Add AuthorityKeyIdentifier extension for compatibility with Python 3.13

.github/workflows/ci.yml

@@ -14,14 +14,24 @@ concurrency:
 jobs:
   test:
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        python:
+          - "3.8"
+          - "3.12"
+          - "3.x"
+        include:
+          - os: ubuntu-22.04
+            python: "3.7"
 
     steps:
       - uses: actions/checkout@v4
       - name: setup
         uses: actions/setup-python@v5
         with:
-          python-version: '3.x'
+          python-version: ${{ matrix.python }}
       - name: install
         run: |
           python -m pip install --upgrade pip

certipy/certipy.py

@@ -922,6 +922,10 @@ def create_signed_pair(
         cacert = ca_bundle.cert.load()
         cakey = ca_bundle.key.load()
 
+        extensions.append(
+            (x509.AuthorityKeyIdentifier.from_issuer_public_key(cacert.public_key()), False)
+        )
+
         now = datetime.now(timezone.utc)
         eol = now + timedelta(days=years * 365)
         cert = self.sign(

certipy/test/test_certipy.py

@@ -12,13 +12,12 @@
 
 import os
 import pytest
-import requests
 import socket
 import ssl
+from urllib.request import urlopen, URLError
 from contextlib import closing, contextmanager
 from datetime import datetime, timedelta, timezone
 from flask import Flask
-from requests.exceptions import SSLError
 from tempfile import TemporaryDirectory
 from threading import Thread
 from werkzeug.serving import make_server
@@ -54,14 +53,16 @@ def make_flask_app():
     @app.route("/")
     def working():
         return "working"
+
+    return app
 
 
 @contextmanager
 def tls_server(certfile: str, keyfile: str, host: str = "localhost", port: int = 0):
     if port == 0:
         port = find_free_port()
 
-    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
     ssl_context.load_cert_chain(certfile, keyfile)
     server = make_server(
         host, port, make_flask_app(), ssl_context=ssl_context, threaded=True
@@ -373,10 +374,16 @@ def test_certs():
         ) as server:
             # Execute/Verify
             url = f"https://{server.host}:{server.port}"
-
             # Fails without specifying a CA for verification
-            with pytest.raises(SSLError):
-                requests.get(url)
+            with pytest.raises(URLError, match="SSL"):
+                with urlopen(url):
+                    pass
+
+            ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_record["files"]["cert"])
+            ssl_context.verify_mode = ssl.CERT_REQUIRED
+            ssl_context.load_default_certs()
+            ssl_context.load_cert_chain(ca_record["files"]["cert"], ca_record["files"]["key"])
 
             # Succeeds when supplying the CA cert
-            requests.get(url, verify=ca_record["files"]["cert"])
+            with urlopen(url, context=ssl_context):
+                pass

pyproject.toml

@@ -10,7 +10,7 @@
 # SPDX-License-Identifier: BSD-3-Clause
 ###############################################################################
 [build-system]
-requires = ["setuptools>=64", "setuptools_scm>=8"]
+requires = ["setuptools>=64", "setuptools_scm>=7"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -41,7 +41,7 @@ requires-python = ">=3.7"
 dependencies = ["cryptography"]
 
 [project.optional-dependencies]
-dev = ["pytest", "flask", "build", "requests", "pre-commit", "ruff", "bump-my-version"]
+dev = ["pytest", "flask", "build", "pre-commit", "ruff", "bump-my-version"]
 
 [tool.setuptools.dynamic]
 version = {attr = "certipy.version.__version__"}