changeset 29262:dfc4f08aa160
sslutil: calculate host fingerprints from additional algorithms

Currently, we only support defining host fingerprints with SHA-1.
A future patch will introduce support for defining fingerprints
using other hashing algorithms. In preparation for that, we
rewrite the fingerprint verification code to support multiple
fingerprints, namely SHA-256 and SHA-512 fingerprints.

We still only display the SHA-1 fingerprint. We'll have to revisit
this code once we support defining fingerprints with other hash
functions.

As part of this, I snuck in a change to use range() instead of
xrange() because xrange() isn't necessary for such small values.

author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sat, 28 May 2016 11:58:28 -0700 |
parents | 1eff545cef52 |
children | 817ee3cfe862 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 9 insertions(+), 4 deletions(-) |
--- a/mercurial/sslutil.py Sat May 28 12:57:28 2016 -0700 +++ b/mercurial/sslutil.py Sat May 28 11:58:28 2016 -0700 @@ -327,13 +327,18 @@ # If a certificate fingerprint is pinned, use it and only it to # validate the remote cert. - peerfingerprint = util.sha1(peercert).hexdigest() - nicefingerprint = ":".join([peerfingerprint[x:x + 2] - for x in xrange(0, len(peerfingerprint), 2)]) + peerfingerprints = { + 'sha1': util.sha1(peercert).hexdigest(), + 'sha256': util.sha256(peercert).hexdigest(), + 'sha512': util.sha512(peercert).hexdigest(), + } + nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2] + for x in range(0, len(peerfingerprints['sha1']), 2)]) + if settings['certfingerprints']: fingerprintmatch = False for hash, fingerprint in settings['certfingerprints']: - if peerfingerprint.lower() == fingerprint: + if peerfingerprints[hash].lower() == fingerprint: fingerprintmatch = True break if not fingerprintmatch:
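Review bot: In the `for hash, fingerprint in settings['certfingerprints']` loop, `peerfingerprints[hash]` raises a bare KeyError if a configured entry carries any algorithm name other than 'sha1', 'sha256' or 'sha512', so the dict keys and whatever populates `settings['certfingerprints']` now have to stay in sync. Either validate the algorithm name where the settings are built, or handle the unknown key here with an explicit abort that names the offending algorithm, so a bad entry fails closed with a readable message instead of a traceback. Two smaller points: `.lower()` on a `hexdigest()` result is a no-op since the digest is already lowercase, so the normalization that matters is on the configured `fingerprint` side, which is not visible in this hunk; and all three digests are computed before the `if settings['certfingerprints']:` check, even when nothing is pinned, with only 'sha1' used for `nicefingerprint`. A short comment noting that the displayed fingerprint is still SHA-1 by design would help the follow-up patch the commit message mentions.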