Now use SHA256 for OCI IAM instance principal fingerprint

Author: connelly38

CHANGELOG.md

@@ -15,6 +15,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
     - nosqldb.Config.RateLimiterPercentage can control how much of a table's full limits this client handle can consume (default = 100%).
     - Result classes now have a GetRateLimitDelayed() method to return the amount of time an operation was delayed due to internal rate limiting.
 
+### Changed
+- Now uses SHA256 for OCI IAM instance principal fingerprint
+
 ## 1.2.1 - 2020-08-14
 
 ### Added

nosqldb/auth/iam/federation_client.go

@@ -237,7 +237,7 @@ func (client *authClient) Call(request *http.Request) (*http.Response, error) {
 func (c *x509FederationClient) KeyID() (string, error) {
 	tenancy := c.tenancyID
 	fingerprint := fingerprint(c.leafCertificateRetriever.Certificate())
-	return fmt.Sprintf("%s/fed-x509/%s", tenancy, fingerprint), nil
+	return fmt.Sprintf("%s/fed-x509-sha256/%s", tenancy, fingerprint), nil
 }
 
 // For authClient to sign requests to X509 Federation Endpoint
@@ -403,6 +403,8 @@ type x509FederationRequest struct {
 	Certificate              string   `json:"certificate,omitempty"`
 	IntermediateCertificates []string `json:"intermediateCertificates,omitempty"`
 	PublicKey                string   `json:"publicKey,omitempty"`
+	FingerprintAlgorithm     string   `json:"fingerprintAlgorithm,omitempty"`
+	Purpose                  string   `json:"purpose,omitempty"`
 }
 
 // type X509FederationRequest struct {
@@ -438,6 +440,8 @@ func (c *x509FederationClient) makeX509FederationRequest() *x509FederationReques
 		Certificate:              certificate,
 		IntermediateCertificates: intermediateCertificates,
 		PublicKey:                publicKey,
+		FingerprintAlgorithm:     `SHA256`,
+		Purpose:                  `DEFAULT`,
 		// },
 	}
 }

nosqldb/auth/iam/federation_client_test.go

@@ -21,9 +21,9 @@ import (
 func TestX509FederationClient_VeryFirstSecurityToken(t *testing.T) {
 	authServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Verify request
-		expectedKeyID := fmt.Sprintf("%s/fed-x509/%s", tenancyID, leafCertFingerprint)
+		expectedKeyID := fmt.Sprintf("%s/fed-x509-sha256/%s", tenancyID, leafCertFingerprint)
 		assert.True(t, strings.HasPrefix(r.Header.Get("Authorization"), fmt.Sprintf(`Signature version="1",headers="date (request-target) content-length content-type x-content-sha256",keyId="%s",algorithm="rsa-sha256",signature=`, expectedKeyID)))
-		expectedBody := fmt.Sprintf(`{"certificate":"%s","intermediateCertificates":["%s"],"publicKey":"%s"}`,
+		expectedBody := fmt.Sprintf(`{"certificate":"%s","intermediateCertificates":["%s"],"publicKey":"%s","fingerprintAlgorithm":"SHA256","purpose":"DEFAULT"}`,
 			leafCertBodyNoNewLine, intermediateCertBodyNoNewLine, sessionPublicKeyBodyNoNewLine)
 
 		var buf bytes.Buffer
@@ -72,10 +72,10 @@ func TestX509FederationClient_VeryFirstSecurityToken(t *testing.T) {
 func TestX509FederationClient_RenewSecurityToken(t *testing.T) {
 	authServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Verify request
-		expectedKeyID := fmt.Sprintf("%s/fed-x509/%s", tenancyID, leafCertFingerprint)
+		expectedKeyID := fmt.Sprintf("%s/fed-x509-sha256/%s", tenancyID, leafCertFingerprint)
 		assert.True(t, strings.HasPrefix(r.Header.Get("Authorization"), fmt.Sprintf(`Signature version="1",headers="date (request-target) content-length content-type x-content-sha256",keyId="%s",algorithm="rsa-sha256",signature=`, expectedKeyID)))
 
-		expectedBody := fmt.Sprintf(`{"certificate":"%s","intermediateCertificates":["%s"],"publicKey":"%s"}`,
+		expectedBody := fmt.Sprintf(`{"certificate":"%s","intermediateCertificates":["%s"],"publicKey":"%s","fingerprintAlgorithm":"SHA256","purpose":"DEFAULT"}`,
 			leafCertBodyNoNewLine, intermediateCertBodyNoNewLine, sessionPublicKeyBodyNoNewLine)
 		var buf bytes.Buffer
 		buf.ReadFrom(r.Body)
@@ -430,7 +430,12 @@ ysvMnQwaC0432ceRJ3r6vPAI2EPRd9KOE7Va1IFNJNmOuIkmRx8t`
 	//	certPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: newCertBytes})
 	//	return
 	//}
-	leafCertFingerprint  = `52:3c:9d:93:8b:b8:07:21:ce:36:30:98:ba:fc:e2:4a:bc:3a:2e:0b`
+
+	// old SHA-1 fingerprint
+	//leafCertFingerprint  = `52:3c:9d:93:8b:b8:07:21:ce:36:30:98:ba:fc:e2:4a:bc:3a:2e:0b`
+
+	// new SHA-256 fingerprint
+	leafCertFingerprint  = `0c:1e:d8:13:80:d4:30:cc:2c:62:13:57:2a:fe:d5:4e:75:be:54:32:59:12:8f:2f:96:78:f8:b1:f3:62:78:bc`
 	intermediateCertBody = `MIIC4TCCAcmgAwIBAgIRAK7jQKVEO6ssUBICuPw4OwQwDQYJKoZIhvcNAQELBQAw
 KjEoMCYGA1UEAxMfUEtJU1ZDIElkZW50aXR5IEludGVybWVkaWF0ZSByMjAeFw0x
 NzExMzAwMDE0MDhaFw0xODExMzAwMDE0MDhaMCoxKDAmBgNVBAMTH1BLSVNWQyBJ

nosqldb/auth/iam/helpers.go

@@ -6,7 +6,7 @@ package iam
 import (
 	"bytes"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -104,11 +104,11 @@ func extractTenancyIDFromCertificate(cert *x509.Certificate) string {
 }
 
 func fingerprint(certificate *x509.Certificate) string {
-	fingerprint := sha1.Sum(certificate.Raw)
+	fingerprint := sha256.Sum256(certificate.Raw)
 	return colonSeparatedString(fingerprint)
 }
 
-func colonSeparatedString(fingerprint [sha1.Size]byte) string {
+func colonSeparatedString(fingerprint [sha256.Size]byte) string {
 	spaceSeparated := fmt.Sprintf("% x", fingerprint)
 	return strings.Replace(spaceSeparated, " ", ":", -1)
 }

nosqldb/types/types.go

@@ -206,6 +206,7 @@ func (ttl TimeToLive) ToDuration() time.Duration {
 
 // ISO8601Layout represents the ISO 8601 format of Go's reference time.
 const ISO8601Layout = "2006-01-02T15:04:05.999999999"
+
 // ISO8601ZLayout includes literal "Z"
 const ISO8601ZLayout = "2006-01-02T15:04:05.999999999Z"