ensure we don't generate an empty SAN certificate
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
e3f8afcf80
commit
fdc445e6a1
|
@ -235,9 +235,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
|
|||
data = CertificateGenerationSerializer(data=request.data)
|
||||
if not data.is_valid():
|
||||
return Response(data.errors, status=400)
|
||||
raw_san = data.validated_data.get("subject_alt_name", "")
|
||||
sans = raw_san.split(",") if raw_san != "" else []
|
||||
builder = CertificateBuilder(data.validated_data["common_name"])
|
||||
builder.build(
|
||||
subject_alt_names=data.validated_data.get("subject_alt_name", "").split(","),
|
||||
subject_alt_names=sans,
|
||||
validity_days=int(data.validated_data["validity_days"]),
|
||||
)
|
||||
instance = builder.save()
|
||||
|
|
|
@ -57,7 +57,10 @@ class CertificateBuilder:
|
|||
one_day = datetime.timedelta(1, 0, 0)
|
||||
self.__private_key = self.generate_private_key()
|
||||
self.__public_key = self.__private_key.public_key()
|
||||
alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
|
||||
alt_names: list[x509.GeneralName] = []
|
||||
for alt_name in subject_alt_names:
|
||||
if alt_name.strip() != "":
|
||||
alt_names.append(x509.DNSName(alt_name))
|
||||
self.__builder = (
|
||||
x509.CertificateBuilder()
|
||||
.subject_name(
|
||||
|
@ -76,12 +79,15 @@ class CertificateBuilder:
|
|||
]
|
||||
)
|
||||
)
|
||||
.add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
|
||||
.not_valid_before(datetime.datetime.today() - one_day)
|
||||
.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
|
||||
.serial_number(int(uuid.uuid4()))
|
||||
.public_key(self.__public_key)
|
||||
)
|
||||
if alt_names:
|
||||
self.__builder = self.__builder.add_extension(
|
||||
x509.SubjectAlternativeName(alt_names), critical=True
|
||||
)
|
||||
self.__certificate = self.__builder.sign(
|
||||
private_key=self.__private_key,
|
||||
algorithm=hashes.SHA256(),
|
||||
|
|
|
@ -51,10 +51,10 @@ class JWKSView(View):
|
|||
public_key: RSAPublicKey = private_key.public_key()
|
||||
public_numbers = public_key.public_numbers()
|
||||
key_data = {
|
||||
"kid": key.kid,
|
||||
"kty": "RSA",
|
||||
"alg": JWTAlgorithms.RS256,
|
||||
"use": "sig",
|
||||
"kid": key.kid,
|
||||
"n": b64_enc(public_numbers.n),
|
||||
"e": b64_enc(public_numbers.e),
|
||||
}
|
||||
|
@ -62,10 +62,10 @@ class JWKSView(View):
|
|||
public_key: EllipticCurvePublicKey = private_key.public_key()
|
||||
public_numbers = public_key.public_numbers()
|
||||
key_data = {
|
||||
"kid": key.kid,
|
||||
"kty": "EC",
|
||||
"alg": JWTAlgorithms.ES256,
|
||||
"use": "sig",
|
||||
"kid": key.kid,
|
||||
"x": b64_enc(public_numbers.x),
|
||||
"y": b64_enc(public_numbers.y),
|
||||
"crv": ec_crv_map.get(type(public_key.curve), public_key.curve.name),
|
||||
|
|
Reference in a new issue