vyos@r2:~$ show pki certificate
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 873, in <module>
    show_certificate(None if args.certificate == 'all' else args.certificate)
  File "/usr/libexec/vyos/op_mode/pki.py", line 738, in show_certificate
    ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
  File "/usr/lib/python3/dist-packages/cryptography/x509/extensions.py", line 135, in get_extension_for_class
    raise ExtensionNotFound(
cryptography.x509.extensions.ExtensionNotFound: No <class 'cryptography.x509.extensions.ExtendedKeyUsage'> extension was found
vyos@r2:~$
Description
Details
- Difficulty level: Normal (likely a few hours)
- Version: VyOS 1.4-rolling-202111080547
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Unspecified (possibly destroys the router)
- Issue type: Unspecified (please specify)
Event Timeline
This is still an issue in 1.5. I tried importing a cert signed by my own CA and got the same error.
This patch will skip trying to read the non-existent ExtendedKeyUsage but will show "Unknown" for the type, as I'm not sure what to label it as based on the attributes available.
diff -rupP /usr/libexec/vyos/op_mode/pki.py pki.py --- /usr/libexec/vyos/op_mode/pki.py 2023-11-15 16:06:56.107961414 +0000 +++ pki.py 2023-11-15 16:09:06.490957018 +0000 @@ -896,12 +896,15 @@ def show_certificate(name=None, pem=Fals cert_subject_cn = cert.subject.rfc4514_string().split(",")[0] cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0] cert_type = 'Unknown' - ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage) - if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value: - cert_type = 'Server' - elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value: - cert_type = 'Client' + try: + ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage) + if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value: + cert_type = 'Server' + elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value: + cert_type = 'Client' + except: + pass revoked = 'Yes' if 'revoke' in cert_dict else 'No' have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No' have_ca = f'Yes ({ca_name})' if ca_name else 'No'
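Review bot: the bare `except:` in the new block catches every exception, including KeyboardInterrupt, SystemExit and any programming error in the four lines it wraps; the traceback shows the only failure you want to tolerate is `cryptography.x509.extensions.ExtensionNotFound`, so narrow it to `except x509.ExtensionNotFound: pass` (x509 is already imported, since the hunk references `x509.ExtendedKeyUsage`). The `if ext and ...` guards on the two `if`/`elif` lines are also dead weight: `get_extension_for_class` raises rather than returning None, so `ext` is always truthy once the call returns, and `if ExtendedKeyUsageOID.SERVER_AUTH in ext.value:` reads cleaner. Consider a short comment on why the extension is optional (the imported certificate dump below shows a leaf with keyUsage and basicConstraints but no extendedKeyUsage), so the next reader does not re-add the unguarded lookup.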
Imported cert properties:
<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xfc{\x07\xa6\x88\x03M\x86\xde\xd5*\x13\x99\x03P\x1f\xf6r/\xdd', authority_cert_issuer=None, authority_cert_serial_number=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=False, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=False, value=<KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=True, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False, value=<SubjectAlternativeName(<GeneralNames([<DNSName(value='imported.cert.com')>, <DNSName(value='othername.cert.com')>])>)>)>])>
Client cert generated on VyOS properties:
<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clientAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>
Server cert generated on VyOS properties:
<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>
Certificates:
Name                Type     Subject CN             Issuer CN                             Issued               Expiry               Revoked    Private Key    CA Present
------------------  -------  ---------------------  ------------------------------------  -------------------  -------------------  ---------  -------------  -------------
TestClient          Client   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:46  2024-11-14 15:57:46  No         Yes            No
TestServer          Server   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:05  2024-11-14 15:57:05  No         Yes            No
imported.cert.com   Unknown  CN=imported.cert.com   [email protected]                     2023-08-29 18:12:06  2033-08-26 18:12:06  No         Yes            Yes (MY-CA)
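As an added example (not the VyOS op-mode script and not the patch posted above), the following shows the shape of the lookup a reviewer would ask for: the ExtendedKeyUsage read is guarded by a targeted `except x509.ExtensionNotFound`, and it goes one step beyond the thread by consulting BasicConstraints first so a CA certificate is reported as "CA" instead of "Unknown". The three leaf certificates and the CA it classifies are throwaway self-signed certificates built with the `cryptography` library; the names, the EC key and the one-day validity are constructed for the demo and mirror the table above only by name. A certificate with no EKU, like the imported one in this task, still lands on "Unknown", which is the same outcome as the patch but without a bare `except:`.

```python
"""Classify X.509 certificates by their extensions without crashing on
certificates that carry no ExtendedKeyUsage (the case in this task).
Added example; the certificates below are constructed in-process."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def classify_certificate(cert: x509.Certificate) -> str:
    """Return 'CA', 'Server', 'Client' or 'Unknown'.

    get_extension_for_class() raises ExtensionNotFound instead of returning
    None, so each optional extension is read inside a narrow try/except; a
    bare `except:` would also swallow KeyboardInterrupt and real bugs.
    """
    # BasicConstraints ca=TRUE is definitive: this is a CA certificate.
    try:
        basic = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if basic.ca:
            return 'CA'
    except x509.ExtensionNotFound:
        pass
    # ExtendedKeyUsage is optional on a leaf (the imported cert lacks it).
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return 'Unknown'
    if ExtendedKeyUsageOID.SERVER_AUTH in eku:
        return 'Server'
    if ExtendedKeyUsageOID.CLIENT_AUTH in eku:
        return 'Client'
    return 'Unknown'


def make_self_signed(cn: str, eku_oids=None, ca: bool = False) -> x509.Certificate:
    """Build a constructed, self-signed certificate for the demo.

    eku_oids=None omits the ExtendedKeyUsage extension entirely, reproducing
    the extension set of the imported certificate in this task.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                encipher_only=False, decipher_only=False),
            critical=True)
    )
    if eku_oids is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return builder.sign(key, hashes.SHA256())


def demo() -> dict:
    """Classify four constructed certificates; names echo the task's table."""
    return {
        'TestServer': classify_certificate(
            make_self_signed('vyos.io', [ExtendedKeyUsageOID.SERVER_AUTH])),
        'TestClient': classify_certificate(
            make_self_signed('vyos.io', [ExtendedKeyUsageOID.CLIENT_AUTH])),
        'imported.cert.com': classify_certificate(
            make_self_signed('imported.cert.com')),          # no EKU at all
        'MY-CA': classify_certificate(
            make_self_signed('MY-CA', ca=True)),             # hypothetical CA
    }


if __name__ == '__main__':
    for cert_name, cert_type in demo().items():
        print(f'{cert_name:20} {cert_type}')
```

Running the module prints one line per constructed certificate: Server, Client, Unknown and CA. The order of the two lookups matters: a CA certificate may carry no EKU, so checking BasicConstraints first keeps it from collapsing into "Unknown".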