 'valid_not_after', - 'sha1_fingerprint', + 'sha256_fingerprint', { $type: 'revocation_reason', name: 'revocation_reason' diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json index f8d8544..d0f09e5 100644 --- a/install/ui/test/data/cert_request.json +++ b/install/ui/test/data/cert_request.json @@ -7,7 +7,7 @@ "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "request_id": "1", "serial_number": "1", - "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", + "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" diff --git a/install/ui/test/data/cert_show.json b/install/ui/test/data/cert_show.json index 4942e63..1108c8d 100644 --- a/install/ui/test/data/cert_show.json 
+++ b/install/ui/test/data/cert_show.json @@ -6,7 +6,7 @@ "certificate": "MIICAjCCAWugAwIBAgICBAswDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTAwNzIzMzk0NFoXDTE1MTAwNzIzMzk0NFowKDEMMAoGA1UECgwDSVBBMRgwFgYDVQQDDA9kZXYuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOTXyj8grVB7Rj95RFawgdwn9OYZ03LWHZ+HMYggu2/xCCrUrdThP14YBlVqZumjVJSclj6T4ACjjdPJq9JTTmx7gMizDTReus7IPlS6fCxb5v5whQJZsEksXL04OxUMl25euPRFkYcTK1rdW47+AkG10j1qeNW+B6CpdQGR6eM/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEASIhq723VL5xP0q51MYXFlGU1boD7pPD1pIQspD/MjCIEupcbH2kAo4wf+EiKsXR0rs+WZkaSgvFqaM4OQ2kWSFTiqmFXFDBEi6EFr68yLg7IpQpNTzVBXERd8B4GwNL9wrRw60jPXlUK29DPBsdGq8fDgX18l39wKkWXv7p1to4=", "issuer": "CN=Certificate Authority,O=EXAMPLE.COM", "serial_number": "1", - "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", + "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC", "valid_not_before": "Wed Oct 13 01:59:32 2010 UTC" diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 2fe0ef4..7848594 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -302,7 +302,6 @@ "revoked_status": "REVOKED", "serial_number": "Serial Number", "serial_number_hex": "Serial Number (hex)", - "sha1_fingerprint": "SHA1 Fingerprint", "sha256_fingerprint": "SHA256 Fingerprint", "status": "Status", "superseded": "Superseded", diff --git a/install/ui/test/data/service_show.json b/install/ui/test/data/service_show.json index 213dfff..5044854 100644 --- a/install/ui/test/data/service_show.json +++ b/install/ui/test/data/service_show.json 
@@ -49,7 +49,7 @@ ], "serial_number": "1", "serial_number_hex": "0x1", - "sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc", + "sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30", "subject": "CN=dev.example.com,O=EXAMPLE.COM", "usercertificate": [ { diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 585a70e..8204764 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -346,8 +346,8 @@ class BaseCertObject(Object): flags={'no_create', 'no_update', 'no_search'}, ), Str( - 'sha1_fingerprint', - label=_('Fingerprint (SHA1)'), + 'sha256_fingerprint', + label=_('Fingerprint (SHA256)'), flags={'no_create', 'no_update', 'no_search'}, ), Int( @@ -388,8 +388,8 @@ def _parse(self, obj, full=True): obj['valid_not_after'] = x509.format_datetime( cert.not_valid_after) if full: - obj['sha1_fingerprint'] = x509.to_hex_with_colons( - cert.fingerprint(hashes.SHA1())) + obj['sha256_fingerprint'] = x509.to_hex_with_colons( + cert.fingerprint(hashes.SHA256())) general_names = x509.process_othernames( x509.get_san_general_names(cert)) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 7ceec8e..5296856 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -510,8 +510,8 @@ class host(LDAPObject): label=_('Not After'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), - Str('sha1_fingerprint', - label=_('Fingerprint (SHA1)'), + Str('sha256_fingerprint', + label=_('Fingerprint (SHA256)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('revocation_reason?', diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index e82e5fc..db3abf5 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py 
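Review bot: The fingerprint expression `x509.to_hex_with_colons(cert.fingerprint(hashes.SHA256()))` added in `_parse` in ipaserver/plugins/cert.py is repeated verbatim in `set_certificate_attrs` in ipaserver/plugins/service.py, so the digest algorithm is chosen in two places. Moving it into one shared helper next to `to_hex_with_colons` would keep the two call sites from drifting the next time the algorithm changes. The result key is also renamed outright, so anything outside this diff that still reads `sha1_fingerprint` from cert, host or service results would get no value. If such consumers exist, that deserves a line in the commit message or release notes. `_parse` starts and ends outside the hunk.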
@@ -452,7 +452,6 @@ class i18n_messages(Command): "revoked_status": _("REVOKED"), "serial_number": _("Serial Number"), "serial_number_hex": _("Serial Number (hex)"), - "sha1_fingerprint": _("SHA1 Fingerprint"), "sha256_fingerprint": _("SHA256 Fingerprint"), "status": _("Status"), "superseded": _("Superseded"), diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 3349889..2d8b668 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -274,8 +274,8 @@ def set_certificate_attrs(entry_attrs): entry_attrs['valid_not_before'] = x509.format_datetime( cert.not_valid_before) entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after) - entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons( - cert.fingerprint(hashes.SHA1())) + entry_attrs['sha256_fingerprint'] = x509.to_hex_with_colons( + cert.fingerprint(hashes.SHA256())) def check_required_principal(ldap, principal): """ @@ -502,8 +502,8 @@ class service(LDAPObject): label=_('Not After'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), - Str('sha1_fingerprint', - label=_('Fingerprint (SHA1)'), + Str('sha256_fingerprint', + label=_('Fingerprint (SHA256)'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('revocation_reason?', diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index e9a9623..61c522a 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -234,7 +234,7 @@ def test_update_simple(self, host): issuer=fuzzy_issuer, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, subject=DN(('CN', api.env.host), x509.subject_base()), valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index a2db6fc..56a75bd 100644 
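Review bot: The `sha256_fingerprint=fuzzy_hash` expectation in `test_update_simple` does not by itself prove the value is a SHA-256 digest. `fuzzy_hash` is defined outside this diff and the same matcher was used for the SHA-1 value, so if it accepts any colon-separated hex string, a 20-byte fingerprint would still pass. A stricter matcher that requires exactly 32 colon-separated hex bytes, for example a pattern like `^([0-9a-f]{2}:){31}[0-9a-f]{2}$`, would pin the algorithm. The seven hunks in ipatests/test_xmlrpc/test_service_plugin.py have the same gap.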
--- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -465,7 +465,7 @@ class test_service(Declarative): subject=randomissuer, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -487,7 +487,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -523,7 +523,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -551,7 +551,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), @@ -575,7 +575,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048704'], ipakrbokasdelegate=True, @@ -602,7 +602,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048577'], ), @@ -627,7 +627,7 @@ class test_service(Declarative): subject=DN(('CN',api.env.host),x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, - sha1_fingerprint=fuzzy_hash, + sha256_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1'], ipakrbokasdelegate=False, 
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py index 9d25ae1..6321725 100644 --- a/ipatests/test_xmlrpc/tracker/host_plugin.py +++ b/ipatests/test_xmlrpc/tracker/host_plugin.py @@ -26,7 +26,7 @@ class HostTracker(KerberosAliasMixin, Tracker): 'dn', 'fqdn', 'description', 'l', 'krbcanonicalname', 'krbprincipalname', 'managedby_host', 'has_keytab', 'has_password', 'issuer', - 'serial_number', 'serial_number_hex', 'sha1_fingerprint', + 'serial_number', 'serial_number_hex', 'sha256_fingerprint', 'subject', 'usercertificate', 'valid_not_after', 'valid_not_before', 'macaddress', 'sshpubkeyfp', 'ipaallowedtoperform_read_keys_user', 'memberof_hostgroup', 'memberofindirect_hostgroup', diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index 1accb6d..c94278e 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -38,7 +38,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): u'ipakrbauthzdata', u'ipaallowedtoperform', u'subject', u'managedby', u'serial_number', u'serial_number_hex', u'issuer', u'valid_not_before', u'valid_not_after', - u'sha1_fingerprint', u'krbprincipalauthind', u'managedby_host', + u'sha256_fingerprint', u'krbprincipalauthind', u'managedby_host', u'krbcanonicalname'} retrieve_all_keys = retrieve_keys | { u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData', From a74522994676410a36fc364914c65b1b7859df17 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Thu, 23 Feb 2017 17:23:52 +0100 Subject: [PATCH 2/2] Use SHA256 for file digest instead of SHA1 https://fedorahosted.org/freeipa/ticket/6701 --- install/share/copy-schema-to-ca.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 4daed6f..bb57af6 100755 --- a/install/share/copy-schema-to-ca.py 
+++ b/install/share/copy-schema-to-ca.py @@ -15,7 +15,7 @@ import pwd import shutil -from hashlib import sha1 +from hashlib import sha256 from ipaplatform.paths import paths from ipapython import ipautil @@ -55,9 +55,9 @@ ) -def _sha1_file(filename): +def _file_digest(filename): with open(filename, 'rb') as f: - return sha1(f.read()).hexdigest() + return sha256(f.read()).hexdigest() def add_ca_schema(): @@ -72,17 +72,17 @@ def add_ca_schema(): root_logger.debug('File does not exist: %s', source_fname) continue if os.path.exists(target_fname): - target_sha1 = _sha1_file(target_fname) - source_sha1 = _sha1_file(source_fname) - if target_sha1 != source_sha1: + target_digest = _file_digest(target_fname) + source_digest = _file_digest(source_fname) + if target_digest != source_digest: target_size = os.stat(target_fname).st_size source_size = os.stat(source_fname).st_size root_logger.info('Target file %s exists but the content is ' 'different', target_fname) - root_logger.info('\tTarget file: sha1: %s, size: %s B', - target_sha1, target_size) - root_logger.info('\tSource file: sha1: %s, size: %s B', - source_sha1, source_size) + root_logger.info('\tTarget file: sha256: %s, size: %s B', + target_digest, target_size) + root_logger.info('\tSource file: sha256: %s, size: %s B', + source_digest, source_size) if not ipautil.user_input("Do you want replace %s file?" % target_fname, True): continue
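Review bot: `_file_digest` has no docstring, and its new name no longer says which algorithm or output form it returns. I would add `"""Return the hex-encoded SHA-256 digest of the file's contents."""`. In `add_ca_schema` both digests are computed from local files and compared with each other, so the check detects that source and target differ rather than verifying either against a trusted reference. A short comment above the comparison saying so would keep the digest from being read as an integrity guarantee. `add_ca_schema` continues outside the hunk.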