From a302a723798aaac609428624ccc9dbb92d63a887 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 18 Jan 2023 19:40:24 +0100
Subject: [PATCH] crypto: fallback when no SAN values are given

Signed-off-by: Jens Langhammer
---
 authentik/crypto/builder.py | 2 +-
 authentik/providers/oauth2/views/jwks.py | 18 ++++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/authentik/crypto/builder.py b/authentik/crypto/builder.py
index 6166e6c0c..b3ffc9e55 100644
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -58,7 +58,7 @@ class CertificateBuilder:
 self.__private_key = self.generate_private_key()
 self.__public_key = self.__private_key.public_key()
 alt_names: list[x509.GeneralName] = []
- for alt_name in subject_alt_names:
+ for alt_name in subject_alt_names or []:
 if alt_name.strip() != "":
 alt_names.append(x509.DNSName(alt_name))
 self.__builder = (
diff --git a/authentik/providers/oauth2/views/jwks.py b/authentik/providers/oauth2/views/jwks.py
index 2a1d3bea8..b6b397e66 100644
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@@ -96,14 +96,16 @@ class JWKSView(View):
 else:
 return key_data
 key_data["x5c"] = [b64encode(key.certificate.public_bytes(Encoding.DER)).decode("utf-8")]
- key_data["x5t"] = urlsafe_b64encode(
- key.certificate.fingerprint(hashes.SHA1())
- ).decode( # nosec
- "utf-8"
- ).rstrip("=")
- key_data["x5t#S256"] = urlsafe_b64encode(
- key.certificate.fingerprint(hashes.SHA256())
- ).decode("utf-8").rstrip("=")
+ key_data["x5t"] = (
+ urlsafe_b64encode(key.certificate.fingerprint(hashes.SHA1())) # nosec
+ .decode("utf-8")
+ .rstrip("=")
+ )
+ key_data["x5t#S256"] = (
+ urlsafe_b64encode(key.certificate.fingerprint(hashes.SHA256()))
+ .decode("utf-8")
+ .rstrip("=")
+ )
 return key_data
 
 def get(self, request: HttpRequest, application_slug: str) -> HttpResponse:
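Review bot: With the `or []` fallback `alt_names` can now end up empty, and the hunk does not show what the builder does with it. If the chain that starts at `self.__builder = (` (it continues outside the hunk) still adds a SubjectAlternativeName extension unconditionally, the certificate would carry an empty SAN, which RFC 5280 does not allow and which clients that match hostnames on SAN only will not accept. Consider adding the extension only when `alt_names` is non-empty, or falling back to the common name as a DNS entry. Separately, the loop tests `alt_name.strip()` but stores the unstripped value; `alt_names.append(x509.DNSName(alt_name.strip()))` keeps padded input out of the certificate.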
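Review bot: The bare `# nosec` on the `hashes.SHA1()` line suppresses every scanner finding on that line without saying why. SHA-1 here is dictated by the JWK `x5t` parameter, which RFC 7517 defines as the SHA-1 thumbprint of the DER certificate, so it is an identifier rather than a security control. Say that in the comment, e.g. `# nosec - x5t is the SHA-1 thumbprint by definition (RFC 7517); x5t#S256 is published alongside`. The enclosing method starts outside the hunk.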