author | Rob Austein <sra@hactrn.net> | 2009-06-30 05:13:12 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2009-06-30 05:13:12 +0000 |
commit | 11a9070488afa0d073ce72941b5edb418c2ee1e2 (patch) | |
tree | b8a84b251ae8e016558c553c7a6b0ec4eb83ed6b | |
parent | 866c0a36cf74c7e389b2b7f964156623f839895e (diff) |
Refactor cross-certification code into rpki.x509 module.
svn path=/rpkid/cross_certify.py; revision=2553
-rw-r--r-- | rpkid/cross_certify.py | 27 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 28 |
2 files changed, 29 insertions, 26 deletions
diff --git a/rpkid/cross_certify.py b/rpkid/cross_certify.py
index ae07305d..752fba55 100644
--- a/rpkid/cross_certify.py
+++ b/rpkid/cross_certify.py
@@ -104,32 +104,7 @@ try:
 except IOError:
 serial = 1
-def make_ext(name, critical, value):
- assert isinstance(critical, bool)
- return rpki.oids.name2oid[name], critical, value
-
-x = POW.pkix.Certificate()
-x.setVersion(2)
-x.setSerial(serial)
-x.setIssuer(parent.get_POWpkix().getSubject())
-x.setSubject(child.get_POWpkix().getSubject())
-x.setNotBefore(now.toASN1tuple())
-x.setNotAfter(notAfter.toASN1tuple())
-x.tbs.subjectPublicKeyInfo.set(
- child.get_POWpkix().tbs.subjectPublicKeyInfo.get())
-x.setExtensions((
- make_ext(name = "subjectKeyIdentifier",
- critical = False,
- value = child.get_SKI()),
- make_ext(name = "authorityKeyIdentifier",
- critical = False,
- value = (parent.get_SKI(), (), None)),
- make_ext(name = "basicConstraints",
- critical = True,
- value = (1, 0))))
-x.sign(keypair.get_POW(), POW.SHA256_DIGEST)
-
-cert = rpki.x509.X509(POWpkix = x)
+cert = parent.cross_certify(keypair, child, serial, notAfter, now)
 f = open(serial_file, "w")
 f.write("%02x\n" % (serial + 1))
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 9eb65504..4cff5d05 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -447,6 +447,34 @@ class X509(DER_object):
 return X509(POWpkix = cert)
+ def cross_certify(self, keypair, source_cert, serial, notAfter, now = None, pathLenConstraint = 0):
+ """
+ Issue a certificate with values taking from an existing certificate.
+ This is used to construct some kinds oF BPKI certificates.
+ """
+
+ if now is None:
+ now = rpki.sundial.now()
+
+ assert isinstance(pathLenConstraint, int) and pathLenConstraint >= 0
+
+ cert = POW.pkix.Certificate()
+ cert.setVersion(2)
+ cert.setSerial(serial)
+ cert.setIssuer(self.get_POWpkix().getSubject())
+ cert.setSubject(source_cert.get_POWpkix().getSubject())
+ cert.setNotBefore(now.toASN1tuple())
+ cert.setNotAfter(notAfter.toASN1tuple())
+ cert.tbs.subjectPublicKeyInfo.set(
+ source_cert.get_POWpkix().tbs.subjectPublicKeyInfo.get())
+ cert.setExtensions((
+ (rpki.oids.name2oid["subjectKeyIdentifier" ], False, source_cert.get_SKI()),
+ (rpki.oids.name2oid["authorityKeyIdentifier"], False, (self.get_SKI(), (), None)),
+ (rpki.oids.name2oid["basicConstraints" ], True, (1, 0))))
+ cert.sign(keypair.get_POW(), POW.SHA256_DIGEST)
+
+ return X509(POWpkix = cert)
+
 @classmethod
 def normalize_chain(cls, chain):
 """ |
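Review bot: The new `pathLenConstraint` parameter is range-checked by the `assert` but never used — the basicConstraints extension is still built as `(rpki.oids.name2oid["basicConstraints" ], True, (1, 0))`, so a caller passing any other value silently gets a CA certificate with path length 0, which is exactly the kind of constraint mismatch that lets an intermediate issue deeper than intended. Assuming the tuple is `(cA, pathLenConstraint)` as the removed cross_certify.py code used it, the line should read `(rpki.oids.name2oid["basicConstraints" ], True, (1, pathLenConstraint))`. Since `assert` is stripped under `python -O`, validating this security-relevant input would be safer as `if not isinstance(pathLenConstraint, int) or pathLenConstraint < 0: raise ValueError("pathLenConstraint must be a non-negative int")`. The docstring also has two typos: "values taking from" should be "values taken from" and "some kinds oF BPKI" should be "some kinds of BPKI". The method itself lies entirely within the hunk, but its enclosing class X509 begins before it.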