-rw-r--r-- | docs/x509.rst | 11 | ||||
-rw-r--r-- | src/cryptography/x509.py | 17 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 17 |
3 files changed, 45 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst
index d8fce976..af249449 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -475,6 +475,15 @@ X.509 Extensions
 subordinate CA, but the subordinate CA is not allowed to create subordinates with ``ca`` set to true.
+.. class:: ExtendedKeyUsage
+
+ .. versionadded:: 0.9
+
+ This extension indicates one or more purposes for which the certified
+ public key may be used, in addition to or in place of the basic
+ purposes indicated in the key usage extension. The object is
+ iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
+
 Object Identifiers
 ~~~~~~~~~~~~~~~~~~
@@ -633,6 +642,8 @@ Signature Algorithm OIDs
 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is a SHA256 digest signed by a DSA key.
+.. _eku_oids:
+
 Extended Key Usage OIDs
 ~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 8b4ee20f..791d1ef0 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -222,6 +222,23 @@ class Extension(object):
 "value={0.value})>").format(self)
+class ExtendedKeyUsage(object):
+ def __init__(self, usages):
+ for oid in usages:
+ if not isinstance(oid, ObjectIdentifier):
+ raise TypeError(
+ "Every item in the usages list must be an ObjectIdentifier"
+ )
+
+ self._usages = usages
+
+ def __iter__(self):
+ return iter(self._usages)
+
+ def __len__(self):
+ return len(self._usages)
+
+
 class BasicConstraints(object):
 def __init__(self, ca, path_length):
 if not isinstance(ca, bool):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index af13f27a..87580a0d 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
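Review bot: In `ExtendedKeyUsage.__init__` (src/cryptography/x509.py), `self._usages = usages` stores the caller's object instead of a copy, so the `isinstance` check only holds at construction time. A list that the caller mutates afterwards can end up holding non-`ObjectIdentifier` items, and a generator is exhausted by the validation loop, so iteration then yields nothing and `len()` raises `TypeError`. Code that consumes this object presumably decides what a certificate's key may be used for from the iterated OIDs, so the validated set should be fixed at construction: add `usages = list(usages)` as the first line of `__init__` and validate and store that copy. The tests in tests/test_x509_ext.py pass only list literals; one case with a generator and one that mutates the input list after construction would pin this.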
@@ -62,6 +62,23 @@ class TestBasicConstraints(object):
 )
+class TestExtendedKeyUsage(object):
+ def test_not_all_oids(self):
+ with pytest.raises(TypeError):
+ x509.ExtendedKeyUsage(["notoid"])
+
+ def test_iter_len(self):
+ eku = x509.ExtendedKeyUsage([
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ ])
+ assert len(eku) == 2
+ assert list(eku) == [
+ x509.OID_SERVER_AUTH,
+ x509.OID_CLIENT_AUTH
+ ]
+
+
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
 class TestExtensions(object): |