From 3e6d558d1b845cf2df31efec08235b15998174d4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 21:57:56 -0500 Subject: add authority information access classes --- docs/spelling_wordlist.txt | 1 + docs/x509.rst | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) (limited to 'docs') diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index b7c4c6c2..badb500c 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -40,6 +40,7 @@ multi naïve namespace namespaces +online paddings pickleable plaintext diff --git a/docs/x509.rst b/docs/x509.rst index 5f36a921..f66178ab 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -719,6 +719,29 @@ X.509 Extensions :returns: A list of values extracted from the matched general names. +.. class:: AuthorityInformationAccess + + .. versionadded:: 0.9 + + The authority information access extension indicates how to access + information and services for the issuer of the certificate in which + the extension appears. Information and services may include online + validation services (such as OCSP) and issuer data. It is an iterable, + containing one or more :class:`AccessDescription` instances. + + +.. class:: AccessDescription + + .. attribute:: access_method + + :type: :class:`ObjectIdentifier` + + Either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS` + + .. attribute:: access_location + + :type: :class:`GeneralName` + Object Identifiers ~~~~~~~~~~~~~~~~~~ 
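Review bot: `AccessDescription` in this hunk has no `.. versionadded:: 0.9`, unlike `AuthorityInformationAccess` directly above it, and neither attribute says what it holds. `access_method` only lists the two OIDs, and `access_location` has a type but no description. Add the version marker and one sentence per attribute stating that the method OID determines how the location is to be interpreted, so a reader does not treat an `OID_CA_ISSUERS` location as an OCSP responder or the reverse.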
@@ -911,6 +934,19 @@ Extended Key Usage OIDs Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to denote that a certificate may be used for signing OCSP responses. +Authority Information Access OIDs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. data:: OID_OCSP + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the + identifier for OCSP data in :class:`AccessDescription` objects. + +.. data:: OID_CA_ISSUERS + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the + identifier for CA issuer data in :class:`AccessDescription` objects. + .. _extension_oids: Extension OIDs -- cgit v1.2.3 From f506bca3d2bb449c3889cbbaba11749304e81563 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 22:31:47 -0500 Subject: updates based on review feedback --- docs/x509.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index f66178ab..42468626 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -736,12 +736,19 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS` + The access method defines what the ``access_location`` means. It must + be either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS`. If it is + :data:`OID_OCSP` the access location will be where to obtain OCSP + information for the certificate. If it is :data:`OID_CA_ISSUERS` the + access location will provide additional information about the issuing + certificate. .. attribute:: access_location :type: :class:`GeneralName` + Where to access the information defined by the access method. + Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 93ae805debd88f976b96c6d50a2e85e848ec96e3 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sat, 2 May 2015 23:18:09 -0500 Subject: add example to show how to get DNSNames from SAN extension --- docs/x509.rst | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 5f36a921..a8beb20a 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -50,6 +50,42 @@ X.509 -----END CERTIFICATE----- """.strip() + cryptography_cert_pem = b""" + -----BEGIN CERTIFICATE----- + MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx + FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1 + NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR + BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t + L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh + bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5 + LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s + itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR + PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ + CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu + 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y + 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/ + r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW + ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx + diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi + gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu + YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74 + FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc + 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT + aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi + LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB + BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw + dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv + bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw + LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G + CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc + dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt + Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF 
+ 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH + aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i + GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP + -----END CERTIFICATE----- + """.strip() + X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509 certificates are commonly used in protocols like `TLS`_. @@ -718,6 +754,17 @@ X.509 Extensions :returns: A list of values extracted from the matched general names. + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.backends import default_backend + >>> from cryptography.hazmat.primitives import hashes + >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem, default_backend()) + >>> ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME) + >>> san = ext.value + >>> san.get_values_for_type(x509.DNSName) + [u'www.cryptography.io', u'cryptography.io'] + Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From d0cd507bd7b95147a53448053e7fa7a355045ead Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 23:27:00 -0500 Subject: add some comments --- docs/x509.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index a8beb20a..6bb7c9a3 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -760,9 +760,10 @@ X.509 Extensions >>> from cryptography.hazmat.backends import default_backend >>> from cryptography.hazmat.primitives import hashes >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem, default_backend()) + >>> # Get the subjectAltName extension from the certificate >>> ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME) - >>> san = ext.value - >>> san.get_values_for_type(x509.DNSName) + >>> # Get the dNSName entries from the SAN extension + >>> ext.value.get_values_for_type(x509.DNSName) [u'www.cryptography.io', u'cryptography.io'] -- cgit v1.2.3 From 12cc9a4fcbc628b908652c8a47ae9cf9add56fa3 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 25 Apr 2015 18:06:22 +0100 Subject: Script for generating SECP256K1 vectors --- .../custom-vectors/secp256k1/generate_secp256k1.py | 89 ++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 docs/development/custom-vectors/secp256k1/generate_secp256k1.py (limited to 'docs') diff --git a/docs/development/custom-vectors/secp256k1/generate_secp256k1.py b/docs/development/custom-vectors/secp256k1/generate_secp256k1.py new file mode 100644 index 00000000..502a3ff6 --- /dev/null +++ b/docs/development/custom-vectors/secp256k1/generate_secp256k1.py 
@@ -0,0 +1,89 @@ +from __future__ import absolute_import, print_function + +import hashlib +import os +from binascii import hexlify +from collections import defaultdict + +from ecdsa import SECP256k1, SigningKey +from ecdsa.util import sigdecode_der, sigencode_der + +from cryptography_vectors import open_vector_file + +from tests.utils import ( + load_fips_ecdsa_signing_vectors, load_vectors_from_file +) + +HASHLIB_HASH_TYPES = { + "SHA-1": hashlib.sha1, + "SHA-224": hashlib.sha224, + "SHA-256": hashlib.sha256, + "SHA-384": hashlib.sha384, + "SHA-512": hashlib.sha512, +} + + +class TruncatedHash(object): + def __init__(self, hasher): + self.hasher = hasher + + def __call__(self, data): + self.hasher.update(data) + return self + + def digest(self): + return self.hasher.digest()[:256 // 8] + + +def build_vectors(fips_vectors): + vectors = defaultdict(list) + for vector in fips_vectors: + vectors[vector['digest_algorithm']].append(vector['message']) + + for digest_algorithm, messages in vectors.items(): + if digest_algorithm not in HASHLIB_HASH_TYPES: + continue + + yield "" + yield "[K-256,{0}]".format(digest_algorithm) + yield "" + + for message in messages: + # Make a hash context + hash_func = TruncatedHash(HASHLIB_HASH_TYPES[digest_algorithm]()) + + # Sign the message using warner/ecdsa + secret_key = SigningKey.generate(curve=SECP256k1) + public_key = secret_key.get_verifying_key() + signature = secret_key.sign(message, hashfunc=hash_func, + sigencode=sigencode_der) + + r, s = sigdecode_der(signature, None) + + yield "Msg = {0}".format(hexlify(message)) + yield "d = {0:x}".format(secret_key.privkey.secret_multiplier) + yield "Qx = {0:x}".format(public_key.pubkey.point.x()) + yield "Qy = {0:x}".format(public_key.pubkey.point.y()) + yield "R = {0:x}".format(r) + yield "S = {0:x}".format(s) + yield "" + + +def write_file(lines, dest): + for line in lines: + print(line) + print(line, file=dest) + +source_path = os.path.join("asymmetric", "ECDSA", "FIPS_186-3", 
"SigGen.txt") +dest_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt") + +fips_vectors = load_vectors_from_file( + source_path, + load_fips_ecdsa_signing_vectors +) + +with open_vector_file(dest_path, "w") as dest_file: + write_file( + build_vectors(fips_vectors), + dest_file + ) -- cgit v1.2.3 From fddf29ff64919ea6b885469e0bb47045f6ea22b9 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sun, 3 May 2015 12:15:55 +0100 Subject: Verification script --- .../custom-vectors/secp256k1/verify_secp256k1.py | 59 ++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 docs/development/custom-vectors/secp256k1/verify_secp256k1.py (limited to 'docs') diff --git a/docs/development/custom-vectors/secp256k1/verify_secp256k1.py b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py new file mode 100644 index 00000000..3d2c25b9 --- /dev/null +++ b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py 
@@ -0,0 +1,59 @@ +from __future__ import absolute_import, print_function + +import os + +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric.utils import ( + encode_rfc6979_signature +) + +from tests.utils import ( + load_fips_ecdsa_signing_vectors, load_vectors_from_file +) + +CRYPTOGRAPHY_HASH_TYPES = { + "SHA-1": hashes.SHA1, + "SHA-224": hashes.SHA224, + "SHA-256": hashes.SHA256, + "SHA-384": hashes.SHA384, + "SHA-512": hashes.SHA512, +} + + +def verify_one_vector(vector): + digest_algorithm = vector['digest_algorithm'] + message = vector['message'] + x = vector['x'] + y = vector['y'] + signature = encode_rfc6979_signature(vector['r'], vector['s']) + + numbers = ec.EllipticCurvePublicNumbers( + x, y, + ec.SECP256K1() + ) + + key = numbers.public_key(default_backend()) + + verifier = key.verifier( + signature, + ec.ECDSA(CRYPTOGRAPHY_HASH_TYPES[digest_algorithm]()) + ) + verifier.update(message) + return verifier.verify() + + +def verify_vectors(vectors): + for vector in vectors: + assert verify_one_vector(vector) + + +vector_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt") + +secp256k1_vectors = load_vectors_from_file( + vector_path, + load_fips_ecdsa_signing_vectors +) + +verify_vectors(secp256k1_vectors) -- cgit v1.2.3 From 99c5f1554b1dd1109a220fe56d79f8ad4c74250c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 3 May 2015 10:01:04 -0400 Subject: Attempt to make the BasicConstraints.path_length docs more clear --- docs/x509.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 5f36a921..a69c4263 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -646,10 +646,10 @@ X.509 Extensions certificate. This attribute only has meaning if ``ca`` is true. If ``ca`` is true then a path length of None means there's no restriction on the number of subordinate CAs in the certificate chain. - If it is zero or greater then that number defines the maximum length. - For example, a ``path_length`` of 1 means the certificate can sign a - subordinate CA, but the subordinate CA is not allowed to create - subordinates with ``ca`` set to true. + If it is zero or greater then it defines the maximum length for a + subordinate CA's certificate chain. For example, a ``path_length`` of 1 + means the certificate can sign a subordinate CA, but the subordinate CA + is not allowed to create subordinates with ``ca`` set to true. .. class:: ExtendedKeyUsage -- cgit v1.2.3 From b0deb444efc01677bedad99c89f2c64c632e0096 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 10:53:45 -0500 Subject: add AKI vector --- docs/development/test-vectors.rst | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index f6eecfec..bc7cd640 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -160,6 +160,9 @@ Custom X.509 Vectors containing an inhibit any policy extension with the value 5. * ``inhibit_any_policy_negative.pem`` - An RSA 2048 bit self-signed certificate containing an inhibit any policy extension with the value -1. +* ``authority_key_identifier.pem`` - An RSA 2048 bit self-signed certificate + containing an authority key identifier extension with key identifier, + authority certificate issuer, and authority certificate serial number fields. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 0d52e2a50b21f0f491a9a14a1bbe77667eab593e Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sun, 3 May 2015 11:17:12 -0500 Subject: add another authority key identifier vector --- docs/development/test-vectors.rst | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index bc7cd640..a170142c 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -163,6 +163,9 @@ Custom X.509 Vectors * ``authority_key_identifier.pem`` - An RSA 2048 bit self-signed certificate containing an authority key identifier extension with key identifier, authority certificate issuer, and authority certificate serial number fields. +* ``authority_key_identifier_no_keyid.pem`` - An RSA 2048 bit self-signed + certificate containing an authority key identifier extension with authority + certificate issuer and authority certificate serial number fields. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From e54478f5194474ea1be4f4a3e3ca2dde9b3df2ed Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sun, 3 May 2015 11:38:36 +0100 Subject: Docs for custom secp256k1 vectors --- docs/development/custom-vectors/secp256k1.rst | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/development/custom-vectors/secp256k1.rst (limited to 'docs') diff --git a/docs/development/custom-vectors/secp256k1.rst b/docs/development/custom-vectors/secp256k1.rst new file mode 100644 index 00000000..b19bf4e4 --- /dev/null +++ b/docs/development/custom-vectors/secp256k1.rst 
@@ -0,0 +1,32 @@ +SECP256K1 vector creation +========================= + +This page documents the code that was used to generate the SECP256K1 elliptic +curve test vectors as well as code used to verify them against another +implementation. + + +Creation +-------- + +The vectors are generated using a `pure Python ecdsa`_ implementation. The test +messages and combinations of algorithms are derived from the NIST vector data. + +.. literalinclude:: /development/custom-vectors/secp256k1/generate_secp256k1.py + +Download link: :download:`generate_secp256k1.py +` + + +Verification +------------ + +``cryptography`` was modified to support the SECP256K1 curve. Then +the following python script was run to generate the vector files. + +.. literalinclude:: /development/custom-vectors/secp256k1/verify_secp256k1.py + +Download link: :download:`verify_secp256k1.py +` + +.. _`pure Python ecdsa`: https://pypi.python.org/pypi/ecdsa -- cgit v1.2.3 From e0afa5d8394e32369a0bec9486b5eb44193412b6 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sun, 3 May 2015 18:14:20 +0100 Subject: Add new vectors to the docs --- docs/development/test-vectors.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index f6eecfec..7edf01ab 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -37,9 +37,14 @@ Asymmetric ciphers Ruby test suite. -Custom Asymmetric Vectors +Custom asymmetric vectors ~~~~~~~~~~~~~~~~~~~~~~~~~ +.. toctree:: + :maxdepth: 1 + + custom-vectors/secp256k1 + * ``asymmetric/PEM_Serialization/ec_private_key.pem`` and ``asymmetric/DER_Serialization/ec_private_key.der`` - Contains an Elliptic Curve key generated by OpenSSL from the curve ``secp256r1``. 
@@ -78,6 +83,7 @@ Custom Asymmetric Vectors ``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding. + Key exchange ~~~~~~~~~~~~ -- cgit v1.2.3 From d774de9d49512a16b58e1461dd982c072fd36b8e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 10:52:25 -0500 Subject: authority key identifier support in the openssl backend --- docs/x509.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index f9c9af2f..f4ea2a52 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -317,6 +317,7 @@ X.509 Certificate Object >>> for ext in cert.extensions: ... print(ext) + , critical=False, value=)> , critical=False, value=)> , critical=True, value=)> , critical=True, value=)> -- cgit v1.2.3 From 64c82e0f20a1908c6f73549c261373d369d1202e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 4 May 2015 17:38:52 -0500 Subject: add some authority information access x509 vectors --- docs/development/test-vectors.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 77ec6259..41531f7b 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst 
@@ -172,6 +172,13 @@ Custom X.509 Vectors * ``authority_key_identifier_no_keyid.pem`` - An RSA 2048 bit self-signed certificate containing an authority key identifier extension with authority certificate issuer and authority certificate serial number fields. +* ``aia_ocsp_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate + containing an authority information access extension with two OCSP and one + CA issuers entry. +* ``aia_ocsp.pem`` - An RSA 2048 bit self-signed certificate + containing an authority information access extension with an OCSP entry. +* ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate + containing an authority information access extension with a CA issuers entry. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 5a48552b4b7fc4d108b6d45232769f111fe38896 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 6 May 2015 00:29:12 -0500 Subject: add CRLDistributionPoints and associated classes --- docs/x509.rst | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index f4ea2a52..9ef8e149 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -781,6 +781,8 @@ X.509 Extensions .. class:: AccessDescription + .. versionadded:: 0.9 + .. attribute:: access_method :type: :class:`ObjectIdentifier` 
@@ -798,6 +800,76 @@ X.509 Extensions Where to access the information defined by the access method. +.. class:: CRLDistributionPoints + + .. versionadded:: 0.9 + + The CRL distribution points extension identifies how CRL information is + obtained. It is an iterable, containing one or more + :class:`DistributionPoint` instances. + +.. class:: DistributionPoint + + .. versionadded:: 0.9 + + .. attribute:: distribution_point + + :type: list of :class:`GeneralName` instances, :class:`Name`, or None + + This field describes methods to retrieve the CRL. + + .. attribute:: crl_issuer + + :type: list of :class:`GeneralName` instances or None + + Information about the issuer of the CRL. + + .. attribute:: reasons + + :type: :class:`ReasonFlags` or None + + The reasons a given distribution point may be used for when performing + revocation checks. + +.. class:: ReasonFlags + + .. versionadded:: 0.9 + + This class holds reasons a distribution point may be used for when + performing revocation checks. + + .. attribute:: key_compromise + + :type: bool + + .. attribute:: ca_compromise + + :type: bool + + .. attribute:: affiliation_changed + + :type: bool + + .. attribute:: superseded + + :type: bool + + .. attribute:: cessation_of_operation + + :type: bool + + .. attribute:: certificate_hold + + :type: bool + + .. attribute:: privilege_withdrawn + + :type: bool + + .. attribute:: aa_compromise + + :type: bool + Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From ebbeedfd5d0e98e3e47d6d3af90161225a8a3e4a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 8 May 2015 18:13:14 -0500 Subject: add support for secp256k1 --- docs/hazmat/primitives/asymmetric/ec.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 6f4afe7d..71f6e6fd 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst 
@@ -251,6 +251,14 @@ All named curves are providers of :class:`EllipticCurve`. SECG curve ``secp192r1``. Also called NIST P-192. + +.. class:: SECP256K1 + + .. versionadded:: 0.9 + + SECG curve ``secp256k1``. + + Key Interfaces ~~~~~~~~~~~~~~ -- cgit v1.2.3 From 4e8dacd02ec4c4b8238e5ebdfcd5ab26348ec658 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 10:38:23 -0500 Subject: separate full_name/relative_name and change reasons to an enumeration --- docs/x509.rst | 49 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 14 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 9ef8e149..3cf4f905 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -812,11 +812,19 @@ X.509 Extensions .. versionadded:: 0.9 - .. attribute:: distribution_point + .. attribute:: full_name - :type: list of :class:`GeneralName` instances, :class:`Name`, or None + :type: list of :class:`GeneralName` instances or None + + This field describes methods to retrieve the CRL. If this is not None + then ``relative_name`` must be None. + + .. attribute:: relative_name + + :type: :class:`Name` or None - This field describes methods to retrieve the CRL. + This field describes methods to retrieve the CRL relative to the CRL + issuer. If this is not None then ``full_name`` must be None. .. attribute:: crl_issuer @@ -826,7 +834,7 @@ X.509 Extensions .. attribute:: reasons - :type: :class:`ReasonFlags` or None + :type: list of :class:`ReasonFlags` or None The reasons a given distribution point may be used for when performing revocation checks. 
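Review bot: the `reasons` attribute in this hunk is typed as a list of `ReasonFlags` "or None", but the description does not say what `None` means. In RFC 5280 an omitted reasons field means the CRL covers all reason codes, so a caller that reads `None` as "no reasons covered" would skip a distribution point it should check. Add a sentence stating that `None` means the distribution point applies to all reasons.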
@@ -835,40 +843,53 @@ X.509 Extensions .. versionadded:: 0.9 - This class holds reasons a distribution point may be used for when - performing revocation checks. + An enumeration for CRL reasons. + + .. attribute:: unspecified + + It is unspecified why the certificate was revoked. This reason cannot + be used as a reason flag in a :class:`DistributionPoint`. .. attribute:: key_compromise - :type: bool + This reason indicates that the private key was compromised. .. attribute:: ca_compromise - :type: bool + This reason indicates that the CA issuing the certificate was + compromised. .. attribute:: affiliation_changed - :type: bool + This reason indicates that the subject's name or other information has + changed. .. attribute:: superseded - :type: bool + This reason indicates that a certificate has been superseded. .. attribute:: cessation_of_operation - :type: bool + This reason indicates that the certificate is no longer required. .. attribute:: certificate_hold - :type: bool + This reason indicates that the certificate is on hold. .. attribute:: privilege_withdrawn - :type: bool + This reason indicates that the privilege granted by this certificate + have been withdrawn. .. attribute:: aa_compromise - :type: bool + When an attribute authority has been compromised. + + .. attribute:: remove_from_crl + + This reason indicates that the certificate was on hold and should be + removed from the CRL. This reason cannot be used as a reason flag + in a :class:`DistributionPoint`. Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From f2c072bf271f1ae0081a58fdf232110cc5af815d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 17:04:28 -0500 Subject: update doc language --- docs/x509.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 3cf4f905..f9992e20 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -816,15 +816,16 @@ X.509 Extensions :type: list of :class:`GeneralName` instances or None - This field describes methods to retrieve the CRL. If this is not None - then ``relative_name`` must be None. + This field describes methods to retrieve the CRL. At most one of + ``full_name`` or ``relative_name`` will be non-None. .. attribute:: relative_name :type: :class:`Name` or None This field describes methods to retrieve the CRL relative to the CRL - issuer. If this is not None then ``full_name`` must be None. + issuer. At most one of ``full_name`` or ``relative_name`` will be + non-None. .. attribute:: crl_issuer -- cgit v1.2.3 From 3fd0260a3dd110d99c0174c3937aa3d86b0d9ba0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 19:46:13 -0500 Subject: switch reasons to frozenset --- docs/x509.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index f9992e20..86673e3b 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -835,7 +835,7 @@ X.509 Extensions .. attribute:: reasons - :type: list of :class:`ReasonFlags` or None + :type: frozenset of :class:`ReasonFlags` or None The reasons a given distribution point may be used for when performing revocation checks. -- cgit v1.2.3 From 0d21092b1342128cb6568f20d3d5b9ae12009ec0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Apr 2015 17:31:07 -0500 Subject: add some docs --- docs/x509.rst | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 86673e3b..e4d0cd87 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -892,6 +892,69 @@ X.509 Extensions removed from the CRL. This reason cannot be used as a reason flag in a :class:`DistributionPoint`. +.. class:: CertificatePolicies + + .. versionadded:: 0.9 + + The certificate policies extension is a list of one or more + :class:`PolicyInformation` instances. The object is iterable to get every + instance. + +Certificate Policies Classes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +These classes may be present within a :class:`CertificatePolicies` instance. + +.. class:: PolicyInformation + + .. versionadded:: 0.9 + + Contains a policy identifier and an optional list of qualifiers. + + .. attribute:: policy_identifier + + :type: :class:`ObjectIdentifier` + + .. attribute:: policy_qualifiers + + :type: list + + A list of :class:`PolicyQualifierInfo` objects. + +.. class:: PolicyQualifierInfo + + .. versionadded:: 0.9 + + .. attribute:: qualifier + + :type: :term:`text` or :class:`UserNotice` + +.. class:: UserNotice + + .. versionadded:: 0.9 + + .. attribute:: notice_reference + + :type: :class:`NoticeReference` or None + + .. attribute:: explicit_text + + :type: :term:`text` + +.. class:: NoticeReference + + .. versionadded:: 0.9 + + .. attribute:: organization + + :type: :term:`text` or None + + .. attribute :: notice_numbers + + :type: list or None + + A list of integers or None. + Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 2e879745596f4d0affec6b65f759a1082eefd040 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 23:09:56 -0500 Subject: expand docs --- docs/x509.rst | 50 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index e4d0cd87..20929768 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -896,9 +896,8 @@ X.509 Extensions .. versionadded:: 0.9 - The certificate policies extension is a list of one or more - :class:`PolicyInformation` instances. The object is iterable to get every - instance. + The certificate policies extension is an iterable, containing one or more + :class:`PolicyInformation` instances. Certificate Policies Classes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -925,24 +924,56 @@ These classes may be present within a :class:`CertificatePolicies` instance. .. versionadded:: 0.9 + .. attribute:: policy_qualifier_id + + :type: :class:`ObjectIdentifier` + + This attribute can have two possible values: :data:`OID_CPS_QUALIFIER` + or :data:`OID_CPS_USER_NOTICE`. If it is :data:`OID_CPS_QUALIFIER` then + ``qualifier`` will be :term:`text` and should contain a pointer to + a certification practice statement (CPS) published by the CA. This + text should be in the form of a URI. If it is + :data:`OID_CPS_USER_NOTICE` then ``qualifier`` will be + :class:`UserNotice`. + .. attribute:: qualifier :type: :term:`text` or :class:`UserNotice` + The type of this attribute is determined by checking the + ``policy_qualifier_id``. + .. class:: UserNotice .. versionadded:: 0.9 + User notices are intended for display to a relying party when a certificate + is used. In practice, few if any UIs expose this data and it is a rarely + encoded component. + .. attribute:: notice_reference :type: :class:`NoticeReference` or None + The notice reference field names an organization and identifies, + by number, a particular statement prepared by that organization. + .. attribute:: explicit_text + This field includes an arbitrary textual statement directly in the + certificate. + :type: :term:`text` .. class:: NoticeReference + Notice reference can name an organization and provide information about + notices related to the certificate. For example, it might identify the + organization name and notice number 1. Application software could + have a notice file containing the current set of notices for the named + organization; the application would then extract the notice text from the + file and display it. In practice this is rarely seen. + .. versionadded:: 0.9 .. attribute:: organization 
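Review bot: two entries in this hunk break the ordering used by the rest of the file. Under `explicit_text` the description is placed before its `:type:` line, and under `NoticeReference` the description is placed before `.. versionadded:: 0.9`. Move the `:type:` line and the version marker up so they come first, as they do for `notice_reference` and `UserNotice` in the same hunk.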
@@ -1160,6 +1191,19 @@ Authority Information Access OIDs Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the identifier for CA issuer data in :class:`AccessDescription` objects. +Policy Qualifier OIDs +~~~~~~~~~~~~~~~~~~~~~ + +.. data:: OID_CPS_QUALIFIER + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``. Used as an + identifier in :class:`PolicyQualifierInfo` objects. + +.. data:: OID_CPS_USER_NOTICE + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. Used as an + identifier in :class:`PolicyQualifierInfo` objects. + .. _extension_oids: Extension OIDs -- cgit v1.2.3 From ba35b3ba85c374dfd0659992cae01255c530679d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 10 May 2015 13:07:59 -0500 Subject: remove policyqualifierinfo object --- docs/x509.rst | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 20929768..48cb0730 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -918,30 +918,7 @@ These classes may be present within a :class:`CertificatePolicies` instance. :type: list - A list of :class:`PolicyQualifierInfo` objects. - -.. class:: PolicyQualifierInfo - - .. versionadded:: 0.9 - - .. attribute:: policy_qualifier_id - - :type: :class:`ObjectIdentifier` - - This attribute can have two possible values: :data:`OID_CPS_QUALIFIER` - or :data:`OID_CPS_USER_NOTICE`. If it is :data:`OID_CPS_QUALIFIER` then - ``qualifier`` will be :term:`text` and should contain a pointer to - a certification practice statement (CPS) published by the CA. This - text should be in the form of a URI. If it is - :data:`OID_CPS_USER_NOTICE` then ``qualifier`` will be - :class:`UserNotice`. - - .. attribute:: qualifier - - :type: :term:`text` or :class:`UserNotice` - - The type of this attribute is determined by checking the - ``policy_qualifier_id``. + A list consisting of :term:`text` and/or :class:`UserNotice` objects. .. class:: UserNotice 
@@ -1196,13 +1173,11 @@ Policy Qualifier OIDs .. data:: OID_CPS_QUALIFIER - Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``. Used as an - identifier in :class:`PolicyQualifierInfo` objects. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``. .. data:: OID_CPS_USER_NOTICE - Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. Used as an - identifier in :class:`PolicyQualifierInfo` objects. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. .. _extension_oids: -- cgit v1.2.3 From 28d5421f61050ea601e14b713496024ef50a94bb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 10 May 2015 14:58:21 -0500 Subject: add CRL distribution points vectors --- docs/development/test-vectors.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 41531f7b..40331f89 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -179,6 +179,11 @@ Custom X.509 Vectors containing an authority information access extension with an OCSP entry. * ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate containing an authority information access extension with a CA issuers entry. +* ``cdp_fullname_reasons_crl_issuer.pem`` - An RSA 1024 bit certificate + containing a CRL distribution points extension with ``fullName``, + ``cRLIssuer``, and ``reasons`` data. +* ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL + distribution points extension with ``cRLIssuer`` data. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 3f8ddeb3fa8d66710dfbcef54061f5ce9c10c2f4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 May 2015 00:25:36 -0500 Subject: update docs --- docs/x509.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 48cb0730..d2313292 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -919,6 +919,10 @@ These classes may be present within a :class:`CertificatePolicies` instance. :type: list A list consisting of :term:`text` and/or :class:`UserNotice` objects. + If the value is text it is a pointer to the practice statement + published by the certificate authority. If it is a user notice it is + meant for display to the relying party when the certificate is + used. .. class:: UserNotice @@ -957,7 +961,7 @@ These classes may be present within a :class:`CertificatePolicies` instance. :type: :term:`text` or None - .. attribute :: notice_numbers + .. attribute:: notice_numbers :type: list or None -- cgit v1.2.3 From cdfe0f987ac853b77094693923bf9f7d43917d39 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 May 2015 20:00:29 -0500 Subject: add certificate policies vectors --- docs/development/test-vectors.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 40331f89..3d49801d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -184,6 +184,14 @@ Custom X.509 Vectors ``cRLIssuer``, and ``reasons`` data. * ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL distribution points extension with ``cRLIssuer`` data. +* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed + certificate containing a certificate policies extension with a + notice reference in the user notice. +* ``cp_user_notice_with_explicit_text.pem`` - An RSA 2048 bit self-signed + certificate containing a certificate policies extension with explicit + text and no notice reference. +* ``cp_cps_uri.pem`` - An RSA 2048 bit self-signed certificate containing a + certificate policies extension with a CPS URI and no user notice. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From d4f632ef9d06f3c527fea9558218b99b1f165032 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Tue, 12 May 2015 08:25:42 -0500 Subject: add OID information about all supported extensions --- docs/x509.rst | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index d2313292..96255a2c 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -1198,6 +1198,40 @@ Extension OIDs Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the :class:`KeyUsage` extension type. +.. data:: OID_SUBJECT_ALTERNATIVE_NAME + + Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the + :class:`SubjectAlternativeName` extension type. + +.. data:: OID_SUBJECT_KEY_IDENTIFIER + + Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the + :class:`SubjectKeyIdentifier` extension type. + +.. data:: OID_CRL_DISTRIBUTION_POINTS + + Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the + :class:`CRLDistributionPoints` extension type. + +.. data:: OID_CERTIFICATE_POLICIES + + Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the + :class:`CertificatePolicies` extension type. + +.. data:: OID_AUTHORITY_KEY_IDENTIFIER + + Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the + :class:`AuthorityKeyIdentifier` extension type. + +.. data:: OID_EXTENDED_KEY_USAGE + + Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the + :class:`ExtendedKeyUsage` extension type. + +.. data:: OID_AUTHORITY_INFORMATION_ACCESS + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier + for the :class:`AuthorityInformationAccess` extension type. Exceptions ~~~~~~~~~~ -- cgit v1.2.3 From 5ac41547b893dbb69b1b02fb21214d6b8115a843 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 16:04:52 -0500 Subject: add another certificate policies test vector --- docs/development/test-vectors.rst | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs') 
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3d49801d..824fb57f 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -192,6 +192,9 @@ Custom X.509 Vectors text and no notice reference. * ``cp_cps_uri.pem`` - An RSA 2048 bit self-signed certificate containing a certificate policies extension with a CPS URI and no user notice. +* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed + certificate containing a certificate policies extension with a user notice + with no explicit text. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 66c6170c02d0b3c00a9a10951f7bb0d29341d34e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 16:39:18 -0500 Subject: also update the docs to reflect the non-optional nature of these things --- docs/x509.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 96255a2c..a40727cc 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -959,13 +959,13 @@ These classes may be present within a :class:`CertificatePolicies` instance. .. attribute:: organization - :type: :term:`text` or None + :type: :term:`text` .. attribute:: notice_numbers - :type: list or None + :type: list - A list of integers or None. + A list of integers. Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 2008d9c83cf99c56f961b6b726cfdfae426f2a31 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 22:19:56 -0500 Subject: fix the docs test --- docs/x509.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index a40727cc..ff43be01 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -320,6 +320,7 @@ X.509 Certificate Object , critical=False, value=)> , critical=False, value=)> , critical=True, value=)> + , critical=False, value=, policy_qualifiers=None)>])>)> , critical=True, value=)> X.509 CSR (Certificate Signing Request) Object -- cgit v1.2.3 From 208d678f3b172d33748647be3389a2482bb87163 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 23:09:13 -0500 Subject: more CDP vectors! --- docs/development/test-vectors.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 824fb57f..6f61a7ee 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -184,6 +184,11 @@ Custom X.509 Vectors ``cRLIssuer``, and ``reasons`` data. * ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL distribution points extension with ``cRLIssuer`` data. +* ``cdp_all_reasons.pem`` - An RSA 1024 bit certificate containing a CRL + distribution points extension with all ``reasons`` bits set. +* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a + CRL distribution points extension with the ``AACompromise`` ``reasons`` bit + set. * ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed certificate containing a certificate policies extension with a notice reference in the user notice. -- cgit v1.2.3
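Review bot: In the `@@ -925,24 +924,56 @@` hunk of docs/x509.rst, the new description for `explicit_text` sits above its `:type: :term:`text`` line, and the new `NoticeReference` description sits above `.. versionadded:: 0.9`. The other entries touched in the same hunk (`UserNotice`, `notice_reference`, `qualifier`) put the `versionadded` or `:type:` line first and the description after it. Move both paragraphs below those lines so the rendered entries are laid out consistently.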
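Review bot: In the `@@ -1196,13 +1173,11 @@` hunk of "remove policyqualifierinfo object", `OID_CPS_QUALIFIER` and `OID_CPS_USER_NOTICE` are left with only their dotted strings, so the docs no longer say what either OID identifies or where a caller would meet it now that `PolicyQualifierInfo` is gone. Either add a sentence tying each OID to the CPS text and `UserNotice` qualifier kinds, or drop the "Policy Qualifier OIDs" section if these constants are no longer meant to be used directly.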
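Review bot: The `policy_qualifiers` description extended in the `@@ -919,6 +919,10 @@` hunk of "update docs" still declares `:type: list`, yet the doctest output added later in "fix the docs test" shows `policy_qualifiers=None`. Document the type as `list or None` and say what None means, so callers know to check before iterating. The earlier wording that the CPS text "should be in the form of a URI" was also lost when `PolicyQualifierInfo` was removed and would be worth restoring in this paragraph.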
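Review bot: In the docs/development/test-vectors.rst hunks that add the `cdp_*.pem` entries, each vector is described only as "An RSA 1024 bit certificate", while the neighbouring `aia_*` and `cp_*` entries state "self-signed". Say whether the CDP vectors are self-signed or name what issued them, so a test author can tell whether a chain is expected to verify.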