diff options
| author | Petr Viktorin <encukou@gmail.com> | 2024-10-07 15:37:52 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-07 15:37:52 (GMT) |
| commit | 744caa8ef42ab67c6aa20cd691e078721e72e22a (patch) | |
| tree | 98b5893a79918751da3061510e1de7f5b8780f67 | |
| parent | da071fa3e8e01e0cacf13d632aae0835a2203eb2 (diff) | |
| download | cpython-744caa8ef42ab67c6aa20cd691e078721e72e22a.zip cpython-744caa8ef42ab67c6aa20cd691e078721e72e22a.tar.gz cpython-744caa8ef42ab67c6aa20cd691e078721e72e22a.tar.bz2 | |
gh-120762: make_ssl_certs: Don't set extensions for the temporary CSR (GH-125045)
gh-120762: make_ssl_certs: Don't set extensions for the CSR
`openssl req` fails with openssl 3.2.2 because the config line
authorityKeyIdentifier = keyid:always,issuer:always
is not supported for certificate signing requests (since the issuing
certificate authority is not known).
David von Oheimb, the OpenSSL dev that made the change, commented in:
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 :
> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in https://github.com/openssl/openssl/pull/16865.
(I assume `-x505` is a typo for `-x509`.)
In our `make_cert_key` function:
If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
fails on it.)
- The extensions are passed to the `ca` call later in the function.
There they take effect, and `authorityKeyIdentifier` is valid.
If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
| -rw-r--r-- | Lib/test/certdata/make_ssl_certs.py | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/Lib/test/certdata/make_ssl_certs.py b/Lib/test/certdata/make_ssl_certs.py index 48f9801..198c640 100644 --- a/Lib/test/certdata/make_ssl_certs.py +++ b/Lib/test/certdata/make_ssl_certs.py @@ -139,7 +139,6 @@ def make_cert_key(cmdlineargs, hostname, sign=False, extra_san='', f.write(req) args = ['req', '-new', '-nodes', '-days', cmdlineargs.days, '-newkey', key, '-keyout', key_file, - '-extensions', ext, '-config', req_file] if sign: with tempfile.NamedTemporaryFile(delete=False) as f: @@ -148,7 +147,7 @@ def make_cert_key(cmdlineargs, hostname, sign=False, extra_san='', args += ['-out', reqfile ] else: - args += ['-x509', '-out', cert_file ] + args += ['-extensions', ext, '-x509', '-out', cert_file ] check_call(['openssl'] + args) if sign: |