From 239ef955af58c0a3e167dc85e3f2a0168a91989c Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Jul 30 2014 14:04:21 +0000
Subject: Add function for extracting extended key usage from certs to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden
---
diff --git a/ipalib/x509.py b/ipalib/x509.py
index bc9ea5f..ebb6a81 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -52,6 +52,13 @@ DER = 1
 PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
+EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
+EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
+EKU_CODE_SIGNING = '1.3.6.1.5.5.7.3.3'
+EKU_EMAIL_PROTECTION = '1.3.6.1.5.5.7.3.4'
+EKU_ANY = '2.5.29.37.0'
+EKU_PLACEHOLDER = '1.3.6.1.4.1.3319.6.10.16'
+
 _subject_base = None
 def subject_base():
@@ -226,6 +233,21 @@ def get_der_serial_number(cert, datatype=PEM, dbdir=None):
 def get_der_public_key_info(cert, datatype=PEM, dbdir=None):
 return _get_der_field(cert, datatype, dbdir, 'subjectPublicKeyInfo')
+def get_ext_key_usage(certificate, datatype=PEM, dbdir=None):
+    nsscert = load_certificate(certificate, datatype, dbdir)
+    if not nsscert.extensions:
+        return None
+
+    for ext in nsscert.extensions:
+        if ext.oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
+            break
+    else:
+        return None
+
+    eku = nss.x509_ext_key_usage(ext.value, nss.AsDottedDecimal)
+    eku = set(o[4:] for o in eku)
+    return eku
+
 def make_pem(data):
 """
 Convert a raw base64-encoded blob into something that looks like a PE
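Review bot: `EKU_PLACEHOLDER = '1.3.6.1.4.1.3319.6.10.16'` is the one constant in this hunk whose meaning cannot be recovered from its name: the other five are the well-known RFC 5280 purposes (serverAuth, clientAuth, codeSigning, emailProtection, anyExtendedKeyUsage), while this one lives under a private-enterprise arc (1.3.6.1.4.1.*) and carries no explanation. Anyone later auditing which EKUs IPA accepts needs to know whether a certificate carrying this value should ever satisfy a usage check. Add a comment above it along the lines of `# Private-arc OID (1.3.6.1.4.1.3319.*) used as a stand-in EKU; document who assigns it and what it marks — TODO confirm with the CA profile`, filled in with the actual owner and intent.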
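Review bot: The slice in `eku = set(o[4:] for o in eku)` removes four characters from every usage string that `nss.x509_ext_key_usage(ext.value, nss.AsDottedDecimal)` returns without saying what they are — presumably a fixed `OID.` prefix, but if python-nss ever renders a value without it the function silently yields truncated strings that can never equal `EKU_SERVER_AUTH` and friends, so a caller testing `EKU_SERVER_AUTH in eku` gets a wrong answer rather than an error. Strip the prefix by name and fail loudly otherwise, e.g. `if not o.startswith('OID.'): raise ValueError('unexpected EKU value: %s' % o)` followed by `o[len('OID.'):]`, once the exact format is confirmed against the python-nss version in use. The function also needs a docstring that states both outcomes, because the `return None` for an absent extension is security-relevant: something like `"""Return the set of extended key usage OIDs (dotted decimal) in the certificate, or None if it has no EKU extension; None means no usage restriction (RFC 5280 4.2.1.12), not 'no usage permitted', so callers must not treat it as an empty set."""`. Minor: the `if not nsscert.extensions` guard is redundant with the `for ... else: return None` that follows, which already returns None for an empty list. The `make_pem` docstring at the end of the hunk continues outside it.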