pythongh-120762: fix make_ssl_certs.py - no SKID or AKID in CSR

Per openssl/openssl#22966 , it is not valid to have a subjectKeyIdentifier or an authorityKeyIdentifier in a CSR. Up until openssl 3.2.0 this happened not to cause an error, but since a bugfix in 3.2.0 it does: 80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156: To fix this, when generating a signed certificate, let's always use req_x509_extensions_simple for the CSR, and use the specified req (usually req_x509_extensions_full) only when asking the CA to process the CSR and produce the final signed certificate. Signed-off-by: Adam Williamson <[email protected]>
AdamWill · Jun 20, 2024 · 3027a5c · 3027a5c
1 parent 1e48156
commit 3027a5c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Lib/test/certdata/make_ssl_certs.py b/Lib/test/certdata/make_ssl_certs.py
@@ -125,6 +125,10 @@ def make_cert_key(hostname, sign=False, extra_san='',
         with tempfile.NamedTemporaryFile(delete=False) as f:
             tempnames.append(f.name)
     req_file, cert_file, key_file = tempnames
+    if sign:
+        reqext = 'req_x509_extensions_simple'
+    else:
+        reqext = ext
     try:
         req = req_template.format(
             hostname=hostname,
@@ -136,7 +140,7 @@ def make_cert_key(hostname, sign=False, extra_san='',
             f.write(req)
         args = ['req', '-new', '-nodes', '-days', '7000',
                 '-newkey', key, '-keyout', key_file,
-                '-extensions', ext,
+                '-extensions', reqext,
                 '-config', req_file]
         if sign:
             with tempfile.NamedTemporaryFile(delete=False) as f: