ca: Do not use a 128bits OID arc for caucase iternal use

Many software packages do not support 128 bits arcs in OIDs (see
https://misc.daniel-marschall.de/asn.1/oid_facts.html#chap4), use a
registered OID instead.

Original OID is still recognised, but not included in new certificates.
TODO: test that renewal of a legacy-style auto-issued certificate is given
the new extension, and that original one is stripped.

caucase/ca.py

@@ -415,14 +415,17 @@ class CertificateAuthority(object):
         # Caller is asking us to let all through, so do this.
         policy_list = certificate_policies.value
       else:
-        # Prevent any caucase extension from being smuggled, especiall the
+        # Prevent any caucase extension from being smuggled, especially the
         # "auto-signed" one...
-        policy_list = [
-          x for x in certificate_policies.value
-          if not x.policy_identifier.dotted_string.startswith(
-            utils.CAUCASE_OID_TOP,
-          )
-        ]
+        policy_list = []
+        for policy in certificate_policies.value:
+          startswith = policy.policy_identifier.dotted_string.startswith
+          if (
+            startswith(utils.CAUCASE_LEGACY_OID_TOP) or # BBB
+            startswith(utils.CAUCASE_OID_TOP)
+          ):
+            continue
+          policy_list.append(policy)
         if auto_signed == _AUTO_SIGNED_YES:
           # ...but do add auto-signed extension if we are auto-signing.
           policy_list.append(utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED)

caucase/test.py

@@ -1281,6 +1281,10 @@ class CaucaseTest(unittest.TestCase):
       x509.IPAddress(ipaddress.IPv6Network(u'::/64')),
     ])
     requested_policies = x509.CertificatePolicies([
+      x509.PolicyInformation(
+        x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
+        None,
+      ),
       x509.PolicyInformation(
         x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED),
         None,

caucase/utils.py

@@ -55,7 +55,8 @@ del _checkDefaultDigestsAvailable
 
 _cryptography_backend = default_backend()
 
-# Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft tree for open source project)
+# Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft
+# tree for open source project: https://oidplus.viathinksoft.com )
 CAUCASE_OID_TOP = '1.3.6.1.4.1.37476.9000.70.0'
 CAUCASE_OID_AUTO_SIGNED = CAUCASE_OID_TOP + '.0'
 # Reserved for tests: no meaning, always stripped but never specificaly
@@ -71,6 +72,25 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
     ),
   ]
 )
+# Registration-less OID under 2.25 tree (aka uuid tree)
+# Sadly, many implementations break when encountering 128-bits OIDs, making
+# these certificates difficult to use.
+CAUCASE_LEGACY_OID_TOP = '2.25.285541874270823339875695650038637483517'
+CAUCASE_LEGACY_OID_AUTO_SIGNED = CAUCASE_LEGACY_OID_TOP + '.0'
+CAUCASE_LEGACY_OID_RESERVED = CAUCASE_LEGACY_OID_TOP + '.999'
+_CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
+  CAUCASE_LEGACY_OID_AUTO_SIGNED,
+)
+CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
+  _CAUCASE_LEGACY_OID_AUTO_SIGNED,
+  [
+    x509.UserNotice(
+      None,
+      'Auto-signed caucase certificate',
+    ),
+  ]
+)
+
 
 def isCertificateAutoSigned(crt):
   """
@@ -90,7 +110,10 @@ def isCertificateAutoSigned(crt):
     pass
   else:
     for policy_information in extension.value:
-      if policy_information.policy_identifier == _CAUCASE_OID_AUTO_SIGNED:
+      if policy_information.policy_identifier in (
+        _CAUCASE_OID_AUTO_SIGNED,
+        _CAUCASE_LEGACY_OID_AUTO_SIGNED, # BBB
+      ):
         return True
   return False