Page MenuHomeVyOS Platform

show pki certificate Doesnt show x509 certificates
Closed, ResolvedPublicBUG

Description

vyos@r2:~$ show pki certificate 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 873, in <module>
    show_certificate(None if args.certificate == 'all' else args.certificate)
  File "/usr/libexec/vyos/op_mode/pki.py", line 738, in show_certificate
    ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
  File "/usr/lib/python3/dist-packages/cryptography/x509/extensions.py", line 135, in get_extension_for_class
    raise ExtensionNotFound(
cryptography.x509.extensions.ExtensionNotFound: No <class 'cryptography.x509.extensions.ExtendedKeyUsage'> extension was found
vyos@r2:~$

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202111080547
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Note, the host was upgraded from 1.2.8

This is still an issue in 1.5. I tried importing a cert signed by my own CA and got the same error.

This patch will skip trying to read the non existent ExtendedKeyUsage but will show "Unknown" for the type as I'm not sure what to label it as based on the attributes available.

diff -rupP /usr/libexec/vyos/op_mode/pki.py pki.py
--- /usr/libexec/vyos/op_mode/pki.py    2023-11-15 16:06:56.107961414 +0000
+++ pki.py      2023-11-15 16:09:06.490957018 +0000
@@ -896,12 +896,15 @@ def show_certificate(name=None, pem=Fals
             cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
             cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
             cert_type = 'Unknown'
-            ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
-            if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
-                cert_type = 'Server'
-            elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
-                cert_type = 'Client'

+            try:
+                ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
+                if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
+                    cert_type = 'Server'
+                elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
+                    cert_type = 'Client'
+            except:
+                pass
             revoked = 'Yes' if 'revoke' in cert_dict else 'No'
             have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No'
             have_ca = f'Yes ({ca_name})' if ca_name else 'No'

Imported cert properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xfc{\x07\xa6\x88\x03M\x86\xde\xd5*\x13\x99\x03P\x1f\xf6r/\xdd', authority_cert_issuer=None, authority_cert_serial_number=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=False, value=<BasicConstraints(ca=False, path_length=None)>)
>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=False, value=<KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=True, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False, value=<SubjectAlternativeName(<GeneralNames([<DNSName(value='imported.cert.com')>, <DNSName(value='othername.cert.com')>])>)>)>])>

Client cert generated on VyOS properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clientAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>

Server cert generated on VyOS properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>
Certificates:
Name                Type     Subject CN             Issuer CN                             Issued               Expiry               Revoked    Private Key    CA Present
------------------  -------  ---------------------  ------------------------------------  -------------------  -------------------  ---------  -------------  -------------
TestClient          Client   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:46  2024-11-14 15:57:46  No         Yes            No
TestServer          Server   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:05  2024-11-14 15:57:05  No         Yes            No
imported.cert.com  Unknown  CN=imported.cert.com  [email protected]  2023-08-29 18:12:06  2033-08-26 18:12:06  No         Yes            Yes (MY-CA)
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.