Diffstat (limited to 'rpkid/rpki/x509.py')
-rw-r--r--rpkid/rpki/x509.py16
1 files changed, 12 insertions, 4 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 847c90f6..5cb5efd6 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -598,13 +598,15 @@ class X509(DER_object):
def issue(self, keypair, subject_key, serial, sia, aia, crldp, notAfter,
cn = None, resources = None, is_ca = True, notBefore = None,
- sn = None):
+ sn = None, eku = None):
"""
Issue an RPKI certificate.
"""
assert aia is not None and crldp is not None
+ assert eku is None or not is_ca
+
return self._issue(
keypair = keypair,
subject_key = subject_key,
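Review bot: The new `assert eku is None or not is_ca` in `issue()` is the only check here keeping an EKU extension off a CA certificate, and `assert` statements are stripped when Python runs with `-O`, so the check can silently disappear in an optimised deployment. The same applies to the `assert not is_ca` added beside `cert.setEKU(eku)` in `_issue()`. RFC 6487 forbids EKU in RPKI CA certificates, so an explicit check is safer, for example `if eku is not None and is_ca: raise ValueError("EKU is not allowed in a CA certificate")`. The docstring `Issue an RPKI certificate.` could also say what `eku` is expected to contain. The call into `_issue()` continues past the end of this hunk.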
@@ -619,7 +621,8 @@ class X509(DER_object):
resources = resources,
is_ca = is_ca,
aki = self.get_SKI(),
- issuer_name = self.getSubject())
+ issuer_name = self.getSubject(),
+ eku = eku)
@classmethod
@@ -649,12 +652,13 @@ class X509(DER_object):
resources = resources,
is_ca = True,
aki = ski,
- issuer_name = X501DN.from_cn(cn, sn))
+ issuer_name = X501DN.from_cn(cn, sn),
+ eku = None)
@classmethod
def _issue(cls, keypair, subject_key, serial, sia, aia, crldp, notAfter,
- cn, sn, resources, is_ca, aki, issuer_name, notBefore):
+ cn, sn, resources, is_ca, aki, issuer_name, notBefore, eku):
"""
Common code to issue an RPKI certificate.
"""
@@ -719,6 +723,10 @@ class X509(DER_object):
ipv6 = ("inherit" if resources.v6.inherit else
((r.min, r.max) for r in resources.v6)))
+ if eku is not None:
+ assert not is_ca
+ cert.setEKU(eku)
+
cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST)
return cls(POW = cert)
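Review bot: The guard `if eku is not None:` in `_issue()` lets an empty value such as `[]` or `()` through to `cert.setEKU(eku)`. What `setEKU` does with an empty sequence is not visible here, but an EKU extension with no key purposes is not valid under RFC 5280, so `if eku:` or an explicit rejection would be safer. It is also worth confirming that `setEKU` emits the extension as non-critical, which RFC 6487 requires. A short comment above the block, such as `# EKU is only permitted on EE certificates (RFC 6487 section 4.8.5); CA certificates must not carry it`, would record why the restriction exists. `_issue()` begins outside this hunk.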