diff --git a/provision/albatross_provision.ml b/provision/albatross_provision.ml
index 4cd9b43..98ac091 100644
--- a/provision/albatross_provision.ml
+++ b/provision/albatross_provision.ml
@@ -1,6 +1,6 @@
 (* (c) 2017 Hannes Mehnert, all rights reserved *)
-let asn_version = `AV2
+let asn_version = `AV4
 let timestamps validity =
 let now = Ptime_clock.now () in
diff --git a/provision/albatross_provision_ca.ml b/provision/albatross_provision_ca.ml
index fa28da5..ce35fd7 100644
--- a/provision/albatross_provision_ca.ml
+++ b/provision/albatross_provision_ca.ml
@@ -41,10 +41,9 @@ let sign_csr dbname cacert key csr days =
 match albatross_extension csr with
 | Ok v ->
 Vmm_asn.cert_extension_of_cstruct v >>= fun (version, cmd) ->
- (if Vmm_commands.version_eq version version then
- Ok ()
- else
- Error (`Msg "unknown version in request")) >>= fun () ->
+ if not (Vmm_commands.version_eq asn_version version) then
+ Logs.warn (fun m -> m "version in request (%a) different from our version %a, using ours"
+ Vmm_commands.pp_version version Vmm_commands.pp_version asn_version);
 let exts, default_days = match cmd with
 | `Policy_cmd (`Policy_add _) -> d_exts (), 365
 | _ -> l_exts, 1
@@ -54,7 +53,8 @@ let sign_csr dbname cacert key csr days =
 (* the "false" is here since X509 validation bails on exts marked as critical (as required), but has no way to supply which extensions are actually handled by the application / caller *)
- let extensions = Extension.(add (Unsupported Vmm_asn.oid) (false, v) exts) in
+ let v' = Vmm_asn.cert_extension_to_cstruct (asn_version, cmd) in
+ let extensions = Extension.(add (Unsupported Vmm_asn.oid) (false, v') exts) in
 sign ~dbname extensions issuer key csr (Duration.of_day days)
 | Error e -> Error e
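Review bot: In `sign_csr` (provision/albatross_provision_ca.ml, hunk `-41,10 +41,9`) a version mismatch is now only logged, so the CA signs for any request version that `Vmm_asn.cert_extension_of_cstruct` manages to decode and there is no version it refuses. The removed check compared `version` with itself and never rejected anything either, but the new code makes that permissive behaviour the policy without saying so. If only specific older versions are meant to be upgraded, match on those explicitly and return an `Error` with a `Msg` for the rest. Otherwise record the decision next to the check, e.g. `(* any decodable version is accepted; the certificate is always issued with asn_version *)`. `asn_version` is used unqualified here and presumably comes from an `open` outside the hunk; the function body also starts and ends outside it.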
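Review bot: In the `-54,7 +53,8` hunk of `sign_csr`, the new `let v' = Vmm_asn.cert_extension_to_cstruct (asn_version, cmd) in` line sits between the comment explaining the `false` criticality flag and the `Extension.add` call that comment describes, so the comment now reads as if it documents the re-encoding. Moving the binding above the comment and giving it its own note keeps both clear, for example `(* re-encode with our asn_version so the issued certificate never carries the requester's version *)`. A more descriptive name than `v'` would also make it harder for a later edit to pass the raw CSR bytes `v` to `Extension.add` by mistake. The function begins outside the hunk.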