Update TLS_CLIENT_HASH format

michael-lazar · Nov 30, 2020 · 8d384b4 · 8d384b4
1 parent 4ba3cc6
commit 8d384b4
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,12 @@
 - The server will stop redirecting the root URL "gemini://example.com" to
   "gemini://example.com/". These URLs are cannonically the same per the url RFC
   definition and should both return successful responses.
-
+- The CGI variable TLS_CLIENT_HASH now formats the certificate hash as
+  "SHA256:\<HASH\>" where \<HASH\> is uppercase hexidecimal. The old base64
+  fingerprint will still be available as TLS_CLIENT_HASH_B64 to help migrate
+  existing CGI scripts, but it's recommended that you support the new hash
+  format moving forward.
+
 ### v0.6.0 (2020-07-30)
 
 #### Bugfixes

diff --git a/README.md b/README.md
@@ -278,8 +278,8 @@ Additional CGI variables will be included only when the client connection uses a
 
 <dt>TLS_CLIENT_HASH</dt>
 <dd>
-  A base64-encoded fingerprint that can be used to uniquely identify the certificate.<br>
-  <em>Example: "hjQftIC/4zPDQ1MNdav5nRQ39pM482xoTIgxtjyZOpY="</em>
+  A SHA fingerprint that can be used to uniquely identify the certificate.<br>
+  <em>Example: "SHA256:86341FB480BFE333C343530D75ABF99D1437F69338F36C684C8831B63C993A96"</em>
 </dd>
 
 <dt>TLS_CLIENT_NOT_BEFORE</dt>

diff --git a/jetforce/protocol.py b/jetforce/protocol.py
@@ -211,6 +211,7 @@ def build_environ(self) -> typing.Dict[str, typing.Any]:
                     "AUTH_TYPE": "CERTIFICATE",
                     "REMOTE_USER": cert_data["common_name"],
                     "TLS_CLIENT_HASH": cert_data["fingerprint"],
+                    "TLS_CLIENT_HASH_B64": cert_data["fingerprint_b64"],
                     "TLS_CLIENT_NOT_BEFORE": cert_data["not_before"],
                     "TLS_CLIENT_NOT_AFTER": cert_data["not_after"],
                     "TLS_CLIENT_SERIAL_NUMBER": cert_data["serial_number"],

diff --git a/jetforce/tls.py b/jetforce/tls.py
@@ -23,7 +23,8 @@ def inspect_certificate(cert: x509) -> dict:
     common_name = name_attrs[0].value if name_attrs else ""
 
     fingerprint_bytes = cert.fingerprint(hashes.SHA256())
-    fingerprint = base64.urlsafe_b64encode(fingerprint_bytes).decode()
+    fingerprint = f"SHA256:{fingerprint_bytes.hex().zfill(64).upper()}"
+    fingerprint_b64 = base64.urlsafe_b64encode(fingerprint_bytes).decode()
 
     not_before = cert.not_valid_before.strftime("%Y-%m-%dT%H:%M:%SZ")
     not_after = cert.not_valid_after.strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -33,6 +34,7 @@ def inspect_certificate(cert: x509) -> dict:
     data = {
         "common_name": common_name,
         "fingerprint": fingerprint,
+        "fingerprint_b64": fingerprint_b64,
         "not_before": not_before,
         "not_after": not_after,
         "serial_number": serial_number,