Support for sha256 fingerprint.

Fixes #7628

src/common/config.py

@@ -354,6 +354,7 @@ class Config:
                     'warn_when_insecure_ssl_connection': [ opt_bool, True, _('Show a warning dialog before using standard SSL library.') ],
                     'warn_when_insecure_password': [ opt_bool, True, _('Show a warning dialog before sending PLAIN password over a plain connection.') ],
                     'ssl_fingerprint_sha1': [ opt_str, '', '', True ],
+                    'ssl_fingerprint_sha256': [ opt_str, '', '', True ],
                     'ignore_ssl_errors': [ opt_str, '', _('Space separated list of ssl errors to ignore.') ],
                     'use_srv': [ opt_bool, True, '', True ],
                     'use_custom_host': [ opt_bool, False, '', True ],

src/common/connection.py

@@ -1408,27 +1408,46 @@ class Connection(CommonConnection, ConnectionHandlers):
                 text += _('\nSSL Error: <b>%s</b>') % ssl_error[errnum]
             else:
                 text += _('\nUnknown SSL error: %d') % errnum
-            fingerprint = cert.digest('sha1').decode('utf-8')
+            fingerprint_sha1 = cert.digest('sha1').decode('utf-8')
+            fingerprint_sha256 = cert.digest('sha256').decode('utf-8')
             pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
                 cert).decode('utf-8')
             gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
                 error_text=text, error_num=errnum, cert=pem,
-                fingerprint=fingerprint, certificate=cert))
+                fingerprint_sha1=fingerprint_sha1,
+                fingerprint_sha256=fingerprint_sha256, certificate=cert))
             return True
         if cert:
-            fingerprint = cert.digest('sha1').decode('utf-8')
+            fingerprint_sha1 = cert.digest('sha1').decode('utf-8')
-            saved_fingerprint = gajim.config.get_per('accounts', self.name,
+            fingerprint_sha256 = cert.digest('sha256').decode('utf-8')
+            saved_fingerprint_sha1 = gajim.config.get_per('accounts', self.name,
                 'ssl_fingerprint_sha1')
-            if saved_fingerprint:
+            if saved_fingerprint_sha1:
                 # Check sha1 fingerprint
-                if fingerprint != saved_fingerprint:
+                if fingerprint_sha1 != saved_fingerprint_sha1:
                     gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
                         conn=self, certificate=cert,
-                        new_fingerprint=fingerprint))
+                        new_fingerprint_sha1=fingerprint_sha1,
+                        new_fingerprint_sha256=fingerprint_sha256))
                     return True
             else:
                 gajim.config.set_per('accounts', self.name,
-                    'ssl_fingerprint_sha1', fingerprint)
+                    'ssl_fingerprint_sha1', fingerprint_sha1)
+
+            saved_fingerprint_sha256 = gajim.config.get_per('accounts', self.name,
+                'ssl_fingerprint_sha256')
+            if saved_fingerprint_sha256:
+                # Check sha256 fingerprint
+                if fingerprint_sha256 != saved_fingerprint_sha256:
+                    gajim.nec.push_incoming_event(FingerprintErrorEvent(None,
+                        conn=self, certificate=con.Connection.ssl_certificate,
+                        new_fingerprint_sha1=fingerprint_sha1,
+                        new_fingerprint_sha256=fingerprint_sha256))
+                    return True
+            else:
+                gajim.config.set_per('accounts', self.name,
+                    'ssl_fingerprint_sha256', fingerprint_sha256)
+
             if not check_X509.check_certificate(cert, hostname) and \
             '100' not in gajim.config.get_per('accounts', self.name,
             'ignore_ssl_errors').split():
@@ -1439,7 +1458,8 @@ class Connection(CommonConnection, ConnectionHandlers):
                     hostname
                 gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
                     error_text=txt, error_num=100, cert=pem,
-                    fingerprint=fingerprint, certificate=cert))
+                    fingerprint_sha1=fingerprint_sha1,
+                    fingerprint_sha256=fingerprint_sha256, certificate=cert))
                 return True
 
         self._register_handlers(con, con_type)

src/common/connection_handlers_events.py

@@ -1639,12 +1639,14 @@ class NewAccountConnectedEvent(nec.NetworkIncomingEvent):
             self.ssl_msg = ssl_error.get(er, _('Unknown SSL error: %d') % \
                 self.errnum)
         self.ssl_cert = ''
-        self.ssl_fingerprint = ''
+        self.ssl_fingerprint_sha1 = ''
+        self.ssl_fingerprint_sha256 = ''
         if self.conn.connection.Connection.ssl_certificate:
             cert = self.conn.connection.Connection.ssl_certificate
             self.ssl_cert = OpenSSL.crypto.dump_certificate(
                 OpenSSL.crypto.FILETYPE_PEM, cert).decode('utf-8')
-            self.ssl_fingerprint = cert.digest('sha1').decode('utf-8')
+            self.ssl_fingerprint_sha1 = cert.digest('sha1').decode('utf-8')
+            self.ssl_fingerprint_sha256 = cert.digest('sha256').decode('utf-8')
         return True
 
 class NewAccountNotConnectedEvent(nec.NetworkIncomingEvent):

src/config.py

@@ -3784,7 +3784,9 @@ class AccountCreationWizardWindow:
                     f.write(self.ssl_cert + '\n\n')
                     f.close()
                     gajim.connections[self.account].new_account_info[
-                        'ssl_fingerprint_sha1'] = self.ssl_fingerprint
+                        'ssl_fingerprint_sha1'] = self.ssl_fingerprint_sha1
+                    gajim.connections[self.account].new_account_info[
+                        'ssl_fingerprint_sha256'] = self.ssl_fingerprint_sha256
             self.notebook.set_current_page(4) # show fom page
         elif cur_page == 4:
             if self.is_form:
@@ -3859,7 +3861,8 @@ class AccountCreationWizardWindow:
             self.forward_button.set_sensitive(False)
             self.notebook.set_current_page(4) # show form page
             return
-        self.ssl_fingerprint = obj.ssl_fingerprint
+        self.ssl_fingerprint_sha1 = obj.ssl_fingerprint_sha1
+        self.ssl_fingerprint_sha256 = obj.ssl_fingerprint_sha256
         self.ssl_cert = obj.ssl_cert
         if obj.ssl_msg:
             # An SSL warning occured, show it
@@ -3873,8 +3876,9 @@ class AccountCreationWizardWindow:
                 'hostname': hostname, 'error': obj.ssl_msg})
             if obj.errnum in (18, 27):
                 text = _('Add this certificate to the list of trusted '
-                    'certificates.\nSHA1 fingerprint of the certificate:\n%s') \
+                    'certificates.\nSHA1 fingerprint of the certificate:\n%s'
-                    % obj.ssl_fingerprint
+                    '\nSHA256 fingerprint of the certificate:\n%s') \
+                    % (obj.ssl_fingerprint_sha1, obj.ssl_fingerprint_sha256)
                 self.xml.get_object('ssl_checkbutton').set_label(text)
             else:
                 self.xml.get_object('ssl_checkbutton').set_no_show_all(True)

src/dialogs.py

@@ -5448,14 +5448,18 @@ Issued on: %(io)s
 Expires on: %(eo)s
 
 <b>Fingerprint</b>
-SHA1 Fingerprint: %(sha1)s''') % {
+SHA1 Fingerprint: %(sha1)s
+
+SHA256 Fingerprint: %(sha256)s
+''') % {
             'scn': subject.commonName, 'sorg': subject.organizationName,
             'sou': subject.organizationalUnitName,
             'sn': cert.get_serial_number(), 'icn': issuer.commonName,
             'iorg': issuer.organizationName,
             'iou': issuer.organizationalUnitName,
             'io': cert.get_notBefore(), 'eo': cert.get_notAfter(),
-            'sha1': cert.digest('sha1')})
+            'sha1': cert.digest('sha1'),
+            'sha256': cert.digest('sha256')})
         self.set_transient_for(parent)
         self.set_title(_('Certificate for account %s') % account)
 

src/gui_interface.py

@@ -1300,7 +1300,7 @@ class Interface:
             obj.exchange_items_list, obj.fjid)
 
     def handle_event_ssl_error(self, obj):
-        # ('SSL_ERROR', account, (text, errnum, cert, sha1_fingerprint))
+        # ('SSL_ERROR', account, (text, errnum, cert, sha1_fingerprint, sha256_fingerprint))
         account = obj.conn.name
         server = gajim.config.get_per('accounts', account, 'hostname')
 
@@ -1323,7 +1323,9 @@ class Interface:
                     f.write(obj.cert + '\n\n')
                     f.close()
             gajim.config.set_per('accounts', account, 'ssl_fingerprint_sha1',
-                obj.fingerprint)
+                obj.fingerprint_sha1)
+            gajim.config.set_per('accounts', account, 'ssl_fingerprint_sha256',
+                obj.fingerprint_sha256)
             if is_checked[1]:
                 ignore_ssl_errors = gajim.config.get_per('accounts', account,
                     'ignore_ssl_errors').split()
@@ -1344,8 +1346,9 @@ class Interface:
             'server?') % {'error': obj.error_text}
         if obj.error_num in (18, 27):
             checktext1 = _('Add this certificate to the list of trusted '
-            'certificates.\nSHA1 fingerprint of the certificate:\n%s') % \
+            'certificates.\nSHA1 fingerprint of the certificate:\n%s'
-            obj.fingerprint
+            '\nSHA256 fingerprint of the certificate:\n%s') % \
+            (obj.fingerprint_sha1, obj.fingerprint_sha256)
         else:
             checktext1 = ''
         checktext2 = _('Ignore this error for this certificate.')
@@ -1359,12 +1362,14 @@ class Interface:
             _('SSL Certificate Verification for %s') % account)
 
     def handle_event_fingerprint_error(self, obj):
-        # ('FINGERPRINT_ERROR', account, (new_fingerprint,))
+        # ('FINGERPRINT_ERROR', account, (new_fingerprint_sha1,new_fingerprint_sha256,))
         account = obj.conn.name
         def on_yes(is_checked):
             del self.instances[account]['online_dialog']['fingerprint_error']
             gajim.config.set_per('accounts', account, 'ssl_fingerprint_sha1',
-                obj.new_fingerprint)
+                obj.new_fingerprint_sha1)
+            gajim.config.set_per('accounts', account, 'ssl_fingerprint_sha256',
+                obj.new_fingerprint_sha256)
             # Reset the ignored ssl errors
             gajim.config.set_per('accounts', account, 'ignore_ssl_errors', '')
             obj.conn.ssl_certificate_accepted()
@@ -1377,11 +1382,16 @@ class Interface:
 
         pritext = _('SSL certificate error')
         sectext = _('It seems the SSL certificate of account %(account)s has '
-            'changed or your connection is being hacked.\nOld fingerprint: '
+            'changed or your connection is being hacked.\n\nOld SHA-1 fingerprint: '
-            '%(old)s\nNew fingerprint: %(new)s\n\nDo you still want to connect '
+            '%(old_sha1)s\nOld SHA-256 fingerprint: %(old_sha256)s\n\n'
+            'New SHA-1 fingerprint: %(new_sha1)s\nNew SHA-256 fingerprint: '
+            '%(new_sha256)s\n\nDo you still want to connect '
             'and update the fingerprint of the certificate?') % \
-            {'account': account, 'old': gajim.config.get_per('accounts',
+            {'account': account, 
-            account, 'ssl_fingerprint_sha1'), 'new': obj.new_fingerprint}
+            'old_sha1': gajim.config.get_per('accounts', account, 'ssl_fingerprint_sha1'),
+            'old_sha256': gajim.config.get_per('accounts', account, 'ssl_fingerprint_sha256'),
+            'new_sha1': obj.new_fingerprint_sha1,
+            'new_sha256': obj.new_fingerprint_sha256}
         if 'fingerprint_error' in self.instances[account]['online_dialog']:
             self.instances[account]['online_dialog']['fingerprint_error'].\
                 destroy()