remove support for HTTP public key pinning

mathiasertl · Aug 24, 2023 · 4f8ba27 · 4f8ba27
1 parent 46d3044
commit 4f8ba27
Show file tree

Hide file tree

Showing 13 changed files with 3 additions and 172 deletions.
diff --git a/ca/django_ca/admin.py b/ca/django_ca/admin.py
@@ -79,7 +79,7 @@
 from django_ca.querysets import CertificateQuerySet
 from django_ca.signals import post_issue_cert
 from django_ca.typehints import CRLExtensionType, X509CertMixinTypeVar
-from django_ca.utils import SERIAL_RE, add_colons, format_name
+from django_ca.utils import SERIAL_RE, add_colons
 
 log = logging.getLogger(__name__)
 
@@ -222,12 +222,6 @@ def has_delete_permission(self, request: HttpRequest, obj: Optional[models.Model
         # pylint: disable=missing-function-docstring,unused-argument; Django standard
         return False
 
-    def hpkp_pin(self, obj: X509CertMixinTypeVar) -> str:
-        """Property showing the HPKP bin (only adds a short description)."""
-        return obj.hpkp_pin
-
-    hpkp_pin.short_description = _("HPKP pin")  # type: ignore[attr-defined] # django standard
-
     @admin.display(description=_("Primary name"))
     def primary_name(self, obj: X509CertMixinTypeVar) -> "StrOrPromise":
         extensions = obj.x509_extensions
@@ -354,7 +348,6 @@ class CertificateAuthorityAdmin(CertificateMixin[CertificateAuthority], Certific
                     "serial_field",
                     "parent",
                     "issuer_field",
-                    "hpkp_pin",
                     "caa_identity",
                     "website",
                     "terms_of_service",
@@ -417,7 +410,6 @@ class CertificateAuthorityAdmin(CertificateMixin[CertificateAuthority], Certific
         "pub_pem",
         "parent",
         "expires",
-        "hpkp_pin",
     )
     x509_fieldset_index = 4
 
@@ -597,7 +589,6 @@ class CertificateAdmin(DjangoObjectActions, CertificateMixin[Certificate], Certi
         "revoked_date",
         "revoked_reason",
         "ca",
-        "hpkp_pin",
         "profile",
         "oid_2_5_29_17",  # SubjectAlternativeName
     ]
@@ -618,7 +609,6 @@ class CertificateAdmin(DjangoObjectActions, CertificateMixin[Certificate], Certi
                     "issuer_field",
                     ("expires", "autogenerated"),
                     "watchers",
-                    "hpkp_pin",
                     "profile",
                 ],
             },

diff --git a/ca/django_ca/forms.py b/ca/django_ca/forms.py
@@ -83,15 +83,6 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
             'Certificate bundle: <a href="%s?format=PEM">as PEM</a>'
         ) % (url, url, bundle_url)
 
-    class Meta:
-        help_texts = {
-            "hpkp_pin": _(
-                """SHA-256 HPKP pin of this certificate. See also
-<a href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning">HTTP Public Key Pinning</a>
-on Wikipedia."""
-            ),
-        }
-
 
 class CertificateAuthorityForm(X509CertMixinAdminForm):
     """Admin form for :py:class:`django_ca.models.CertificateAuthority`."""

diff --git a/ca/django_ca/management/base.py b/ca/django_ca/management/base.py
@@ -555,7 +555,6 @@ def output_header(self, cert: X509CertMixin) -> None:
         self.stdout.write(f"* Valid from: {cert.not_before.isoformat(' ')}")
         self.stdout.write(f"* Valid until: {cert.not_after.isoformat(' ')}")
         self.output_status(cert)
-        self.stdout.write(f"* HPKP pin: {cert.hpkp_pin}")
 
     def output_footer(self, cert: X509CertMixin, pem: bool, wrap: bool = True) -> None:
         """Output digest and PEM in footer."""

diff --git a/ca/django_ca/models.py b/ca/django_ca/models.py
@@ -16,7 +16,6 @@
 .. seealso:: https://docs.djangoproject.com/en/dev/topics/db/models/
 """
 
-import base64
 import hashlib
 import itertools
 import json
@@ -393,21 +392,6 @@ def get_revocation(self) -> x509.RevokedCertificate:
 
         return revoked_cert.build()
 
-    @property
-    def hpkp_pin(self) -> str:
-        """The HPKP public key pin for this certificate.
-
-        Inspired by https://github.com/luisgf/hpkp-python/blob/master/hpkp.py.
-
-        .. seealso:: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
-        """
-
-        public_key_raw = self.pub.loaded.public_key().public_bytes(
-            encoding=Encoding.DER, format=PublicFormat.SubjectPublicKeyInfo
-        )
-        public_key_hash = hashlib.sha256(public_key_raw).digest()
-        return base64.b64encode(public_key_hash).decode("utf-8")
-
     @property
     def issuer(self) -> x509.Name:
         """The certificate issuer field as :py:class:`~cg:cryptography.x509.Name`."""

diff --git a/ca/django_ca/static/django_ca/admin/css/base.css b/ca/django_ca/static/django_ca/admin/css/base.css
@@ -56,7 +56,6 @@ body.app-django_ca .django-ca-extension .django-ca-extension-value li {
  */
 table#result_list td.field-serial_field,
 div.field-serial_field div.readonly,
-div.field-hpkp_pin div.readonly,
 div.field-authority_key_identifier div.readonly p,
 body.app-django_ca .django-ca-serial,
 div.field-subject_key_identifier div.readonly

diff --git a/ca/django_ca/tests/base/__init__.py b/ca/django_ca/tests/base/__init__.py
@@ -135,7 +135,6 @@ def _load_pub(data: Dict[Any, Any]) -> PubDict:
     "valid_until": "2028-08-01 23:59:59",
     "ca": "root",
     "serial": "7DD9FE07CFA81EB7107967FBA78934C6",
-    "hpkp": "AjyBzOjnxk+pQtPBUEhwfTXZu1uH9PVExb8bxWQ68vo=",
     "md5": "A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9",
     "sha1": "85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F",
     "sha256": "83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B",  # noqa: E501
@@ -160,7 +159,6 @@ def _load_pub(data: Dict[Any, Any]) -> PubDict:
     "valid_until": "2019-01-24 23:59:59",
     "ca": "root",
     "serial": "92529ABD85F0A6A4D6C53FD1C91011C1",
-    "hpkp": "bkunFfRSda4Yhz7UlMUaalgj0Gcus/9uGVp19Hceczg=",
     "md5": "D6:76:03:E9:4F:3B:B0:F1:F7:E3:A1:40:80:8E:F0:4A",
     "sha1": "71:BD:B8:21:80:BD:86:E8:E5:F4:2B:6D:96:82:B2:EF:19:53:ED:D3",
     "sha256": "1D:8E:D5:41:E5:FF:19:70:6F:65:86:A9:A3:6F:DF:DE:F8:A0:07:22:92:71:9E:F1:CD:F8:28:37:39:02:E0:A1",  # NOQA

diff --git a/ca/django_ca/tests/commands/test_resign_cert.py b/ca/django_ca/tests/commands/test_resign_cert.py
@@ -53,7 +53,6 @@ def assertResigned(  # pylint: disable=invalid-name
         # assert various properties
         self.assertEqual(new_ca, new.ca)
         self.assertEqual(issuer, new.issuer)
-        self.assertEqual(old.hpkp_pin, new.hpkp_pin)
 
     def assertEqualExt(  # pylint: disable=invalid-name
         self, old: Certificate, new: Certificate, new_ca: Optional[CertificateAuthority] = None