Technically this doesn't matter, because it's client-side, but it's good habit.

This commit is contained in:
Itamar Turner-Trauring 2022-03-25 10:45:54 -04:00
parent be0ff08275
commit e50d88f46d

View File

@ -35,6 +35,7 @@ from .http_common import (
get_spki_hash, get_spki_hash,
) )
from .common import si_b2a from .common import si_b2a
from ..util.hashutil import timing_safe_compare
def _encode_si(si): # type: (bytes) -> str def _encode_si(si): # type: (bytes) -> str
@ -103,9 +104,8 @@ class _TLSContextFactory(CertificateOptions):
19, # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19, # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
) )
# TODO can we do this once instead of multiple times? # TODO can we do this once instead of multiple times?
if ( if errno in things_are_ok and timing_safe_compare(
errno in things_are_ok get_spki_hash(cert.to_cryptography()), expected_spki_hash
and get_spki_hash(cert.to_cryptography()) == expected_spki_hash
): ):
return 1 return 1
# TODO: log the details of the error, because otherwise they get # TODO: log the details of the error, because otherwise they get