add default extensions for host and user role as defined by RFC 5280 #21

Open
wants to merge 4 commits into base: master

Conversation

zolfariot (Member)

Description

X.509 v3 extensions keyUsage and extendedKeyUsage should always be set
according to RFC 5280 for TLS communications.

The latest OpenVPN versions use these extensions to enforce the server and client
roles; without these settings users must disable server verification.

Here the nsCertType extension is also set, even though it is deprecated by recent
versions of OpenVPN, for backward compatibility with older versions of the OpenVPN
server and client.

Testing

I did some testing with python==3.8.2 and peewee==2.10.2.
Certificate generation works as expected, but I got a failure while listing CAs, requests or certificates from ./ca-shell.

(CA Manager)> ls_cas
Traceback (most recent call last):
  File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2353, in iterator
    yield self.iterate()
  File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2345, in iterate
    raise StopIteration
StopIteration

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "./ca-shell", line 20, in <module>
    CAManagerShell(ca_manager).cmdloop()
  File "/usr/lib/python3.8/cmd.py", line 138, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python3.8/cmd.py", line 217, in onecmd
    return func(arg)
  File "/home/lorenzo/Repos/ca_manager/ca_manager/shell.py", line 30, in do_ls_cas
    for i, authority in enumerate(self.ca_manager.ca):
RuntimeError: generator raised StopIteration

I fear this could be because of some incompatibility between older peewee (version 3 is excluded by the requirement peewee<3, as it doesn't contain the gfk extension) and newer Python.
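The RuntimeError in the traceback above is Python, not peewee, reporting a StopIteration that escaped a generator body: PEP 479 (the default since Python 3.7) converts that into RuntimeError("generator raised StopIteration"). The following is an added illustration, not peewee's or ca_manager's code. LegacyCursor mimics the shape visible in the traceback (iterator() yields self.iterate(), and iterate() raises StopIteration when the rows run out), FixedCursor shows the PEP 479-compatible ending, and the class names and sample rows are hypothetical.

```python
"""Added illustration of the "generator raised StopIteration" failure.

LegacyCursor and FixedCursor are hypothetical stand-ins, not peewee classes;
the row values are constructed for the demo."""


class LegacyCursor:
    """Row cursor that signals exhaustion by raising StopIteration (peewee 2.x style)."""

    def __init__(self, rows):
        self._rows = list(rows)
        self._pos = 0

    def iterate(self):
        if self._pos >= len(self._rows):
            raise StopIteration          # harmless on Python 3.6, fatal inside a 3.7+ generator
        row = self._rows[self._pos]
        self._pos += 1
        return row

    def iterator(self):
        while True:
            yield self.iterate()         # StopIteration escapes the generator body here


class FixedCursor(LegacyCursor):
    """Same cursor, with the generator ended by `return` as PEP 479 requires."""

    def iterator(self):
        while True:
            try:
                yield self.iterate()
            except StopIteration:
                return                   # clean end of iteration, no RuntimeError


def drain(cursor):
    """Consume cursor.iterator() the way a for-loop would; return (rows, error)."""
    try:
        return list(cursor.iterator()), None
    except RuntimeError as exc:          # this is what the ca-shell traceback shows
        return None, str(exc)


if __name__ == "__main__":
    print(drain(LegacyCursor(["root-ca", "intermediate-ca"])))
    print(drain(FixedCursor(["root-ca", "intermediate-ca"])))
```

Because the conversion happens in the interpreter when the generator's frame finishes, the failure does not depend on what the database contains: the legacy form raises even after it has yielded every row, so any listing that iterates results this way breaks on Python 3.7 and later.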

Commits

x509 v3 extensions keyUsage and extendedKeyUsage should always be set
according to RFC 5280 for TLS communications.

The latest OpenVPN versions use these extensions to enforce the server and client
roles; without these settings users must disable server verification.

Here the nsCertType extension is also set, even though it is deprecated by recent
versions of OpenVPN, for backward compatibility with older versions of the OpenVPN
server and client.
Each root CA, intermediate CA, host certificate and user certificate
will be set up with the proper x509_v3 extensions.

Default key format is ED25519; options are available for RSA and EC.
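Added example, not code from ca_manager or OpenVPN, illustrating both the description and the commit message above: a stdlib-only Python sketch of what these extensions look like on the wire and how a role check over them works. It DER-encodes and decodes the keyUsage, extendedKeyUsage and nsCertType values that a CA, a host (server) and a user (client) certificate carry, and check_role applies a policy modelled on the keyUsage bit patterns and EKU purposes listed for --remote-cert-tls in older OpenVPN man pages. That policy, the helper names and the sample extension values are this example's own assumptions, not OpenVPN's current verification code.

```python
"""Added example (not ca_manager's or OpenVPN's code): DER encode/decode the
keyUsage, extendedKeyUsage and nsCertType extension values each role needs,
and check a certificate's role over them.  Stdlib only; the extension values
at the bottom are constructed for the demo, not taken from real certificates."""

# RFC 5280 4.2.1.3 keyUsage named bits; bit 0 is the MSB of the first octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
# Netscape nsCertType bits (deprecated; old OpenVPN --ns-cert-type reads them).
NS_CERT_TYPE_BITS = {"client": 0, "server": 1, "email": 2, "objsign": 3,
                     "sslCA": 5, "emailCA": 6, "objCA": 7}
# RFC 5280 4.2.1.12 extendedKeyUsage purposes for the two TLS roles.
EKU_OIDS = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
# Assumed policy: keyUsage first-octet values accepted per role, as listed for
# --remote-cert-tls in older OpenVPN man pages (matched exactly), plus the EKU.
ROLE_POLICY = {"server": ({0xA0, 0x88}, "serverAuth"),
               "client": ({0x80, 0x08, 0x88}, "clientAuth")}


def _der_tlv(tag, body):
    """Tag-length-value; short-form length suffices for these small extensions."""
    assert len(body) < 0x80, "long-form DER length not needed for this demo"
    return bytes([tag, len(body)]) + body

def _der_read(data, pos=0):
    """Return (tag, content, next_pos) for a short-form TLV at data[pos]."""
    tag, length = data[pos], data[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form DER length not supported by this demo")
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def encode_named_bits(names, table):
    """DER BIT STRING for a named bit list: trailing zero bits are dropped and
    the first content octet counts the unused bits of the last octet."""
    bits = sorted(table[n] for n in names)
    if not bits:
        return _der_tlv(0x03, b"\x00")
    nbits = bits[-1] + 1
    nbytes = (nbits + 7) // 8
    value = sum(1 << (8 * nbytes - 1 - b) for b in bits)
    return _der_tlv(0x03, bytes([8 * nbytes - nbits]) + value.to_bytes(nbytes, "big"))

def decode_named_bits(der, table):
    tag, body, _ = _der_read(der)
    if tag != 0x03 or not body:
        raise ValueError("expected a BIT STRING")
    unused, raw = body[0], body[1:]
    total = 8 * len(raw) - unused                # bits at or beyond total are padding
    return {n for n, b in table.items() if b < total and raw[b // 8] & (0x80 >> (b % 8))}

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                         # base 128, high bit marks continuation
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_eku(purposes):
    by_name = {v: k for k, v in EKU_OIDS.items()}
    return _der_tlv(0x30, b"".join(encode_oid(by_name[p]) for p in purposes))

def decode_eku(der):
    tag, body, _ = _der_read(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF OBJECT IDENTIFIER")
    purposes, pos = [], 0
    while pos < len(body):
        tag, content, pos = _der_read(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        dotted = decode_oid(content)
        purposes.append(EKU_OIDS.get(dotted, dotted))   # unknown OIDs stay dotted
    return purposes

def key_usage_octet(usages):
    """First keyUsage content octet as an int (e.g. 0xa0 for digitalSignature+keyEncipherment)."""
    return sum(0x80 >> KEY_USAGE_BITS[u] for u in usages if KEY_USAGE_BITS[u] < 8)

def check_role(key_usage_der, eku_der, role):
    """True when the extensions satisfy ROLE_POLICY for 'server' or 'client'."""
    allowed, purpose = ROLE_POLICY[role]
    ku = decode_named_bits(key_usage_der, KEY_USAGE_BITS)
    return key_usage_octet(ku) in allowed and purpose in decode_eku(eku_der)

# Constructed sample extension values for the roles named in the description.
CA_KU = encode_named_bits(["keyCertSign", "cRLSign"], KEY_USAGE_BITS)                   # 03 02 01 06
SERVER_KU = encode_named_bits(["digitalSignature", "keyEncipherment"], KEY_USAGE_BITS)  # 03 02 05 a0
SERVER_EKU = encode_eku(["serverAuth"])
CLIENT_KU = encode_named_bits(["digitalSignature"], KEY_USAGE_BITS)                     # 03 02 07 80
CLIENT_EKU = encode_eku(["clientAuth"])
SERVER_NS = encode_named_bits(["server"], NS_CERT_TYPE_BITS)                            # 03 02 06 40

if __name__ == "__main__":
    print("server cert accepted as server:", check_role(SERVER_KU, SERVER_EKU, "server"))
    print("client cert accepted as server:", check_role(CLIENT_KU, CLIENT_EKU, "server"))
```

Running it shows the digitalSignature+keyEncipherment certificate with serverAuth passing as a server and the digitalSignature+clientAuth certificate failing that check, which is the enforcement the description relies on instead of disabling server verification. One caveat for the ED25519 default: a signature-only key must not carry keyEncipherment (RFC 8410), so its keyUsage octet is 0x80 and it would not match the legacy server patterns assumed here; confirm the behaviour against the OpenVPN version you actually target rather than against this example's policy.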
3 participants