From 8d70412c35fb1f0538577ec578e5f0568421dcf0 Mon Sep 17 00:00:00 2001
From: Seth Vidal <skvidal@fedoraproject.org>
Date: Thu, 22 Apr 2010 17:07:59 -0400
Subject: [PATCH] - add BasicConstraints CA:TRUE for a ca cert, false for the
 others - make signature digest sha - instead of md5 - make certs ver 3 not
 ver 1 - closes rh bug: https://bugzilla.redhat.com/show_bug.cgi?id=583047

---
 certmaster/certs.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 554822e..81409f3 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -96,7 +96,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     cacert.set_issuer(careq.get_subject())
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
-    cacert.sign(cakey, 'md5')
+    cacert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cacert.add_extensions((xt,))
+    cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
@@ -134,7 +138,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_issuer(cacert.get_subject())
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
-    cert.sign(cakey, 'md5')
+    cert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:False')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)    
+    cacert.add_extensions((xt,))
+    cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
-- 
2.39.2