diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-07-06 12:21:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-07-06 12:21:46 +0200 |
| commit | 511253635a9b67396788d24bacafd237594e0e12 (patch) | |
| tree | 32a97fa2f6bf334f22d6a7e255f438af2777e3a8 /python/vyos/pki.py | |
| parent | 50b8d38abdb1525243a78896eff784744cfd5c44 (diff) | |
| parent | a5cd877a0a4a43644a6d91e6b95fe938b9b2726b (diff) | |
| download | vyos-1x-511253635a9b67396788d24bacafd237594e0e12.tar.gz vyos-1x-511253635a9b67396788d24bacafd237594e0e12.zip | |
Merge pull request #911 from sarthurdev/pki_san
pki: ipsec: T3642: T1210: T2816: Add SANs to generated certificates, more IPSec remote-access features and fixes
Diffstat (limited to 'python/vyos/pki.py')
| -rw-r--r-- | python/vyos/pki.py | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py index a575ac16a..1c6282d84 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import datetime +import ipaddress from cryptography import x509 from cryptography.exceptions import InvalidSignature @@ -112,7 +113,7 @@ def create_private_key(key_type, key_size=None): private_key = ec.generate_private_key(curve) return private_key -def create_certificate_request(subject, private_key): +def create_certificate_request(subject, private_key, subject_alt_names=[]): subject_obj = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, subject['country']), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject['state']), @@ -120,9 +121,20 @@ def create_certificate_request(subject, private_key): x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['organization']), x509.NameAttribute(NameOID.COMMON_NAME, subject['common_name'])]) - return x509.CertificateSigningRequestBuilder() \ - .subject_name(subject_obj) \ - .sign(private_key, hashes.SHA256()) + builder = x509.CertificateSigningRequestBuilder() \ + .subject_name(subject_obj) + + if subject_alt_names: + alt_names = [] + for obj in subject_alt_names: + if isinstance(obj, ipaddress.IPv4Address) or isinstance(obj, ipaddress.IPv6Address): + alt_names.append(x509.IPAddress(obj)) + elif isinstance(obj, str): + alt_names.append(x509.DNSName(obj)) + if alt_names: + builder = builder.add_extension(x509.SubjectAlternativeName(alt_names), critical=False) + + return builder.sign(private_key, hashes.SHA256()) def add_key_identifier(ca_cert): try: @@ -166,7 +178,7 @@ def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_t builder = builder.add_extension(add_key_identifier(ca_cert), critical=False) for ext in cert_req.extensions: - builder = builder.add_extension(ext, critical=False) + builder = builder.add_extension(ext.value, critical=False) return builder.sign(ca_private_key, hashes.SHA256()) |