summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorNataliia Solomko <natalirs1985@gmail.com>2026-05-13 17:10:46 +0300
committerNataliia Solomko <natalirs1985@gmail.com>2026-05-13 19:52:04 +0300
commit0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd (patch)
treedfffa8e236e36681903bf0402b8d867b1eed99ec /python
parent1dd997d724449e941c6bf42be98529372d9f1530 (diff)
downloadvyos-1x-0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd.tar.gz
vyos-1x-0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd.zip
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and CRL Number extensions required by strongSwan for certificate revocation validation. Without these extensions, strongSwan silently ignores the CRL, allowing revoked certificates to authenticate successfully. The migration regenerates existing CRLs for all CAs that have a private key available. CAs with passphrase-protected keys are skipped with a warning, as the passphrase cannot be provided non-interactively
Diffstat (limited to 'python')
-rw-r--r--python/vyos/pki.py11
1 files changed, 10 insertions, 1 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 4598c5daa..17fa97223 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -207,7 +207,16 @@ def create_certificate_revocation_list(ca_cert, ca_private_key, serial_numbers=[
builder = x509.CertificateRevocationListBuilder() \
.issuer_name(ca_cert.subject) \
.last_update(datetime.datetime.today()) \
- .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0))
+ .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) \
+ .add_extension(add_key_identifier(ca_cert), critical=False) \
+ .add_extension(
+ x509.CRLNumber(
+ int(
+ datetime.datetime.now(datetime.timezone.utc).timestamp() * 1_000_000
+ )
+ ),
+ critical=False,
+ )
for serial_number in serial_numbers:
revoked_cert = x509.RevokedCertificateBuilder() \