cpython/Lib/test/certdata
Petr Viktorin 744caa8ef4
gh-120762: make_ssl_certs: Don't set extensions for the temporary CSR (GH-125045)
gh-120762: make_ssl_certs: Don't set extensions for the CSR

`openssl req` fails with openssl 3.2.2 because the config line

    authorityKeyIdentifier = keyid:always,issuer:always

is not supported for certificate signing requests (since the issuing
certificate authority is not known).

David von Oheimb, the OpenSSL dev that made the change, commented in:
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 :

> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in https://github.com/openssl/openssl/pull/16865.

(I assume `-x505` is a typo for `-x509`.)

In our `make_cert_key` function:

If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
  omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
  fails on it.)
- The extensions are passed to the `ca` call later in the function.
  There they take effect, and `authorityKeyIdentifier` is valid.

If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
2024-10-07 17:37:52 +02:00
capath
allsans.pem
badcert.pem
badkey.pem
cert3.pem gh-118658: Modify cert generation script to extract cert3.pem (GH-124598) 2024-10-04 13:15:08 +02:00
ffdh3072.pem
idnsans.pem
keycert.passwd.pem
keycert.pem
keycert.pem.reference
keycert2.pem
keycert3.pem
keycert3.pem.reference
keycert4.pem
keycertecc.pem
leaf-missing-aki.ca.pem
leaf-missing-aki.keycert.pem
make_ssl_certs.py gh-120762: make_ssl_certs: Don't set extensions for the temporary CSR (GH-125045) 2024-10-07 17:37:52 +02:00
nokia.pem
nosan.pem
nullbytecert.pem
nullcert.pem
pycacert.pem
pycakey.pem
revocation.crl
secp384r1.pem
selfsigned_pythontestdotnet.pem
ssl_cert.pem
ssl_key.passwd.pem
ssl_key.pem
talos-2019-0758.pem