Commit 03807a53 authored by Vincent Pelletier's avatar Vincent Pelletier

caucase.ca: Add Authority Key Identifier extension in produced CRLs.

This extension is required by rfc5280 (see section 5.2.1) but was
overlooked.
parent 256f9455
Pipeline #13361 passed with stage
in 0 seconds
......@@ -744,9 +744,10 @@ class CertificateAuthority(object):
crl_pem = self._storage.getCertificateRevocationList()
if crl_pem is None:
ca_key_pair = self._getCurrentCAKeypair()
ca_crt = ca_key_pair['crt']
now = datetime.datetime.utcnow()
crl = x509.CertificateRevocationListBuilder(
issuer_name=ca_key_pair['crt'].issuer,
issuer_name=ca_crt.issuer,
last_update=now,
next_update=now + self._crl_life_time,
extensions=[
......@@ -756,6 +757,14 @@ class CertificateAuthority(object):
),
critical=False, # "MUST mark this extension as non-critical"
),
Extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
ca_crt.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier,
).value,
),
critical=False, # No mention in RFC5280 5.2.1
),
],
revoked_certificates=[
x509.RevokedCertificateBuilder(
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment