From cfd9759c4fb32b65dfe075427983207327a03469 Mon Sep 17 00:00:00 2001
From: Gibheer <gibheer+git@zero-knowledge.org>
Date: Wed, 10 Jun 2026 18:32:28 +0200
Subject: fix maximum path len for certificates

When no maximum ca length was given, it was interpreted as a free for
all and blocked the certificate generation for normal certificates.
---
 certificate.go      |  2 +-
 certificate_test.go | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/certificate.go b/certificate.go
index b90e9fa..9203e57 100644
--- a/certificate.go
+++ b/certificate.go
@@ -127,7 +127,7 @@ func (c *CertificateRequest) ToCertificate(private_key PrivateKey,
 	if cert_opts.IsCA {
 		template.BasicConstraintsValid = true
 	}
-	if cert_opts.CALength >= 0 {
+	if cert_opts.CALength > 0 {
 		template.MaxPathLen = cert_opts.CALength
 		template.MaxPathLenZero = true
 		template.BasicConstraintsValid = true
diff --git a/certificate_test.go b/certificate_test.go
index 14b1279..39e25c0 100644
--- a/certificate_test.go
+++ b/certificate_test.go
@@ -3,6 +3,7 @@ package pki
 import (
 	"crypto/elliptic"
 	"crypto/x509/pkix"
+	"fmt"
 	"math/big"
 	"reflect"
 	"testing"
@@ -52,6 +53,23 @@ func TestCertificateCreation(t *testing.T) {
 	}
 }
 
+func TestCertificateMaxLength(t *testing.T) {
+	pk, err := NewPrivateKeyRsa(1024)
+	if err != nil {
+		t.Errorf("cert: creating private key rsa failed: %s", err)
+	}
+	csr, err := TestCertificateData.ToCertificateRequest(pk)
+	cert_opts := CertificateOptions{SerialNumber: big.NewInt(1)}
+	fmt.Println("create cert")
+	cert, err := csr.ToCertificate(pk, cert_opts, nil)
+	if err != nil {
+		t.Errorf("cert: creating cert failed: %s", err)
+	}
+	if !fieldsAreSame(TestCertificateData, cert) {
+		t.Errorf("cert: Fields are not the same")
+	}
+}
+
 func fieldsAreSame(data CertificateData, cert *Certificate) bool {
 	if cert == nil {
 		return false
-- 
cgit v1.3.1