Add AuthorityKeyIdentifier extension for compatibility with Python 3.13#23
3.13 fails with Missing Authority Key Identifier due to new default strictness
required for default ssl.VERIFY_X509_STRICT in Python 3.13
certipy/test/test_certipy.py

```python
ssl_context.load_cert_chain(ca_record["files"]["cert"], ca_record["files"]["key"])
# currently required to pass on 3.13
# if hasattr(ssl, "VERIFY_X509_STRICT"):
#     ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
```
VERIFY_X509_STRICT is in the default flags as of Python 3, which checks AuthorityKeyIdentifier
```python
cakey = ca_bundle.key.load()

extensions.append(
    (x509.AuthorityKeyIdentifier.from_issuer_public_key(cacert.public_key()), False)
)
```
This is what was required to pass default ssl checks in Python 3.13
Thanks @minrk! I appreciate you putting this PR together and for updating the tests. Sorry I hadn't covered 3.7 previously. LGTM. I'll open up a follow on issue to test on a schedule so I catch this next time.
```python
ssl_context.load_cert_chain(ca_record["files"]["cert"], ca_record["files"]["key"])

# Succeeds when supplying the CA cert
requests.get(url, verify=ca_record["files"]["cert"])
```
btw, the reason I switched from requests to urlopen here is that requests does not use the default ssl config and this test still passed, even on 3.13. Only http libraries that use more default ssl setup (urllib, httpx, tornado, etc.) see this.
Interesting, I figured that might have been why you did that. So it seems the default ssl setup is more strict than what requests is enforcing. Thanks for letting me know.
Yeah, requests predates a lot of the standard library SSL stuff and is pretty hardcore about not changing default behavior no matter what, so changes in the standard library often don't affect requests.
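The two points made in this thread, that a default `ssl` context with `VERIFY_X509_STRICT` rejects a leaf certificate lacking an AuthorityKeyIdentifier, and that only clients built on the default context see it, can be reproduced end to end without a network. The script below is an added example, not certipy's code or anything from this PR: it builds a throwaway CA and a server certificate with the `cryptography` package (the same `x509` API the reviewed snippet uses), once with and once without the AKI extension, then runs a TLS handshake between an in-memory server and a client made by `ssl.create_default_context()`. The CA name, the `localhost` server name and the temporary file names are constructed for the example. `VERIFY_X509_STRICT` is OR-ed into the client's flags explicitly, so the outcome is the same on Pythons older than 3.13; the missing-AKI rejection itself comes from OpenSSL, which only performs that strict check from version 3.0 on, hence the `openssl_checks_aki()` helper.

```python
"""Added example (not certipy's code): a leaf cert without AuthorityKeyIdentifier is
rejected by ssl.create_default_context() under VERIFY_X509_STRICT; adding it fixes that."""
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "localhost"  # constructed server name, used for the SAN and the hostname check


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1)))


def make_ca():
    """Self-signed CA with what strict RFC 5280 checking expects of a CA: critical
    basicConstraints, keyUsage including keyCertSign, and a SubjectKeyIdentifier."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = _name("Example Test CA")  # constructed
    cert = (_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=False, content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=True,
                crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                           critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(ca_key, ca_cert, with_aki):
    """Server cert signed by the CA; the AKI is optional so both variants can be compared."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = (_builder(_name(HOST), ca_cert.subject, key.public_key())
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(x509.SubjectAlternativeName([x509.DNSName(HOST)]), critical=False))
    if with_aki:
        # The extension the PR adds: the issuer's key id, binding this leaf to its CA.
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()),
            critical=False)
    return key, builder.sign(ca_key, hashes.SHA256())


def _drive_handshake(client, server, rounds=10):
    """Shuttle TLS records between two in-memory SSLObjects until both have finished."""
    finished = [False, False]
    for _ in range(rounds):
        for idx, obj in enumerate((client, server)):
            if not finished[idx]:
                try:
                    obj.do_handshake()
                    finished[idx] = True
                except ssl.SSLWantReadError:
                    pass  # waiting on bytes the peer has not produced yet
        if all(finished):
            return
    raise RuntimeError("handshake did not complete")


def default_client_accepts(with_aki):
    """(accepted, reason) for a client built by ssl.create_default_context() with
    VERIFY_X509_STRICT forced on, as Python 3.13 does by default."""
    ca_key, ca_cert = make_ca()
    leaf_key, leaf_cert = make_leaf(ca_key, ca_cert, with_aki)
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.TemporaryDirectory() as tmp:  # load_cert_chain needs files on disk
        cert_path, key_path = os.path.join(tmp, "server.pem"), os.path.join(tmp, "server.key")
        with open(cert_path, "wb") as f:
            f.write(leaf_cert.public_bytes(serialization.Encoding.PEM))
        with open(key_path, "wb") as f:
            f.write(leaf_key.private_bytes(serialization.Encoding.PEM,
                                           serialization.PrivateFormat.PKCS8,
                                           serialization.NoEncryption()))
        server_ctx.load_cert_chain(cert_path, key_path)
    client_ctx = ssl.create_default_context(
        cadata=ca_cert.public_bytes(serialization.Encoding.PEM).decode())
    client_ctx.verify_flags |= ssl.VERIFY_X509_STRICT  # explicit, independent of Python version
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_hostname=HOST)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    try:
        _drive_handshake(client, server)
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    return True, "ok"


def openssl_checks_aki():
    """OpenSSL reports Missing Authority Key Identifier under X509_STRICT only from 3.0 on."""
    return ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"AKI present={flag}: {default_client_accepts(flag)}")
```

Because the CA is built to satisfy the other strict checks (critical basicConstraints, keyUsage, SubjectKeyIdentifier), the only difference between the two runs is the leaf's AKI, so the reason string returned for the failing case is the same `Missing Authority Key Identifier` the issue reports. A client such as `requests`, which configures its own context rather than using `create_default_context()`, would not exercise this path, which is why the test switched to `urlopen`.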
3.13 fails with Missing Authority Key Identifier due to new default strictness
I'm not sure what needs to change to fix this, but certipy certificates are not accepted by default with Python 3.13
also adds test coverage for oldest supported Python (3.7) to make sure it really works. Needed some metadata updates to keep working.