From b123b46f2e2a674cef3fffb4fc56082f2b1136d6 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sun, 4 Jul 2021 21:37:33 +0200 Subject: pki: T3642: Add standard extensions to generated certificates --- python/vyos/pki.py | 17 ++++++++++++++--- src/op_mode/pki.py | 6 +++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/python/vyos/pki.py b/python/vyos/pki.py index 80efe26b2..a575ac16a 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -124,7 +124,14 @@ def create_certificate_request(subject, private_key): .subject_name(subject_obj) \ .sign(private_key, hashes.SHA256()) -def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_type='server', is_ca=False): +def add_key_identifier(ca_cert): + try: + ski_ext = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier) + return x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value) + except: + return x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()) + +def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_type='server', is_ca=False, is_sub_ca=False): ext_key_usage = [] if is_ca: ext_key_usage = [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH] @@ -141,8 +148,7 @@ def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_t .not_valid_before(datetime.datetime.utcnow()) \ .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=int(valid_days))) - builder = builder.add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True) - builder = builder.add_extension(x509.ExtendedKeyUsage(ext_key_usage), critical=True) + builder = builder.add_extension(x509.BasicConstraints(ca=is_ca, path_length=0 if is_sub_ca else None), critical=True) builder = builder.add_extension(x509.KeyUsage( digital_signature=True, content_commitment=False, @@ -153,6 +159,11 @@ def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_t crl_sign=is_ca, encipher_only=False, decipher_only=False), critical=True) + builder = builder.add_extension(x509.ExtendedKeyUsage(ext_key_usage), critical=False) + builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(cert_req.public_key()), critical=False) + + if not is_ca or is_sub_ca: + builder = builder.add_extension(add_key_identifier(ca_cert), critical=False) for ext in cert_req.extensions: builder = builder.add_extension(ext, critical=False) diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index d84aa2618..d7bb0d6ae 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -276,12 +276,12 @@ def generate_certificate_request(private_key=None, key_type=None, return_request print(encode_certificate(cert_req) + "\n") install_certificate(name, private_key=private_key, key_type=key_type, key_passphrase=passphrase, is_ca=False) -def generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False): +def generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False, is_sub_ca=False): valid_days = ask_input('Enter how many days certificate will be valid:', default='365' if not is_ca else '1825', numeric_only=True) cert_type = None if not is_ca: cert_type = ask_input('Enter certificate type: (client, server)', default='server', valid_responses=['client', 'server']) - return create_certificate(cert_req, ca_cert, ca_private_key, valid_days, cert_type, is_ca) + return create_certificate(cert_req, ca_cert, ca_private_key, valid_days, cert_type, is_ca, is_sub_ca) def generate_ca_certificate(name, install=False): private_key, key_type = generate_private_key() @@ -347,7 +347,7 @@ def generate_ca_certificate_sign(name, ca_name, install=False): print("Invalid certificate request") return None - cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=True) + cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=True, is_sub_ca=True) passphrase = ask_passphrase() if not install: -- cgit v1.2.3