Branch: refs/heads/master
Home: https://github.com/Checkmk/checkmk
Commit: 4d9335419dc8fa354e1aae6a4183a0124fdb454b
https://github.com/Checkmk/checkmk/commit/4d9335419dc8fa354e1aae6a4183a0124…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2023-11-21 (Tue, 21 Nov 2023)
Changed paths:
A .werks/15196
M cmk/utils/crypto/certificate.py
M cmk/utils/encryption.py
M tests/unit/cmk/utils/crypto/test_certificate.py
Log Message:
-----------
15196 FIX Allow CA certificates without key usage restrictions

Prior to this Werk, certificates that did not include the KeyUsage extension were not
considered CA certificates by Checkmk, as they lack the keyCertSign bit.

While CAs conforming with RFC 5280 MUST include the extension and set this bit, not all do
in practice. Recommendation ITU-T X.509 considers only the basicConstraint "cA"
required for CAs.

With this Werk, Checkmk will consider setting the cA basicConstraint but not the KeyUsage
extension as valid for CA certificates. Note that certificates that do set the KeyUsage
extension but lack the keyCertSign bit may still not be used for certificate signing.

Change-Id: I491267e724ef16f7701c3ade57d4f077c8b46c52