Commit 03807a53 authored by Vincent Pelletier's avatar Vincent Pelletier

caucase.ca: Add Authority Key Identifier extension in produced CRLs.

This extension is required by rfc5280 (see section 5.2.1) but was
overlooked.
parent 256f9455
...@@ -744,9 +744,10 @@ class CertificateAuthority(object): ...@@ -744,9 +744,10 @@ class CertificateAuthority(object):
crl_pem = self._storage.getCertificateRevocationList() crl_pem = self._storage.getCertificateRevocationList()
if crl_pem is None: if crl_pem is None:
ca_key_pair = self._getCurrentCAKeypair() ca_key_pair = self._getCurrentCAKeypair()
ca_crt = ca_key_pair['crt']
now = datetime.datetime.utcnow() now = datetime.datetime.utcnow()
crl = x509.CertificateRevocationListBuilder( crl = x509.CertificateRevocationListBuilder(
issuer_name=ca_key_pair['crt'].issuer, issuer_name=ca_crt.issuer,
last_update=now, last_update=now,
next_update=now + self._crl_life_time, next_update=now + self._crl_life_time,
extensions=[ extensions=[
...@@ -756,6 +757,14 @@ class CertificateAuthority(object): ...@@ -756,6 +757,14 @@ class CertificateAuthority(object):
), ),
critical=False, # "MUST mark this extension as non-critical" critical=False, # "MUST mark this extension as non-critical"
), ),
Extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
ca_crt.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier,
).value,
),
critical=False, # No mention in RFC5280 5.2.1
),
], ],
revoked_certificates=[ revoked_certificates=[
x509.RevokedCertificateBuilder( x509.RevokedCertificateBuilder(
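Review bot: The `critical=False` comment on the new AuthorityKeyIdentifier extension says RFC 5280 5.2.1 is silent, but the extension's own definition in section 4.2.1.1 states "Conforming CAs MUST mark this extension as non-critical", so the comment should cite that instead: `critical=False, # RFC5280 4.2.1.1: "MUST mark this extension as non-critical"`. Separately, `ca_crt.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)` raises `x509.ExtensionNotFound` when the CA certificate carries no SKI, so CRL generation would now fail for such a CA; if every CA certificate caucase produces or accepts is guaranteed to carry one this is fine, otherwise deriving the identifier from the signing key (`x509.AuthorityKeyIdentifier.from_issuer_public_key(...)`) or catching `ExtensionNotFound` would remove that dependency — whether the guarantee exists is not visible in this hunk. The enclosing method begins before the first hunk and continues past the last one.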