grindsa / acme2certifier

library implementing ACME server functionality
GNU General Public License v3.0
171 stars 36 forks

xca template doesn't work #58

Closed flosch-dev closed 3 years ago

flosch-dev commented 3 years ago

I've created a simple xca template which only includes extended key usage options, but cert issue fails with a traceback. The template was referenced in acme_srv.cfg using the parameter: template_name: acme

If I don't use the template, everything works.

Traceback (most recent call last):
  File "./acme2certifier_wsgi.py", line 337, in application
    return callback(environ, start_response)
  File "./acme2certifier_wsgi.py", line 249, in order
    response_dic = eorder.parse(request_body)
  File "./acme/order.py", line 389, in parse
    (code, message, detail, certificate_name) = self._process(order_name, protected, payload)
  File "./acme/order.py", line 181, in _process
    (code, certificate_name, detail) = self._csr_process(order_name, payload['csr'])
  File "./acme/order.py", line 234, in _csr_process
    (error, detail) = certificate.enroll_and_store(certificate_name, csr)
  File "./acme/certificate.py", line 476, in enroll_and_store
    (error, certificate, certificate_raw, poll_identifier) = ca_handler.enroll(csr)
  File "./examples/ca_handler/xca_ca_handler.py", line 646, in enroll
    extension_list = self._extension_list_generate(template_dic, cert, ca_cert)
  File "./examples/ca_handler/xca_ca_handler.py", line 712, in _extension_list_generate
    extension_list.append(crypto.X509Extension(convert_string_to_byte('keyUsage'), kuc, convert_string_to_byte(ku_string)))
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/crypto.py", line 783, in __init__
    _raise_current_error()
  File "/usr/local/lib/python3.8/dist-packages/OpenSSL/_util.py", line 57, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('X509 V3 routines', 'X509V3_parse_list', 'invalid null name'), ('X509 V3 routines', 'do_ext_nconf', 'invalid extension string'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]
[pid: 22|app: 0|req: 3/10] 172.29.0.1 () {44 vars in 678 bytes} [Wed May  5 17:33:06 2021] POST /acme/order/P36qQTtD8Dyo/finalize => generated 0 bytes in 398 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)
grindsa commented 3 years ago

Your template does not contain the 'keyUsage' extension (value 0). Thus, the function to generate the extension list failed with the above error. I enhanced _kue_generate() to cover such cases by defaulting to digitalSignature, nonRepudiation, keyEncipherment, keyAgreement. The fix has already been slotted into the 0.15 maintenance branch and will be available in master in a couple of days.
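The failure mode described in this thread, as an added illustration (example code, not acme2certifier's own `_kue_generate()`): a template whose keyUsage value is 0 produces an empty extension string, and pyOpenSSL's `X509Extension` rejects an empty value with the "invalid null name" error shown in the traceback. The bit-to-name mapping used for the XCA template value is an assumption about how XCA stores keyUsage; the default list comes from the maintainer's comment above. The code only builds the strings and does not call pyOpenSSL, so it runs without that dependency.

```python
# Added example (not acme2certifier's or XCA's own code): derive the OpenSSL
# keyUsage extension string from an XCA template value and fall back to a
# default when the template carries no keyUsage bits, so an empty string
# never reaches OpenSSL.crypto.X509Extension.

# ASSUMPTION: XCA stores keyUsage in its template table as an integer bitmask
# with these names in bit order (lowest bit first).
KU_BITS = [
    'digitalSignature',
    'nonRepudiation',
    'keyEncipherment',
    'dataEncipherment',
    'keyAgreement',
    'keyCertSign',
    'cRLSign',
    'encipherOnly',
    'decipherOnly',
]

# Default taken from the maintainer's comment in this issue.
KU_DEFAULT = ['digitalSignature', 'nonRepudiation', 'keyEncipherment', 'keyAgreement']


def ku_names_from_bitmask(value):
    """Return the keyUsage names whose bits are set in the template value.

    Non-numeric or missing values (None, '') are treated as "no bits set".
    """
    try:
        value = int(value)
    except (TypeError, ValueError):
        return []
    return [name for i, name in enumerate(KU_BITS) if value & (1 << i)]


def ku_string_broken(value):
    """Pre-fix behaviour, reconstructed from the report: a template with
    keyUsage == 0 yields '' and X509Extension then fails with
    'invalid null name'."""
    return ','.join(ku_names_from_bitmask(value))


def ku_string_fixed(value):
    """Post-fix behaviour: substitute the default list when no bit is set."""
    names = ku_names_from_bitmask(value)
    if not names:
        names = list(KU_DEFAULT)
    return ','.join(names)


def ku_extension_args(value, critical=True):
    """The (type_name, critical, value) triple one would hand to
    OpenSSL.crypto.X509Extension, as bytes. Never produces an empty value."""
    ku_string = ku_string_fixed(value)
    if not ku_string:  # defensive: should be unreachable given the default
        raise ValueError('keyUsage extension string must not be empty')
    return (b'keyUsage', critical, ku_string.encode('utf-8'))


if __name__ == '__main__':
    # Constructed template values: no bits, missing value, two bits, the default set.
    for tmpl in (0, None, 1 | 4, 1 | 2 | 4 | 16):
        print(tmpl, '-> broken:', repr(ku_string_broken(tmpl)),
              '| fixed:', ku_string_fixed(tmpl))
```

With a template value of 0 the broken variant returns an empty string, which is exactly what OpenSSL's `X509V3_parse_list` refuses; the fixed variant returns the four default usages instead. If you maintain your own templates, setting keyUsage explicitly in XCA avoids relying on the default at all.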

flosch-dev commented 3 years ago

I've tested template with key-usage set and now it works. Is there an overview of default signing attributes for xca handler?

grindsa commented 3 years ago

Changes had been pushed to master. Default attributes are documented in the xca handler documentation.