authorTomas Krizek <tkrizek@redhat.com>2017-02-23 17:03:01 +0100
committerTomas Krizek <tkrizek@redhat.com>2017-03-07 19:52:43 +0100
commita06c71b1268850e485e89049ed3654f893edff0b (patch)
tree75415d2b13a973c7a05368c1f46e26be5329aa66
parent3ba0375c831eca673c2df146b565a32dbc03fdb3 (diff)
Add SHA256 fingerprints for certs
https://fedorahosted.org/freeipa/ticket/6701 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rwxr-xr-xinstall/ui/src/freeipa/certificate.js6
-rw-r--r--ipaserver/plugins/cert.py7
-rw-r--r--ipaserver/plugins/host.py4
-rw-r--r--ipaserver/plugins/service.py6
-rw-r--r--ipatests/test_xmlrpc/test_host_plugin.py1
-rw-r--r--ipatests/test_xmlrpc/test_service_plugin.py7
-rw-r--r--ipatests/test_xmlrpc/tracker/host_plugin.py1
-rw-r--r--ipatests/test_xmlrpc/tracker/service_plugin.py4
8 files changed, 33 insertions, 3 deletions
diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index b86c6cfa1..0cb43c718 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -571,6 +571,7 @@ IPA.cert.loader = function(spec) {
serial_number: result.serial_number,
serial_number_hex: result.serial_number_hex,
sha1_fingerprint: result.sha1_fingerprint,
+ sha256_fingerprint: result.sha256_fingerprint,
subject: result.subject,
valid_not_after: result.valid_not_after,
valid_not_before: result.valid_not_before
@@ -1578,6 +1579,9 @@ exp.create_cert_metadata = function() {
add_param('sha1_fingerprint',
text.get('@i18n:objects.cert.sha1_fingerprint'),
text.get('@i18n:objects.cert.sha1_fingerprint'));
+ add_param('sha256_fingerprint',
+ text.get('@i18n:objects.cert.sha256_fingerprint'),
+ text.get('@i18n:objects.cert.sha256_fingerprint'));
add_param('certificate',
text.get('@i18n:objects.cert.certificate'),
text.get('@i18n:objects.cert.certificate'));
@@ -1755,6 +1759,7 @@ return {
'valid_not_before',
'valid_not_after',
'sha1_fingerprint',
+ 'sha256_fingerprint',
{
$type: 'revocation_reason',
name: 'revocation_reason'
@@ -1871,7 +1876,6 @@ IPA.cert.details_facet = function(spec, no_init) {
that.create_refresh_command = function() {
var command = that.details_facet_create_refresh_command();
- delete command.options.all;
delete command.options.rights;
command.options = command.options || {};
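Review bot: Dropping `delete command.options.all;` changes what the refresh request asks the server for, and neither the hunk nor the commit message says why. If `details_facet_create_refresh_command` leaves `all` set, the details facet now fetches the full record, which is presumably how the new `sha256_fingerprint` (populated on the server only when `full` is true) reaches the view; a one-line comment such as `// keep options.all: fingerprints are only returned for a full (--all) retrieval` would spare the next reader the detective work. `create_refresh_command` continues beyond the hunk.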
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index b53caf493..fb16f5b97 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -348,6 +348,11 @@ class BaseCertObject(Object):
label=_('Fingerprint (SHA1)'),
flags={'no_create', 'no_update', 'no_search'},
),
+ Str(
+ 'sha256_fingerprint',
+ label=_('Fingerprint (SHA256)'),
+ flags={'no_create', 'no_update', 'no_search'},
+ ),
Int(
'serial_number',
label=_('Serial number'),
@@ -388,6 +393,8 @@ class BaseCertObject(Object):
if full:
obj['sha1_fingerprint'] = x509.to_hex_with_colons(
cert.fingerprint(hashes.SHA1()))
+ obj['sha256_fingerprint'] = x509.to_hex_with_colons(
+ cert.fingerprint(hashes.SHA256()))
general_names = x509.process_othernames(
x509.get_san_general_names(cert))
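Review bot: The SHA-256 digest is added next to the SHA-1 one at the new `obj['sha256_fingerprint']` assignment with nothing telling API consumers which of the two to rely on. SHA-1 is no longer collision-resistant, so a client that pins or compares certificates on `sha1_fingerprint` gets weaker assurance than the new field offers; a comment such as `# sha1_fingerprint is kept for backward compatibility only; compare on sha256_fingerprint` would record that intent, and the same caveat belongs in the `doc=` of the `Fingerprint (SHA1)` Param. Both fingerprints are populated only under `full`, which the code shows but the Param declarations do not mention. The enclosing method starts before the hunk.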
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 7ceec8eb4..dcadd54a1 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -514,6 +514,10 @@ class host(LDAPObject):
label=_('Fingerprint (SHA1)'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
+ Str('sha256_fingerprint',
+ label=_('Fingerprint (SHA256)'),
+ flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+ ),
Str('revocation_reason?',
label=_('Revocation reason'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 3349889e0..03271d685 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -276,6 +276,8 @@ def set_certificate_attrs(entry_attrs):
entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
cert.fingerprint(hashes.SHA1()))
+ entry_attrs['sha256_fingerprint'] = x509.to_hex_with_colons(
+ cert.fingerprint(hashes.SHA256()))
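Review bot: The new `entry_attrs['sha256_fingerprint']` line duplicates, character for character, the computation `x509.to_hex_with_colons(cert.fingerprint(hashes.SHA256()))` that this commit also adds to `BaseCertObject` in cert.py, just as the SHA-1 line above it already did. Any later change to the presentation (case, separator, a different digest) now has to be made in two places and the host, service and cert outputs can silently drift apart; a small shared helper in the x509 module that takes the hash class and returns the colon-separated hex string would keep them in step. `set_certificate_attrs` starts before the hunk.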
def check_required_principal(ldap, principal):
"""
@@ -506,6 +508,10 @@ class service(LDAPObject):
label=_('Fingerprint (SHA1)'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
+ Str('sha256_fingerprint',
+ label=_('Fingerprint (SHA256)'),
+ flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+ ),
Str('revocation_reason?',
label=_('Revocation reason'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index e9a962352..e4d6ee963 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -235,6 +235,7 @@ class TestCRUD(XMLRPC_test):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
subject=DN(('CN', api.env.host), x509.subject_base()),
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
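Review bot: The new `sha256_fingerprint=fuzzy_hash` expectation reuses the matcher written for the SHA-1 field, so if `fuzzy_hash` only checks for a colon-separated hex shape it would equally accept a 20-byte SHA-1 digest emitted under the SHA-256 name and never catch a wrong hash class. A length-aware matcher, e.g. a `fuzzy_sha256` built like `fuzzy_hash` but anchored to 32 colon-separated bytes, would pin the field to the algorithm it claims; the same applies to the seven `sha256_fingerprint=fuzzy_hash` lines added in test_service_plugin.py. The definition of `fuzzy_hash` is not in this diff, so this is inferred from its shared use.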
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index a2db6fccb..514ca5b26 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -466,6 +466,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
@@ -488,6 +489,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
@@ -524,6 +526,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
@@ -552,6 +555,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
@@ -576,6 +580,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1048704'],
ipakrbokasdelegate=True,
@@ -603,6 +608,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1048577'],
),
@@ -628,6 +634,7 @@ class test_service(Declarative):
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
sha1_fingerprint=fuzzy_hash,
+ sha256_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
krbticketflags=[u'1'],
ipakrbokasdelegate=False,
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index 9d25ae1d9..81aac9dff 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -27,6 +27,7 @@ class HostTracker(KerberosAliasMixin, Tracker):
'krbprincipalname', 'managedby_host',
'has_keytab', 'has_password', 'issuer',
'serial_number', 'serial_number_hex', 'sha1_fingerprint',
+ 'sha256_fingerprint',
'subject', 'usercertificate', 'valid_not_after', 'valid_not_before',
'macaddress', 'sshpubkeyfp', 'ipaallowedtoperform_read_keys_user',
'memberof_hostgroup', 'memberofindirect_hostgroup',
diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index 1accb6d6e..58b3be018 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -37,8 +37,8 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
u'dn', u'krbprincipalname', u'usercertificate', u'has_keytab',
u'ipakrbauthzdata', u'ipaallowedtoperform', u'subject',
u'managedby', u'serial_number', u'serial_number_hex', u'issuer',
- u'valid_not_before', u'valid_not_after',
- u'sha1_fingerprint', u'krbprincipalauthind', u'managedby_host',
+ u'valid_not_before', u'valid_not_after', u'sha1_fingerprint',
+ u'sha256_fingerprint', u'krbprincipalauthind', u'managedby_host',
u'krbcanonicalname'}
retrieve_all_keys = retrieve_keys | {
u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData',