Update TLS_CLIENT_HASH format

This commit is contained in:
Michael Lazar 2020-11-30 00:09:46 -05:00
parent 4ba3cc6c23
commit 8d384b424d
4 changed files with 12 additions and 4 deletions

View File

@ -8,7 +8,12 @@
- The server will stop redirecting the root URL "gemini://example.com" to
"gemini://example.com/". These URLs are cannonically the same per the url RFC
definition and should both return successful responses.
- The CGI variable TLS_CLIENT_HASH now formats the certificate hash as
"SHA256:\<HASH\>" where \<HASH\> is uppercase hexidecimal. The old base64
fingerprint will still be available as TLS_CLIENT_HASH_B64 to help migrate
existing CGI scripts, but it's recommended that you support the new hash
format moving forward.
### v0.6.0 (2020-07-30)
#### Bugfixes

View File

@ -278,8 +278,8 @@ Additional CGI variables will be included only when the client connection uses a
<dt>TLS_CLIENT_HASH</dt>
<dd>
A base64-encoded fingerprint that can be used to uniquely identify the certificate.<br>
<em>Example: "hjQftIC/4zPDQ1MNdav5nRQ39pM482xoTIgxtjyZOpY="</em>
A SHA fingerprint that can be used to uniquely identify the certificate.<br>
<em>Example: "SHA256:86341FB480BFE333C343530D75ABF99D1437F69338F36C684C8831B63C993A96"</em>
</dd>
<dt>TLS_CLIENT_NOT_BEFORE</dt>

View File

@ -211,6 +211,7 @@ class GeminiProtocol(LineOnlyReceiver):
"AUTH_TYPE": "CERTIFICATE",
"REMOTE_USER": cert_data["common_name"],
"TLS_CLIENT_HASH": cert_data["fingerprint"],
"TLS_CLIENT_HASH_B64": cert_data["fingerprint_b64"],
"TLS_CLIENT_NOT_BEFORE": cert_data["not_before"],
"TLS_CLIENT_NOT_AFTER": cert_data["not_after"],
"TLS_CLIENT_SERIAL_NUMBER": cert_data["serial_number"],

View File

@ -23,7 +23,8 @@ def inspect_certificate(cert: x509) -> dict:
common_name = name_attrs[0].value if name_attrs else ""
fingerprint_bytes = cert.fingerprint(hashes.SHA256())
fingerprint = base64.urlsafe_b64encode(fingerprint_bytes).decode()
fingerprint = f"SHA256:{fingerprint_bytes.hex().zfill(64).upper()}"
fingerprint_b64 = base64.urlsafe_b64encode(fingerprint_bytes).decode()
not_before = cert.not_valid_before.strftime("%Y-%m-%dT%H:%M:%SZ")
not_after = cert.not_valid_after.strftime("%Y-%m-%dT%H:%M:%SZ")
@ -33,6 +34,7 @@ def inspect_certificate(cert: x509) -> dict:
data = {
"common_name": common_name,
"fingerprint": fingerprint,
"fingerprint_b64": fingerprint_b64,
"not_before": not_before,
"not_after": not_after,
"serial_number": serial_number,