From 5d66966032a1efbcbf093804a19951f399c2a6eb Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Mon, 11 Sep 2017 09:16:34 +0800
Subject: [WIP] add support for the TLSFeature extension in x509 (#3899)

* add support for the TLSFeature extension in x509

This extension is used for OCSP Must-Staple.

* fix changelog link

* pep8

* refactor to support the sequence properly and add status_request_v2

* update some language

* add test vector, implement eq/ne/hash on TLSFeature

* address review comments
---
 docs/x509/reference.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 5e1c95c4..f07272a6 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -1606,6 +1606,45 @@ X.509 Extensions Returns :attr:`~cryptography.x509.oid.ExtensionOID.OCSP_NO_CHECK`. + +.. class:: TLSFeature(features) + + .. versionadded:: 2.1 + + The TLS Feature extension is defined in :rfc:`7633` and is used in + certificates for OCSP Must-Staple. The object is iterable to get every + element. + + :param list features: A list of features to enable from the + :class:`~cryptography.x509.TLSFeatureType` enum. At this time only + ``status_request`` or ``status_request_v2`` are allowed. + + .. attribute:: oid + + :type: :class:`ObjectIdentifier` + + Returns :attr:`~cryptography.x509.oid.ExtensionOID.TLS_FEATURE`. + +.. class:: TLSFeatureType + + .. versionadded:: 2.1 + + An enumeration of TLS Feature types. + + .. attribute:: status_request + + This feature type is defined in :rfc:`6066` and, when embedded in + an X.509 certificate, signals to the client that it should require + a stapled OCSP response in the TLS handshake. Commonly known as OCSP + Must-Staple in certificates. + + .. attribute:: status_request_v2 + + This feature type is defined in :rfc:`6961`. This value is not + commonly used and if you want to enable OCSP Must-Staple you should + use ``status_request``. + + .. class:: NameConstraints(permitted_subtrees, excluded_subtrees) .. versionadded:: 1.0 @@ -2673,6 +2712,12 @@ instances. The following common OIDs are available as constants. identifier for the :class:`~cryptography.x509.OCSPNoCheck` extension type. + .. attribute:: TLS_FEATURE + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.24"``. The + identifier for the :class:`~cryptography.x509.TLSFeature` extension + type. + .. attribute:: CRL_NUMBER Corresponds to the dotted string ``"2.5.29.20"``. The identifier for -- cgit v1.2.3