From 8d384b424dc0afa5027cab82f4429adb34ad5a0f Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Mon, 30 Nov 2020 00:09:46 -0500
Subject: [PATCH] Update TLS_CLIENT_HASH format

---
 CHANGELOG.md | 7 ++++++-
 README.md | 4 ++--
 jetforce/protocol.py | 1 +
 jetforce/tls.py | 4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac512bb..d8546e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,12 @@
 - The server will stop redirecting the root URL "gemini://example.com" to "gemini://example.com/". These URLs are cannonically the same per the url RFC definition and should both return successful responses.
-
+- The CGI variable TLS_CLIENT_HASH now formats the certificate hash as
+ "SHA256:\" where \ is uppercase hexidecimal. The old base64
+ fingerprint will still be available as TLS_CLIENT_HASH_B64 to help migrate
+ existing CGI scripts, but it's recommended that you support the new hash
+ format moving forward.
+
 ### v0.6.0 (2020-07-30)
 
 #### Bugfixes
diff --git a/README.md b/README.md
index aa9a22f..deade11 100644
--- a/README.md
+++ b/README.md
@@ -278,8 +278,8 @@ Additional CGI variables will be included only when the client connection uses a
TLS_CLIENT_HASH
- A base64-encoded fingerprint that can be used to uniquely identify the certificate.
- Example: "hjQftIC/4zPDQ1MNdav5nRQ39pM482xoTIgxtjyZOpY="
+ A SHA fingerprint that can be used to uniquely identify the certificate.
+ Example: "SHA256:86341FB480BFE333C343530D75ABF99D1437F69338F36C684C8831B63C993A96"
TLS_CLIENT_NOT_BEFORE
diff --git a/jetforce/protocol.py b/jetforce/protocol.py
index 3cd18b0..03c9146 100644
--- a/jetforce/protocol.py
+++ b/jetforce/protocol.py
@@ -211,6 +211,7 @@ class GeminiProtocol(LineOnlyReceiver):
 "AUTH_TYPE": "CERTIFICATE",
 "REMOTE_USER": cert_data["common_name"],
 "TLS_CLIENT_HASH": cert_data["fingerprint"],
+ "TLS_CLIENT_HASH_B64": cert_data["fingerprint_b64"],
 "TLS_CLIENT_NOT_BEFORE": cert_data["not_before"],
 "TLS_CLIENT_NOT_AFTER": cert_data["not_after"],
 "TLS_CLIENT_SERIAL_NUMBER": cert_data["serial_number"],
diff --git a/jetforce/tls.py b/jetforce/tls.py
index 0cbbef7..745b320 100644
--- a/jetforce/tls.py
+++ b/jetforce/tls.py
@@ -23,7 +23,8 @@ def inspect_certificate(cert: x509) -> dict:
 common_name = name_attrs[0].value if name_attrs else ""
 
 fingerprint_bytes = cert.fingerprint(hashes.SHA256())
- fingerprint = base64.urlsafe_b64encode(fingerprint_bytes).decode()
+ fingerprint = f"SHA256:{fingerprint_bytes.hex().zfill(64).upper()}"
+ fingerprint_b64 = base64.urlsafe_b64encode(fingerprint_bytes).decode()
 
 not_before = cert.not_valid_before.strftime("%Y-%m-%dT%H:%M:%SZ")
 not_after = cert.not_valid_after.strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -33,6 +34,7 @@ def inspect_certificate(cert: x509) -> dict:
 data = {
 "common_name": common_name,
 "fingerprint": fingerprint,
+ "fingerprint_b64": fingerprint_b64,
 "not_before": not_before,
 "not_after": not_after,
 "serial_number": serial_number,
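Review bot: The new `TLS_CLIENT_HASH_B64` CGI variable is exported here without a README entry, even though this same patch edits the README's `TLS_CLIENT_HASH` description and the only mention of the new name is in CHANGELOG.md; CGI authors reading the documented variable list will not find it. Suggest a README item directly under TLS_CLIENT_HASH: `TLS_CLIENT_HASH_B64 — The previous base64-encoded SHA256 fingerprint of the certificate, retained for compatibility with existing CGI scripts; new scripts should use TLS_CLIENT_HASH.` A one-line comment on the added dict entry would also spare the next reader a changelog lookup, e.g. `# Legacy base64 form of TLS_CLIENT_HASH, kept so existing CGI scripts keep working`. The enclosing dict literal and method start and end outside the hunk.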
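Review bot: `.zfill(64)` on the new `fingerprint` line in tls.py is a no-op: `bytes.hex()` of the 32-byte digest returned by `cert.fingerprint(hashes.SHA256())` is always exactly 64 characters, so the padding can never apply and it reads as though the value were an int that could lose leading zeros. Drop it: `fingerprint = f"SHA256:{fingerprint_bytes.hex().upper()}"`. The algorithm is also named twice (the `hashes.SHA256()` call and the `"SHA256:"` literal), so a comment such as `# Prefix must match the digest used on the line above; consumers compare the whole string` would keep them from drifting if the digest is ever changed. As I read cryptography's `Certificate.fingerprint`, this is a digest of the whole encoded certificate rather than of the public key, so re-issuing a certificate for the same key yields a new TLS_CLIENT_HASH — worth stating for CGI authors keying identities on it. `inspect_certificate` starts before the first hunk and continues past it.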