Merge "Add nsCertType and ExtendedKey usage extensions to CertGenerator"

2015-01-13 04:14:20 +00:00 · 2015-01-13 04:14:20 +00:00 · 53529188d0
commit 53529188d0
parent 58f3770848 19856c014e
2 changed files with 37 additions and 0 deletions
--- a/octavia/certificates/generator/local.py
+++ b/octavia/certificates/generator/local.py
@ -17,12 +17,14 @@ import os

 from OpenSSL import crypto
 from oslo.config import cfg
+import six

 from octavia.certificates.generator import cert_gen
 from octavia.common import exceptions
 from octavia.i18n import _LE, _LI
 from octavia.openstack.common import log as logging

+
 LOG = logging.getLogger(__name__)

 CONF = cfg.CONF
@ -94,12 +96,27 @@ class LocalCertGenerator(cert_gen.CertGenerator):
            lo_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)

            new_cert = crypto.X509()
+            new_cert.set_version(2)
            new_cert.set_serial_number(LocalCertGenerator._new_serial())
            new_cert.gmtime_adj_notBefore(0)
            new_cert.gmtime_adj_notAfter(validity)
            new_cert.set_issuer(lo_cert.get_subject())
            new_cert.set_subject(lo_req.get_subject())
            new_cert.set_pubkey(lo_req.get_pubkey())
+            exts = [
+                crypto.X509Extension(
+                    six.b('basicConstraints'), True, six.b('CA:false')),
+                crypto.X509Extension(
+                    six.b('keyUsage'), True,
+                    six.b('digitalSignature, keyEncipherment')),
+                crypto.X509Extension(
+                    six.b('extendedKeyUsage'), False,
+                    six.b('clientAuth, serverAuth')),
+                crypto.X509Extension(
+                    six.b('nsCertType'), False,
+                    six.b('client, server'))
+            ]
+            new_cert.add_extensions(exts)
            new_cert.sign(lo_key, ca_digest)

            return crypto.dump_certificate(crypto.FILETYPE_PEM, new_cert)
--- a/octavia/tests/unit/certificates/generator/test_local.py
+++ b/octavia/tests/unit/certificates/generator/test_local.py
@ -14,6 +14,7 @@
 import datetime

 from OpenSSL import crypto
+import six

 import octavia.certificates.generator.local as local_cert_gen
 import octavia.tests.unit.base as base
@ -88,3 +89,22 @@ class TestLocalGenerator(base.TestCase):
                         datetime.timedelta(seconds=2 * 365 * 24 * 60 * 60))
        diff = should_expire - expires
        self.assertTrue(diff < datetime.timedelta(seconds=10))
+
+        # Use the openSSL highlevel text output to verify attributes
+        cert_text = crypto.dump_certificate(crypto.FILETYPE_TEXT, cert)
+
+        # Make sure this is a version 3 X509.
+        self.assertIn(six.b("Version: 3"), cert_text)
+
+        # Make sure this cert is marked as Server and Client Cert via the
+        # The extended Key Usage extension
+        self.assertIn(six.b("TLS Web Server Authentication"), cert_text)
+        self.assertIn(six.b("TLS Web Client Authentication"), cert_text)
+
+        # Make sure this cert has the nsCertType server, and client
+        # attributes set
+        self.assertIn(six.b("SSL Server"), cert_text)
+        self.assertIn(six.b("SSL Client"), cert_text)
+
+        # Make sure this cert can't sign other certs
+        self.assertIn(six.b("CA:FALSE"), cert_text)