Add SubjectAltName and KeyUsage for localcertgen
Change-Id: I3919d392722a625dffe25c7dfe2ec3359f96e8a4 Co-Authored-By: Carlos D. Garza <carlos.garza@rackspace.com> Closes-Bug: 1494420
This commit is contained in:
parent
65ab10aa14
commit
a2f02d3ec7
@ -135,6 +135,26 @@ class LocalCertGenerator(cert_gen.CertGenerator):
x509.BasicConstraints(ca=False, path_length=None),
critical=True
)
cn_str = lo_req.subject.get_attributes_for_oid(
x509.oid.NameOID.COMMON_NAME)[0].value
new_cert = new_cert.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn_str)]),
critical=False
)
new_cert = new_cert.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
new_cert = new_cert.add_extension(
x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
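Review bot: `cn_str = lo_req.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value` indexes without a check, so a request whose subject has no CN fails with a bare IndexError, and `x509.DNSName(cn_str)` will reject a CN that is not a valid hostname — the rename of the test CN from 'test_cn' to 'testCN' in this same commit suggests the underscore case was already hit. The CN comes from the caller's CSR, so it should be validated as input rather than assumed: `cns = lo_req.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)` followed by `if not cns: raise ValueError("CSR subject has no commonName")`, and the DNSName construction wrapped so a ValueError is reported as a bad request instead of an unhandled exception. The same CN-to-DNSName assumption is made in the _generate_csr hunk below (`x509.DNSName(cn)`), so the validation belongs in one place both can use. If lo_req already carries its own SubjectAlternativeName, nothing in this hunk carries those names over; worth confirming that dropping them is intended. The body of sign_cert continues outside the hunk on both sides.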
@ -177,12 +197,38 @@ class LocalCertGenerator(cert_gen.CertGenerator):
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])).add_extension(
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False, path_length=None), critical=True,
).sign(pk, getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return csr.public_bytes(serialization.Encoding.PEM)
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
@classmethod
def generate_cert_key_pair(cls, cn, validity, bit_length=2048,
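Review bot: The `x509.KeyUsage(...)` block added here is a line-for-line copy of the one added to sign_cert in the hunk above, so the two profiles will drift the next time one is touched; hoist it to a module-level constant such as `_DEFAULT_KEY_USAGE = x509.KeyUsage(digital_signature=True, key_encipherment=True, ...)` and pass that to both `add_extension` calls. Within it, `key_agreement=True` sets the keyAgreement bit, which RFC 5280 defines for key-agreement algorithms (DH/ECDH); if `pk` is an RSA key, as the `bit_length=2048` default on the next method suggests, that bit does not apply and the usual TLS server profile is `digital_signature=True, key_encipherment=True` with the rest False — worth confirming against the key type this generator actually produces. Marking the extension `critical=True` is appropriate, but some validators are strict about critical bits that do not match the key type, so the bit set should be deliberate rather than broad. The signature of _generate_csr is above this hunk.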
@ -57,7 +57,7 @@ class BaseLocalCSRTestCase(base.TestCase):
super(BaseLocalCSRTestCase, self).setUp()
def test_generate_csr(self):
cn = 'test_cn'
cn = 'testCN'
# Attempt to generate a CSR
csr = self.cert_generator._generate_csr(
cn=cn,
@ -104,7 +104,7 @@ class BaseLocalCSRTestCase(base.TestCase):
self.assertEqual(pko.key_size, bit_length)
def test_generate_cert_key_pair_mock(self):
cn = 'test_cn'
cn = 'testCN'
with mock.patch.object(self.cert_generator, 'sign_cert') as m:
# Attempt to generate a cert/key pair
@ -112,7 +112,7 @@ class TestLocalGenerator(local_csr.BaseLocalCSRTestCase):
)
def test_generate_cert_key_pair(self):
cn = 'test_cn'
cn = 'testCN'
bit_length = 512
# Attempt to generate a cert/key pair