Commit b9ae4f73 authored by Łukasz Nowak's avatar Łukasz Nowak

Simpler OID in generated certificates with migration

Many software packages do not support 128 bits arcs in OIDs (see
https://misc.daniel-marschall.de/asn.1/oid_facts.html#chap4), use a
registered OID instead, which is:

OID 1.3.6.1.4.1.37476.9000.70.0 is for Caucase (https://oidref.com/1.3.6.1.4.1.37476.9000.70.0).

Original OID is automatically migrated to the new OID.

Mix of work by Vincent Pelletier <vincent@nexedi.com> and
Thomas Gambier <thomas.gambier@nexedi.com> finished by
Lukasz Nowak <luke@nexedi.com>
parent 7a737172
......@@ -411,11 +411,25 @@ class CertificateAuthority(object):
critical=False, # (no recommendations)
)
else:
if auto_signed == _AUTO_SIGNED_PASSTHROUGH:
# Caller is asking us to let all through, so do this.
policy_list = certificate_policies.value
else:
# Prevent any caucase extension from being smuggled, especiall the
policy_list = []
for policy in certificate_policies.value:
if policy.policy_identifier.dotted_string.startswith(
utils.CAUCASE_LEGACY_OID_TOP
):
# Always migrate CAUCASE_LEGACY_OID_TOP to CAUCASE_OID_TOP
# by copying current policy and replacing its prefix to the new
# OID prefix
identifier_suffix = policy.policy_identifier.dotted_string[
len(utils.CAUCASE_LEGACY_OID_TOP):
]
policy = x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_OID_TOP + identifier_suffix),
policy.policy_qualifiers,
)
policy_list.append(policy)
if auto_signed != _AUTO_SIGNED_PASSTHROUGH:
# Prevent any caucase extension from being smuggled, especially the
# "auto-signed" one...
policy_list = [
x for x in certificate_policies.value
......
......@@ -55,8 +55,9 @@ del _checkDefaultDigestsAvailable
_cryptography_backend = default_backend()
# Registration-less OID under 2.25 tree (aka uuid tree)
CAUCASE_OID_TOP = '2.25.285541874270823339875695650038637483517'
# Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft
# tree for open source project: https://oidplus.viathinksoft.com )
CAUCASE_OID_TOP = '1.3.6.1.4.1.37476.9000.70.0'
CAUCASE_OID_AUTO_SIGNED = CAUCASE_OID_TOP + '.0'
# Reserved for tests: no meaning, always stripped but never specificaly
# checked for in the code.
......@@ -71,6 +72,15 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
),
]
)
# Registration-less OID under 2.25 tree (aka uuid tree)
# Sadly, many implementations break when encountering 128-bits OIDs, making
# these certificates difficult to use.
CAUCASE_LEGACY_OID_TOP = '2.25.285541874270823339875695650038637483517'
CAUCASE_LEGACY_OID_AUTO_SIGNED = CAUCASE_LEGACY_OID_TOP + '.0'
_CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
CAUCASE_LEGACY_OID_AUTO_SIGNED,
)
def isCertificateAutoSigned(crt):
"""
......@@ -90,7 +100,10 @@ def isCertificateAutoSigned(crt):
pass
else:
for policy_information in extension.value:
if policy_information.policy_identifier == _CAUCASE_OID_AUTO_SIGNED:
if policy_information.policy_identifier in (
_CAUCASE_OID_AUTO_SIGNED,
_CAUCASE_LEGACY_OID_AUTO_SIGNED, # BBB
):
return True
return False
......
  • Simpler OID in generated certificates with migration

    Please reuse the first line of my commit message, to follow the pattern used in this repository.

    , which is:

    OID 1.3.6.1.4.1.37476.9000.70.0 is for Caucase (https://oidref.com/1.3.6.1.4.1.37476.9000.70.0).

    This just duplicates what is already visible in the patch, I think it is superfluous.

    Original OID is automatically migrated to the new OID.

    I would expand a tiny bit this sentence:

    Certificates emitted using the legacy OID are migrated to the new OID on renewal.
  • Also, is there a reason to not include the few test lines I added in my patch ?

  • I did the changes to the commit message.

    Also, is there a reason to not include the few test lines I added in my patch ?

    From this commit: 5e8308b4 ?

    I might cleaned up too much while removing not needed parts of our joint work. I am resurrecting this change.

Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment