
show pki certificate doesn't show x509 certificates
Closed, Resolved | Public | BUG

Description

vyos@r2:~$ show pki certificate 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 873, in <module>
    show_certificate(None if args.certificate == 'all' else args.certificate)
  File "/usr/libexec/vyos/op_mode/pki.py", line 738, in show_certificate
    ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
  File "/usr/lib/python3/dist-packages/cryptography/x509/extensions.py", line 135, in get_extension_for_class
    raise ExtensionNotFound(
cryptography.x509.extensions.ExtensionNotFound: No <class 'cryptography.x509.extensions.ExtendedKeyUsage'> extension was found
vyos@r2:~$

Details

Version
VyOS 1.4-rolling-202111080547
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Note, the host was upgraded from 1.2.8

This is still an issue in 1.5. I tried importing a cert signed by my own CA and got the same error.

This patch will skip trying to read the non-existent ExtendedKeyUsage but will show "Unknown" for the type as I'm not sure what to label it as based on the attributes available.

diff -rupP /usr/libexec/vyos/op_mode/pki.py pki.py
--- /usr/libexec/vyos/op_mode/pki.py    2023-11-15 16:06:56.107961414 +0000
+++ pki.py      2023-11-15 16:09:06.490957018 +0000
@@ -896,12 +896,15 @@ def show_certificate(name=None, pem=Fals
             cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
             cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
             cert_type = 'Unknown'
-            ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
-            if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
-                cert_type = 'Server'
-            elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
-                cert_type = 'Client'

+            try:
+                ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
+                if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
+                    cert_type = 'Server'
+                elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
+                    cert_type = 'Client'
+            except:
+                pass
             revoked = 'Yes' if 'revoke' in cert_dict else 'No'
             have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No'
             have_ca = f'Yes ({ca_name})' if ca_name else 'No'
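Review bot: the bare `except:` in the added block swallows every exception, not just the missing-extension case, so any other failure in this `try` (including KeyboardInterrupt and programming errors) is hidden and the certificate is silently reported as "Unknown". The traceback above shows the exact exception to expect, so narrow it to `except x509.ExtensionNotFound:`. The `if ext and ...` guards are also redundant once the lookup is inside the `try`, because `get_extension_for_class()` raises instead of returning None.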

Imported cert properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xfc{\x07\xa6\x88\x03M\x86\xde\xd5*\x13\x99\x03P\x1f\xf6r/\xdd', authority_cert_issuer=None, authority_cert_serial_number=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=False, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=False, value=<KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=True, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False, value=<SubjectAlternativeName(<GeneralNames([<DNSName(value='imported.cert.com')>, <DNSName(value='othername.cert.com')>])>)>)>])>

Client cert generated on VyOS properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clientAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\x95\x1e\xde\xb7\x81\xcd\x86\xeb2Xk\xed\xd9\x12ax6\xb9\xd5I', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>

Server cert generated on VyOS properties:

<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a')>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xbe\\\x1c\x8c\xa8\xde0FF\xe9N!\xd9\xf9;D\x12JV\x1a', authority_cert_issuer=None, authority_cert_serial_number=None)>)>])>

Certificates:
Name                Type     Subject CN             Issuer CN                             Issued               Expiry               Revoked    Private Key    CA Present
------------------  -------  ---------------------  ------------------------------------  -------------------  -------------------  ---------  -------------  -------------
TestClient          Client   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:46  2024-11-14 15:57:46  No         Yes            No
TestServer          Server   CN=vyos.io             CN=vyos.io                            2023-11-15 15:57:05  2024-11-14 15:57:05  No         Yes            No
imported.cert.com  Unknown  CN=imported.cert.com  1.2.840.113549.1.9.1=me@domain.com  2023-08-29 18:12:06  2033-08-26 18:12:06  No         Yes            Yes (MY-CA)
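Added example (not VyOS code and not the patch above): the same Server/Client classification that pki.py performs, with the missing-extension case handled by catching the specific `x509.ExtensionNotFound` the traceback shows, plus a constructed `make_cert` helper that builds throwaway self-signed test certificates with and without an EKU. It assumes the `cryptography` library is installed, as it is on VyOS.

```python
# Added example (not VyOS code): classify an X.509 certificate the way
# op_mode/pki.py does, but treat a missing ExtendedKeyUsage as "Unknown"
# instead of letting cryptography's ExtensionNotFound abort the command.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def cert_type(cert: x509.Certificate) -> str:
    """Return 'Server', 'Client' or 'Unknown' from the EKU extension.

    get_extension_for_class() raises rather than returning None, so a
    narrow except is the right way to handle certs without an EKU.
    """
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return 'Unknown'  # e.g. an imported cert issued by an external CA
    if ExtendedKeyUsageOID.SERVER_AUTH in eku.value:
        return 'Server'
    if ExtendedKeyUsageOID.CLIENT_AUTH in eku.value:
        return 'Client'
    return 'Unknown'


def make_cert(cn, eku=None):
    """Constructed helper (hypothetical): build a self-signed test cert.

    eku is a list of ExtendedKeyUsageOID values, or None to omit the
    extension entirely, mirroring the imported certificate on this page.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                              critical=True))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == '__main__':
    for cn, eku in [('TestServer', [ExtendedKeyUsageOID.SERVER_AUTH]),
                    ('TestClient', [ExtendedKeyUsageOID.CLIENT_AUTH]),
                    ('imported.cert.com', None)]:
        print(f'{cn:<18} {cert_type(make_cert(cn, eku))}')
```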
Viacheslav claimed this task.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).