325 raise error.Abort(_('%s certificate error: ' |
325 raise error.Abort(_('%s certificate error: ' |
326 'no certificate received') % host) |
326 'no certificate received') % host) |
327 |
327 |
328 # If a certificate fingerprint is pinned, use it and only it to |
328 # If a certificate fingerprint is pinned, use it and only it to |
329 # validate the remote cert. |
329 # validate the remote cert. |
330 peerfingerprint = util.sha1(peercert).hexdigest() |
330 peerfingerprints = { |
331 nicefingerprint = ":".join([peerfingerprint[x:x + 2] |
331 'sha1': util.sha1(peercert).hexdigest(), |
332 for x in xrange(0, len(peerfingerprint), 2)]) |
332 'sha256': util.sha256(peercert).hexdigest(), |
|
333 'sha512': util.sha512(peercert).hexdigest(), |
|
334 } |
|
335 nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2] |
|
336 for x in range(0, len(peerfingerprints['sha1']), 2)]) |
|
337 |
333 if settings['certfingerprints']: |
338 if settings['certfingerprints']: |
334 fingerprintmatch = False |
339 fingerprintmatch = False |
335 for hash, fingerprint in settings['certfingerprints']: |
340 for hash, fingerprint in settings['certfingerprints']: |
336 if peerfingerprint.lower() == fingerprint: |
341 if peerfingerprints[hash].lower() == fingerprint: |
337 fingerprintmatch = True |
342 fingerprintmatch = True |
338 break |
343 break |
339 if not fingerprintmatch: |
344 if not fingerprintmatch: |
340 raise error.Abort(_('certificate for %s has unexpected ' |
345 raise error.Abort(_('certificate for %s has unexpected ' |
341 'fingerprint %s') % (host, nicefingerprint), |
346 'fingerprint %s') % (host, nicefingerprint), |