From ea5165d2c5e6aef59ba6c8378c2c383e18a7eac9 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 16 Jan 2018 10:30:15 -0500
Subject: [PATCH] Fix the TLS verifier to support different fingerprint algos

It was hard baked to sha512. Now use sha256 if auto-adding, and use the stored algo as indicator instead.
---
 confluent_server/confluent/util.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index 10069b24..d717ea00 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -124,7 +124,6 @@ class TLSCertVerifier(object):
         self.fieldname = fieldname
 
     def verify_cert(self, certificate):
-        fingerprint = get_fingerprint(certificate)
         storedprint = self.cfm.get_node_attributes(self.node, (self.fieldname,)
                                                    )
         if (self.fieldname not in storedprint[self.node] or
@@ -142,13 +141,15 @@ class TLSCertVerifier(object):
                 self.fieldname, 'newkey')
             # since the policy is not manual, go ahead and add new key
             # after logging to audit log
+            fingerprint = get_fingerprint(certificate, 'sha256')
             auditlog = log.Logger('audit')
             auditlog.log({'node': self.node, 'event': 'certautoadd',
                           'fingerprint': fingerprint})
             self.cfm.set_node_attributes(
                 {self.node: {self.fieldname: fingerprint}})
             return True
-        elif storedprint[self.node][self.fieldname]['value'] == fingerprint:
+        elif cert_matches(storedprint[self.node][self.fieldname]['value'],
+                          certificate):
             return True
         raise cexc.PubkeyInvalid(
             'Mismatched certificate detected', certificate, fingerprint,
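Review bot: In the second hunk `fingerprint` is now assigned only inside the auto-add branch, which returns True, so the mismatch path at the bottom — `'Mismatched certificate detected', certificate, fingerprint,` — reaches a local that is never bound and raises UnboundLocalError instead of cexc.PubkeyInvalid; the first hunk removed the top-of-function assignment that used to cover it. Any caller that catches PubkeyInvalid to report a certificate mismatch will instead see a crash, and the offending fingerprint never makes it into the error. Compute it before the raise, e.g. `fingerprint = get_fingerprint(certificate, 'sha256')` immediately above `raise cexc.PubkeyInvalid(`. If get_fingerprint can take the algorithm recorded in the stored value, deriving it from that would make the reported fingerprint directly comparable to the stored one, but that depends on how cert_matches and get_fingerprint encode the algorithm, which is not visible here. verify_cert continues past the end of the hunk.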