Add support for the required extensions

Bug #1495392 reported by Stanislaw Pitucha
This bug affects 1 person
Affects: Anchor
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

RFC5280 says that effectively Anchor MUST understand the following extensions:

key identifiers (see sec. 4.2.1.1 and 4.2.1.2),
key usage (see sec. 4.2.1.3),
certificate policies (see sec. 4.2.1.5),
the subject alternative name (see sec. 4.2.1.7),
basic constraints (see sec. 4.2.1.10),
name constraints (see sec. 4.2.1.11),
policy constraints (see sec. 4.2.1.12),
extended key usage (see sec. 4.2.1.13).

Anchor needs to either support these extensions or document that/why they're ignored.

Robert Clark (robert-clark) wrote :

I'm all for supporting these, however, some don't make as much sense for Anchor as other systems; certificate policies for example can be implemented CA side - particularly after we change to simply extracting things we care about. Certain features like enabling code signing don't map well to ephemeral PKI and can probably be ignored too.

Changed in anchor:
status: New → Confirmed
importance: Undecided → Medium
Stanislaw Pitucha (stanislaw-pitucha) wrote :

Sorry, I didn't want to imply that they all need to be implemented. Standards say we should understand those, so we need to at least look at them and either implement or document that we don't care (and why).

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to anchor (master)

Reviewed: https://review.openstack.org/223433
Committed: https://git.openstack.org/cgit/openstack/anchor/commit/?id=33ac1a09e2d9f553c3a44e7e1738a3ba29d50bef
Submitter: Jenkins
Branch: master

commit 33ac1a09e2d9f553c3a44e7e1738a3ba29d50bef
Author: Stanisław Pitucha <email address hidden>
Date: Tue Sep 15 16:41:59 2015 +1000

    Add documentation about supported extensions

    Explain which extensions will / will not be supported.

    Change-Id: Ie2dfaa8f1f52eb1dc644c4e042df449c306b9ed7
    Partial-bug: 1495392

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/222986
Committed: https://git.openstack.org/cgit/openstack/anchor/commit/?id=09b7811de742ebe8abd8627f51d69db459438527
Submitter: Jenkins
Branch: master

commit 09b7811de742ebe8abd8627f51d69db459438527
Author: Stanisław Pitucha <email address hidden>
Date: Mon Sep 14 17:14:12 2015 +1000

    Add operations on extended key usage

    Extended key usage is one of the extensions which SHOULD be recognised.
    Add support. Validator for it will follow.

    Partial-bug: 1495392
    Change-Id: I06466ced783d0856ddac82da3d3ffc745cd1b6bb

Stanislaw Pitucha (stanislaw-pitucha) wrote :

We've got everything apart from certificate policies implemented. Since Anchor is very unlikely to be needed in a private CA environment, I'm going to just ignore that part until it's raised as needed (with some good reasons).

Changed in anchor:
status: Confirmed → Fix Committed
Changed in anchor:
status: Fix Committed → Fix Released
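
Added example, not part of the bug thread and not Anchor's code: a pure-Python audit of a DER-encoded Extensions SEQUENCE against the extension list in the bug description, applying the RFC 5280 sec. 4.2 rule that an unrecognized critical extension means rejection. The "not-implemented" verdict for certificate policies, the function names, the sample bytes and the 1.3.6.1.4.1.99999 arc are assumptions constructed for illustration.

```python
# OIDs 2.5.29.N of the extensions listed in the bug description, in listed order
LISTED = {f"2.5.29.{n}" for n in (35, 14, 15, 32, 17, 19, 30, 36, 37)}
NOT_IMPLEMENTED = {"2.5.29.32"}  # certificate policies, per the last comment

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    subids, val = [], 0
    for b in raw:  # base-128 digits; high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def audit_extensions(der):
    """Classify every Extension in a DER-encoded Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected an Extensions SEQUENCE")
    report, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, nxt = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, nxt)
        critical = tag == 0x01 and val != b"\x00"  # BOOLEAN, DEFAULT FALSE
        oid = decode_oid(oid_raw)
        if oid in LISTED:
            verdict = "not-implemented" if oid in NOT_IMPLEMENTED else "understood"
        else:  # RFC 5280 sec. 4.2: reject unrecognized critical extensions
            verdict = "reject" if critical else "ignore"
        report.append((oid, critical, verdict))
    return report

SAMPLE = bytes.fromhex(  # constructed input, not taken from a real certificate
    "3048"                                      # Extensions SEQUENCE, 72 bytes
    "300e0603551d0f0101ff040403020780"          # key usage, critical
    "30110603551d20040a300830060604551d2000"    # certificate policies
    "301206092b06010401868d1f010101ff04020500"  # made-up OID, critical
    "300f06092b06010401868d1f0204020500"        # made-up OID, non-critical
)
```

Calling audit_extensions(SAMPLE) returns one (oid, critical, verdict) tuple per extension, so a request carrying a "reject" entry can be refused before signing.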