From 0847af16cb29fd5db6e811daaf519b05f59dbd92 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Wed, 8 Jul 2020 16:29:33 -0700
Subject: [PATCH] Fix setter of basic constraints.

---
 x509util/extensions.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/x509util/extensions.go b/x509util/extensions.go
index fb305c36..2b1c8527 100644
--- a/x509util/extensions.go
+++ b/x509util/extensions.go
@@ -293,9 +293,17 @@ type BasicConstraints struct {
 // Set sets the basic constraints to the given certificate.
 func (b BasicConstraints) Set(c *x509.Certificate) {
 	c.IsCA = b.IsCA
-	c.MaxPathLen = b.MaxPathLen
-	if c.MaxPathLen < 0 {
-		c.MaxPathLen = -1
+	if c.IsCA {
+		c.BasicConstraintsValid = true
+		switch {
+		case b.MaxPathLen == 0:
+			c.MaxPathLen = b.MaxPathLen
+			c.MaxPathLenZero = true
+		case b.MaxPathLen < 0:
+			c.MaxPathLen = -1
+		default:
+			c.MaxPathLen = b.MaxPathLen
+		}
 	}
 }