authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-10-01 20:40:21 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-10-01 20:40:21 -0500
commit34dd76d8dd52405eebed64440656d932dad10791 (patch)
tree0a73c081dea4687f29d709e84bbe5f2c0e3a9c9d
parent61b2f05da921891c588af45b6ab65abbdfe12f8f (diff)
parent6b55c4e42125dd9a01aaf83aa39b1fabfdcfa0b4 (diff)
Merge pull request #2386 from mdjunior/master
Handling path_length when ca is True
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py2
-rw-r--r--tests/test_x509.py24
2 files changed, 25 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index d30bfc29..ac025e95 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints):
constraints, backend._lib.BASIC_CONSTRAINTS_free
)
constraints.ca = 255 if basic_constraints.ca else 0
- if basic_constraints.ca:
+ if basic_constraints.ca and basic_constraints.path_length is not None:
constraints.pathlen = _encode_asn1_int(
backend, basic_constraints.path_length
)
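Review bot: The guard `if basic_constraints.ca and basic_constraints.path_length is not None:` now leaves `constraints.pathlen` unset for a CA with `path_length=None`, but nothing at that line says what an absent field means for the encoded extension. An omitted pathLenConstraint places no limit on how many CA certificates may follow this one in a chain (RFC 5280, section 4.2.1.9), which is a much wider grant than `path_length=0`, so a comment above the condition would help, for example `# path_length None: leave pathLenConstraint absent, i.e. no limit on CA chain depth below this cert`. The combination `ca=False` with a non-None `path_length` is silently dropped by this branch; presumably `BasicConstraints` rejects it on construction, which is not visible in this hunk. `_encode_basic_constraints` starts and ends outside the hunk.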
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 220e71a5..0c022df1 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1601,6 +1601,30 @@ class TestCertificateBuilder(object):
decipher_only=False
)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_ca_request_with_path_length_none(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
+ u'PyCA'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=None), critical=True
+ ).sign(private_key, hashes.SHA1(), backend)
+
+ loaded_request = x509.load_pem_x509_csr(
+ request.public_bytes(encoding=serialization.Encoding.PEM), backend
+ )
+ subject = loaded_request.subject
+ assert isinstance(subject, x509.Name)
+ basic_constraints = request.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.path_length is None
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificateSigningRequestBuilder(object):
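Review bot: The final assertion reads the extension from `request`, the object that was just built, not from `loaded_request`, so the PEM round trip is checked only for the subject; the lookup should be `basic_constraints = loaded_request.extensions.get_extension_for_oid(`. The test also never checks that the CA flag survived encoding; adding `assert basic_constraints.value.ca is True` and `assert basic_constraints.critical is True` would pin the whole extension rather than only the absent path length. Going by the hunk header, the method lands in `TestCertificateBuilder` although it exercises `CertificateSigningRequestBuilder`; it would read more naturally in the CSR builder test class that starts right below.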