Skip to content

CP-49116: Add Sha1 support to external_certificate_thumbprint_of_master. #5670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 2, 2024
Merged

CP-49116: Add Sha1 support to external_certificate_thumbprint_of_master. #5670

merged 1 commit into from
Jul 2, 2024

Conversation

snwoods
Copy link
Contributor

@snwoods snwoods commented Jun 3, 2024

CP-49116: Add Sha1 support to external_certificate_thumbprint_of_master.

This change meant that the pp_hash function needed to be moved from certificates.ml to helpers.ml to prevent a circular dependency.

@snwoods snwoods requested a review from mg12 June 3, 2024 21:03
@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch from 9cdb27a to b8182f0 Compare June 3, 2024 21:08
contificate
contificate reviewed Jun 4, 2024
View reviewed changes
lindig
lindig approved these changes Jun 4, 2024
View reviewed changes
psafont
psafont requested changes Jun 4, 2024
View reviewed changes
mg12
mg12 reviewed Jun 6, 2024
View reviewed changes
mg12
mg12 reviewed Jun 6, 2024
View reviewed changes
@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch 2 times, most recently from 23a6d5e to b80230a Compare June 27, 2024 10:57
psafont
psafont reviewed Jun 27, 2024
View reviewed changes
psafont
psafont reviewed Jun 27, 2024
View reviewed changes
psafont
psafont reviewed Jun 27, 2024
View reviewed changes
@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch from b80230a to 47e22b5 Compare June 27, 2024 14:59
psafont
psafont reviewed Jun 27, 2024
View reviewed changes
Copy link
Member

@psafont psafont left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks readonable now, have you tested it on a host?

@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch from 47e22b5 to ca4a63a Compare June 28, 2024 14:14
@snwoods
Copy link
Contributor Author

snwoods commented Jul 1, 2024
edited
Loading

This looks readonable now, have you tested it on a host?

Yep, it's all working, sha256 and sha1 are returned when there is a HOST_IS_SLAVE error and the appropriate header is given, and no header is returned otherwise, as shown below (where xrtmia-05-26 is slave and xrtmia-05-31 is master):

curl -H "x-xenapi-request-host-certificate-thumbprint: sha-256:master" -d @test-rpc -v http://xrtmia-05-26.xenrt.citrite.net/
< HTTP/1.1 200 OK
< x-xenapi-response-host-certificate-thumbprint: 9F:2A:02:73:50:2A:79:D3:3F:95:FB:AC:94:2D:7A:EB:A4:20:0A:99:5B:22:9A:97:DE:F4:44:5F:5D:FF:B0:C2
<?xml version="1.0"?><methodResponse><params><param><value><struct><member><name>Status</name><value>Failure</value></member><member><name>ErrorDescription</name><value><array><data><value>HOST_IS_SLAVE</value><value>10.62.49.31</value></data></array></value></member></struct></value></param></params></methodResponse>

curl -H "x-xenapi-request-host-certificate-thumbprint: sha-1:master" -d @test-rpc -v http://xrtmia-05-26.xenrt.citrite.net/
< HTTP/1.1 200 OK
< x-xenapi-response-host-certificate-thumbprint: 9C:09:F3:29:09:38:D4:4E:2F:9E:8F:74:11:C1:0A:62:F0:B7:82:39
<?xml version="1.0"?><methodResponse><params><param><value><struct><member><name>Status</name><value>Failure</value></member><member><name>ErrorDescription</name><value><array><data><value>HOST_IS_SLAVE</value><value>10.62.49.31</value></data></array></value></member></struct></value></param></params></methodResponse>

curl -H "x-xenapi-request-host-certificate-thumbprint: sha-123:master" -d @test-rpc -v http://xrtmia-05-26.xenrt.citrite.net/
< HTTP/1.1 200 OK
<?xml version="1.0"?><methodResponse><params><param><value><struct><member><name>Status</name><value>Failure</value></member><member><name>ErrorDescription</name><value><array><data><value>HOST_IS_SLAVE</value><value>10.62.49.31</value></data></array></value></member></struct></value></param></params></methodResponse>

curl -H "x-xenapi-request-host-certificate-thumbprint: sha-1:master" -d @test-rpc -v http://xrtmia-05-31.xenrt.citrite.net/
< HTTP/1.1 200 OK
<?xml version="1.0"?><methodResponse><params><param><value><struct><member><name>Status</name><value>Success</value></member><member><name>Value</name><value>OpaqueRef:ab8afd54-2aa1-dd69-d6eb-5c7d031ff26a</value></member></struct></value></param></params></methodResponse>

psafont
psafont reviewed Jul 1, 2024
View reviewed changes
@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch 2 times, most recently from 5b16918 to 72e5a74 Compare July 1, 2024 14:01
lindig
lindig approved these changes Jul 1, 2024
View reviewed changes
@snwoods
CP-49116: Replace fingerprint in certificate DB with sha256 and sha1
5e51f8e 
equivalents.

This allows support to be added to external_certificate_thumbprint_of_master for Sha1 fingerprints.

Signed-off-by: Steven Woods <steven.woods@citrix.com>
@snwoods snwoods force-pushed the private/stevenwo/CP-49116 branch from 72e5a74 to 5e51f8e Compare July 1, 2024 14:21
@snwoods snwoods merged commit f11657e into xapi-project:master Jul 2, 2024
14 checks passed
@snwoods snwoods deleted the private/stevenwo/CP-49116 branch July 2, 2024 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mg12 mg12 mg12 left review comments

@contificate contificate contificate left review comments

@lindig lindig lindig approved these changes

@psafont psafont psafont approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@snwoods @mg12 @lindig @psafont @contificate