Add SubjectAltName and KeyUsage for localcertgen

Change-Id: I3919d392722a625dffe25c7dfe2ec3359f96e8a4
Co-Authored-By: Carlos D. Garza <carlos.garza@rackspace.com>
Closes-Bug: 1494420
Adam Harwell 2016-02-03 18:17:39 -06:00
parent 65ab10aa14
commit a2f02d3ec7
3 changed files with 54 additions and 8 deletions


@ -135,6 +135,26 @@ class LocalCertGenerator(cert_gen.CertGenerator):
x509.BasicConstraints(ca=False, path_length=None),
critical=True
)
cn_str = lo_req.subject.get_attributes_for_oid(
x509.oid.NameOID.COMMON_NAME)[0].value
new_cert = new_cert.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn_str)]),
critical=False
)
new_cert = new_cert.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
new_cert = new_cert.add_extension(
x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
@ -177,12 +197,38 @@ class LocalCertGenerator(cert_gen.CertGenerator):
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])).add_extension(
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False, path_length=None), critical=True,
).sign(pk, getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return csr.public_bytes(serialization.Encoding.PEM)
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
@classmethod
def generate_cert_key_pair(cls, cn, validity, bit_length=2048,
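Review bot: The SubjectAltName added in `sign_cert` is derived from the CSR's CommonName with no validation: `get_attributes_for_oid(...)[0]` raises IndexError when the CSR carries no CN, and `x509.DNSName(cn_str)` raises for any CN that is not a hostname (the test rename from `test_cn` to `testCN` suggests an underscore already trips it, and an IP-address CN would fail the same way). Since the CSR comes from the caller, the signer should guard the lookup and pick `x509.IPAddress` versus `x509.DNSName` by value (`import ipaddress` at the top of the module), rather than letting a malformed CN surface as an unhandled exception from the crypto library; the requested SAN inside the CSR itself is ignored in favour of the CN, which is the safer choice but deserves a comment saying so. Separately, the KeyUsage set in both hunks asserts `data_encipherment` and `key_agreement`, which a TLS server certificate on an RSA key (the default `bit_length=2048` hints at RSA) never exercises — a critical KeyUsage should carry only `digital_signature` and `key_encipherment`, and the duplicated nine-flag literal belongs in one module-level constant shared by `sign_cert` and `_generate_csr`. Both enclosing methods start before their hunks.
```python
        # … unchanged: BasicConstraints extension …
        cn_attrs = lo_req.subject.get_attributes_for_oid(
            x509.oid.NameOID.COMMON_NAME)
        if cn_attrs:
            cn_str = cn_attrs[0].value
            try:
                san_name = x509.IPAddress(ipaddress.ip_address(cn_str))
            except ValueError:
                san_name = x509.DNSName(cn_str)
            # SAN is built from the CN, not copied from the CSR's own
            # requested extensions, so callers cannot request arbitrary names.
            new_cert = new_cert.add_extension(
                x509.SubjectAlternativeName([san_name]),
                critical=False
            )
        # … unchanged: KeyUsage / ExtendedKeyUsage extensions …
```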


@ -57,7 +57,7 @@ class BaseLocalCSRTestCase(base.TestCase):
super(BaseLocalCSRTestCase, self).setUp()
def test_generate_csr(self):
cn = 'test_cn'
cn = 'testCN'
# Attempt to generate a CSR
csr = self.cert_generator._generate_csr(
cn=cn,
@ -104,7 +104,7 @@ class BaseLocalCSRTestCase(base.TestCase):
self.assertEqual(pko.key_size, bit_length)
def test_generate_cert_key_pair_mock(self):
cn = 'test_cn'
cn = 'testCN'
with mock.patch.object(self.cert_generator, 'sign_cert') as m:
# Attempt to generate a cert/key pair
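Review bot: The CN value in `test_generate_csr` and `test_generate_cert_key_pair_mock` is changed from `test_cn` to `testCN` with no comment saying why, and the reason is not obvious from the test itself. Since the same commit starts copying the CN into a `DNSName` SAN, which presumably rejects the underscore, a one-line comment on the assignment would stop the next maintainer from changing it back: `cn = 'testCN'  # must be a valid DNS label: the generator copies the CN into SubjectAltName`. The test bodies continue outside the hunk, so I cannot tell whether any assertion covers the new SAN/KeyUsage extensions; if none does, one that parses the CSR and checks for them would pin the behaviour this commit adds.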


@ -112,7 +112,7 @@ class TestLocalGenerator(local_csr.BaseLocalCSRTestCase):
)
def test_generate_cert_key_pair(self):
cn = 'test_cn'
cn = 'testCN'
bit_length = 512
# Attempt to generate a cert/key pair