CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

Michael Lazar lazar.michael22 at gmail.com
Thu Jun 11 20:33:37 BST 2020


On Thu, Jun 11, 2020 at 1:37 PM solderpunk <solderpunk at sdf.org> wrote:
>
> On Wed, Jun 10, 2020 at 06:58:38PM -0400, Michael Lazar wrote:
>
> > Ok I'll walk that back. It's too late to make changes *unless* there's a good
> > reason to do so. I don't want to break CGI variables on a whim anymore, but if
> > we all agree on a standard then I will follow suit.
>
> You're not storing these hashes in some kind of database for
> Astrobotany?  Wouldn't changing how you calculate the TLS_CLIENT_HASH
> variable break a lot of accounts?

I am storing them in the database as base64-encoded strings. But it would not
be hard to convert between the two text formats as long as the fingerprint
bytes are the same. What we're discussing here (to my knowledge) is two
different text representations of the same SHA256 digest of the public x509
certificate DER [0][1]. That's the standard way to do certificate
fingerprinting from what I can tell.

Even if we do pick a different hashing algorithm for the CGI variable,
astrobotany is implemented as a jetforce "application" where the python code is
invoked directly inside the server's interpreter. So it has full access to the
raw client certificate and can generate whichever hash it needs. I think this
is similar to what GLV-1.12556 does with allowing custom Lua "handlers".

[0] https://github.com/michael-lazar/jetforce/blob/ea7d8c6f4cbc3db14f62c01bf12c375abfe98e7e/jetforce/tls.py#L25
[1] https://github.com/pyca/cryptography/blob/f5735cf25acd08222368a1db615bbf61d36b8007/src/cryptography/hazmat/backends/openssl/x509.py#L47
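An added example (not jetforce's or Astrobotany's own code) of what the thread means by two text representations of the same SHA-256 digest of the certificate DER: the digest bytes are computed once, rendered as hex (plain or colon-separated) or as base64, and either form parses back to the same bytes, so stored values can be converted without rehashing. The DER bytes below are a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for a client certificate's DER encoding (not a real
# certificate); only the hashing and text-encoding steps matter here.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint_bytes(der: bytes) -> bytes:
    """SHA-256 over the raw DER bytes: the fingerprint itself."""
    return hashlib.sha256(der).digest()


def to_hex(fp: bytes, sep: str = "") -> str:
    """Hex text form; sep=":" gives the openssl-style colon-separated layout."""
    h = fp.hex()
    return sep.join(h[i:i + 2] for i in range(0, len(h), 2)) if sep else h


def to_base64(fp: bytes) -> str:
    """Base64 text form, as Astrobotany stores it according to the message above."""
    return base64.b64encode(fp).decode("ascii")


def parse_fingerprint(text: str) -> bytes:
    """Accept either text form and return the 32 underlying digest bytes."""
    s = text.strip()
    compact = s.replace(":", "")
    if len(compact) == 64 and all(c in "0123456789abcdefABCDEF" for c in compact):
        return bytes.fromhex(compact)
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError(f"unrecognised fingerprint format: {text!r}")
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("decoded value is not a SHA-256 digest")
    return raw


def same_certificate(a: str, b: str) -> bool:
    """True when two textual fingerprints, in any supported form, denote the same bytes."""
    return parse_fingerprint(a) == parse_fingerprint(b)
```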
