-rw-r--r--CHANGELOG.rst3
-rw-r--r--docs/x509/reference.rst7
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py27
-rw-r--r--tests/test_x509.py4
4 files changed, 22 insertions, 19 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index ec27596c..dd476a91 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -9,6 +9,9 @@ Changelog
* Added support for Elliptic Curve Diffie-Hellman with
:class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
+* Added support for parsing certificate revocation lists (CRLs) using
+ :func:`~cryptography.x509.load_pem_x509_crl` and
+ :func:`~cryptography.x509.load_der_x509_crl`.
1.0.2 - 2015-09-27
~~~~~~~~~~~~~~~~~~
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index fe52727c..e7e02de3 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -408,7 +408,8 @@ X.509 CRL (Certificate Revocation List) Object
>>> len(crl)
1
- >>> type(crl[0])
+ >>> revoked_certificate = crl[0]
+ >>> type(revoked_certificate)
<class 'cryptography.hazmat.backends.openssl.x509._RevokedCertificate'>
>>> for r in crl:
... print(r.serial_number)
@@ -700,10 +701,6 @@ X.509 Revoked Certificate Object
.. versionadded:: 1.0
- .. doctest::
-
- >>> revoked_certificate = crl[0]
-
.. attribute:: serial_number
:type: :class:`int`
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 2790ec7d..1ba59b68 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -658,24 +658,27 @@ def _decode_inhibit_any_policy(backend, asn1_int):
return x509.InhibitAnyPolicy(skip_certs)
+_CRL_REASON_CODE_TO_ENUM = {
+ 0: x509.ReasonFlags.unspecified,
+ 1: x509.ReasonFlags.key_compromise,
+ 2: x509.ReasonFlags.ca_compromise,
+ 3: x509.ReasonFlags.affiliation_changed,
+ 4: x509.ReasonFlags.superseded,
+ 5: x509.ReasonFlags.cessation_of_operation,
+ 6: x509.ReasonFlags.certificate_hold,
+ 8: x509.ReasonFlags.remove_from_crl,
+ 9: x509.ReasonFlags.privilege_withdrawn,
+ 10: x509.ReasonFlags.aa_compromise,
+}
+
+
def _decode_crl_reason(backend, enum):
enum = backend._ffi.cast("ASN1_ENUMERATED *", enum)
enum = backend._ffi.gc(enum, backend._lib.ASN1_ENUMERATED_free)
code = backend._lib.ASN1_ENUMERATED_get(enum)
try:
- return {
- 0: x509.ReasonFlags.unspecified,
- 1: x509.ReasonFlags.key_compromise,
- 2: x509.ReasonFlags.ca_compromise,
- 3: x509.ReasonFlags.affiliation_changed,
- 4: x509.ReasonFlags.superseded,
- 5: x509.ReasonFlags.cessation_of_operation,
- 6: x509.ReasonFlags.certificate_hold,
- 8: x509.ReasonFlags.remove_from_crl,
- 9: x509.ReasonFlags.privilege_withdrawn,
- 10: x509.ReasonFlags.aa_compromise,
- }[code]
+ return _CRL_REASON_CODE_TO_ENUM[code]
except KeyError:
raise ValueError("Unsupported reason code: {0}".format(code))
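Review bot: The new module-level `_CRL_REASON_CODE_TO_ENUM` table skips key 7 without saying why, so the gap looks like an omission to the next maintainer. I would add `# 7 is not used (RFC 5280, section 5.3.1, CRLReason).` above the `8:` entry. `_decode_crl_reason` also deserves a one-line docstring stating that it raises `ValueError` for any code outside the table, since the code is read from the parsed CRL and callers handling CRLs from other parties need to expect that exception. It may also be worth noting there that an error return from `ASN1_ENUMERATED_get` would presumably surface through the same path as "Unsupported reason code: -1", which reads like a malformed CRL rather than a decode failure.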
diff --git a/tests/test_x509.py b/tests/test_x509.py
index e6358056..cb05daf0 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -161,7 +161,7 @@ class TestCertificateRevocationList(object):
)
for r in crl:
- assert isinstance(r, x509.RevokedCertificate)
+ assert isinstance(r, x509.RevokedCertificate)
# Check that len() works for CRLs.
assert len(crl) == 12
@@ -175,7 +175,7 @@ class TestCertificateRevocationList(object):
# CRL extensions are currently not supported in the OpenSSL backend.
with pytest.raises(NotImplementedError):
- crl.extensions
+ crl.extensions
@pytest.mark.requires_backend_interface(interface=X509Backend)