Fix the TLS verifier to support different fingerprint algos

It was hard baked to sha512. Now use sha256 if auto-adding, and use the stored algo as indicator instead.
2025-01-09 13:05:49 +00:00 · 2018-01-16 10:30:15 -05:00 · 2018-01-16 10:30:15 -05:00 · ea5165d2c5
commit ea5165d2c5
parent 30e24cc768
1 changed files with 3 additions and 2 deletions
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@ -124,7 +124,6 @@ class TLSCertVerifier(object):
        self.fieldname = fieldname

    def verify_cert(self, certificate):
-        fingerprint = get_fingerprint(certificate)
        storedprint = self.cfm.get_node_attributes(self.node, (self.fieldname,)
                                                   )
        if (self.fieldname not in storedprint[self.node] or
@ -142,13 +141,15 @@ class TLSCertVerifier(object):
                                         self.fieldname, 'newkey')
            # since the policy is not manual, go ahead and add new key
            # after logging to audit log
+            fingerprint = get_fingerprint(certificate, 'sha256')
            auditlog = log.Logger('audit')
            auditlog.log({'node': self.node, 'event': 'certautoadd',
                          'fingerprint': fingerprint})
            self.cfm.set_node_attributes(
                {self.node: {self.fieldname: fingerprint}})
            return True
-        elif storedprint[self.node][self.fieldname]['value'] == fingerprint:
+        elif cert_matches(storedprint[self.node][self.fieldname]['value'],
+                          certificate):
            return True
        raise cexc.PubkeyInvalid(
            'Mismatched certificate detected', certificate, fingerprint,