tmp

Author: mathiasertl

ca/django_ca/ca_settings.py

@@ -184,7 +184,6 @@ def _get_hash_algorithm(setting: str, default: "HashAlgorithms") -> "AllowedHash
         "description": _(
             "A certificate for an enduser, allows client authentication, code and email signing."
         ),
-        "cn_in_san": False,
         "extensions": {
             "key_usage": {
                 "critical": True,
@@ -206,7 +205,6 @@ def _get_hash_algorithm(setting: str, default: "HashAlgorithms") -> "AllowedHash
     },
     "ocsp": {
         "description": _("A certificate for an OCSP responder."),
-        "cn_in_san": False,  # CAs frequently use human-readable name as CN
         "add_ocsp_url": False,
         "autogenerated": True,
         "subject": False,
@@ -290,7 +288,6 @@ def _get_hash_algorithm(setting: str, default: "HashAlgorithms") -> "AllowedHash
 
 for profile_name, profile in CA_PROFILES.items():
     profile.setdefault("subject", CA_DEFAULT_SUBJECT)
-    profile.setdefault("cn_in_san", True)
 
     if subject := profile.get("subject"):
         profile["subject"] = _normalize_x509_name(subject, f"subject in {profile_name} profile.")

ca/django_ca/managers.py

@@ -605,10 +605,6 @@ def create_cert(  # noqa: PLR0913
             Passed to :py:func:`Profiles.create_cert() <django_ca.profiles.Profile.create_cert>`.
         extensions : list or of :py:class:`~cg:cryptography.x509.Extension`
             Passed to :py:func:`Profiles.create_cert() <django_ca.profiles.Profile.create_cert>`.
-        cn_in_san : bool, optional
-            Passed to :py:func:`Profiles.create_cert() <django_ca.profiles.Profile.create_cert>`.
-        cn_in_san : bool, optional
-            Passed to :py:func:`Profiles.create_cert() <django_ca.profiles.Profile.create_cert>`.
         add_crl_url : bool, optional
             Passed to :py:func:`Profiles.create_cert() <django_ca.profiles.Profile.create_cert>`.
         add_ocsp_url : bool, optional
@@ -633,7 +629,6 @@ def create_cert(  # noqa: PLR0913
             expires=expires,
             algorithm=algorithm,
             extensions=extensions,
-            cn_in_san=False,
             add_crl_url=add_crl_url,
             add_ocsp_url=add_ocsp_url,
             add_issuer_url=add_issuer_url,

ca/django_ca/models.py

@@ -792,8 +792,7 @@ def sign(
 
         Required extensions are added if not provided. Unless already included in `extensions`, this function
         will add the AuthorityKeyIdentifier, BasicConstraints and SubjectKeyIdentifier extensions with values
-        coming from the certificate authority. The common names in `subject` are added to
-        SubjectAlternativeName if `cn_in_san` is ``True``.
+        coming from the certificate authority.
 
         Parameters
         ----------

ca/django_ca/profiles.py

@@ -41,7 +41,7 @@
     SerializedProfile,
     SerializedPydanticName,
 )
-from django_ca.utils import get_cert_builder, merge_x509_names, parse_expires, parse_general_name, x509_name
+from django_ca.utils import get_cert_builder, merge_x509_names, parse_expires, x509_name
 
 if typing.TYPE_CHECKING:
     from django_ca.models import CertificateAuthority
@@ -115,7 +115,12 @@ def __init__(  # noqa: PLR0913
             except KeyError as ex:
                 raise ValueError(f"{algorithm}: Unknown hash algorithm.") from ex
 
-        self.cn_in_san = cn_in_san
+        if cn_in_san is not None:  # pragma: no cover
+            warnings.warn(
+                "cn_in_san: Support for this flag has been removed.",
+                RemovedInDjangoCA128Warning,
+                stacklevel=2,
+            )
         self.expires = expires or ca_settings.CA_DEFAULT_EXPIRES
         self.add_crl_url = add_crl_url
         self.add_issuer_url = add_issuer_url
@@ -148,7 +153,6 @@ def __eq__(self, value: object) -> bool:
             and self.subject == value.subject
             and algo
             and self.extensions == value.extensions
-            and self.cn_in_san == value.cn_in_san
             and self.expires == value.expires
             and self.add_crl_url == value.add_crl_url
             and self.add_issuer_url == value.add_issuer_url
@@ -179,7 +183,6 @@ def create_cert(  # noqa: PLR0913
         expires: Expires = None,
         algorithm: Optional[AllowedHashTypes] = None,
         extensions: Optional[Iterable[x509.Extension[x509.ExtensionType]]] = None,
-        cn_in_san: Optional[bool] = None,
         add_crl_url: Optional[bool] = None,
         add_ocsp_url: Optional[bool] = None,
         add_issuer_url: Optional[bool] = None,
@@ -229,9 +232,6 @@ def create_cert(  # noqa: PLR0913
             :py:class:`~cg:cryptography.x509.IssuerAlternativeName` extension, *add_issuer_alternative_name*
             is ``True`` and the passed CA has an IssuerAlternativeName set, that value will be appended to the
             extension you pass here.
-        cn_in_san : bool, optional
-            Override if the commonName should be added as an SubjectAlternativeName. If not passed, the value
-            set in the profile is used.
         add_crl_url : bool, optional
             Override if any CRL URLs from the CA should be added to the CA. If not passed, the value set in
             the profile is used.
@@ -253,8 +253,6 @@ def create_cert(  # noqa: PLR0913
             The signed certificate.
         """
         # Get overrides values from profile if not passed as parameter
-        if cn_in_san is None:
-            cn_in_san = self.cn_in_san
         if add_crl_url is None:
             add_crl_url = self.add_crl_url
         if add_ocsp_url is None:
@@ -302,9 +300,6 @@ def create_cert(  # noqa: PLR0913
         # Make sure that expires is a fixed timestamp
         expires = self.get_expires(expires)
 
-        # Finally, add the commonName as a subjectAlternativeName if not already present.
-        self._update_san_from_cn(cn_in_san, subject=subject, extensions=cert_extensions)
-
         if not subject.get_attributes_for_oid(NameOID.COMMON_NAME) and not cert_extensions.get(
             ExtensionOID.SUBJECT_ALTERNATIVE_NAME
         ):
@@ -526,40 +521,6 @@ def _update_cn_from_san(
 
         return subject
 
-    def _update_san_from_cn(self, cn_in_san: bool, subject: x509.Name, extensions: ExtensionMapping) -> None:
-        if cn_in_san is False:
-            return
-
-        if not (common_name_attributes := subject.get_attributes_for_oid(NameOID.COMMON_NAME)):
-            return
-
-        common_name_value = typing.cast(str, common_name_attributes[0].value)
-        try:
-            common_name = parse_general_name(common_name_value)
-        except ValueError as ex:
-            raise ValueError(
-                f"{common_name_value}: Could not parse CommonName as subjectAlternativeName."
-            ) from ex
-
-        if ExtensionOID.SUBJECT_ALTERNATIVE_NAME in extensions:
-            san_ext = typing.cast(
-                x509.Extension[x509.SubjectAlternativeName],
-                extensions[ExtensionOID.SUBJECT_ALTERNATIVE_NAME],
-            )
-
-            if common_name not in san_ext.value:
-                extensions[ExtensionOID.SUBJECT_ALTERNATIVE_NAME] = x509.Extension(
-                    oid=ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
-                    critical=san_ext.critical,
-                    value=x509.SubjectAlternativeName([*san_ext.value, common_name]),
-                )
-        else:
-            extensions[ExtensionOID.SUBJECT_ALTERNATIVE_NAME] = x509.Extension(
-                oid=ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
-                critical=False,
-                value=x509.SubjectAlternativeName([common_name]),
-            )
-
 
 def get_profile(name: Optional[str] = None) -> Profile:
     """Get profile by the given name.

ca/django_ca/tests/test_models.py

@@ -66,10 +66,8 @@
     basic_constraints,
     crl_distribution_points,
     distribution_point,
-    dns,
     issuer_alternative_name,
     override_tmpcadir,
-    subject_alternative_name,
     subject_key_identifier,
     uri,
 )
@@ -1032,28 +1030,6 @@ def test_non_default_extensions(self) -> None:
         self.assertBasicCert(cert)
         self.assertExtensionDict(cert, [ski, basic_constraints(critical=False), aki])
 
-    @override_tmpcadir()
-    @freeze_time(TIMESTAMPS["everything_valid"])
-    def test_cn_not_in_san(self) -> None:
-        """Test the cn_in_san option."""
-        cn = "example.com"
-        csr = CERT_DATA["child-cert"]["csr"]["parsed"]
-        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
-        san = subject_alternative_name(dns("example.net"))
-        with self.assertSignCertSignals():
-            cert = self.ca.sign(csr, subject=subject, extensions=[san])
-
-        self.assertBasicCert(cert)
-        self.assertExtensionDict(
-            cert,
-            [
-                subject_key_identifier(cert),
-                san,
-                basic_constraints(),
-                self.ca.get_authority_key_identifier_extension(),
-            ],
-        )
-
     def test_create_ca(self) -> None:
         """Try passing a BasicConstraints extension that allows creating a CA."""
         csr = CERT_DATA["child-cert"]["csr"]["parsed"]

ca/django_ca/tests/test_profiles.py

@@ -84,9 +84,7 @@ def test_python_intro(self) -> None:
 class ProfileTestCase(TestCaseMixin, TestCase):
     """Main tests for the profile class."""
 
-    def create_cert(  # type: ignore[override]
-        self, prof: Profile, ca: CertificateAuthority, *args: Any, **kwargs: Any
-    ) -> Certificate:
+    def create_cert(self, prof: Profile, ca: CertificateAuthority, *args: Any, **kwargs: Any) -> Certificate:
         """Shortcut to create a cert with the given profile."""
         cert = Certificate(ca=ca)
         cert.update_certificate(prof.create_cert(ca, *args, **kwargs))
@@ -108,10 +106,7 @@ def test_create_cert_minimal(self) -> None:
                 add_issuer_alternative_name=False,
             )
         self.assertEqual(pre.call_count, 1)
-        self.assertExtensions(
-            cert,
-            [ca.get_authority_key_identifier_extension(), subject_alternative_name(dns(self.hostname))],
-        )
+        self.assertExtensions(cert, [ca.get_authority_key_identifier_extension()])
 
     @override_tmpcadir()
     def test_alternative_values(self) -> None:
@@ -175,7 +170,6 @@ def test_overrides(self) -> None:
                 subject_key_identifier(cert),
                 ca.get_authority_key_identifier_extension(),
                 basic_constraints(),
-                subject_alternative_name(dns(self.hostname)),
             ],
             expect_defaults=False,
         )
@@ -199,7 +193,6 @@ def test_overrides(self) -> None:
             [
                 ca.get_authority_key_identifier_extension(),
                 basic_constraints(),
-                subject_alternative_name(dns(self.hostname)),
             ],
         )
 
@@ -215,78 +208,6 @@ def test_none_extension(self) -> None:
         self.assertEqual(pre.call_count, 1)
         self.assertNotIn(ExtensionOID.OCSP_NO_CHECK, cert.x509_extensions)
 
-    @override_tmpcadir()
-    def test_cn_in_san(self) -> None:
-        """Test writing the common name into the SAN."""
-        ca = self.load_ca(name="root", parsed=CERT_DATA["root"]["pub"]["parsed"])
-        csr = CERT_DATA["child-cert"]["csr"]["parsed"]
-
-        prof = Profile("example", subject=False, add_issuer_alternative_name=False, cn_in_san=False)
-        with self.mockSignal(pre_sign_cert) as pre:
-            cert = self.create_cert(prof, ca, csr, subject=self.subject)
-        self.assertEqual(pre.call_count, 1)
-        self.assertEqual(cert.subject, self.subject)
-        self.assertExtensions(cert, [ca.get_authority_key_identifier_extension()])
-
-        # Create the same cert, but pass cn_in_san=True to create_cert
-        with self.mockSignal(pre_sign_cert) as pre:
-            cert = self.create_cert(prof, ca, csr, subject=self.subject, cn_in_san=True)
-        self.assertEqual(pre.call_count, 1)
-        self.assertEqual(cert.subject, self.subject)
-        self.assertExtensions(
-            cert,
-            [ca.get_authority_key_identifier_extension(), subject_alternative_name(dns(self.hostname))],
-        )
-
-        # test that cn_in_san=True with a SAN that already contains the CN does not lead to a duplicate
-        with self.mockSignal(pre_sign_cert) as pre:
-            cert = self.create_cert(
-                prof,
-                ca,
-                csr,
-                subject=self.subject,
-                cn_in_san=True,
-                extensions=[subject_alternative_name(dns(self.hostname))],
-            )
-        self.assertEqual(pre.call_count, 1)
-        self.assertEqual(cert.subject, self.subject)
-        self.assertExtensions(
-            cert,
-            [ca.get_authority_key_identifier_extension(), subject_alternative_name(dns(self.hostname))],
-        )
-
-        # test that cn_in_san=True with a SAN that does NOT yet contain the CN, so it's added
-        with self.mockSignal(pre_sign_cert) as pre:
-            cert = self.create_cert(
-                prof,
-                ca,
-                csr,
-                subject=self.subject,
-                cn_in_san=True,
-                extensions=[subject_alternative_name(dns(self.hostname + ".added"))],
-            )
-        self.assertEqual(pre.call_count, 1)
-        self.assertEqual(cert.subject, self.subject)
-        self.assertExtensions(
-            cert,
-            [
-                ca.get_authority_key_identifier_extension(),
-                subject_alternative_name(dns(self.hostname + ".added"), dns(self.hostname)),
-            ],
-        )
-
-        # test that the first SAN is added as CN if we don't have A CN
-        with self.mockSignal(pre_sign_cert) as pre:
-            cert = self.create_cert(
-                prof, ca, csr, cn_in_san=True, extensions=[subject_alternative_name(dns(self.hostname))]
-            )
-        self.assertEqual(pre.call_count, 1)
-        self.assertEqual(cert.subject, self.subject)
-        self.assertExtensions(
-            cert,
-            [ca.get_authority_key_identifier_extension(), subject_alternative_name(dns(self.hostname))],
-        )
-
     @override_tmpcadir()
     def test_override_ski(self) -> None:
         """Test overriding the subject key identifier."""
@@ -314,12 +235,7 @@ def test_override_ski(self) -> None:
         self.assertEqual(pre.call_count, 1)
         self.assertExtensions(
             cert,
-            [
-                ca.get_authority_key_identifier_extension(),
-                basic_constraints(),
-                subject_alternative_name(dns(self.hostname)),
-                ski,
-            ],
+            [ca.get_authority_key_identifier_extension(), basic_constraints(), ski],
             expect_defaults=False,
         )
 
@@ -357,7 +273,6 @@ def test_add_distribution_point_with_ca_crldp(self) -> None:
                 ca.get_authority_key_identifier_extension(),
                 basic_constraints(),
                 x509.Extension(oid=ExtensionOID.SUBJECT_KEY_IDENTIFIER, critical=False, value=ski),
-                subject_alternative_name(dns(self.hostname)),
                 added_crldp,
             ],
             expect_defaults=False,
@@ -422,7 +337,6 @@ def test_issuer_alternative_name_override(self) -> None:
                 ca.get_authority_key_identifier_extension(),
                 basic_constraints(),
                 x509.Extension(oid=ExtensionOID.SUBJECT_KEY_IDENTIFIER, critical=False, value=ski),
-                subject_alternative_name(dns(self.hostname)),
                 issuer_alternative_name(added_ian_uri),
             ],
             expect_defaults=False,
@@ -468,7 +382,6 @@ def test_merge_authority_information_access_existing_values(self) -> None:
                 ca.get_authority_key_identifier_extension(),
                 basic_constraints(),
                 x509.Extension(oid=ExtensionOID.SUBJECT_KEY_IDENTIFIER, critical=False, value=ski),
-                subject_alternative_name(dns(self.hostname)),
                 authority_information_access(
                     ca_issuers=[cert_issuers, cert_issuers2],
                     ocsp=[cert_ocsp],
@@ -496,12 +409,7 @@ def test_extension_as_cryptography(self) -> None:
         self.assertEqual(pre.call_count, 1)
         self.assertExtensions(
             cert,
-            [
-                ca.get_authority_key_identifier_extension(),
-                basic_constraints(),
-                ocsp_no_check(),
-                subject_alternative_name(dns(self.hostname)),
-            ],
+            [ca.get_authority_key_identifier_extension(), basic_constraints(), ocsp_no_check()],
         )
 
     @override_tmpcadir()
@@ -643,22 +551,9 @@ def test_no_valid_cn_in_san(self) -> None:
         san = subject_alternative_name(x509.RegisteredID(ExtensionOID.OCSP_NO_CHECK))
 
         with self.mockSignal(pre_sign_cert) as pre:
-            self.create_cert(prof, ca, csr, cn_in_san=True, extensions=[san])
+            self.create_cert(prof, ca, csr, extensions=[san])
         self.assertEqual(pre.call_count, 1)
 
-    @override_tmpcadir()
-    def test_unparsable_cn(self) -> None:
-        """Try creating a profile with an unparsable Common Name."""
-        ca = self.load_ca(name="root", parsed=CERT_DATA["root"]["pub"]["parsed"])
-        csr = CERT_DATA["child-cert"]["csr"]["parsed"]
-        cname = "foo bar"
-
-        prof = Profile("example", subject=x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cname)]))
-        msg = rf"^{cname}: Could not parse CommonName as subjectAlternativeName\.$"
-        with self.mockSignal(pre_sign_cert) as pre, self.assertRaisesRegex(ValueError, msg):
-            self.create_cert(prof, ca, csr)
-        self.assertEqual(pre.call_count, 0)
-
     def test_unknown_signature_hash_algorithm(self) -> None:
         """Test passing an unknown hash algorithm."""
         with self.assertRaisesRegex(ValueError, r"^foo: Unknown hash algorithm\.$"):