Compare commits
32 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
|
d270246030 | ||
|
548f2ef935 | ||
|
bf5e92b161 | ||
|
|
7faeea4dee | ||
|
|
1b2d56b090 | ||
|
|
888381edf8 | ||
| 335c0b425d | |||
| 9210c1eb06 | |||
|
|
758ff91e3d | ||
| 09830c201e | |||
|
|
bb8bd7a21d | ||
| e7f0c5f65d | |||
|
|
d41b430602 | ||
| f6da47d308 | |||
| 8729bbe2c0 | |||
|
|
4f6112c02b | ||
| c2d45b9828 | |||
|
|
bb0990f49e | ||
| 91a571c843 | |||
|
|
95ae89d8be | ||
|
62408d85ba | ||
|
75815b3135 | ||
|
|
470ac40f02 | ||
|
|
11cb80bfd7 | ||
| a1a681bb5c | |||
|
|
7380db970e | ||
|
|
c27168bf87 | ||
|
|
c1f708c416 | ||
|
|
a463f7601c | ||
|
|
1e88d735b7 | ||
| a154ab5611 | |||
| 3ebdbbaf64 |
@ -1,96 +0,0 @@
|
||||
From 84e347d9221e304f0158330e5101d23969d424d0 Mon Sep 17 00:00:00 2001
|
||||
From: Illia Volochii <illia.volochii@gmail.com>
|
||||
Date: Wed, 27 Mar 2024 11:45:41 +0000
|
||||
Subject: [PATCH 1/3] Add AKI to child CA certificates
|
||||
|
||||
---
|
||||
src/trustme/__init__.py | 14 +++++++++++---
|
||||
tests/test_trustme.py | 5 +++++
|
||||
2 files changed, 16 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
|
||||
index 5fb24fb..0db1bb0 100644
|
||||
--- a/src/trustme/__init__.py
|
||||
+++ b/src/trustme/__init__.py
|
||||
@@ -250,14 +250,22 @@ def __init__(
|
||||
sign_key = parent_cert._private_key
|
||||
parent_certificate = parent_cert._certificate
|
||||
issuer = parent_certificate.subject
|
||||
-
|
||||
- self._certificate = (
|
||||
+ ski_ext = parent_certificate.extensions.get_extension_for_class(
|
||||
+ x509.SubjectKeyIdentifier)
|
||||
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value)
|
||||
+ else:
|
||||
+ aki = None
|
||||
+ cert_builder = (
|
||||
_cert_builder_common(name, issuer, self._private_key.public_key())
|
||||
.add_extension(
|
||||
x509.BasicConstraints(ca=True, path_length=path_length),
|
||||
critical=True,
|
||||
)
|
||||
- .add_extension(
|
||||
+ )
|
||||
+ if aki:
|
||||
+ cert_builder = cert_builder.add_extension(aki, critical=False)
|
||||
+ self._certificate = (
|
||||
+ cert_builder.add_extension(
|
||||
x509.KeyUsage(
|
||||
digital_signature=True, # OCSP
|
||||
content_commitment=False,
|
||||
diff --git a/tests/test_trustme.py b/tests/test_trustme.py
|
||||
index 1d901ad..581716e 100644
|
||||
--- a/tests/test_trustme.py
|
||||
+++ b/tests/test_trustme.py
|
||||
@@ -200,6 +200,11 @@ def test_intermediate() -> None:
|
||||
assert_is_ca(child_ca_cert)
|
||||
assert child_ca_cert.issuer == ca_cert.subject
|
||||
assert _path_length(child_ca_cert) == 8
|
||||
+ aki = child_ca_cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
|
||||
+ assert aki.critical is False
|
||||
+ expected_aki_key_id = ca_cert.extensions.get_extension_for_class(
|
||||
+ x509.SubjectKeyIdentifier).value.digest
|
||||
+ assert aki.value.key_identifier == expected_aki_key_id
|
||||
|
||||
child_server = child_ca.issue_cert("test-host.example.org")
|
||||
assert len(child_server.cert_chain_pems) == 2
|
||||
|
||||
From f507a28e0f4d97d63716aa5a81669bb747235f07 Mon Sep 17 00:00:00 2001
|
||||
From: Illia Volochii <illia.volochii@gmail.com>
|
||||
Date: Wed, 27 Mar 2024 12:02:59 +0000
|
||||
Subject: [PATCH 2/3] Fix a typing issue
|
||||
|
||||
---
|
||||
src/trustme/__init__.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
|
||||
index 0db1bb0..d126180 100644
|
||||
--- a/src/trustme/__init__.py
|
||||
+++ b/src/trustme/__init__.py
|
||||
@@ -246,6 +246,7 @@ def __init__(
|
||||
)
|
||||
issuer = name
|
||||
sign_key = self._private_key
|
||||
+ aki: Optional[x509.AuthorityKeyIdentifier]
|
||||
if parent_cert is not None:
|
||||
sign_key = parent_cert._private_key
|
||||
parent_certificate = parent_cert._certificate
|
||||
|
||||
From cdd2fd61aae9c92f902932bacd6b39189ecde4b1 Mon Sep 17 00:00:00 2001
|
||||
From: Illia Volochii <illia.volochii@gmail.com>
|
||||
Date: Wed, 27 Mar 2024 12:09:38 +0000
|
||||
Subject: [PATCH 3/3] Add a news entry
|
||||
|
||||
---
|
||||
newsfragments/642.bugfix.rst | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
create mode 100644 newsfragments/642.bugfix.rst
|
||||
|
||||
diff --git a/newsfragments/642.bugfix.rst b/newsfragments/642.bugfix.rst
|
||||
new file mode 100644
|
||||
index 0000000..9d75e7a
|
||||
--- /dev/null
|
||||
+++ b/newsfragments/642.bugfix.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Add the Authority Key Identifier extension to child CA certificates.
|
||||
@ -1,17 +0,0 @@
|
||||
Author: Bernhard M. Wiedemann <bwiedemann suse de>
|
||||
Date: 2023-01-14
|
||||
Subject: Fix tests of python-aiosmtplib after 2038
|
||||
|
||||
Index: trustme-1.0.0/src/trustme/__init__.py
|
||||
===================================================================
|
||||
--- trustme-1.0.0.orig/src/trustme/__init__.py
|
||||
+++ trustme-1.0.0/src/trustme/__init__.py
|
||||
@@ -37,7 +37,7 @@ __all__ = ["CA"]
|
||||
# Some versions of cryptography on 32-bit platforms fail if you give
|
||||
# them dates after ~2038-01-19:
|
||||
# https://github.com/pyca/cryptography/pull/4658
|
||||
-DEFAULT_EXPIRY = datetime.datetime(2038, 1, 1)
|
||||
+DEFAULT_EXPIRY = datetime.datetime(2098, 1, 1)
|
||||
|
||||
def _name(name: str, organization_name: Optional[str] = None, common_name: Optional[str] = None) -> x509.Name:
|
||||
name_pieces = [
|
||||
BIN
trustme-1.1.0.tar.gz
(Stored with Git LFS)
BIN
trustme-1.1.0.tar.gz
(Stored with Git LFS)
Binary file not shown.
Loading…
Reference in New Issue
Block a user