1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-22 16:25:17 +00:00

Embed OCSP responder URL in certificate

This commit is contained in:
Lauri Võsandi 2017-07-08 12:08:39 +00:00
parent 47d2d37684
commit d44b6035c2
3 changed files with 40 additions and 21 deletions

View File

@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")

View File

@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
extended_key_usage_flags.append( # OpenVPN client
ExtendedKeyUsageOID.CLIENT_AUTH)
aia = [
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
]
if config.AUTHORITY_OCSP_URL:
aia.append(
x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
builder = x509.CertificateBuilder(
).subject_name(
x509.Name([common_name])
@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
request.public_key()),
critical=False
).add_extension(
x509.AuthorityInformationAccess([
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(
config.AUTHORITY_CERTIFICATE_URL)
)
]),
critical=False
).add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
config.CERTIFICATE_CRL_URL)],
relative_name=None,
crl_issuer=None,
reasons=None)
]),
x509.AuthorityInformationAccess(aia),
critical=False
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
critical=False
)
if config.AUTHORITY_CRL_URL:
builder = builder.add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
config.AUTHORITY_CRL_URL)],
relative_name=None,
crl_issuer=None,
reasons=None)
]),
critical=False
)
# OpenVPN uses CN while StrongSwan uses SAN
if server_flags:
builder = builder.add_extension(

View File

@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Simple Certificate Enrollment Protocol enabled subnets
scep subnets =
;scep subnets = 0.0.0.0/0
# Online Certificate Status Protocol enabled subnets
ocsp subnets =
;ocsp subnets = 0.0.0.0/0
# Certificate Revocation lists can be accessed from anywhere by default
;crl subnets =
crl subnets = 0.0.0.0/0
[logging]
@ -92,10 +95,16 @@ revocation list lifetime = 24
# URL where CA certificate can be fetched from
authority certificate url = {{ certificate_url }}
# Strongswan can be configured to automatically fetch CRL
# in that case CRL URL has to be embedded in the certificate
# Strongswan can automatically fetch CRL if
# CRL distribution point extension is included in the certificate
;revoked url =
revoked url = {{ revoked_url }}
# StrongSwan can automatically query OCSP responder if
# AIA extension includes OCSP responder URL
responder url =
;responder url = {{ responder_url }}
# If certificate renewal is allowed clients can request a certificate
# for the same public key with extended lifetime
renewal allowed = false