

Merge pull request #3246 from ashie/fix-broken-nscerttype
Fix creating TLS certificate files which include broken extensions
repeatedly authored Feb 16, 2021
2 parents 435b304 + 8797c1a commit d5d6bc7
Showing 3 changed files with 12 additions and 6 deletions.
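--- a/lib/fluent/command/ca_generate.rb
+++ b/lib/fluent/command/ca_generate.rb
@@ -75,14 +75,16 @@ def self.generate_ca_pair(opts={})
 
 digest = OpenSSL::Digest::SHA256.new
 
+factory = OpenSSL::X509::ExtensionFactory.new
+
 cert = OpenSSL::X509::Certificate.new
 cert.not_before = Time.at(0)
 cert.not_after = Time.now + 5 * 365 * 86400 # 5 years after
 cert.public_key = key
 cert.serial = 1
 cert.issuer = issuer
 cert.subject = subject
-cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(true)]))
+cert.add_extension(factory.create_extension('basicConstraints', 'CA:TRUE'))
 cert.sign(key, digest)
 
 return cert, key
@@ -111,8 +113,9 @@ def self.generate_server_pair(opts={})
 cert.issuer = issuer
 cert.subject = subject
 
-cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(false)]))
-cert.add_extension OpenSSL::X509::Extension.new('nsCertType', 'server')
+factory = OpenSSL::X509::ExtensionFactory.new
+server_cert.add_extension(factory.create_extension('basicConstraints', 'CA:FALSE'))
+server_cert.add_extension(factory.create_extension('nsCertType', 'server'))
 
 cert.sign ca_key, digest
 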
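Review bot: In the second hunk (generate_server_pair) the two added add_extension calls are made on `server_cert`, while every surrounding line in that hunk — `cert.issuer = issuer`, `cert.subject = subject`, `cert.sign ca_key, digest` — works on `cert`, so unless `server_cert` is defined earlier in the method (outside the hunk, and the context gives no sign of it) this raises NameError the first time a server pair is generated, and the server certificate never gets either extension. The lines appear to have been copied from test/plugin_helper/test_server.rb, where the variable really is `server_cert`; here they should read `cert.add_extension(factory.create_extension('basicConstraints', 'CA:FALSE'))` and `cert.add_extension(factory.create_extension('nsCertType', 'server'))`. In the first hunk the CA certificate's basicConstraints is left non-critical; RFC 5280 requires it to be marked critical in CA certificates, which `factory.create_extension('basicConstraints', 'CA:TRUE', true)` does. Both generate_ca_pair and generate_server_pair begin and end outside the hunks.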
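--- a/test/plugin_helper/test_http_server_helper.rb
+++ b/test/plugin_helper/test_http_server_helper.rb
@@ -132,7 +132,9 @@ def start_https_request(addr, port, verify: true, cert_path: nil, selfsigned: tr
 error = e
 end
 
-resp = Response.new(response.status.to_s, response.body.read, response.headers)
+if response
+resp = Response.new(response.status.to_s, response.body.read, response.headers)
+end
 end
 
 if error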
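Review bot: With the new `if response` guard, `resp` is left nil whenever the request raised, so whatever start_https_request does with `resp` below the hunk has to tolerate nil unless the `if error` branch always raises; the method continues outside the hunk, so I cannot confirm which it is from here. Style-wise a three-line `if` around a single assignment reads better in modifier form: `resp = Response.new(response.status.to_s, response.body.read, response.headers) if response`.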
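--- a/test/plugin_helper/test_server.rb
+++ b/test/plugin_helper/test_server.rb
@@ -832,8 +832,9 @@ def create_server_pair_chained_with_root_ca(ca_cert_path, ca_key_path, ca_key_pa
 chain_cert.sign(root_key, "sha256")
 
 server_cert, server_key, _ = CertUtil.cert_option_generate_pair(create_server_options, chain_cert.subject)
-server_cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(false)]))
-server_cert.add_extension OpenSSL::X509::Extension.new('nsCertType', 'server')
+factory = OpenSSL::X509::ExtensionFactory.new
+server_cert.add_extension(factory.create_extension('basicConstraints', 'CA:FALSE'))
+server_cert.add_extension(factory.create_extension('nsCertType', 'server'))
 server_cert.sign(chain_key, "sha256")
 
 # write chained cert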
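Review bot: The three added lines are now a verbatim copy of the server-certificate extension setup in lib/fluent/command/ca_generate.rb, and that copy is exactly where the `cert`/`server_cert` variable mismatch in this same commit crept in; a small shared helper taking the certificate and a `ca:` flag, used by both the command and this test helper, would stop the two paths drifting. A one-line comment on the nsCertType line would also help future readers, e.g. `# nsCertType is a legacy Netscape extension; OpenSSL's purpose checks still honour it when present`, since nothing here says why a test needs it. create_server_pair_chained_with_root_ca begins and ends outside the hunk.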
