From a3982b5390bcc2396ae651b7a701fd28af8b46da Mon Sep 17 00:00:00 2001
From: Adrien Nader <adrien.nader@canonical.com>
Date: Tue, 7 Jan 2025 13:36:40 +0100
Subject: [PATCH] Generate test certificates that pass python 3.13 criteria

Python 3.13 has started requiring the authorityKeyIdentifier field as per
https://github.com/python/cpython/issues/107361 . After iterating a bit,
it appears that we only need to pass "-addext keyUsage=keyCertSign" to
openssl during CA certificate creation and the server certificate will have
the proper field.

It's also possible to use something like `trustme` to generate the
certificates but that would have been a much larger change and more work
(maybe leading to most of the script being dropped however).
---
 breezy/tests/ssl_certs/create_ssls.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/breezy/tests/ssl_certs/create_ssls.py b/breezy/tests/ssl_certs/create_ssls.py
index 4a1dd4b432..3bab367479 100755
--- a/breezy/tests/ssl_certs/create_ssls.py
+++ b/breezy/tests/ssl_certs/create_ssls.py
@@ -131,6 +131,8 @@ def build_ca_certificate():
     _openssl(
         [
             "req",
+            "-addext",
+            "keyUsage = keyCertSign",
             "-passin",
             "stdin",
             "-new",