
Set correct KU and EKU extensions #328

Merged
merged 3 commits into from Jun 8, 2021

Conversation

tiran
Contributor

@tiran tiran commented Jun 8, 2021

A CA certificate must not have an EKU extension. KU key_cert_signing is
required. crl_sign is recommended for CRLs and digital_signature is
recommended for OCSP.

An end-entity cert must have an EKU. TLS server and TLS client are
recommended. KU digital_signature is required for modern perfect forward
secrecy handshake. key_encipherment is optional for old non-PFS
handshake.

Signed-off-by: Christian Heimes <christian@python.org>

@sethmlarson

sethmlarson commented Jun 8, 2021

Thanks @tiran! Is there a tool/service we can plop our certificate into and verify it's up to snuff? I know requirements change and become stricter typically over time :)

@tiran
Contributor Author

tiran commented Jun 8, 2021

@sethmlarson uhm, I don't know. Maybe ssllabs?

You can also cross-verify the settings with CAB baseline requirements, https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.6.pdf

7.1.2.1 Root CA Certificate

keyUsage
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.

extKeyUsage
This extension MUST NOT be present.

7.1.2.3 Subscriber Certificate

keyUsage (optional)
If present, bit positions for keyCertSign and cRLSign MUST NOT be set.

extKeyUsage (required)
Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present. The value anyExtendedKeyUsage MUST NOT be present.

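The two rule sets in this thread (the CA/end-entity profile in the PR description and the BR 7.1.2.1 / 7.1.2.3 text quoted above) as an added, runnable check. This is example code written for this page, not trustme's own code and not something any participant posted. `check_profile` applies the rules to plain Python data so it runs without any dependency; `profile_of` pulls that data out of a `cryptography` certificate (cryptography is what trustme builds on); `make_pair` builds a CA/leaf pair with the extensions this PR sets so the check can be run end to end. The function names, the subject names and the 30-day validity are assumptions made for the example, and the digitalSignature finding for end-entity certs reflects the PR's own rationale ((EC)DHE and TLS 1.3 handshakes are signed by the server) rather than a BR MUST.

```python
# Added example (not trustme code): keyUsage / extKeyUsage profile check per the PR text and CAB BR 1.7.6 7.1.2.1 / 7.1.2.3.
import datetime

try:
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
except ImportError:  # check_profile() works on plain Python data without cryptography
    x509 = None

# Dotted extKeyUsage OIDs from RFC 5280 section 4.2.1.12.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"
# RFC 5280 keyUsage bit names and the matching x509.KeyUsage() keyword arguments, in bit order.
KU_NAMES = ("digitalSignature", "contentCommitment", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly")
KU_KWARGS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
             "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")

def check_profile(is_ca, ku, ku_critical, eku):
    """Return findings for one certificate (empty list = compliant).
    ku: set of keyUsage bit names that are set; eku: set of dotted OIDs; None = extension absent."""
    findings = []
    if is_ca:  # BR 7.1.2.1
        if ku is None:
            findings.append("CA: keyUsage MUST be present")
        else:
            if not ku_critical:
                findings.append("CA: keyUsage MUST be marked critical")
            for bit in ("keyCertSign", "cRLSign"):
                if bit not in ku:
                    findings.append(f"CA: keyUsage bit {bit} MUST be set")
        if eku is not None:
            findings.append("CA: extKeyUsage MUST NOT be present")
        return findings
    if ku is not None:  # BR 7.1.2.3: keyUsage is optional, but the CA bits are forbidden
        for bit in ("keyCertSign", "cRLSign"):
            if bit in ku:
                findings.append(f"end-entity: keyUsage bit {bit} MUST NOT be set")
        if "digitalSignature" not in ku:  # the server signs in (EC)DHE and TLS 1.3 handshakes
            findings.append("end-entity: keyUsage should include digitalSignature")
    if eku is None:
        findings.append("end-entity: extKeyUsage MUST be present")
    else:
        if not eku & {SERVER_AUTH, CLIENT_AUTH}:
            findings.append("end-entity: extKeyUsage MUST include serverAuth and/or clientAuth")
        if ANY_EKU in eku:
            findings.append("end-entity: anyExtendedKeyUsage MUST NOT be present")
        unexpected = eku - {SERVER_AUTH, CLIENT_AUTH, EMAIL_PROTECTION, ANY_EKU}
        if unexpected:
            findings.append(f"end-entity: extKeyUsage SHOULD NOT include {sorted(unexpected)}")
    return findings

def profile_of(cert):
    """Extract (is_ca, ku, ku_critical, eku) from a cryptography x509.Certificate."""
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            return None
    bc, ku_ext, eku_ext = ext(x509.BasicConstraints), ext(x509.KeyUsage), ext(x509.ExtendedKeyUsage)
    ku = ku_critical = None
    if ku_ext is not None:
        # Only the first seven bits are read: encipher_only/decipher_only raise unless keyAgreement is set.
        ku = {n for n, k in zip(KU_NAMES[:7], KU_KWARGS) if getattr(ku_ext.value, k)}
        ku_critical = ku_ext.critical
    eku = {oid.dotted_string for oid in eku_ext.value} if eku_ext is not None else None
    return bool(bc is not None and bc.value.ca), ku, ku_critical, eku

def make_pair():
    """Build a self-signed CA and a TLS leaf with the extensions this PR sets (names and 30-day validity assumed)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    def build(subject, issuer, public_key, signing_key, ca, ku_bits, eku):
        b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
             .public_key(public_key).serial_number(x509.random_serial_number())
             .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
             .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
             .add_extension(x509.KeyUsage(**{k: k in ku_bits for k in KU_KWARGS}), critical=True))
        if eku is not None:  # CA gets no EKU at all; leaf gets serverAuth + clientAuth
            b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
        return b.sign(signing_key, hashes.SHA256())
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    ca = build(ca_name, ca_name, ca_key.public_key(), ca_key, True,
               {"digital_signature", "key_cert_sign", "crl_sign"}, None)
    leaf = build(leaf_name, ca_name, leaf_key.public_key(), ca_key, False,
                 {"digital_signature", "key_encipherment"},
                 [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
    return ca, leaf

def check_pair():
    return {label: check_profile(*profile_of(cert)) for label, cert in zip(("CA", "leaf"), make_pair())}

if __name__ == "__main__":
    print(check_pair())
```

To check a certificate you already have, load it with `x509.load_pem_x509_certificate()` and pass it to `check_profile(*profile_of(cert))`; an empty list means the KU/EKU profile matches the rules in this PR. The check is deliberately limited to the two extensions the PR touches, so it is a complement to, not a replacement for, a full lint such as the BR checks in zlint.
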
@codecov

codecov bot commented Jun 8, 2021

Codecov Report

Merging #328 (e3ac2d6) into master (b133ed5) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##            master      #328   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           10        10           
  Lines         1115      1160   +45     
  Branches        48        48           
=========================================
+ Hits          1115      1160   +45     
Impacted Files                  Coverage Δ
trustme/__init__.py             100.00% <ø> (ø)
trustme/tests/test_trustme.py   100.00% <0.00%> (ø)

@graingert graingert self-requested a review June 8, 2021 13:48
@graingert graingert merged commit 51d3bdf into python-trio:master Jun 8, 2021
@trio-bot

trio-bot bot commented Jun 8, 2021

Hey @tiran, it looks like that was the first time we merged one of your PRs! Thanks so much! 🎉 🎂

If you want to keep contributing, we'd love to have you. So, I just sent you an invitation to join the python-trio organization on GitHub! If you accept, then here's what will happen:

  • GitHub will automatically subscribe you to notifications on all our repositories. (But you can unsubscribe again if you don't want the spam.)

  • You'll be able to help us manage issues (add labels, close them, etc.)

  • You'll be able to review and merge other people's pull requests

  • You'll get a [member] badge next to your name when participating in the Trio repos, and you'll have the option of adding your name to our members page and putting our icon on your GitHub profile (details)

If you want to read more, here's the relevant section in our contributing guide.

Alternatively, you're free to decline or ignore the invitation. You'll still be able to contribute as much or as little as you like, and I won't hassle you about joining again. But if you ever change your mind, just let us know and we'll send another invitation. We'd love to have you, but more importantly we want you to do whatever's best for you.

If you have any questions, well... I am just a humble Python script, so I probably can't help. But please do post a comment here, or in our chat, or on our forum, whatever's easiest, and someone will help you out!

@pquentin
Member

pquentin commented Jun 8, 2021

Thank you @tiran! Appreciated

@pquentin
Member

pquentin commented Jun 8, 2021

I released this as part of 0.8.0: https://pypi.org/project/trustme/0.8.0/
