Update TLS_CLIENT_HASH format

This commit is contained in:
Michael Lazar 2020-11-30 00:09:46 -05:00
parent 4ba3cc6c23
commit 8d384b424d
4 changed files with 12 additions and 4 deletions


@ -8,6 +8,11 @@
- The server will stop redirecting the root URL "gemini://example.com" to - The server will stop redirecting the root URL "gemini://example.com" to
"gemini://example.com/". These URLs are cannonically the same per the url RFC "gemini://example.com/". These URLs are cannonically the same per the url RFC
definition and should both return successful responses. definition and should both return successful responses.
- The CGI variable TLS_CLIENT_HASH now formats the certificate hash as
"SHA256:\<HASH\>" where \<HASH\> is uppercase hexidecimal. The old base64
fingerprint will still be available as TLS_CLIENT_HASH_B64 to help migrate
existing CGI scripts, but it's recommended that you support the new hash
format moving forward.
### v0.6.0 (2020-07-30) ### v0.6.0 (2020-07-30)


@ -278,8 +278,8 @@ Additional CGI variables will be included only when the client connection uses a
<dt>TLS_CLIENT_HASH</dt> <dt>TLS_CLIENT_HASH</dt>
<dd> <dd>
A base64-encoded fingerprint that can be used to uniquely identify the certificate.<br> A SHA fingerprint that can be used to uniquely identify the certificate.<br>
<em>Example: "hjQftIC/4zPDQ1MNdav5nRQ39pM482xoTIgxtjyZOpY="</em> <em>Example: "SHA256:86341FB480BFE333C343530D75ABF99D1437F69338F36C684C8831B63C993A96"</em>
</dd> </dd>
<dt>TLS_CLIENT_NOT_BEFORE</dt> <dt>TLS_CLIENT_NOT_BEFORE</dt>


@ -211,6 +211,7 @@ class GeminiProtocol(LineOnlyReceiver):
"AUTH_TYPE": "CERTIFICATE", "AUTH_TYPE": "CERTIFICATE",
"REMOTE_USER": cert_data["common_name"], "REMOTE_USER": cert_data["common_name"],
"TLS_CLIENT_HASH": cert_data["fingerprint"], "TLS_CLIENT_HASH": cert_data["fingerprint"],
"TLS_CLIENT_HASH_B64": cert_data["fingerprint_b64"],
"TLS_CLIENT_NOT_BEFORE": cert_data["not_before"], "TLS_CLIENT_NOT_BEFORE": cert_data["not_before"],
"TLS_CLIENT_NOT_AFTER": cert_data["not_after"], "TLS_CLIENT_NOT_AFTER": cert_data["not_after"],
"TLS_CLIENT_SERIAL_NUMBER": cert_data["serial_number"], "TLS_CLIENT_SERIAL_NUMBER": cert_data["serial_number"],
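Review bot: The new `"TLS_CLIENT_HASH_B64": cert_data["fingerprint_b64"],` entry carries no indication that it is a transitional alias, although the changelog describes it as existing only to help migrate CGI scripts; a reader of this dict cannot tell that the two hash keys are the same SHA-256 digest in two encodings. Suggest a comment directly above that line: `# Legacy base64 form of the same SHA-256 digest as TLS_CLIENT_HASH; kept for CGI script migration.` The enclosing dict literal and the method that builds it start and end outside the hunk.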


@ -23,7 +23,8 @@ def inspect_certificate(cert: x509) -> dict:
common_name = name_attrs[0].value if name_attrs else "" common_name = name_attrs[0].value if name_attrs else ""
fingerprint_bytes = cert.fingerprint(hashes.SHA256()) fingerprint_bytes = cert.fingerprint(hashes.SHA256())
fingerprint = base64.urlsafe_b64encode(fingerprint_bytes).decode() fingerprint = f"SHA256:{fingerprint_bytes.hex().zfill(64).upper()}"
fingerprint_b64 = base64.urlsafe_b64encode(fingerprint_bytes).decode()
not_before = cert.not_valid_before.strftime("%Y-%m-%dT%H:%M:%SZ") not_before = cert.not_valid_before.strftime("%Y-%m-%dT%H:%M:%SZ")
not_after = cert.not_valid_after.strftime("%Y-%m-%dT%H:%M:%SZ") not_after = cert.not_valid_after.strftime("%Y-%m-%dT%H:%M:%SZ")
@ -33,6 +34,7 @@ def inspect_certificate(cert: x509) -> dict:
data = { data = {
"common_name": common_name, "common_name": common_name,
"fingerprint": fingerprint, "fingerprint": fingerprint,
"fingerprint_b64": fingerprint_b64,
"not_before": not_before, "not_before": not_before,
"not_after": not_after, "not_after": not_after,
"serial_number": serial_number, "serial_number": serial_number,
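Review bot: The `.zfill(64)` in `fingerprint = f"SHA256:{fingerprint_bytes.hex().zfill(64).upper()}"` is a no-op: `bytes.hex()` always emits exactly two hex digits per byte, leading zeros included, so the 32-byte digest from `cert.fingerprint(hashes.SHA256())` on the line above is already 64 characters. The padding reads as if it guards against a shorter digest, but it would silently mask such a mismatch rather than surface it; suggest `fingerprint = f"SHA256:{fingerprint_bytes.hex().upper()}"`. Since CGI scripts are expected to compare this value to identify clients, a comment pinning the contract would help, e.g. `# "SHA256:<64 uppercase hex>" is the stable TLS_CLIENT_HASH format exposed to CGI scripts.` The body of inspect_certificate begins before the first hunk and continues past the second.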