Commit 5e8308b4 authored by Vincent Pelletier's avatar Vincent Pelletier Committed by Łukasz Nowak

ca: Do not use a 128-bit OID arc for caucase internal use

Many software packages do not support 128 bits arcs in OIDs (see
https://misc.daniel-marschall.de/asn.1/oid_facts.html#chap4), use a
registered OID instead.

Original OID is still recognised, but not included in new certificates.
TODO: test that renewal of a legacy-style auto-issued certificate is given
the new extension, and that original one is stripped.
parent 2fea00e9
...@@ -415,14 +415,17 @@ class CertificateAuthority(object): ...@@ -415,14 +415,17 @@ class CertificateAuthority(object):
# Caller is asking us to let all through, so do this. # Caller is asking us to let all through, so do this.
policy_list = certificate_policies.value policy_list = certificate_policies.value
else: else:
# Prevent any caucase extension from being smuggled, especiall the # Prevent any caucase extension from being smuggled, especially the
# "auto-signed" one... # "auto-signed" one...
policy_list = [ policy_list = []
x for x in certificate_policies.value for policy in certificate_policies.value:
if not x.policy_identifier.dotted_string.startswith( startswith = policy.policy_identifier.dotted_string.startswith
utils.CAUCASE_OID_TOP, if (
) startswith(utils.CAUCASE_LEGACY_OID_TOP) or # BBB
] startswith(utils.CAUCASE_OID_TOP)
):
continue
policy_list.append(policy)
if auto_signed == _AUTO_SIGNED_YES: if auto_signed == _AUTO_SIGNED_YES:
# ...but do add auto-signed extension if we are auto-signing. # ...but do add auto-signed extension if we are auto-signing.
policy_list.append(utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED) policy_list.append(utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED)
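Review bot: The prefix test on `dotted_string` has no arc boundary, so `startswith(utils.CAUCASE_LEGACY_OID_TOP)` would in principle also match an unrelated arc whose first component merely begins with the same digits (a longer number under `2.25`), and the same applies to `utils.CAUCASE_OID_TOP`. A policy matching such an arc would be dropped rather than smuggled, so this is a correctness rather than a bypass concern, but an exact-or-child match is cheap: `dotted = policy.policy_identifier.dotted_string` followed by `if any(dotted == top or dotted.startswith(top + '.') for top in (utils.CAUCASE_LEGACY_OID_TOP, utils.CAUCASE_OID_TOP)): continue`. The bare `# BBB` marker would read better as `# BBB: legacy 2.25 arc, still stripped so it cannot be smuggled`. The enclosing method continues beyond both ends of the hunk.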
...@@ -1281,6 +1281,10 @@ class CaucaseTest(unittest.TestCase): ...@@ -1281,6 +1281,10 @@ class CaucaseTest(unittest.TestCase):
x509.IPAddress(ipaddress.IPv6Network(u'::/64')), x509.IPAddress(ipaddress.IPv6Network(u'::/64')),
]) ])
requested_policies = x509.CertificatePolicies([ requested_policies = x509.CertificatePolicies([
x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
None,
),
x509.PolicyInformation( x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED), x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED),
None, None,
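Review bot: The assertion that the legacy reserved policy is stripped from the issued certificate is not visible in this hunk; if the existing check only looks for the absence of `utils.CAUCASE_OID_RESERVED`, it should also assert that no policy with `utils.CAUCASE_LEGACY_OID_RESERVED` survives, otherwise the legacy-stripping branch added in ca.py is not actually exercised by this test. The `requested_policies` list continues past the end of the hunk.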
...@@ -55,7 +55,8 @@ del _checkDefaultDigestsAvailable ...@@ -55,7 +55,8 @@ del _checkDefaultDigestsAvailable
_cryptography_backend = default_backend() _cryptography_backend = default_backend()
# Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft tree for open source project) # Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft
# tree for open source project: https://oidplus.viathinksoft.com )
CAUCASE_OID_TOP = '1.3.6.1.4.1.37476.9000.70.0' CAUCASE_OID_TOP = '1.3.6.1.4.1.37476.9000.70.0'
CAUCASE_OID_AUTO_SIGNED = CAUCASE_OID_TOP + '.0' CAUCASE_OID_AUTO_SIGNED = CAUCASE_OID_TOP + '.0'
# Reserved for tests: no meaning, always stripped but never specificaly # Reserved for tests: no meaning, always stripped but never specificaly
...@@ -71,6 +72,25 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation( ...@@ -71,6 +72,25 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
), ),
] ]
) )
# Registration-less OID under 2.25 tree (aka uuid tree)
# Sadly, many implementations break when encountering 128-bits OIDs, making
# these certificates difficult to use.
CAUCASE_LEGACY_OID_TOP = '2.25.285541874270823339875695650038637483517'
CAUCASE_LEGACY_OID_AUTO_SIGNED = CAUCASE_LEGACY_OID_TOP + '.0'
CAUCASE_LEGACY_OID_RESERVED = CAUCASE_LEGACY_OID_TOP + '.999'
_CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
CAUCASE_LEGACY_OID_AUTO_SIGNED,
)
CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
_CAUCASE_LEGACY_OID_AUTO_SIGNED,
[
x509.UserNotice(
None,
'Auto-signed caucase certificate',
),
]
)
def isCertificateAutoSigned(crt): def isCertificateAutoSigned(crt):
""" """
...@@ -90,7 +110,10 @@ def isCertificateAutoSigned(crt): ...@@ -90,7 +110,10 @@ def isCertificateAutoSigned(crt):
pass pass
else: else:
for policy_information in extension.value: for policy_information in extension.value:
if policy_information.policy_identifier == _CAUCASE_OID_AUTO_SIGNED: if policy_information.policy_identifier in (
_CAUCASE_OID_AUTO_SIGNED,
_CAUCASE_LEGACY_OID_AUTO_SIGNED, # BBB
):
return True return True
return False return False
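Review bot: The meaning of `# BBB` on the legacy branch of `isCertificateAutoSigned` is not spelled out, and nothing in the hunk says how long the legacy 2.25 arc must keep being recognised; a comment such as `# BBB: certificates issued before the move to the registered arc carry the 2.25 marker; keep accepting it until they have all expired or been renewed` would give the next maintainer a removal criterion. The same applies to the new constants block above (`CAUCASE_LEGACY_OID_TOP` onward), whose header comment describes the 2.25 tree but does not state that the arc is legacy and no longer emitted in new certificates. `CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED` is defined but not referenced in any visible hunk; if it exists only so tests can build legacy-style certificates, say so next to it. The function body starts before the hunk.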