diff --git a/doc/changelog.rst b/doc/changelog.rst index 23d5b2fc9e..14b257fdcc 100644 --- a/doc/changelog.rst +++ b/doc/changelog.rst @@ -10,10 +10,10 @@ PyMongo 4.17 brings a number of changes including: been deprecated and will be removed in PyMongo 5.0. These methods were deprecated in favor of the standard dictionary containment operator ``in`` and the ``keys()`` and ``values()`` methods, respectively. - - Added the :meth:`~pymongo.asynchronous.client_session.AsyncClientSession.bind` and :meth:`~pymongo.client_session.ClientSession.bind` methods that allow users to bind a session to all database operations within the scope of a context manager instead of having to explicitly pass the session to each individual operation. See for examples and more information. +- OCSP request certificate identifiers (CertID) now use the SHA-256 hashing algorithm instead of SHA-1. Changes in Version 4.16.0 (2026/01/07) -------------------------------------- diff --git a/pymongo/ocsp_support.py b/pymongo/ocsp_support.py index 41fdd7fda6..a0ec2c99aa 100644 --- a/pymongo/ocsp_support.py +++ b/pymongo/ocsp_support.py @@ -36,7 +36,7 @@ from cryptography.hazmat.primitives.asymmetric.x25519 import ( X25519PublicKey as _X25519PublicKey, ) -from cryptography.hazmat.primitives.hashes import SHA1 as _SHA1 +from cryptography.hazmat.primitives.hashes import SHA256 as _SHA256 from cryptography.hazmat.primitives.hashes import Hash as _Hash from cryptography.hazmat.primitives.serialization import Encoding as _Encoding from cryptography.hazmat.primitives.serialization import PublicFormat as _PublicFormat @@ -158,7 +158,7 @@ def _get_extension( def _public_key_hash(cert: Certificate) -> bytes: public_key = cert.public_key() # https://tools.ietf.org/html/rfc2560#section-4.2.1 - # "KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key + # "KeyHash ::= OCTET STRING -- SHA-256 hash of responder's public key # (excluding the tag and length fields)" # https://stackoverflow.com/a/46309453/600498 if isinstance(public_key, _RSAPublicKey): @@ -167,7 +167,7 @@ def _public_key_hash(cert: Certificate) -> bytes: pbytes = public_key.public_bytes(_Encoding.X962, _PublicFormat.UncompressedPoint) else: pbytes = public_key.public_bytes(_Encoding.DER, _PublicFormat.SubjectPublicKeyInfo) - digest = _Hash(_SHA1(), backend=_default_backend()) # noqa: S303 + digest = _Hash(_SHA256(), backend=_default_backend()) digest.update(pbytes) return digest.finalize() @@ -249,7 +249,7 @@ def _verify_response_signature(issuer: Certificate, response: OCSPResponse) -> i def _build_ocsp_request(cert: Certificate, issuer: Certificate) -> OCSPRequest: # https://cryptography.io/en/latest/x509/ocsp/#creating-requests builder = _OCSPRequestBuilder() - builder = builder.add_certificate(cert, issuer, _SHA1()) # noqa: S303 + builder = builder.add_certificate(cert, issuer, _SHA256()) return builder.build()