From 24932b2d91d3a32bc881d076562f9fe483a3d44e Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Jul 30 2014 14:04:21 +0000
Subject: Add functions for DER encoding certificate extensions to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden
---
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 1081c9f..4be46e1 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -348,6 +348,31 @@ def verify_cert_subject(ldap, hostname, dercert):
 raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
 {'issuer' : issuer})
 
+class _Extension(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('extnID', univ.ObjectIdentifier()),
+ namedtype.NamedType('critical', univ.Boolean()),
+ namedtype.NamedType('extnValue', univ.OctetString()),
+ )
+
+def _encode_extension(oid, critical, value):
+ ext = _Extension()
+ ext['extnID'] = univ.ObjectIdentifier(oid)
+ ext['critical'] = univ.Boolean(critical)
+ ext['extnValue'] = univ.OctetString(value)
+ ext = encoder.encode(ext)
+ return ext
+
+class _ExtKeyUsageSyntax(univ.SequenceOf):
+ componentType = univ.ObjectIdentifier()
+
+def encode_ext_key_usage(ext_key_usage):
+ eku = _ExtKeyUsageSyntax()
+ for i, oid in enumerate(ext_key_usage):
+ eku[i] = univ.ObjectIdentifier(oid)
+ eku = encoder.encode(eku)
+ return _encode_extension('2.5.29.37', EKU_ANY not in ext_key_usage, eku)
+
 if __name__ == '__main__':
 # this can be run with:
 # python ipalib/x509.py < /etc/ipa/ca.crt
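Review bot: `_Extension` declares `critical` as a plain `NamedType`, so `_encode_extension` always emits an explicit `critical BOOLEAN FALSE` for a non-critical extension, yet the X.509 `Extension` type defines `critical` as `DEFAULT FALSE` and DER requires components equal to their default to be omitted — the non-critical output (an EKU list that contains `EKU_ANY`) is therefore not strict DER and may be rejected by strict parsers or fail byte comparison against the same extension produced by other tooling. Declaring the field as `namedtype.DefaultedNamedType('critical', univ.Boolean(False)),` should let the encoder drop the default value, assuming `encoder` is pyasn1's DER codec rather than BER, which the hunk does not show. Separately, `encode_ext_key_usage` accepts an empty input and emits an empty `SEQUENCE OF`, which RFC 5280 forbids (`SIZE (1..MAX)`) and which, being marked critical, would leave the certificate unusable for any purpose; it also evaluates `EKU_ANY not in ext_key_usage` only after the `for` loop has consumed the argument, so a one-shot iterator is always encoded as a critical, empty extension. Materialising and validating the argument at the top — `ext_key_usage = list(ext_key_usage)` followed by `if not ext_key_usage: raise ValueError('ext_key_usage must contain at least one OID')` — closes both. `EKU_ANY` is referenced but not defined in this hunk; presumably it is the anyExtendedKeyUsage constant declared elsewhere in the module.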