Bugfix CA is verified for all usage.

smous · Aug 19, 2015 · e315164 · e315164
1 parent 7d93d19
commit e315164
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/gae_proxy/local/cert_util.py b/gae_proxy/local/cert_util.py
@@ -172,15 +172,18 @@ def create_ca():
         req.set_pubkey(key)
         req.sign(key, CertUtil.ca_digest)
         ca = OpenSSL.crypto.X509()
+        ca.set_version(2)
         ca.set_serial_number(0)
         ca.gmtime_adj_notBefore(0)
         ca.gmtime_adj_notAfter(24 * 60 * 60 * 3652)
         ca.set_issuer(req.get_subject())
         ca.set_subject(req.get_subject())
         ca.set_pubkey(req.get_pubkey())
+        ca.add_extensions([
+            OpenSSL.crypto.X509Extension(
+                'basicConstraints', False, 'CA:TRUE', ca, ca)
+            ])
         ca.sign(key, CertUtil.ca_digest)
-        v3 = OpenSSL.crypto.X509Extension('basicConstraints', False, 'CA:TRUE')
-        ca.add_extensions([v3])
         #logging.debug("CA key:%s", key)
         xlog.info("create ca")
         return key, ca

diff --git a/php_proxy/local/cert_util.py b/php_proxy/local/cert_util.py
@@ -172,15 +172,18 @@ def create_ca():
         req.set_pubkey(key)
         req.sign(key, CertUtil.ca_digest)
         ca = OpenSSL.crypto.X509()
+        ca.set_version(2)
         ca.set_serial_number(0)
         ca.gmtime_adj_notBefore(0)
         ca.gmtime_adj_notAfter(24 * 60 * 60 * 3652)
         ca.set_issuer(req.get_subject())
         ca.set_subject(req.get_subject())
         ca.set_pubkey(req.get_pubkey())
+        ca.add_extensions([
+            OpenSSL.crypto.X509Extension(
+                'basicConstraints', False, 'CA:TRUE', ca, ca)
+            ])
         ca.sign(key, CertUtil.ca_digest)
-        v3 = OpenSSL.crypto.X509Extension('basicConstraints', False, 'CA:TRUE')
-        ca.add_extensions([v3])
         return key, ca
 
     @staticmethod