Generate test certificates that pass python 3.13 criteria

adrien-n · adrien-n · commit a3982b5390bc · 2025-01-08T09:55:50.000+01:00
Python 3.13 has started requiring the authorityKeyIdentifier field as per python/cpython#107361 . After iterating a bit, it appears that we only need to pass "-addext keyUsage=keyCertSign" to openssl during CA certificate creation and the server certificate will have the proper field. It's also possible to use something like `trustme` to generate the certificates but that would have been a much larger change and more work (maybe leading to most of the script being dropped however).
diff --git a/breezy/tests/ssl_certs/create_ssls.py b/breezy/tests/ssl_certs/create_ssls.py
@@ -131,6 +131,8 @@ def build_ca_certificate():
     _openssl(
         [
             "req",
+            "-addext",
+            "keyUsage = keyCertSign",
             "-passin",
             "stdin",
             "-new",

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,8 @@ def build_ca_certificate():`
`131`	`131`	`_openssl(`
`132`	`132`	`[`
`133`	`133`	`"req",`
	`134`	`+ "-addext",`
	`135`	`+ "keyUsage = keyCertSign",`
`134`	`136`	`"-passin",`
`135`	`137`	`"stdin",`
`136`	`138`	`"-new",`