Mercurial: mercurial/sslutil.py comparison

comparison mercurial/sslutil.py @ 29267:f0ccb6cde3e5

sslutil: allow fingerprints to be specified in [hostsecurity] We introduce the [hostsecurity] config section. It holds per-host security settings. Currently, the section only contains a "fingerprints" option, which behaves like [hostfingerprints] but supports specifying the hashing algorithm. There is still some follow-up work, such as changing some error messages.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Sat, 28 May 2016 12:37:36 -0700
parents	dfc4f08aa160
children	f200b58497f1

comparison

equal deleted inserted replaced

-:b3a677c82a35
+:f0ccb6cde3e5
 # SSLContext.load_verify_locations().
 'cafile': None,
 # ssl.CERT_* constant used by SSLContext.verify_mode.
 'verifymode': None,
 }
+# Look for fingerprints in [hostsecurity] section. Value is a list
+# of <alg>:<fingerprint> strings.
+fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
+[])
+for fingerprint in fingerprints:
+if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
+raise error.Abort(_('invalid fingerprint for %s: %s') % (
+hostname, fingerprint),
+hint=_('must begin with "sha1:", "sha256:", '
+'or "sha512:"'))
+alg, fingerprint = fingerprint.split(':', 1)
+fingerprint = fingerprint.replace(':', '').lower()
+s['certfingerprints'].append((alg, fingerprint))
 # Fingerprints from [hostfingerprints] are always SHA-1.
 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
 fingerprint = fingerprint.replace(':', '').lower()
 s['certfingerprints'].append(('sha1', fingerprint))

Mercurial > hg

comparison mercurial/sslutil.py @ 29267:f0ccb6cde3e5