Add authority and subject key identifiers to self signed certificates

Kovid Goyal 2024-08-16 15:04:28 +05:30
parent 6d4d11dc9e
commit ee92957837
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C
2 changed files with 14 additions and 2 deletions


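--- a/UNKNOWN_PATH_python_test_file
+++ b/UNKNOWN_PATH_python_test_file
@@ -201,8 +201,6 @@ class LoopTest(BaseTest):
 cert_file, key_file, ca_file = map(lambda x:os.path.join(tdir, x), 'cka')
 create_server_cert(address, ca_file, cert_file, key_file, key_size=2048)
 ctx = ssl.create_default_context(cafile=ca_file)
-# python 3.13 added this flag to validate stricter RFC compliance. It is unneeded complexity for the testsuite.
-ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
 with TestServer(
 lambda data:(data.path[0] + data.read().decode('utf-8')),
 ssl_certfile=cert_file, ssl_keyfile=key_file, listen_on=address, port=0) as server: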


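--- a/UNKNOWN_PATH_certgen_c_file
+++ b/UNKNOWN_PATH_certgen_c_file
@@ -269,6 +269,20 @@ static PyObject* create_rsa_cert(PyObject *self, PyObject *args) {
 if (!PubKey) { set_error("X509_REQ_get_pubkey"); goto error; }
 if (!X509_REQ_verify(req, PubKey)) { set_error("X509_REQ_verify"); goto error; }
 if (!X509_set_pubkey(Cert, PubKey)) { set_error("X509_set_pubkey"); goto error; }
+if (!req_is_for_CA_cert) {
+X509V3_CTX ctx;
+X509V3_set_ctx(&ctx, Cert, Cert, NULL, NULL, 0);
+X509V3_set_ctx_nodb(&ctx);
+X509_EXTENSION *ex;
+ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
+if (!ex) { set_error("creating subject key identifier failed"); goto error; }
+X509_add_ext(Cert, ex, -1);
+X509_EXTENSION_free(ex);
+ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid:always");
+if (!ex) { set_error("creating authority key identifier failed"); goto error; }
+X509_add_ext(Cert, ex, -1);
+X509_EXTENSION_free(ex);
+}
 Py_BEGIN_ALLOW_THREADS;
 signature_length = X509_sign(Cert, CA_key, EVP_sha256());
 Py_END_ALLOW_THREADS;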
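Review bot: Both `X509_add_ext(Cert, ex, -1);` calls discard the return value, so a failure to attach either extension silently yields a certificate without the identifier this commit exists to add, and the problem only surfaces later as an unrelated verification failure; check it like the neighbouring calls, e.g. `if (!X509_add_ext(Cert, ex, -1)) { X509_EXTENSION_free(ex); set_error("X509_add_ext"); goto error; }`. Separately, `X509V3_set_ctx(&ctx, Cert, Cert, NULL, NULL, 0)` names the new certificate as its own issuer, yet this block runs only when `!req_is_for_CA_cert` and the signature below is made with `CA_key`; if that key belongs to a separate CA certificate (not visible in the hunk), `keyid:always` will copy the leaf's freshly added subject key identifier into its authority key identifier rather than the issuer's, so the issuer certificate should be passed as the second argument instead of `Cert`. The enclosing create_rsa_cert starts and ends outside the hunk.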