diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-09-11 09:16:34 +0800 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-09-10 21:16:34 -0400 |
commit | 5d66966032a1efbcbf093804a19951f399c2a6eb (patch) | |
tree | d769399c9c7f3e3a81fb199e89af8167bd28339f /src/cryptography/x509 | |
parent | d4bde9ce6668bb019f9c9db4cd26280e6cf7fa21 (diff) | |
download | cryptography-5d66966032a1efbcbf093804a19951f399c2a6eb.tar.gz cryptography-5d66966032a1efbcbf093804a19951f399c2a6eb.tar.bz2 cryptography-5d66966032a1efbcbf093804a19951f399c2a6eb.zip |
[WIP] add support for the TLSFeature extension in x509 (#3899)
* add support for the TLSFeature extension in x509
This extension is used for OCSP Must-Staple.
* fix changelog link
* pep8
* refactor to support the sequence properly and add status_request_v2
* update some language
* add test vector, implement eq/ne/hash on TLSFeature
* address review comments
Diffstat (limited to 'src/cryptography/x509')
-rw-r--r-- | src/cryptography/x509/__init__.py | 6 | ||||
-rw-r--r-- | src/cryptography/x509/extensions.py | 56 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 2 |
3 files changed, 62 insertions, 2 deletions
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 3b747302..176ed8ca 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -23,8 +23,8 @@ from cryptography.x509.extensions import ( InhibitAnyPolicy, InvalidityDate, IssuerAlternativeName, KeyUsage, NameConstraints, NoticeReference, OCSPNoCheck, PolicyConstraints, PolicyInformation, PrecertificateSignedCertificateTimestamps, ReasonFlags, - SubjectAlternativeName, SubjectKeyIdentifier, UnrecognizedExtension, - UserNotice + SubjectAlternativeName, SubjectKeyIdentifier, TLSFeature, TLSFeatureType, + UnrecognizedExtension, UserNotice ) from cryptography.x509.general_name import ( DNSName, DirectoryName, GeneralName, IPAddress, OtherName, RFC822Name, @@ -130,6 +130,8 @@ __all__ = [ "Extensions", "Extension", "ExtendedKeyUsage", + "TLSFeature", + "TLSFeatureType", "OCSPNoCheck", "BasicConstraints", "CRLNumber", diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index d90465b2..9eff3431 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -733,6 +733,62 @@ class OCSPNoCheck(object): @utils.register_interface(ExtensionType) +class TLSFeature(object): + oid = ExtensionOID.TLS_FEATURE + + def __init__(self, features): + features = list(features) + if ( + not all(isinstance(x, TLSFeatureType) for x in features) or + len(features) == 0 + ): + raise TypeError( + "features must be a list of elements from the TLSFeatureType " + "enum" + ) + + self._features = features + + def __iter__(self): + return iter(self._features) + + def __len__(self): + return len(self._features) + + def __repr__(self): + return "<TLSFeature(features={0._features})>".format(self) + + def __eq__(self, other): + if not isinstance(other, TLSFeature): + return NotImplemented + + return self._features == other._features + + def __getitem__(self, idx): + return self._features[idx] + + def __ne__(self, other): + return not self == other + + def __hash__(self): + return hash(tuple(self._features)) + + +class TLSFeatureType(Enum): + # status_request is defined in RFC 6066 and is used for what is commonly + # called OCSP Must-Staple when present in the TLS Feature extension in an + # X.509 certificate. + status_request = 5 + # status_request_v2 is defined in RFC 6961 and allows multiple OCSP + # responses to be provided. It is not currently in use by clients or + # servers. + status_request_v2 = 17 + + +_TLS_FEATURE_TYPE_TO_ENUM = dict((x.value, x) for x in TLSFeatureType) + + +@utils.register_interface(ExtensionType) class InhibitAnyPolicy(object): oid = ExtensionOID.INHIBIT_ANY_POLICY diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index 4a6fa3c1..7f8c9031 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -85,6 +85,7 @@ class ExtensionOID(object): AUTHORITY_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.1") SUBJECT_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.11") OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5") + TLS_FEATURE = ObjectIdentifier("1.3.6.1.5.5.7.1.24") CRL_NUMBER = ObjectIdentifier("2.5.29.20") PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = ( ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2") @@ -255,6 +256,7 @@ _OID_NAMES = { ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess", ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck", ExtensionOID.CRL_NUMBER: "cRLNumber", + ExtensionOID.TLS_FEATURE: "TLSFeature", AuthorityInformationAccessOID.OCSP: "OCSP", AuthorityInformationAccessOID.CA_ISSUERS: "caIssuers", CertificatePoliciesOID.CPS_QUALIFIER: "id-qt-cps", |