changeset 29262:dfc4f08aa160

sslutil: calculate host fingerprints from additional algorithms Currently, we only support defining host fingerprints with SHA-1. A future patch will introduce support for defining fingerprints using other hashing algorithms. In preparation for that, we rewrite the fingerprint verification code to support multiple fingerprints, namely SHA-256 and SHA-512 fingerprints. We still only display the SHA-1 fingerprint. We'll have to revisit this code once we support defining fingerprints with other hash functions. As part of this, I snuck in a change to use range() instead of xrange() because xrange() isn't necessary for such small values.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sat, 28 May 2016 11:58:28 -0700
parents 1eff545cef52
children 817ee3cfe862
files mercurial/sslutil.py
diffstat 1 files changed, 9 insertions(+), 4 deletions(-) [+]
--- a/mercurial/sslutil.py	Sat May 28 12:57:28 2016 -0700
+++ b/mercurial/sslutil.py	Sat May 28 11:58:28 2016 -0700
@@ -327,13 +327,18 @@
 
     # If a certificate fingerprint is pinned, use it and only it to
     # validate the remote cert.
-    peerfingerprint = util.sha1(peercert).hexdigest()
-    nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-        for x in xrange(0, len(peerfingerprint), 2)])
+    peerfingerprints = {
+        'sha1': util.sha1(peercert).hexdigest(),
+        'sha256': util.sha256(peercert).hexdigest(),
+        'sha512': util.sha512(peercert).hexdigest(),
+    }
+    nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
+        for x in range(0, len(peerfingerprints['sha1']), 2)])
+
     if settings['certfingerprints']:
         fingerprintmatch = False
         for hash, fingerprint in settings['certfingerprints']:
-            if peerfingerprint.lower() == fingerprint:
+            if peerfingerprints[hash].lower() == fingerprint:
                 fingerprintmatch = True
                 break
         if not fingerprintmatch:
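Review bot: The lookup `peerfingerprints[hash]` on the new `if` line raises a bare KeyError for any algorithm name in `settings['certfingerprints']` other than the three keys built above, so a mistyped or not-yet-supported algorithm in the config surfaces as a traceback rather than a clear configuration error; it fails closed, but the message will not tell the user what was wrong. Consider `peerfingerprint = peerfingerprints.get(hash)` followed by `if peerfingerprint is None: raise error.Abort(_('unsupported fingerprint algorithm: %s') % hash)` (or whichever error type the surrounding function already uses), and rename the loop variable since `hash` shadows the builtin. The `.lower()` on the computed hexdigest is redundant (hexdigest is already lowercase); what needs normalizing is the configured `fingerprint` value, presumably done wherever `certfingerprints` is parsed — worth confirming, since an upper-case pin would otherwise never match. The enclosing function starts before and continues after the hunk.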