authorJan Cholasta <jcholast@redhat.com>2014-06-10 14:20:19 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit239ef955af58c0a3e167dc85e3f2a0168a91989c (patch)
tree39c6818cd97c2cb2f93e771cf5758eabd284ab97 /ipalib
parent4ae3f815ba8e8f910cd2179c5ed402e7c3ea3db8 (diff)
Add function for extracting extended key usage from certs to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/x509.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index bc9ea5f25..ebb6a81d5 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -52,6 +52,13 @@ DER = 1
PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
+EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
+EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
+EKU_CODE_SIGNING = '1.3.6.1.5.5.7.3.3'
+EKU_EMAIL_PROTECTION = '1.3.6.1.5.5.7.3.4'
+EKU_ANY = '2.5.29.37.0'
+EKU_PLACEHOLDER = '1.3.6.1.4.1.3319.6.10.16'
+
_subject_base = None
def subject_base():
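Review bot: The six EKU_* OID constants added at the top of this hunk carry no comment saying where they come from or what they mean, and `EKU_PLACEHOLDER` in particular (a private enterprise-arc OID) gives a reader no way to tell which certificates are expected to carry it. The first five are the key-purpose identifiers from RFC 5280 section 4.2.1.12, so a group header such as `# Extended key usage OIDs (RFC 5280, section 4.2.1.12)` above `EKU_SERVER_AUTH` would anchor them. `EKU_ANY` deserves its own line, e.g. `# anyExtendedKeyUsage: a cert carrying this OID is valid for every purpose, so set comparisons must treat it as a wildcard`, because code that checks membership of a specific purpose in the returned set will otherwise wrongly reject such certificates. The purpose of `EKU_PLACEHOLDER` cannot be inferred from its value and should be stated in a comment by the author.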
@@ -226,6 +233,21 @@ def get_der_serial_number(cert, datatype=PEM, dbdir=None):
def get_der_public_key_info(cert, datatype=PEM, dbdir=None):
return _get_der_field(cert, datatype, dbdir, 'subjectPublicKeyInfo')
+def get_ext_key_usage(certificate, datatype=PEM, dbdir=None):
+ nsscert = load_certificate(certificate, datatype, dbdir)
+ if not nsscert.extensions:
+ return None
+
+ for ext in nsscert.extensions:
+ if ext.oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
+ break
+ else:
+ return None
+
+ eku = nss.x509_ext_key_usage(ext.value, nss.AsDottedDecimal)
+ eku = set(o[4:] for o in eku)
+ return eku
+
def make_pem(data):
"""
Convert a raw base64-encoded blob into something that looks like a PE