tls with cryptography installed creates invalid userCERT #142

@RVgo4it

opensips-cli/opensipscli/modules/tls.py
Line 153 of class tlsCryptographyCert, function sign: it sets the public key and signs the certificate. That is fine for a CA certificate. However, for a user certificate, it is signed by the CA but has its own public key. I suggest an additional function called set_publickey that sets the certificate's public key, and removing that action from the sign function. The functions do_userCERT and do_rootCA in the tls module will also need to call the new set_publickey function. See the following:

@@ -151,11 +151,13 @@
         self.cert = x509.load_pem_x509_certificate(open(cacert, 'rb').read())
 
     def sign(self, key):
-        self.builder = self.builder.public_key(key.key.public_key())
         self.cert = self.builder.sign(private_key = key.key,
                                       algorithm=getattr(hashes, self.md)(),
                                       backend=default_backend())
 
+    def set_publickey(self, key):
+        self.builder = self.builder.public_key(key.key.public_key())
+
     def set_issuer(self, issuer):
         self.builder = self.builder.issuer_name(issuer)
 
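Review bot: after this change sign() no longer sets a public key, so it only works if set_publickey() ran first, and nothing in either method says so. Add a docstring to each stating the required order (set_publickey, then sign), and consider naming the parameters by role, for example signing_key in sign() and subject_key in set_publickey(), since both are called key and mixing up the two roles is the bug being fixed. Any caller of sign() other than the two call sites updated below needs the same added call.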
@@ -237,6 +239,7 @@
             key = tlsCryptographyKey("ca", cfg)
 
         cert.set_issuer(cert.get_subject())
+        cert.set_publickey(key)
         cert.sign(key)
 
         try:
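Review bot: set_publickey(key) and sign(key) receive the same key here, which is correct for a self-signed root but reads like duplication. A one-line comment above the added call saying that subject key and signing key coincide for the root CA would keep a later cleanup from folding the public-key step back into sign().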
@@ -317,6 +320,7 @@
             key = tlsCryptographyKey("user", cfg)
 
         cert.set_issuer(ca_cert.get_subject())
+        cert.set_publickey(key)
         cert.sign(ca_key)
         try:
             if not exists(dirname(c_f)):
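Review bot: the added cert.set_publickey(key) is the line that changes what ends up in the issued user certificate, and the patch carries no check of the result. A regression test for this path should assert that the certificate's public key equals the public key of the "user" key and that its issuer is the CA subject, so that a later refactor of sign() cannot put the CA key back into user certificates.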

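A check for certificates already issued by the code path described above, as an added example that is not part of the issue or of opensips-cli: it builds a constructed CA and two user certificates with the cryptography library (one carrying the signer's public key, as the issue reports, and one carrying the user's own) and flags the former. The helper names, common names and EC keys are assumptions made for the illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _spki(public_key):
    # DER SubjectPublicKeyInfo: a stable byte string for comparing keys.
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def make_cert(subject_cn, issuer_cn, subject_pub, signing_key):
    # Subject key and signing key are separate parameters on purpose.
    now = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn))
            .public_key(subject_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(private_key=signing_key, algorithm=hashes.SHA256()))


def leaf_reuses_issuer_key(leaf, ca):
    """True if a non-CA certificate embeds the CA's public key instead of its own."""
    return leaf.subject != ca.subject and _spki(leaf.public_key()) == _spki(ca.public_key())


def matches_private_key(cert, private_key):
    """True if the certificate's public key belongs to private_key."""
    return _spki(cert.public_key()) == _spki(private_key.public_key())


# Constructed keys and names, for illustration only.
ca_key = ec.generate_private_key(ec.SECP256R1())
user_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = make_cert("Example CA", "Example CA", ca_key.public_key(), ca_key)
# Behaviour reported in the issue: the signer's public key ends up in the user certificate.
bad_user = make_cert("user", "Example CA", ca_key.public_key(), ca_key)
# Behaviour after the proposed change: the user's own public key, signed by the CA.
good_user = make_cert("user", "Example CA", user_key.public_key(), ca_key)
```

Certificates loaded from disk with x509.load_pem_x509_certificate can be passed to the two check functions in the same way.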