From: Sergey Matveev <stargrave@stargrave.org>
Date: Wed, 6 Oct 2021 10:33:00 +0000 (+0300)
Subject: CA-related extensions should be critical
X-Git-Tag: 5.7~4
X-Git-Url: http://www.git.cypherpunks.ru/?p=pygost.git;a=commitdiff_plain;h=f7d7f4e37cc84e0b188b8445009f2ee11d8a250b;hp=ce954e16992da0d00e7d365fa44aea49049ddc6b

CA-related extensions should be critical
---

diff --git a/pygost/asn1schemas/cert-selfsigned-example.py b/pygost/asn1schemas/cert-selfsigned-example.py
index df832ba..edce696 100755
--- a/pygost/asn1schemas/cert-selfsigned-example.py
+++ b/pygost/asn1schemas/cert-selfsigned-example.py
@@ -237,10 +237,14 @@ exts = [
 if args.ca:
     exts.append(Extension((
         ("extnID", id_ce_basicConstraints),
-        ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
+        ("critical", Boolean(True)),
+        ("extnValue", OctetString(BasicConstraints((
+            ("cA", Boolean(True)),
+        )).encode())),
     )))
     exts.append(Extension((
         ("extnID", id_ce_keyUsage),
+        ("critical", Boolean(True)),
         ("extnValue", OctetString(KeyUsage(("keyCertSign",)).encode())),
     )))
 if ca_ai is not None: