1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-23 00:25:18 +00:00

Embed OCSP responder URL in certificate

This commit is contained in:
Lauri Võsandi 2017-07-08 12:08:39 +00:00
parent 47d2d37684
commit d44b6035c2
3 changed files with 40 additions and 21 deletions

View File

@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime") CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime") SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url") AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
CERTIFICATE_CRL_URL = cp.get("signature", "revoked url") AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed") CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime") REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")

View File

@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
extended_key_usage_flags.append( # OpenVPN client extended_key_usage_flags.append( # OpenVPN client
ExtendedKeyUsageOID.CLIENT_AUTH) ExtendedKeyUsageOID.CLIENT_AUTH)
aia = [
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
]
if config.AUTHORITY_OCSP_URL:
aia.append(
x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
builder = x509.CertificateBuilder( builder = x509.CertificateBuilder(
).subject_name( ).subject_name(
x509.Name([common_name]) x509.Name([common_name])
@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
request.public_key()), request.public_key()),
critical=False critical=False
).add_extension( ).add_extension(
x509.AuthorityInformationAccess([ x509.AuthorityInformationAccess(aia),
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(
config.AUTHORITY_CERTIFICATE_URL)
)
]),
critical=False
).add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
config.CERTIFICATE_CRL_URL)],
relative_name=None,
crl_issuer=None,
reasons=None)
]),
critical=False critical=False
).add_extension( ).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key( x509.AuthorityKeyIdentifier.from_issuer_public_key(
@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
critical=False critical=False
) )
if config.AUTHORITY_CRL_URL:
builder = builder.add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
config.AUTHORITY_CRL_URL)],
relative_name=None,
crl_issuer=None,
reasons=None)
]),
critical=False
)
# OpenVPN uses CN while StrongSwan uses SAN # OpenVPN uses CN while StrongSwan uses SAN
if server_flags: if server_flags:
builder = builder.add_extension( builder = builder.add_extension(

View File

@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Simple Certificate Enrollment Protocol enabled subnets # Simple Certificate Enrollment Protocol enabled subnets
scep subnets = scep subnets =
;scep subnets = 0.0.0.0/0
# Online Certificate Status Protocol enabled subnets # Online Certificate Status Protocol enabled subnets
ocsp subnets = ocsp subnets =
;ocsp subnets = 0.0.0.0/0
# Certificate Revocation lists can be accessed from anywhere by default # Certificate Revocation lists can be accessed from anywhere by default
;crl subnets =
crl subnets = 0.0.0.0/0 crl subnets = 0.0.0.0/0
[logging] [logging]
@ -92,10 +95,16 @@ revocation list lifetime = 24
# URL where CA certificate can be fetched from # URL where CA certificate can be fetched from
authority certificate url = {{ certificate_url }} authority certificate url = {{ certificate_url }}
# Strongswan can be configured to automatically fetch CRL # Strongswan can automatically fetch CRL if
# in that case CRL URL has to be embedded in the certificate # CRL distribution point extension is included in the certificate
;revoked url =
revoked url = {{ revoked_url }} revoked url = {{ revoked_url }}
# StrongSwan can automatically query OCSP responder if
# AIA extension includes OCSP responder URL
responder url =
;responder url = {{ responder_url }}
# If certificate renewal is allowed clients can request a certificate # If certificate renewal is allowed clients can request a certificate
# for the same public key with extended lifetime # for the same public key with extended lifetime
renewal allowed = false renewal allowed = false