diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2014-06-12 17:17:42 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
| commit | 24932b2d91d3a32bc881d076562f9fe483a3d44e (patch) | |
| tree | 8e88ed0193c1086c5f9e6b40242e1707449ed70d /ipalib/x509.py | |
| parent | b5471a9f3eb2134ce7017224dd732f9a4b2a10f8 (diff) | |
| download | freeipa-24932b2d91d3a32bc881d076562f9fe483a3d44e.tar.gz freeipa-24932b2d91d3a32bc881d076562f9fe483a3d44e.tar.xz freeipa-24932b2d91d3a32bc881d076562f9fe483a3d44e.zip | |
Add functions for DER encoding certificate extensions to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipalib/x509.py')
| -rw-r--r-- | ipalib/x509.py | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py index 1081c9ff7..4be46e144 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -348,6 +348,31 @@ def verify_cert_subject(ldap, hostname, dercert): raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ {'issuer' : issuer}) +class _Extension(univ.Sequence): + componentType = namedtype.NamedTypes( + namedtype.NamedType('extnID', univ.ObjectIdentifier()), + namedtype.NamedType('critical', univ.Boolean()), + namedtype.NamedType('extnValue', univ.OctetString()), + ) + +def _encode_extension(oid, critical, value): + ext = _Extension() + ext['extnID'] = univ.ObjectIdentifier(oid) + ext['critical'] = univ.Boolean(critical) + ext['extnValue'] = univ.OctetString(value) + ext = encoder.encode(ext) + return ext + +class _ExtKeyUsageSyntax(univ.SequenceOf): + componentType = univ.ObjectIdentifier() + +def encode_ext_key_usage(ext_key_usage): + eku = _ExtKeyUsageSyntax() + for i, oid in enumerate(ext_key_usage): + eku[i] = univ.ObjectIdentifier(oid) + eku = encoder.encode(eku) + return _encode_extension('2.5.29.37', EKU_ANY not in ext_key_usage, eku) + if __name__ == '__main__': # this can be run with: # python ipalib/x509.py < /etc/ipa/ca.crt |