https://github.com/python/cpython/commit/744caa8ef42ab67c6aa20cd691e078721e72e22a
commit: 744caa8ef42ab67c6aa20cd691e078721e72e22a
branch: main
author: Petr Viktorin <[email protected]>
committer: encukou <[email protected]>
date: 2024-10-07T17:37:52+02:00
summary:

gh-120762: make_ssl_certs: Don't set extensions for the temporary CSR (GH-125045)

gh-120762: make_ssl_certs: Don't set extensions for the CSR

`openssl req` fails with openssl 3.2.2 because the config line

    authorityKeyIdentifier = keyid:always,issuer:always

is not supported for certificate signing requests (since the issuing
certificate authority is not known).

David von Oheimb, the OpenSSL dev that made the change, commented in:
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 :

> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in https://github.com/openssl/openssl/pull/16865.

(I assume `-x505` is a typo for `-x509`.)

In our `make_cert_key` function:

If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
  omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
  fails on it.)
- The extensions are passed to the `ca` call later in the function.
  There they take effect, and `authorityKeyIdentifier` is valid.

If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
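The split the commit describes (CSR without `-extensions`, extensions applied where the issuer is known) as an added, runnable illustration. This is not CPython's `make_ssl_certs.py` and not part of the commit; the config text, the section names `v3_req`/`v3_ca`/`v3_leaf` and the helper names are constructed for the example. `sign_with_aki` signs with `openssl x509 -req -extfile/-extensions` rather than `openssl ca`, since it needs no CA database; `csr_with_aki_returncode` reproduces the pre-fix command shape (`req -new` plus `-extensions` on a section that carries `authorityKeyIdentifier`) and returns OpenSSL's exit status, which depends on the installed version, so it is reported rather than asserted on.

```python
"""Added example, not CPython's make_ssl_certs.py: keep authorityKeyIdentifier
out of the CSR step and apply it when the issuer signs.
Assumptions: CONFIG and the section names v3_req/v3_ca/v3_leaf are constructed
for this example; the openssl invocations are standard req / x509 -req usage."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed config: authorityKeyIdentifier only appears in the section that is
# applied at signing time (v3_leaf), never in a section meant for a CSR.
CONFIG = """\
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = localhost

[ v3_req ]
subjectAltName = DNS:localhost

[ v3_ca ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = DNS:localhost
"""


def req_args(config, key_file, out_file, ext, self_signed):
    """Build `openssl req` arguments. `-extensions` is only passed together
    with `-x509`; a CSR never gets it (the same split as the fix)."""
    args = ["req", "-new", "-nodes", "-newkey", "rsa:2048",
            "-keyout", str(key_file), "-config", str(config)]
    if self_signed:
        args += ["-extensions", ext, "-x509", "-days", "1"]
    return args + ["-out", str(out_file)]


def section_lines(config_text, name):
    """Return the non-comment lines of one `[ name ]` section of the config."""
    lines, active = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            active = stripped.strip("[] ") == name
        elif active and stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def csr_section_ok(config_text, name):
    """True if a section can be applied to a CSR: it names no extension that
    needs the issuer (authorityKeyIdentifier is what OpenSSL 3.2.2 rejects)."""
    return not any(line.split("=")[0].strip() == "authorityKeyIdentifier"
                   for line in section_lines(config_text, name))


def run(*args, cwd):
    return subprocess.run(["openssl", *args], cwd=cwd,
                          capture_output=True, text=True)


def sign_with_aki(workdir):
    """CA -> CSR (no -extensions) -> leaf signed with v3_leaf. Returns True if
    the leaf carries an Authority Key Identifier, None when openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    wd = Path(workdir)
    (wd / "openssl.cnf").write_text(CONFIG)
    # 1. self-signed CA: -extensions is valid here because -x509 is given
    ca = run(*req_args("openssl.cnf", "ca.key", "ca.pem", "v3_ca", True),
             "-subj", "/CN=demo-ca", cwd=wd)
    # 2. CSR: no -extensions at all, as in the fixed script
    csr = run(*req_args("openssl.cnf", "leaf.key", "leaf.csr", None, False), cwd=wd)
    # 3. signing step: the issuer is known, so authorityKeyIdentifier is valid
    leaf = run("x509", "-req", "-in", "leaf.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
               "-CAcreateserial", "-days", "1", "-extfile", "openssl.cnf",
               "-extensions", "v3_leaf", "-out", "leaf.pem", cwd=wd)
    if any(p.returncode != 0 for p in (ca, csr, leaf)):
        return False
    text = run("x509", "-in", "leaf.pem", "-noout", "-text", cwd=wd).stdout
    return "Authority Key Identifier" in text


def csr_with_aki_returncode(workdir):
    """Pre-fix shape: `req -new` with -extensions on a section that holds
    authorityKeyIdentifier. Exit status depends on the OpenSSL version
    (the commit reports failure on 3.2.2); None when openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    wd = Path(workdir)
    (wd / "openssl.cnf").write_text(CONFIG)
    bad = run("req", "-new", "-nodes", "-newkey", "rsa:2048", "-keyout", "bad.key",
              "-config", "openssl.cnf", "-extensions", "v3_leaf", "-out", "bad.csr",
              cwd=wd)
    return bad.returncode


def demo():
    with tempfile.TemporaryDirectory() as d:
        return {"leaf_has_aki": sign_with_aki(d),
                "csr_with_aki_rc": csr_with_aki_returncode(d)}


if __name__ == "__main__":
    print(demo())
```

`csr_section_ok` is the check worth running over a generated config before handing a section to `req -new`: it catches exactly the line the commit message quotes, `authorityKeyIdentifier = keyid:always,issuer:always`, independent of which OpenSSL version happens to be installed.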

files:
M Lib/test/certdata/make_ssl_certs.py

diff --git a/Lib/test/certdata/make_ssl_certs.py 
b/Lib/test/certdata/make_ssl_certs.py
index 48f980124e1198..198c64035c5044 100644
--- a/Lib/test/certdata/make_ssl_certs.py
+++ b/Lib/test/certdata/make_ssl_certs.py
@@ -139,7 +139,6 @@ def make_cert_key(cmdlineargs, hostname, sign=False, 
extra_san='',
             f.write(req)
         args = ['req', '-new', '-nodes', '-days', cmdlineargs.days,
                 '-newkey', key, '-keyout', key_file,
-                '-extensions', ext,
                 '-config', req_file]
         if sign:
             with tempfile.NamedTemporaryFile(delete=False) as f:
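Review bot: removing `-extensions` from the shared argument list only fixes the CSR path if the request config written at `f.write(req)` does not also point at that section via a `req_extensions` directive in its `[req]` section, because `openssl req -new` applies `req_extensions` even without `-extensions`; worth confirming in the template. While here, `'-days', cmdlineargs.days` could move to the `-x509` branch together with `-extensions`, since `req` only uses `-days` when it generates a certificate with `-x509`.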
@@ -148,7 +147,7 @@ def make_cert_key(cmdlineargs, hostname, sign=False, 
extra_san='',
             args += ['-out', reqfile ]
 
         else:
-            args += ['-x509', '-out', cert_file ]
+            args += ['-extensions', ext, '-x509', '-out', cert_file ]
         check_call(['openssl'] + args)
 
         if sign:
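Review bot: a one-line comment next to `args += ['-extensions', ext, '-x509', '-out', cert_file ]` would record why `-extensions` now lives only in the self-signed branch (old OpenSSL ignores it without `-x509`, OpenSSL 3.2.2 rejects `authorityKeyIdentifier` in a CSR); without it a later cleanup could hoist the option back into the shared list and reintroduce the failure. The `authorityKeyIdentifier = keyid:always,issuer:always` entry in `ext` is fine on this branch, as the issuer of a self-signed certificate is the certificate itself.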
