CA-related extensions should be critical
index 1f505aae09e9e327fa9a2ea407690715634b6224..edce6969a92feef39d3d629fc575f26d40c64efa 100755 (executable)
@@ -22,6 +22,7 @@ from pyderasn import UTCTime
 from pygost.asn1schemas.oids import id_at_commonName
 from pygost.asn1schemas.oids import id_ce_authorityKeyIdentifier
 from pygost.asn1schemas.oids import id_ce_basicConstraints
+from pygost.asn1schemas.oids import id_ce_keyUsage
 from pygost.asn1schemas.oids import id_ce_subjectAltName
 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256
@@ -51,6 +52,7 @@ from pygost.asn1schemas.x509 import Extensions
 from pygost.asn1schemas.x509 import GeneralName
 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
 from pygost.asn1schemas.x509 import KeyIdentifier
+from pygost.asn1schemas.x509 import KeyUsage
 from pygost.asn1schemas.x509 import Name
 from pygost.asn1schemas.x509 import RDNSequence
 from pygost.asn1schemas.x509 import RelativeDistinguishedName
@@ -211,7 +213,7 @@ subj = Name(("rdnSequence", RDNSequence([
     ))
 ])))
 not_before = datetime.utcnow()
-not_after = not_before + timedelta(days=365)
+not_after = not_before + timedelta(days=365 * (10 if args.ca else 1))
 ai_sign = AlgorithmIdentifier((
     ("algorithm", (ai if ca_ai is None else ca_ai)["sign_algorithm"]),
 ))
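Review bot: The validity multiplier on the `not_after` line encodes policy as a bare literal; a named constant makes the intent readable, e.g. `CA_VALIDITY_YEARS = 10` above and `not_after = not_before + timedelta(days=365 * (CA_VALIDITY_YEARS if args.ca else 1))`. Because the validity dates are encoded through pyderasn's UTCTime (visible in the first hunk's context line), a ten-year window that ends after 2049 cannot be represented, since RFC 5280 requires GeneralizedTime for such dates; that is a caveat to record in a comment near this line. The `not_before` value on the unchanged preceding line comes from the naive `datetime.utcnow()`, which is pre-existing and not part of this change. These are top-level statements, so no enclosing function is cut by the hunk.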
@@ -235,7 +237,15 @@ exts = [
 if args.ca:
     exts.append(Extension((
         ("extnID", id_ce_basicConstraints),
-        ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
+        ("critical", Boolean(True)),
+        ("extnValue", OctetString(BasicConstraints((
+            ("cA", Boolean(True)),
+        )).encode())),
+    )))
+    exts.append(Extension((
+        ("extnID", id_ce_keyUsage),
+        ("critical", Boolean(True)),
+        ("extnValue", OctetString(KeyUsage(("keyCertSign",)).encode())),
     )))
 if ca_ai is not None:
     caKeyId = [
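Review bot: The new keyUsage extension asserts only `keyCertSign`, so if the CA produced with `--ca` is also expected to sign CRLs, relying parties that honour the now-critical keyUsage will reject its CRLs; RFC 5280 §4.2.1.3 expects `cRLSign` to accompany `keyCertSign` on such a CA. Assuming the KeyUsage schema names its bits as RFC 5280 does (the hunk already uses `keyCertSign`), the change is `("extnValue", OctetString(KeyUsage(("keyCertSign", "cRLSign")).encode())),`. The non-CA path still emits no keyUsage at all, so the end-entity example stays unconstrained; whether that is intended cannot be told from this hunk. The `if ca_ai is not None:` branch that begins in the trailing context continues outside the hunk.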