From 93aa6e3955c1d01e8978722769a5a7e6dc3f1be6 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 19 May 2014 14:34:13 -0400
Subject: [PATCH] Switch to using fingerprint of cert for knownhosts

Some clients have their lives made more convenient by having the sha512 hash rather than the actual certificate. Prepend with 'sha512$' to allow for a future where different formats could be specified.
---
 confluent_client/confluent/client.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/confluent_client/confluent/client.py b/confluent_client/confluent/client.py
index 4f08f2e8..362364b7 100644
--- a/confluent_client/confluent/client.py
+++ b/confluent_client/confluent/client.py
@@ -16,6 +16,7 @@
 import anydbm as dbm
 import errno
+import hashlib
 import os
 import socket
 import ssl
@@ -29,12 +30,12 @@ def _parseserver(string):
 server, port = string[1:].split(']:')
 elif string[0] == '[':
 server = string[1:-1]
- port = 4001
+ port = '4001'
 elif ':' in string:
 server, port = string.split(':')
 else:
 server = string
- port = 4001
+ port = '4001'
 return server, port
@@ -123,7 +124,8 @@ class Command(object):
 hostid = '@'.join((port,server))
 khf = dbm.open(os.path.join(clientcfgdir, "knownhosts"), 'c', 384)
 if hostid in khf:
- if certdata == khf[hostid]:
+ fingerprint = 'sha512$' + hashlib.sha512(certdata).hexdigest()
+ if fingerprint == khf[hostid]:
 return
 else:
 replace = raw_input(
@@ -131,7 +133,7 @@ class Command(object):
 if replace not in ('y', 'Y'):
 raise Exception("BAD CERTIFICATE")
 print 'Adding new key for %s:%s' % (server, port)
- khf[hostid] = certdata
+ khf[hostid] = fingerprint
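Review bot: In the `@@ -123,7 +124,8 @@` hunk, `fingerprint == khf[hostid]` can never match an entry written before this change, because the removed `khf[hostid] = certdata` stored the raw certificate; every already-trusted server will therefore raise the replace prompt, which the user cannot tell apart from a genuinely changed certificate. Comparing the stored value against `certdata` as well, and rewriting a matching legacy entry to the fingerprint form, keeps the trust-on-first-use check meaningful across the upgrade. Indentation is not visible in this view, but if the `fingerprint = …` assignment sits inside the `if hostid in khf:` block, the first-contact path reaches `khf[hostid] = fingerprint` in the last hunk with the name unbound; computing it before the `if` avoids that. The enclosing method starts and ends outside the hunk.

```python
        fingerprint = 'sha512$' + hashlib.sha512(certdata).hexdigest()
        if hostid in khf:
            stored = khf[hostid]
            if stored == certdata:
                # entry written before this change: same certificate, so
                # upgrade it to the fingerprint form without prompting
                khf[hostid] = fingerprint
                return
            if fingerprint == stored:
                return
            # … unchanged: else: branch with the replace prompt …
```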