WIP: ca: Migrate to new registered OID

WIP: Add test covering this migration.

WIP: ca: Migrate to new registered OID
WIP: Add test covering this migration.
bdf0703d · Łukasz Nowak · 5e8308b4 · bdf0703d · bdf0703d
Commit bdf0703d authored Apr 30, 2019 by Łukasz Nowak
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 8 deletions

caucase/ca.py caucase/ca.py +20 -8

caucase/test.py caucase/test.py +7 -0

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -411,18 +411,30 @@ class CertificateAuthority(object):
          critical=False, # (no recommendations)
        )
    else:
-      if auto_signed == _AUTO_SIGNED_PASSTHROUGH:
-        # Caller is asking us to let all through, so do this.
-        policy_list = certificate_policies.value
-      else:
+      policy_list = []
+      for policy in certificate_policies.value:
+        if policy.policy_identifier.dotted_string.startswith(
+          utils.CAUCASE_LEGACY_OID_TOP
+        ):
+          # Always migrate CAUCASE_LEGACY_OID_TOP to CAUCASE_OID_TOP
+          # by copying current policy and replacing its prefix to the new
+          # OID prefix
+          identifier_suffix = policy.policy_identifier.dotted_string[
+            len(utils.CAUCASE_LEGACY_OID_TOP):
+          ]
+          policy = x509.PolicyInformation(
+            x509.oid.ObjectIdentifier(utils.CAUCASE_OID_TOP + identifier_suffix),
+            policy.policy_qualifiers,
+          )
+        policy_list.append(policy)
+
+      if auto_signed != _AUTO_SIGNED_PASSTHROUGH:
        # Prevent any caucase extension from being smuggled, especially the
        # "auto-signed" one...
        policy_list = []
        for policy in certificate_policies.value:
-          startswith = policy.policy_identifier.dotted_string.startswith
-          if (
-            startswith(utils.CAUCASE_LEGACY_OID_TOP) or # BBB
-            startswith(utils.CAUCASE_OID_TOP)
+          if policy.policy_identifier.dotted_string.startswith(
+            utils.CAUCASE_OID_TOP
          ):
            continue
          policy_list.append(policy)

--- a/caucase/test.py
+++ b/caucase/test.py
@@ -1201,6 +1201,13 @@ class CaucaseTest(unittest.TestCase):
    )
    self.assertRaises(TypeError, self._createFirstUser)

+  def testCRTMigration(self):
+    """
+    Verify that cetificates generated with CAUCASE_LEGACY_OID_TOP are correctly
+    migrated to CAUCASE_OID_TOP during their renewal
+    """
+    raise NotImplementedError
+
  def testCSRFiltering(self):
    """
    Verify that requester cannot get any extension or extension value they