Switch to using fingerprint of cert for knownhosts

Some clients have their lives made more convenient by having the sha512 hash rather than the actual certificate. Prepend with 'sha512$' to allow for a future where different formats could be specified.
2024-11-22 09:32:21 +00:00 · 2014-05-19 14:34:13 -04:00 · 2014-05-19 14:34:13 -04:00 · 93aa6e3955
commit 93aa6e3955
parent 4dfcc8103f
1 changed files with 6 additions and 4 deletions
--- a/confluent_client/confluent/client.py
+++ b/confluent_client/confluent/client.py
@ -16,6 +16,7 @@

 import anydbm as dbm
 import errno
+import hashlib
 import os
 import socket
 import ssl
@ -29,12 +30,12 @@ def _parseserver(string):
        server, port = string[1:].split(']:')
    elif string[0] == '[':
        server = string[1:-1]
-        port = 4001
+        port = '4001'
    elif ':' in string:
        server, port = string.split(':')
    else:
        server = string
-        port = 4001
+        port = '4001'
    return server, port


@ -123,7 +124,8 @@ class Command(object):
            hostid = '@'.join((port,server))
            khf = dbm.open(os.path.join(clientcfgdir, "knownhosts"), 'c', 384)
            if hostid in khf:
-                if certdata == khf[hostid]:
+                fingerprint = 'sha512$' + hashlib.sha512(certdata).hexdigest()
+                if fingerprint == khf[hostid]:
                    return
                else:
                    replace = raw_input(
@ -131,7 +133,7 @@ class Command(object):
                    if replace not in ('y', 'Y'):
                        raise Exception("BAD CERTIFICATE")
            print 'Adding new key for %s:%s' % (server, port)
-            khf[hostid] = certdata
+            khf[hostid] = fingerprint