From 0e94257d4396a16efe8ff3170886b80489ea94f8 Mon Sep 17 00:00:00 2001
From: Manoel Domingues Junior <mdjunior@users.noreply.github.com>
Date: Thu, 1 Oct 2015 14:45:48 -0300
Subject: Handling path_length when ca is True

Using CertificateBuilder:
builder = builder.add_extension(x509.BasicConstraints(ca=True,path_length=None), critical=True) return TypeError in line 792 because None can't be converted to hex.

In https://tools.ietf.org/html/rfc5280.html#section-4.2.1.9: CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit.
---
 src/cryptography/hazmat/backends/openssl/backend.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index d30bfc29..715624bf 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints):
         constraints, backend._lib.BASIC_CONSTRAINTS_free
     )
     constraints.ca = 255 if basic_constraints.ca else 0
-    if basic_constraints.ca:
+    if basic_constraints.ca and basic_constraints.path_length != None:
         constraints.pathlen = _encode_asn1_int(
             backend, basic_constraints.path_length
         )
-- 
cgit v1.2.3