Use X509 v4.

2026-05-26 07:08:08 +00:00 · 2017-09-27 11:34:41 +02:00
parent 79bd074dae
commit 9eae13486e
1 changed files with 11 additions and 3 deletions
--- a/butterfly.server.py
+++ b/butterfly.server.py
@@ -189,13 +189,21 @@ if options.generate_certs:
        ca_pk.generate_key(crypto.TYPE_RSA, 2048)
        ca_cert = crypto.X509()
        ca_cert.get_subject().CN = 'Butterfly CA on %s' % socket.gethostname()
-        ca_cert.set_version(2)
+        ca_cert.set_version(3)
        fill_fields(ca_cert.get_subject())
        ca_cert.set_serial_number(uuid.uuid4().int)
        ca_cert.gmtime_adj_notBefore(0)  # From now
        ca_cert.gmtime_adj_notAfter(315360000)  # to 10y
        ca_cert.set_issuer(ca_cert.get_subject())  # Self signed
        ca_cert.set_pubkey(ca_pk)
+        ca_cert.add_extensions([
+            crypto.X509Extension(
+                'basicConstraints', True, 'CA:TRUE, pathlen:0'),
+            crypto.X509Extension(
+                'keyUsage', True, 'keyCertSign, cRLSign'),
+            crypto.X509Extension(
+                'subjectKeyIdentifier', False, 'hash', subject=ca_cert),
+        ])
        ca_cert.sign(ca_pk, 'sha512')

        write(ca, crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
@@ -214,7 +222,7 @@ if options.generate_certs:
    value = 'DNS:%s' % host
    server_cert.add_extensions([crypto.X509Extension(
        alt.encode('utf-8'), False, value.encode('utf-8'))])
-    server_cert.set_version(2)
+    server_cert.set_version(3)

    fill_fields(server_cert.get_subject())
    server_cert.set_serial_number(uuid.uuid4().int)
@@ -266,7 +274,7 @@ if (options.generate_current_user_pkcs or

    client_cert = crypto.X509()
    client_cert.get_subject().CN = user
-    client_cert.set_version(2)
+    client_cert.set_version(3)
    fill_fields(client_cert.get_subject())
    client_cert.set_serial_number(uuid.uuid4().int)
    client_cert.gmtime_adj_notBefore(0)  # From now