>From 748666bf88b38a9eac6d82dcd865250f5d01d6c7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 30 Oct 2014 01:58:15 -0400
Subject: [PATCH] Enable Authority Key Identifier CRL extension by default

RFC 5280 states:

Conforming CRL issuers are REQUIRED to include the authority key identifier (Section 5.2.1) and the CRL number (Section 5.2.3) extensions in all CRLs issued.

Accordingly, update CS.cfg so that the Authority Key Identifier extension is enabled by default. Also add an upgrade script to enable it on existing instances.
---
 base/ca/shared/conf/CS.cfg.in | 2 +-
 .../server/upgrade/10.2.2/01-EnableCRLAKIExtension | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100755 base/server/upgrade/10.2.2/01-EnableCRLAKIExtension

diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..f5469408b5a2da26321871d64e76da8e07344aeb 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -604,7 +604,7 @@ ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions
 ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=true
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
 ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
 ca.crl.MasterCRL.extension.CRLNumber.critical=false
diff --git a/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension b/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension
new file mode 100755
index 0000000000000000000000000000000000000000..85e4f33cad3ca961c94a84ce97128cbbdb251068
--- /dev/null
+++ b/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# Authors:
+# Fraser Tweedale
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+
+import os
+
+import pki.server.upgrade
+
+class EnableCRLAKIExtension(pki.server.upgrade.PKIServerUpgradeScriptlet):
+    def __init__(self):
+        self.message = "Enable CRL AuthorityKeyIdentifier extension"
+
+    def upgrade_subsystem(self, instance, subsystem):
+        cfg_path = os.path.join(instance.base_dir, 'conf', subsystem.name, 'CS.cfg')
+
+        lines = []
+        with open(cfg_path) as f:
+            lines = f.readlines()
+
+        prop = "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable"
+
+        try:
+            prop_index = lines.index(prop + "=false\n")
+        except ValueError:
+            prop_index = None
+
+        if prop_index is not None:
+            lines[prop_index] = prop + "=true\n"
+            with open(cfg_path, 'w') as f:
+                f.writelines(lines)
-- 
1.9.3
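Review bot: The lookup `lines.index(prop + "=false\n")` matches only one exact spelling of the line, so a CS.cfg with trailing whitespace, a CRLF ending or `enable=False` is silently left unchanged and the CA keeps issuing CRLs without an extension RFC 5280 requires, with nothing to tell the administrator the upgrade did not apply. Matching on the key (split at the first `=`) and comparing the value case-insensitively avoids that, and when the key is absent the scriptlet should say so through whatever reporting hook the upgrade framework offers rather than return quietly. The rewrite at `open(cfg_path, 'w')` also truncates CS.cfg before the new contents are written, so an interruption leaves the CA with an empty config; writing a sibling temp file and renaming it into place, carrying over mode and ownership with `os.stat`/`os.chmod`/`os.chown`, keeps the old file intact until the new one is complete. Separately, `__init__` does not chain to the base class; unless `PKIServerUpgradeScriptlet.__init__` is a no-op, `super(EnableCRLAKIExtension, self).__init__()` should be its first statement.
```python
    def upgrade_subsystem(self, instance, subsystem):
        cfg_path = os.path.join(instance.base_dir, 'conf', subsystem.name, 'CS.cfg')
        prop = "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable"

        with open(cfg_path) as f:
            lines = f.readlines()

        # Match on the key rather than on one exact spelling of the whole
        # line, so trailing whitespace or "False" cannot leave the CRL
        # extension disabled.
        changed = False
        for i, line in enumerate(lines):
            key, sep, value = line.partition('=')
            if sep and key.strip() == prop:
                if value.strip().lower() != 'true':
                    lines[i] = prop + "=true\n"
                    changed = True
                break

        if not changed:
            return

        # Write beside CS.cfg and rename into place so an interrupted
        # upgrade cannot leave a truncated config behind.
        tmp_path = cfg_path + '.tmp'
        st = os.stat(cfg_path)
        with open(tmp_path, 'w') as f:
            f.writelines(lines)
        os.chmod(tmp_path, st.st_mode & 0o7777)
        os.chown(tmp_path, st.st_uid, st.st_gid)
        os.rename(tmp_path, cfg_path)
```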