authorDavid Benjamin <davidben@google.com>2020-06-24 17:14:16 -0400
committerGitHub <noreply@github.com>2020-06-24 17:14:16 -0400
commit6b79947fa3ce38795de4fc16db3095f3216935ca (patch)
tree1c425366baa582d3e2d8ac069b18ca57d2f9806a
parent2dca7a75eef7c931abbbb6b9a87b1659db5ae6c8 (diff)
downloadpyopenssl-git-6b79947fa3ce38795de4fc16db3095f3216935ca.tar.gz
Fix generated test X.509 certificates. (#917)
From RFC 5280, section 4.1.2.9: "[Extensions] MUST only appear if the version is 3 (Section 4.1.2.1). If present, this field is a SEQUENCE of one or more certificate extensions. The format and content of certificate extensions in the Internet PKI are defined in Section 4.2." X509 objects default to v1, so the test certs need a set_version(2) call. (Note v3 is encoded as 2.)
-rw-r--r--tests/test_crypto.py3
-rw-r--r--tests/test_ssl.py3
2 files changed, 6 insertions, 0 deletions
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 34a9d6e..2a0c967 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1729,6 +1729,9 @@ WpOdIpB8KksUTCzV591Nr1wd
def _extcert(self, pkey, extensions):
cert = X509()
+ # Certificates with extensions must be X.509v3, which is encoded with a
+ # version of two.
+ cert.set_version(2)
cert.set_pubkey(pkey)
cert.get_subject().commonName = "Unit Tests"
cert.get_issuer().commonName = "Unit Tests"
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 50e2026..2cee928 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -199,6 +199,7 @@ def _create_certificate_chain():
cakey = PKey()
cakey.generate_key(TYPE_RSA, 1024)
cacert = X509()
+ cacert.set_version(2)
cacert.get_subject().commonName = "Authority Certificate"
cacert.set_issuer(cacert.get_subject())
cacert.set_pubkey(cakey)
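Review bot: The bare `cacert.set_version(2)` has no explanation here, and the same applies to `icert.set_version(2)` and `scert.set_version(2)` in the two following hunks, while the matching change in tests/test_crypto.py does carry a comment. The zero-based encoding is easy to misread, so a later edit could "correct" the literal to 3 and silently produce certificates that strict verifiers reject. I would put `# X.509v3 is encoded as version 2; certificates with extensions must be v3 (RFC 5280, section 4.1.2.9).` above the first call. Better still, use a single module-level name such as `X509_VERSION_3 = 2` in all three places. The body of `_create_certificate_chain` continues outside these hunks, so the extensions themselves are not visible here; the commit message is the basis for assuming all three certificates carry them.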
@@ -212,6 +213,7 @@ def _create_certificate_chain():
ikey = PKey()
ikey.generate_key(TYPE_RSA, 1024)
icert = X509()
+ icert.set_version(2)
icert.get_subject().commonName = "Intermediate Certificate"
icert.set_issuer(cacert.get_subject())
icert.set_pubkey(ikey)
@@ -225,6 +227,7 @@ def _create_certificate_chain():
skey = PKey()
skey.generate_key(TYPE_RSA, 1024)
scert = X509()
+ scert.set_version(2)
scert.get_subject().commonName = "Server Certificate"
scert.set_issuer(icert.get_subject())
scert.set_pubkey(skey)