Construct extensions like a CSR

- Use _encode_basic_constraints appropriately
- Create an appropriate object from the oid dotted string
- Create the X509 Extension appropriately

1 files changed, 9 insertions, 6 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 1c912e6c..5b9f0759 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1043,14 +1043,17 @@ class Backend(object):
         # Add extensions.
         for i, extension in enumerate(builder._extensions):
             if isinstance(extension.value, x509.BasicConstraints):
-                extension = _encode_basic_constraints(
-                    self,
-                    extension.value.ca,
-                    extension.value.path_length,
-                    extension.critical
-                )
+                pp, r = _encode_basic_constraints(self, extension.value)
             else:
                 raise ValueError('Extension not yet supported.')
+
+            obj = _txt2obj(self, extension.oid.dotted_string)
+            extension = self._lib.X509_EXTENSION_create_by_OBJ(
+                self._ffi.NULL,
+                obj,
+                1 if extension.critical else 0,
+                _encode_asn1_str_gc(self, pp[0], r)
+            )
             res = self._lib.X509_add_ext(x509_cert, extension, i)
             assert res == 1