diff options
| author | Nataliia Solomko <natalirs1985@gmail.com> | 2026-05-13 17:10:46 +0300 |
|---|---|---|
| committer | Nataliia Solomko <natalirs1985@gmail.com> | 2026-05-13 19:52:04 +0300 |
| commit | 0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd (patch) | |
| tree | dfffa8e236e36681903bf0402b8d867b1eed99ec /python | |
| parent | 1dd997d724449e941c6bf42be98529372d9f1530 (diff) | |
| download | vyos-1x-0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd.tar.gz vyos-1x-0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd.zip | |
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/pki.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py index 4598c5daa..17fa97223 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -207,7 +207,16 @@ def create_certificate_revocation_list(ca_cert, ca_private_key, serial_numbers=[ builder = x509.CertificateRevocationListBuilder() \ .issuer_name(ca_cert.subject) \ .last_update(datetime.datetime.today()) \ - .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) + .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) \ + .add_extension(add_key_identifier(ca_cert), critical=False) \ + .add_extension( + x509.CRLNumber( + int( + datetime.datetime.now(datetime.timezone.utc).timestamp() * 1_000_000 + ) + ), + critical=False, + ) for serial_number in serial_numbers: revoked_cert = x509.RevokedCertificateBuilder() \ |
