certs: add subject key identifier extension

Add the subject key identifier extension to the certificate generated by Magnum. Which should permit Kubernetes clusters to have certificates that include authority key identifier extension which appears to be a requirement in Python 3.13 and newer. Closes-Bug: #2097094 Change-Id: I13bbb97c8b17fbba2f5f1acfac9d597f12925818 (cherry picked from commit 89f185b197) Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
2025-01-31 10:55:02 +00:00
parent c73ef055b1
commit aa954f9adb
3 changed files with 33 additions and 0 deletions
--- a/magnum/common/x509/operations.py
+++ b/magnum/common/x509/operations.py
@@ -223,6 +223,12 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
        builder = builder.add_extension(extention.value,
                                        critical=extention.critical)

+    subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
+        csr.public_key())
+    builder = builder.add_extension(
+            subject_key_identifier, critical=False
+    )
+
    certificate = builder.sign(
        private_key=ca_key, algorithm=hashes.SHA256(),
    ).public_bytes(serialization.Encoding.PEM).strip()
--- a/magnum/tests/unit/common/x509/test_sign.py
+++ b/magnum/tests/unit/common/x509/test_sign.py
@@ -233,6 +233,26 @@ class TestX509(base.BaseTestCase):
        self.assertEqual(certificate,
                         certificate.strip())

+    # If a subject key identifier is given in the CSR, ensure it is added
+    @mock.patch('cryptography.x509.load_pem_x509_csr')
+    def test_sign_subject_key_identifier(self, mock_load_pem):
+        ca_key = self._generate_private_key()
+        private_key = self._generate_private_key()
+        csr_obj = self._build_csr(private_key)
+        csr = csr_obj.public_bytes(serialization.Encoding.PEM)
+        csr = csr.decode('utf-8')
+
+        mock_load_pem.return_value = csr_obj
+        certificate = operations.sign(csr, self.issuer_name,
+                                      ca_key, skip_validation=True)
+
+        # Ensure the Subject Key Identifier extension is present
+        cert = c_x509.load_pem_x509_certificate(certificate)
+        ext_ski = [ext for ext in cert.extensions
+                   if cert.extensions[0].oid ==
+                   c_x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER]
+        self.assertEqual(len(ext_ski), 1)
+
    def test_sign_with_invalid_csr(self):
        ca_key = self._generate_private_key()
        csr = 'test'
--- a/releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml
+++ b/releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add subject key identifier extension to x509 operations
+    signing function. Allows for magnum Kubernetes clusters
+    to generate certificates with authority key
+    identifier extension.