ca: Do not use a 128bits OID arc for caucase internal use

Many software packages do not support 128 bits arcs in OIDs (see
https://misc.daniel-marschall.de/asn.1/oid_facts.html#chap4), use a
registered OID instead.

Certificates emitted using the legacy OID are migrated to the new OID on
renewal.

Mix of work by Vincent Pelletier <vincent@nexedi.com> and
Thomas Gambier <thomas.gambier@nexedi.com> finished by
Lukasz Nowak <luke@nexedi.com>

caucase/ca.py

@@ -411,14 +411,28 @@ class CertificateAuthority(object):
           critical=False, # (no recommendations)
         )
     else:
-      if auto_signed == _AUTO_SIGNED_PASSTHROUGH:
-        # Caller is asking us to let all through, so do this.
-        policy_list = certificate_policies.value
-      else:
-        # Prevent any caucase extension from being smuggled, especiall the
+      policy_list = []
+      for policy in certificate_policies.value:
+        if policy.policy_identifier.dotted_string.startswith(
+          utils.CAUCASE_LEGACY_OID_TOP
+        ):
+          # Always migrate CAUCASE_LEGACY_OID_TOP to CAUCASE_OID_TOP
+          # by copying current policy and replacing its prefix to the new
+          # OID prefix
+          identifier_suffix = policy.policy_identifier.dotted_string[
+            len(utils.CAUCASE_LEGACY_OID_TOP):
+          ]
+          policy = x509.PolicyInformation(
+            x509.oid.ObjectIdentifier(utils.CAUCASE_OID_TOP + identifier_suffix),
+            policy.policy_qualifiers,
+          )
+        policy_list.append(policy)
+
+      if auto_signed != _AUTO_SIGNED_PASSTHROUGH:
+        # Prevent any caucase extension from being smuggled, especially the
         # "auto-signed" one...
         policy_list = [
-          x for x in certificate_policies.value
+          x for x in policy_list
           if not x.policy_identifier.dotted_string.startswith(
             utils.CAUCASE_OID_TOP,
           )

caucase/test.py

@@ -1281,6 +1281,10 @@ class CaucaseTest(unittest.TestCase):
       x509.IPAddress(ipaddress.IPv6Network(u'::/64')),
     ])
     requested_policies = x509.CertificatePolicies([
+      x509.PolicyInformation(
+        x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
+        None,
+      ),
       x509.PolicyInformation(
         x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED),
         None,

caucase/utils.py

@@ -55,8 +55,9 @@ del _checkDefaultDigestsAvailable
 
 _cryptography_backend = default_backend()
 
-# Registration-less OID under 2.25 tree (aka uuid tree)
-CAUCASE_OID_TOP = '2.25.285541874270823339875695650038637483517'
+# Registration-less OID under 1.3.6.1.4.1.37476.9000 tree (aka ViaThinkSoft
+# tree for open source project: https://oidplus.viathinksoft.com )
+CAUCASE_OID_TOP = '1.3.6.1.4.1.37476.9000.70.0'
 CAUCASE_OID_AUTO_SIGNED = CAUCASE_OID_TOP + '.0'
 # Reserved for tests: no meaning, always stripped but never specificaly
 # checked for in the code.
@@ -71,6 +72,16 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
     ),
   ]
 )
+# Registration-less OID under 2.25 tree (aka uuid tree)
+# Sadly, many implementations break when encountering 128-bits OIDs, making
+# these certificates difficult to use.
+CAUCASE_LEGACY_OID_TOP = '2.25.285541874270823339875695650038637483517'
+CAUCASE_LEGACY_OID_AUTO_SIGNED = CAUCASE_LEGACY_OID_TOP + '.0'
+CAUCASE_LEGACY_OID_RESERVED = CAUCASE_LEGACY_OID_TOP + '.999'
+_CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
+  CAUCASE_LEGACY_OID_AUTO_SIGNED,
+)
+
 
 def isCertificateAutoSigned(crt):
   """
@@ -90,7 +101,10 @@ def isCertificateAutoSigned(crt):
     pass
   else:
     for policy_information in extension.value:
-      if policy_information.policy_identifier == _CAUCASE_OID_AUTO_SIGNED:
+      if policy_information.policy_identifier in (
+        _CAUCASE_OID_AUTO_SIGNED,
+        _CAUCASE_LEGACY_OID_AUTO_SIGNED, # BBB
+      ):
         return True
   return False