-rw-r--r--rpkid/cross_certify.py27
-rw-r--r--rpkid/rpki/x509.py28
2 files changed, 29 insertions, 26 deletions
diff --git a/rpkid/cross_certify.py b/rpkid/cross_certify.py
index ae07305d..752fba55 100644
--- a/rpkid/cross_certify.py
+++ b/rpkid/cross_certify.py
@@ -104,32 +104,7 @@ try:
except IOError:
serial = 1
-def make_ext(name, critical, value):
- assert isinstance(critical, bool)
- return rpki.oids.name2oid[name], critical, value
-
-x = POW.pkix.Certificate()
-x.setVersion(2)
-x.setSerial(serial)
-x.setIssuer(parent.get_POWpkix().getSubject())
-x.setSubject(child.get_POWpkix().getSubject())
-x.setNotBefore(now.toASN1tuple())
-x.setNotAfter(notAfter.toASN1tuple())
-x.tbs.subjectPublicKeyInfo.set(
- child.get_POWpkix().tbs.subjectPublicKeyInfo.get())
-x.setExtensions((
- make_ext(name = "subjectKeyIdentifier",
- critical = False,
- value = child.get_SKI()),
- make_ext(name = "authorityKeyIdentifier",
- critical = False,
- value = (parent.get_SKI(), (), None)),
- make_ext(name = "basicConstraints",
- critical = True,
- value = (1, 0))))
-x.sign(keypair.get_POW(), POW.SHA256_DIGEST)
-
-cert = rpki.x509.X509(POWpkix = x)
+cert = parent.cross_certify(keypair, child, serial, notAfter, now)
f = open(serial_file, "w")
f.write("%02x\n" % (serial + 1))
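Review bot: The replacement call `cert = parent.cross_certify(keypair, child, serial, notAfter, now)` relies on the new method's default `pathLenConstraint = 0`, but the `cross_certify` added to rpkid/rpki/x509.py in this same commit never uses that parameter — the basicConstraints tuple is still the literal `(1, 0)`, so any caller passing a non-zero value gets a CA certificate with pathLenConstraint 0 and no error. The fix is a one-line change in that hunk: `(rpki.oids.name2oid["basicConstraints" ], True, (1, pathLenConstraint))))`. The parameter check there is also an `assert`, which is stripped under `python -O`; since it guards a value that ends up in a signed certificate, `if not isinstance(pathLenConstraint, int) or pathLenConstraint < 0: raise ValueError("pathLenConstraint must be a non-negative int")` keeps the check in every build. The docstring of that method should read "values taken from an existing certificate" and "some kinds of BPKI certificates".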
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 9eb65504..4cff5d05 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -447,6 +447,34 @@ class X509(DER_object):
return X509(POWpkix = cert)
+ def cross_certify(self, keypair, source_cert, serial, notAfter, now = None, pathLenConstraint = 0):
+ """
+ Issue a certificate with values taking from an existing certificate.
+ This is used to construct some kinds oF BPKI certificates.
+ """
+
+ if now is None:
+ now = rpki.sundial.now()
+
+ assert isinstance(pathLenConstraint, int) and pathLenConstraint >= 0
+
+ cert = POW.pkix.Certificate()
+ cert.setVersion(2)
+ cert.setSerial(serial)
+ cert.setIssuer(self.get_POWpkix().getSubject())
+ cert.setSubject(source_cert.get_POWpkix().getSubject())
+ cert.setNotBefore(now.toASN1tuple())
+ cert.setNotAfter(notAfter.toASN1tuple())
+ cert.tbs.subjectPublicKeyInfo.set(
+ source_cert.get_POWpkix().tbs.subjectPublicKeyInfo.get())
+ cert.setExtensions((
+ (rpki.oids.name2oid["subjectKeyIdentifier" ], False, source_cert.get_SKI()),
+ (rpki.oids.name2oid["authorityKeyIdentifier"], False, (self.get_SKI(), (), None)),
+ (rpki.oids.name2oid["basicConstraints" ], True, (1, 0))))
+ cert.sign(keypair.get_POW(), POW.SHA256_DIGEST)
+
+ return X509(POWpkix = cert)
+
@classmethod
def normalize_chain(cls, chain):
"""