Commit 95f2f9fa authored by Vincent Pelletier's avatar Vincent Pelletier Committed by Vincent Pelletier

ca: Allow user to add extensions to CA certificate.

parent 17325dc0
......@@ -79,6 +79,7 @@ class CertificateAuthority(object):
self,
storage,
ca_subject_dict=(),
ca_extension_list=(),
ca_key_size=2048,
crt_life_time=31 * 3, # Approximately 3 months
ca_life_period=4, # Approximately a year
......@@ -96,6 +97,11 @@ class CertificateAuthority(object):
Items to use as Certificate Authority certificate subject.
Supported keys are: C, O, OU, ST, CN, L, SN, GN.
ca_extension_list (list of cryptography.x509.Extension)
Extensions to apply to Certificate Authority certificae besides:
Basic Constraints and Key Usage. See Extension helper function in
this module.
ca_key_size (int, None)
Number of bits to use as Certificate Authority key.
None to disable CA renewal.
......@@ -165,6 +171,7 @@ class CertificateAuthority(object):
)
for key, value in dict(ca_subject_dict).iteritems()
])
self._ca_extension_list = list(ca_extension_list)
if ca_life_period < 3:
raise ValueError("ca_life_period must be >= 3 to allow CA rollout")
self._crl_life_time = datetime.timedelta(
......@@ -493,16 +500,7 @@ class CertificateAuthority(object):
),
critical=True, # "SHOULD mark this extension critical"
),
# Should we make use of certificate policies ? If we do, we need to enable
# this extension and fill the values.
# Extension(
# x509.PolicyConstraints(
# require_explicit_policy=,
# inhibit_policy_mapping=,
# ),
# critical=True, # MUST mark this extension as critical
# ),
]
] + self._ca_extension_list
public_key = private_key.public_key()
subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
public_key,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment