caucase.ca: Add Authority Key Identifier extension in produced CRLs.

This extension is required by rfc5280 (see section 5.2.1) but was overlooked.

caucase.ca: Add Authority Key Identifier extension in produced CRLs.
This extension is required by rfc5280 (see section 5.2.1) but was overlooked.
03807a53 · Vincent Pelletier · 256f9455 · 03807a53
Commit 03807a53 authored Jan 29, 2021 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

caucase/ca.py caucase/ca.py +10 -1

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -744,9 +744,10 @@ class CertificateAuthority(object):
    crl_pem = self._storage.getCertificateRevocationList()
    if crl_pem is None:
      ca_key_pair = self._getCurrentCAKeypair()
+      ca_crt = ca_key_pair['crt']
      now = datetime.datetime.utcnow()
      crl = x509.CertificateRevocationListBuilder(
-        issuer_name=ca_key_pair['crt'].issuer,
+        issuer_name=ca_crt.issuer,
        last_update=now,
        next_update=now + self._crl_life_time,
        extensions=[
@@ -756,6 +757,14 @@ class CertificateAuthority(object):
            ),
            critical=False, # "MUST mark this extension as non-critical"
          ),
+          Extension(
+            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+              ca_crt.extensions.get_extension_for_class(
+                x509.SubjectKeyIdentifier,
+              ).value,
+            ),
+            critical=False, # No mention in RFC5280 5.2.1
+          ),
        ],
        revoked_certificates=[
          x509.RevokedCertificateBuilder(