Fix generated test X.509 certificates. (#917)
From RFC 5280, section 4.1.2.9:
[Extensions] MUST only appear if the version is 3 (Section 4.1.2.1).
If present, this field is a SEQUENCE of one or more certificate
extensions. The format and content of certificate extensions in the
Internet PKI are defined in Section 4.2.
X509 objects default to v1, so the test certs need a set_version(2) call. (Note
v3 is encoded as 2.)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 50e2026..2cee928 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -199,6 +199,7 @@
cakey = PKey()
cakey.generate_key(TYPE_RSA, 1024)
cacert = X509()
+ cacert.set_version(2)
cacert.get_subject().commonName = "Authority Certificate"
cacert.set_issuer(cacert.get_subject())
cacert.set_pubkey(cakey)
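Review bot: The literal `2` in `cacert.set_version(2)` is unexplained at the call site and is easy to misread as X.509 v2; the same applies to `icert.set_version(2)` and `scert.set_version(2)` in the two later hunks. A comment above the first call, such as `# X.509 v3 is encoded as 2; extensions are only valid in v3 (RFC 5280 4.1.2.9)`, would keep the commit message's reasoning next to the code. The extensions these certificates carry are presumably added outside the hunks, so a later edit could drop the version call without anyone noticing. A check such as `assert cacert.get_version() == 2` after construction would catch that in the test suite, before a stricter parser rejects the certificate. The enclosing function starts and ends outside the hunk.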
@@ -212,6 +213,7 @@
ikey = PKey()
ikey.generate_key(TYPE_RSA, 1024)
icert = X509()
+ icert.set_version(2)
icert.get_subject().commonName = "Intermediate Certificate"
icert.set_issuer(cacert.get_subject())
icert.set_pubkey(ikey)
@@ -225,6 +227,7 @@
skey = PKey()
skey.generate_key(TYPE_RSA, 1024)
scert = X509()
+ scert.set_version(2)
scert.get_subject().commonName = "Server Certificate"
scert.set_issuer(icert.get_subject())
scert.set_pubkey(skey)