certs: add subject key identifier extension

Add the subject key identifier extension to the certificate generated
by Magnum. Which should permit Kubernetes clusters to have certificates
that include authority key identifier extension which appears to be a
requirement in Python 3.13 and newer.

Closes-Bug: #2097094
Change-Id: I13bbb97c8b17fbba2f5f1acfac9d597f12925818
(cherry picked from commit 89f185b)
Signed-off-by: Michal Nasiadka <[email protected]>

Author: jackhodgkiss

magnum/common/x509/operations.py

@@ -223,6 +223,12 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
         builder = builder.add_extension(extention.value,
                                         critical=extention.critical)
 
+    subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
+        csr.public_key())
+    builder = builder.add_extension(
+            subject_key_identifier, critical=False
+    )
+
     certificate = builder.sign(
         private_key=ca_key, algorithm=hashes.SHA256(),
     ).public_bytes(serialization.Encoding.PEM).strip()

magnum/tests/unit/common/x509/test_sign.py

@@ -233,6 +233,26 @@ def test_sign_empty_chars(self, mock_load_pem):
         self.assertEqual(certificate,
                          certificate.strip())
 
+    # If a subject key identifier is given in the CSR, ensure it is added
+    @mock.patch('cryptography.x509.load_pem_x509_csr')
+    def test_sign_subject_key_identifier(self, mock_load_pem):
+        ca_key = self._generate_private_key()
+        private_key = self._generate_private_key()
+        csr_obj = self._build_csr(private_key)
+        csr = csr_obj.public_bytes(serialization.Encoding.PEM)
+        csr = csr.decode('utf-8')
+
+        mock_load_pem.return_value = csr_obj
+        certificate = operations.sign(csr, self.issuer_name,
+                                      ca_key, skip_validation=True)
+
+        # Ensure the Subject Key Identifier extension is present
+        cert = c_x509.load_pem_x509_certificate(certificate)
+        ext_ski = [ext for ext in cert.extensions
+                   if cert.extensions[0].oid ==
+                   c_x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER]
+        self.assertEqual(len(ext_ski), 1)
+
     def test_sign_with_invalid_csr(self):
         ca_key = self._generate_private_key()
         csr = 'test'

releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add subject key identifier extension to x509 operations
+    signing function. Allows for magnum Kubernetes clusters
+    to generate certificates with authority key
+    identifier extension.