diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 55ef7ee..5bc00fd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,14 +14,24 @@ concurrency:
jobs:
test:
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+ strategy:
+ fail-fast: false
+ matrix:
+ python:
+ - "3.8"
+ - "3.12"
+ - "3.x"
+ include:
+ - os: ubuntu-22.04
+ python: "3.7"
steps:
- uses: actions/checkout@v4
- name: setup
uses: actions/setup-python@v5
with:
- python-version: '3.x'
+ python-version: ${{ matrix.python }}
- name: install
run: |
python -m pip install --upgrade pip
diff --git a/certipy/certipy.py b/certipy/certipy.py
index 2ac4173..1ae76d6 100644
--- a/certipy/certipy.py
+++ b/certipy/certipy.py
@@ -922,6 +922,10 @@ def create_signed_pair(
cacert = ca_bundle.cert.load()
cakey = ca_bundle.key.load()
+ extensions.append(
+ (x509.AuthorityKeyIdentifier.from_issuer_public_key(cacert.public_key()), False)
+ )
+
now = datetime.now(timezone.utc)
eol = now + timedelta(days=years * 365)
cert = self.sign(
diff --git a/certipy/test/test_certipy.py b/certipy/test/test_certipy.py
index 21a9763..f5cb744 100644
--- a/certipy/test/test_certipy.py
+++ b/certipy/test/test_certipy.py
@@ -12,13 +12,12 @@
import os
import pytest
-import requests
import socket
import ssl
+from urllib.request import urlopen, URLError
from contextlib import closing, contextmanager
from datetime import datetime, timedelta, timezone
from flask import Flask
-from requests.exceptions import SSLError
from tempfile import TemporaryDirectory
from threading import Thread
from werkzeug.serving import make_server
@@ -54,6 +53,8 @@ def make_flask_app():
@app.route("/")
def working():
return "working"
+
+ return app
@contextmanager
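Review bot: The matrix lists both `"3.12"` and `"3.x"`; `3.x` resolves to the newest release setup-python offers, so whenever that is 3.12 the two cells run the same interpreter twice. If the intent is oldest-supported, pinned-current and newest, a short comment on the `python:` list makes the overlap deliberate, e.g. `# "3.x" tracks the newest available release and may coincide with the pinned entry`. The job's remaining steps continue outside the hunk.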
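Review bot: The new AuthorityKeyIdentifier is derived by hashing the CA public key, which only matches the CA certificate's SubjectKeyIdentifier if the CA computed its SKI the same way; path builders that compare AKI against the issuer's SKI will otherwise fail to chain. Prefer the CA's own SKI when present and fall back to the key hash only if the CA certificate carries none. The list is also appended in place: if `extensions` is the caller's list (the signature of create_signed_pair is outside the hunk) every call mutates it, and a caller that already supplied an AKI would end up with a duplicate extension, which the x509 builder likely rejects. The rest of the function continues outside the hunk.

```python
        cacert = ca_bundle.cert.load()
        cakey = ca_bundle.key.load()

        # Bind AKI to the CA's own SKI so the chain links regardless of how the
        # CA computed its identifier; hash the issuer key only as a fallback.
        try:
            ca_ski = cacert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ca_ski.value)
        except x509.ExtensionNotFound:
            aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(cacert.public_key())
        extensions.append((aki, False))

        # … unchanged: now/eol computation and self.sign(...) …
```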
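Review bot: `URLError` is defined in `urllib.error`; importing it from `urllib.request` works only because that module re-exports it, which is not part of its documented interface. Prefer `from urllib.error import URLError` next to `from urllib.request import urlopen` so the import survives a future cleanup of that re-export.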
@@ -61,7 +62,7 @@ def tls_server(certfile: str, keyfile: str, host: str = "localhost", port: int =
if port == 0:
port = find_free_port()
- ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(certfile, keyfile)
server = make_server(
host, port, make_flask_app(), ssl_context=ssl_context, threaded=True
@@ -373,10 +374,16 @@ def test_certs():
) as server:
# Execute/Verify
url = f"https://{server.host}:{server.port}"
- # Fails without specifying a CA for verification
- with pytest.raises(SSLError):
- requests.get(url)
+ with pytest.raises(URLError, match="SSL"):
+ with urlopen(url):
+ pass
+
+ ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_record["files"]["cert"])
+ ssl_context.verify_mode = ssl.CERT_REQUIRED
+ ssl_context.load_default_certs()
+ ssl_context.load_cert_chain(ca_record["files"]["cert"], ca_record["files"]["key"])
# Succeeds when supplying the CA cert
- requests.get(url, verify=ca_record["files"]["cert"])
+ with urlopen(url, context=ssl_context):
+ pass
diff --git a/pyproject.toml b/pyproject.toml
index 3bbebdd..1524146 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -10,7 +10,7 @@
# SPDX-License-Identifier: BSD-3-Clause
###############################################################################
[build-system]
-requires = ["setuptools>=64", "setuptools_scm>=8"]
+requires = ["setuptools>=64", "setuptools_scm>=7"]
build-backend = "setuptools.build_meta"
[project]
@@ -41,7 +41,7 @@ requires-python = ">=3.7"
dependencies = ["cryptography"]
[project.optional-dependencies]
-dev = ["pytest", "flask", "build", "requests", "pre-commit", "ruff", "bump-my-version"]
+dev = ["pytest", "flask", "build", "pre-commit", "ruff", "bump-my-version"]
[tool.setuptools.dynamic]
version = {attr = "certipy.version.__version__"}
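Review bot: Switching to `PROTOCOL_TLS_SERVER` drops the explicit TLS 1.2 floor that `PROTOCOL_TLSv1_2` implied; the minimum version now comes from the interpreter and OpenSSL defaults, which on the 3.7/3.8 matrix entries may still admit TLS 1.0/1.1. Keep the floor explicit with `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2` right after constructing the context. The rest of tls_server continues outside the hunk.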
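Review bot: The client context calls `load_cert_chain` with the CA's certificate and private key, presenting the CA key as a client identity the server never requests, and `load_default_certs()` adds the system trust store, so the success case no longer shows that the supplied CA file alone verifies the chain. `verify_mode = CERT_REQUIRED` is already what `create_default_context(Purpose.SERVER_AUTH)` sets. Replace the four setup lines with `ssl_context = ssl.create_default_context(cafile=ca_record["files"]["cert"])`, which keeps the test asserting exactly the property the old comment described. test_certs continues outside the hunk.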