From 3ba27a114725f9703387286e5699dfe9c5e46bf7 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Wed, 19 Jun 2024 14:11:33 -0700 Subject: [PATCH] gh-120762: fix make_ssl_certs.py - no SKID or AKID in CSR Per https://github.com/openssl/openssl/issues/22966 , it is not valid to have a subjectKeyIdentifier or an authorityKeyIdentifier in a CSR. Up until openssl 3.2.0 this happened not to cause an error, but since a bugfix in 3.2.0 it does: 80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156: This fixes it by always using req_x509_extensions_simple for the CSR, when generated a signed certificate, and using the specified req (usually req_x509_extensions_full) only when asking the CA to process the CSR and produce the final signed certificate. Signed-off-by: Adam Williamson --- Lib/test/certdata/make_ssl_certs.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Lib/test/certdata/make_ssl_certs.py b/Lib/test/certdata/make_ssl_certs.py index 6626b93976a585c..b87b159cc737d33 100644 --- a/Lib/test/certdata/make_ssl_certs.py +++ b/Lib/test/certdata/make_ssl_certs.py @@ -125,6 +125,10 @@ def make_cert_key(hostname, sign=False, extra_san='', with tempfile.NamedTemporaryFile(delete=False) as f: tempnames.append(f.name) req_file, cert_file, key_file = tempnames + if sign: + reqext = 'req_x509_extensions_simple' + else: + reqext = ext try: req = req_template.format( hostname=hostname, @@ -136,7 +140,7 @@ def make_cert_key(hostname, sign=False, extra_san='', f.write(req) args = ['req', '-new', '-nodes', '-days', '7000', '-newkey', key, '-keyout', key_file, - '-extensions', ext, + '-extensions', reqext, '-config', req_file] if sign: with tempfile.NamedTemporaryFile(delete=False) as f: