diff --git a/src/calibre/srv/tests/loop.py b/src/calibre/srv/tests/loop.py
index f3f4cecadd..7e4ea0e857 100644
--- a/src/calibre/srv/tests/loop.py
+++ b/src/calibre/srv/tests/loop.py
@@ -201,8 +201,6 @@ class LoopTest(BaseTest):
 cert_file, key_file, ca_file = map(lambda x:os.path.join(tdir, x), 'cka')
 create_server_cert(address, ca_file, cert_file, key_file, key_size=2048)
 ctx = ssl.create_default_context(cafile=ca_file)
- # python 3.13 added this flag to validate stricter RFC compliance. It is unneeded complexity for the testsuite.
- ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
 with TestServer(
 lambda data:(data.path[0] + data.read().decode('utf-8')),
 ssl_certfile=cert_file, ssl_keyfile=key_file, listen_on=address, port=0) as server:
diff --git a/src/calibre/utils/certgen.c b/src/calibre/utils/certgen.c
index 6c66551a7d..2e46478f58 100644
--- a/src/calibre/utils/certgen.c
+++ b/src/calibre/utils/certgen.c
@@ -269,6 +269,20 @@ static PyObject* create_rsa_cert(PyObject *self, PyObject *args) {
 if (!PubKey) { set_error("X509_REQ_get_pubkey"); goto error; }
 if (!X509_REQ_verify(req, PubKey)) { set_error("X509_REQ_verify"); goto error; }
 if (!X509_set_pubkey(Cert, PubKey)) { set_error("X509_set_pubkey"); goto error; }
+ if (!req_is_for_CA_cert) {
+ X509V3_CTX ctx;
+ X509V3_set_ctx(&ctx, Cert, Cert, NULL, NULL, 0);
+ X509V3_set_ctx_nodb(&ctx);
+ X509_EXTENSION *ex;
+ ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
+ if (!ex) { set_error("creating subject key identifier failed"); goto error; }
+ X509_add_ext(Cert, ex, -1);
+ X509_EXTENSION_free(ex);
+ ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid:always");
+ if (!ex) { set_error("creating authority key identifier failed"); goto error; }
+ X509_add_ext(Cert, ex, -1);
+ X509_EXTENSION_free(ex);
+ }
 Py_BEGIN_ALLOW_THREADS;
 signature_length = X509_sign(Cert, CA_key, EVP_sha256());
 Py_END_ALLOW_THREADS;
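Review bot: In the added `if (!req_is_for_CA_cert)` block of certgen.c, `X509V3_set_ctx(&ctx, Cert, Cert, NULL, NULL, 0)` passes the certificate being built as its own issuer, so `keyid:always` appears to derive the authority key identifier from the leaf's own subject key identifier rather than from the key behind `CA_key` that signs it a few lines later. An AKI that does not name the issuing key weakens what the strict verification re-enabled in loop.py is meant to check, and may surface as a keyid mismatch if the CA certificate carries its own SKI. If the issuing certificate is available in `create_rsa_cert` (its parameters and the rest of its body are outside the hunk), pass it as the first argument instead of `Cert`. Separately, both `X509_add_ext(Cert, ex, -1);` calls ignore the return value, unlike the other OpenSSL calls in view; `if (!X509_add_ext(Cert, ex, -1)) { X509_EXTENSION_free(ex); set_error("X509_add_ext"); goto error; }` would keep a failed add from producing a signed certificate that lacks the extension.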