Commit 95f2f9fa authored by Vincent Pelletier's avatar Vincent Pelletier Committed by Vincent Pelletier

ca: Allow user to add extensions to CA certificate.

parent 17325dc0
...@@ -79,6 +79,7 @@ class CertificateAuthority(object): ...@@ -79,6 +79,7 @@ class CertificateAuthority(object):
self, self,
storage, storage,
ca_subject_dict=(), ca_subject_dict=(),
ca_extension_list=(),
ca_key_size=2048, ca_key_size=2048,
crt_life_time=31 * 3, # Approximately 3 months crt_life_time=31 * 3, # Approximately 3 months
ca_life_period=4, # Approximately a year ca_life_period=4, # Approximately a year
...@@ -96,6 +97,11 @@ class CertificateAuthority(object): ...@@ -96,6 +97,11 @@ class CertificateAuthority(object):
Items to use as Certificate Authority certificate subject. Items to use as Certificate Authority certificate subject.
Supported keys are: C, O, OU, ST, CN, L, SN, GN. Supported keys are: C, O, OU, ST, CN, L, SN, GN.
ca_extension_list (list of cryptography.x509.Extension)
Extensions to apply to Certificate Authority certificae besides:
Basic Constraints and Key Usage. See Extension helper function in
this module.
ca_key_size (int, None) ca_key_size (int, None)
Number of bits to use as Certificate Authority key. Number of bits to use as Certificate Authority key.
None to disable CA renewal. None to disable CA renewal.
...@@ -165,6 +171,7 @@ class CertificateAuthority(object): ...@@ -165,6 +171,7 @@ class CertificateAuthority(object):
) )
for key, value in dict(ca_subject_dict).iteritems() for key, value in dict(ca_subject_dict).iteritems()
]) ])
self._ca_extension_list = list(ca_extension_list)
if ca_life_period < 3: if ca_life_period < 3:
raise ValueError("ca_life_period must be >= 3 to allow CA rollout") raise ValueError("ca_life_period must be >= 3 to allow CA rollout")
self._crl_life_time = datetime.timedelta( self._crl_life_time = datetime.timedelta(
...@@ -493,16 +500,7 @@ class CertificateAuthority(object): ...@@ -493,16 +500,7 @@ class CertificateAuthority(object):
), ),
critical=True, # "SHOULD mark this extension critical" critical=True, # "SHOULD mark this extension critical"
), ),
# Should we make use of certificate policies ? If we do, we need to enable ] + self._ca_extension_list
# this extension and fill the values.
# Extension(
# x509.PolicyConstraints(
# require_explicit_policy=,
# inhibit_policy_mapping=,
# ),
# critical=True, # MUST mark this extension as critical
# ),
]
public_key = private_key.public_key() public_key = private_key.public_key()
subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key( subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
public_key, public_key,
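Review bot: Nothing validates the caller-supplied extensions at `self._ca_extension_list = list(ca_extension_list)` (hunk at @@ -165), so an entry whose OID collides with one the class adds itself — the docstring names Basic Constraints and Key Usage, and a Subject Key Identifier is computed right after the appended list — is only rejected when the CA certificate is built, which with the certificate builder's duplicate-extension check presumably means a ValueError during CA creation or renewal rather than at construction. An eager check in `__init__`, whose body starts and ends outside the hunk, surfaces the bad configuration immediately and keeps renewal from failing late. The new docstring paragraph also has a typo, `certificae` → `certificate`, and since the list is concatenated verbatim at `] + self._ca_extension_list` it should state that the critical flag of each supplied extension is left to the caller.
```python
    self._ca_extension_list = list(ca_extension_list)
    # Reject OID clashes with the extensions this class generates now,
    # instead of failing when the CA certificate is (re)generated.
    # NOTE(review): SubjectKeyIdentifier appears to be added as well; confirm and extend.
    reserved_oid_set = frozenset((
        x509.ExtensionOID.BASIC_CONSTRAINTS,
        x509.ExtensionOID.KEY_USAGE,
    ))
    for extension in self._ca_extension_list:
        if extension.oid in reserved_oid_set:
            raise ValueError(
                'ca_extension_list must not contain %r, it is generated by '
                'CertificateAuthority' % (extension.oid, )
            )
    # … unchanged: ca_life_period check …
```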