ca: Allow user to add extensions to CA certificate.

caucase/ca.py

@@ -79,6 +79,7 @@ class CertificateAuthority(object):
     self,
     storage,
     ca_subject_dict=(),
+    ca_extension_list=(),
     ca_key_size=2048,
     crt_life_time=31 * 3, # Approximately 3 months
     ca_life_period=4, # Approximately a year
@@ -96,6 +97,11 @@ class CertificateAuthority(object):
       Items to use as Certificate Authority certificate subject.
       Supported keys are: C, O, OU, ST, CN, L, SN, GN.
 
+    ca_extension_list (list of cryptography.x509.Extension)
+      Extensions to apply to Certificate Authority certificae besides:
+      Basic Constraints and Key Usage. See Extension helper function in
+      this module.
+
     ca_key_size (int, None)
       Number of bits to use as Certificate Authority key.
       None to disable CA renewal.
@@ -165,6 +171,7 @@ class CertificateAuthority(object):
       )
       for key, value in dict(ca_subject_dict).iteritems()
     ])
+    self._ca_extension_list = list(ca_extension_list)
     if ca_life_period < 3:
       raise ValueError("ca_life_period must be >= 3 to allow CA rollout")
     self._crl_life_time = datetime.timedelta(
@@ -493,16 +500,7 @@ class CertificateAuthority(object):
               ),
               critical=True, # "SHOULD mark this extension critical"
             ),
-# Should we make use of certificate policies ? If we do, we need to enable
-# this extension and fill the values.
-#            Extension(
-#              x509.PolicyConstraints(
-#                require_explicit_policy=,
-#                inhibit_policy_mapping=,
-#              ),
-#              critical=True, # MUST mark this extension as critical
-#            ),
-          ]
+          ] + self._ca_extension_list
         public_key = private_key.public_key()
         subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
           public_key,