mirror of
https://github.com/python/cpython.git
synced 2026-01-04 14:32:21 +00:00
gh-120762: make_ssl_certs: Don't set extensions for the CSR
`openssl req` fails with openssl 3.2.2 because the config line
`authorityKeyIdentifier = keyid:always,issuer:always`
is not supported for certificate signing requests (since the issuing
certificate authority is not known).
David von Oheimb, the OpenSSL dev that made the change, commented in
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738:
> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in https://github.com/openssl/openssl/pull/16865.
(I assume `-x505` is a typo for `-x509`.)
In our `make_cert_key` function:
If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
fails on it.)
- The extensions are passed to the `ca` call later in the function.
There they take effect, and `authorityKeyIdentifier` is valid.
If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
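As an added illustration of the rule the commit message describes (this is not code from CPython's `make_ssl_certs.py`), the Python below mirrors the argument selection for the `sign` / not-`sign` cases and flags the combination that newer OpenSSL rejects: `-extensions` on a CSR whose section sets `authorityKeyIdentifier`. The config text, file names and function names are constructed for the example.

```python
import configparser

# Constructed sample in the spirit of the make_ssl_certs.py config (not the
# real file): the extensions section carries an authorityKeyIdentifier,
# which only makes sense once an issuing CA is known.
SAMPLE_CONFIG = """\
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ req_x509_extensions_full ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
"""

def load_openssl_config(text):
    """Parse an OpenSSL-style INI config into {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # extension names are case-sensitive
    parser.read_string(text)
    return {name.strip(): dict(parser[name]) for name in parser.sections()}

def flag_value(args, flag):
    """Return the value following `flag` in an argv list, or None."""
    return args[args.index(flag) + 1] if flag in args else None

def build_req_args(sign, ext_section="req_x509_extensions_full"):
    """Mirror the commit's rule: a CSR (sign=True) gets neither -x509 nor
    -extensions; a self-signed certificate gets both (file names constructed)."""
    args = ["openssl", "req", "-new", "-key", "key.pem", "-out", "out.pem"]
    if not sign:
        args += ["-x509", "-extensions", ext_section]
    return args

def csr_extension_problem(req_args, config):
    """Explain why this `openssl req` invocation fails on an OpenSSL that
    applies -extensions to CSRs (the commit reports 3.2.2); None if safe."""
    if "-x509" in req_args:
        return None  # self-signed certificate: the issuer is known
    section = flag_value(req_args, "-extensions")
    if section is None:
        return None  # plain CSR without extensions: safe on old and new OpenSSL
    if "authorityKeyIdentifier" in config.get(section, {}):
        return (f"section [{section}] sets authorityKeyIdentifier, which a "
                "CSR cannot carry: the issuing CA is not known yet")
    return None
```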