From 0ef595f1d9b5336872dc24d7d67c8cd127b31cea Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Mon, 18 May 2015 13:53:43 -0400 Subject: Adds CSR builder. --- docs/x509.rst | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index b8e3c8ee..8507edc1 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -468,6 +468,47 @@ X.509 Revoked Certificate Object The extensions encoded in the revoked certificate. +X.509 CSR (Certificate Signing Request) Builder Object +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. class:: CertificateSigningRequestBuilder + + .. method:: __init__() + + Creates an empty certificate signing request. + + .. method:: set_version(version) + + :param version: The :class:`Version` of the X.509 protocol. + + .. method:: set_subject_name(name) + + :param name: The :class:`Name` of the certificate subject. + + .. method:: add_extension(extension) + + :param extension: The :class:`Extension` to add to the request. + + .. method:: sign(backend, private_key, algorithm) + + :param backend: Backend that will be used to sign the request. + Must support the + :class:`~cryptography.hazmat.backends.interfaces.X509Backend` + interface. + + :param private_key: The + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + that will be used to sign the request. When the request is + signed by a certificate authority, the private key's associated + public key will be stored in the resulting certificate. + + :param algorithm: The + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` + that will be used to generate the request signature. + + :type: :class:`CertificateSigningRequest` + + .. class:: Name .. versionadded:: 0.8 -- cgit v1.2.3 From 6d7e39b039c6c1f56084088b96a4a73566b25844 Mon Sep 17 00:00:00 2001 
From: Andre Caron Date: Sun, 31 May 2015 18:10:04 -0400 Subject: Adds updates docs for method chaining in CSR builder. --- docs/x509.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 8507edc1..f79f630c 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -479,15 +479,18 @@ X.509 CSR (Certificate Signing Request) Builder Object .. method:: set_version(version) - :param version: The :class:`Version` of the X.509 protocol. + :param version: The :class:`Version` of the X.509 protocol. + :returns: A new `CertificateSigningRequestBuilder`. .. method:: set_subject_name(name) :param name: The :class:`Name` of the certificate subject. + :returns: A new `CertificateSigningRequestBuilder`. .. method:: add_extension(extension) :param extension: The :class:`Extension` to add to the request. + :returns: A new `CertificateSigningRequestBuilder`. .. method:: sign(backend, private_key, algorithm) -- cgit v1.2.3 From d259ee51abae5a35e34f16ad74bfb1c62aa433d7 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Tue, 2 Jun 2015 23:47:11 -0400 Subject: Polishes builder documentation, --- docs/x509.rst | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index f79f630c..a2a3ded7 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -473,14 +473,37 @@ X.509 CSR (Certificate Signing Request) Builder Object .. class:: CertificateSigningRequestBuilder - .. method:: __init__() + .. versionadded:: 1.0 - Creates an empty certificate signing request. + .. doctest:: - .. method:: set_version(version) + >>> from cryptography import x509 + >>> from cryptography.hazmat.backends import default_backend + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.hazmat.primitives.asymmetric import rsa + >>> private_key = rsa.generate_private_key( + ... public_exponent=65537, + ... key_size=2048, + ... backend=default_backend() + ... ) + >>> builder = x509.CertificateSigningRequestBuilder() + >>> builder = builder.set_subject_name(x509.Name([ + ... x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ... ])) + >>> buidlder = builder.add_extension(x509.Extension( + ... x509.OID_BASIC_CONSTRAINTS, + ... True, + ... x509.BasicConstraints(False, None), + ... )) + >>> request = builder.sign( + ... default_backend(), private_key, hashes.SHA1() + ... ) + >>> isinstance(request, x509.CertificateSigningRequest) + True - :param version: The :class:`Version` of the X.509 protocol. - :returns: A new `CertificateSigningRequestBuilder`. + .. method:: __init__() + + Creates an empty certificate signing request. .. method:: set_subject_name(name) -- cgit v1.2.3 From 472fd6991e05735e00fdca7fbe2573a44fdabd17 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:04:44 -0400 Subject: Changes builder extension API. --- docs/x509.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index a2a3ded7..52117c84 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -490,11 +490,9 @@ X.509 CSR (Certificate Signing Request) Builder Object >>> builder = builder.set_subject_name(x509.Name([ ... x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ... ])) - >>> buidlder = builder.add_extension(x509.Extension( - ... x509.OID_BASIC_CONSTRAINTS, - ... True, - ... x509.BasicConstraints(False, None), - ... )) + >>> buidlder = builder.add_extension( + ... x509.BasicConstraints(False, None), critical=True, + ... ) >>> request = builder.sign( ... default_backend(), private_key, hashes.SHA1() ... ) @@ -510,9 +508,11 @@ X.509 CSR (Certificate Signing Request) Builder Object :param name: The :class:`Name` of the certificate subject. :returns: A new `CertificateSigningRequestBuilder`. - .. method:: add_extension(extension) + .. method:: add_extension(extension, critical=False) :param extension: The :class:`Extension` to add to the request. + :param critical: Set to `True` if the extension must be understood and + handled by whoever reads the certificate. :returns: A new `CertificateSigningRequestBuilder`. .. method:: sign(backend, private_key, algorithm) -- cgit v1.2.3 From 341ff85a7ceee3fb2e39e3ea11768b37e195445f Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:14:31 -0400 Subject: Fully qualifies symbols in doc references. --- docs/x509.rst | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 52117c84..06a363fc 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -505,15 +505,19 @@ X.509 CSR (Certificate Signing Request) Builder Object .. method:: set_subject_name(name) - :param name: The :class:`Name` of the certificate subject. - :returns: A new `CertificateSigningRequestBuilder`. + :param name: The :class:`~cryptography.x509.Name` of the certificate + subject. + :returns: A new + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. .. method:: add_extension(extension, critical=False) - :param extension: The :class:`Extension` to add to the request. + :param extension: The :class:`~cryptography.x509.Extension` to add to + the request. :param critical: Set to `True` if the extension must be understood and handled by whoever reads the certificate. - :returns: A new `CertificateSigningRequestBuilder`. + :returns: A new + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. .. method:: sign(backend, private_key, algorithm) @@ -532,7 +536,8 @@ X.509 CSR (Certificate Signing Request) Builder Object :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that will be used to generate the request signature. - :type: :class:`CertificateSigningRequest` + :returns: A new + :class:`~cryptography.x509.CertificateSigningRequest`. .. class:: Name -- cgit v1.2.3 From 24f9bf4ba52c64f10ea6895a7e37dd0b4761b589 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:14:54 -0400 Subject: Lists support for DSA and EC in CSR builder. --- docs/x509.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 06a363fc..d7ab6478 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -527,7 +527,9 @@ X.509 CSR (Certificate Signing Request) Builder Object interface. :param private_key: The - :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` that will be used to sign the request. When the request is signed by a certificate authority, the private key's associated public key will be stored in the resulting certificate. -- cgit v1.2.3 From a9a5117f9aae4f0aa3e2e1bd3dcd6a93867c67a4 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:18:44 -0400 Subject: Removes set_ prefix on CSR builder method. --- docs/x509.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index d7ab6478..0f55e8e4 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -487,7 +487,7 @@ X.509 CSR (Certificate Signing Request) Builder Object ... backend=default_backend() ... ) >>> builder = x509.CertificateSigningRequestBuilder() - >>> builder = builder.set_subject_name(x509.Name([ + >>> builder = builder.subject_name(x509.Name([ ... x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ... ])) >>> buidlder = builder.add_extension( @@ -503,7 +503,7 @@ X.509 CSR (Certificate Signing Request) Builder Object Creates an empty certificate signing request. - .. method:: set_subject_name(name) + .. method:: subject_name(name) :param name: The :class:`~cryptography.x509.Name` of the certificate subject. -- cgit v1.2.3 From 0112b0242717e394ec35aad8d0c8311a47dfa577 Mon Sep 17 00:00:00 2001 
From: Ian Cordasco Date: Tue, 16 Jun 2015 17:51:18 -0500 Subject: Address code review regarding style and gc - Use keyword arguments for x509.BasicConstraints in several places - Use SHA256 instead of SHA1 in documented examples - Give function variables meaningful names in _encode_asn1_str - Accept a x509.BasicConstraints object in _encode_basic_constraints - Properly garbage-collect some things - Raise a NotImplementedError instead of a ValueError --- docs/x509.rst | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 0f55e8e4..aa8e2593 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -491,18 +491,14 @@ X.509 CSR (Certificate Signing Request) Builder Object ... x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ... ])) >>> buidlder = builder.add_extension( - ... x509.BasicConstraints(False, None), critical=True, + ... x509.BasicConstraints(ca=False, path_length=None), critical=True, ... ) >>> request = builder.sign( - ... default_backend(), private_key, hashes.SHA1() + ... default_backend(), private_key, hashes.SHA256() ... ) >>> isinstance(request, x509.CertificateSigningRequest) True - .. method:: __init__() - - Creates an empty certificate signing request. - .. method:: subject_name(name) :param name: The :class:`~cryptography.x509.Name` of the certificate -- cgit v1.2.3 From 4d46eb7217d1effa3043da0def8c365c199b5b7f Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 17 Jun 2015 12:08:27 -0500 Subject: Properly use RSA fixtures to generate private keys --- docs/x509.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index aa8e2593..84b3b8b4 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -488,7 +488,7 @@ X.509 CSR (Certificate Signing Request) Builder Object ... ) >>> builder = x509.CertificateSigningRequestBuilder() >>> builder = builder.subject_name(x509.Name([ - ... x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ... ])) >>> buidlder = builder.add_extension( ... x509.BasicConstraints(ca=False, path_length=None), critical=True, -- cgit v1.2.3 From f06b6be82300d9339bcfb062aedd7d7a3865aec9 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sun, 21 Jun 2015 10:09:18 -0500 Subject: Address review comments around add_extension method - Fix typo in the docs (s/buidlder/builder/) - Remove default from the method declaration and docs - Replace ValueError with NotImplementedError for unsupported X.509 extensions - Add TODO comment as requested by Alex - Fix test to pass critical=False since it no longer is a default value --- docs/x509.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 84b3b8b4..c4c441e7 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -490,7 +490,7 @@ X.509 CSR (Certificate Signing Request) Builder Object >>> builder = builder.subject_name(x509.Name([ ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ... ])) - >>> buidlder = builder.add_extension( + >>> builder = builder.add_extension( ... x509.BasicConstraints(ca=False, path_length=None), critical=True, ... ) >>> request = builder.sign( @@ -506,7 +506,7 @@ X.509 CSR (Certificate Signing Request) Builder Object :returns: A new :class:`~cryptography.x509.CertificateSigningRequestBuilder`. - .. method:: add_extension(extension, critical=False) + .. method:: add_extension(extension, critical) :param extension: The :class:`~cryptography.x509.Extension` to add to the request. -- cgit v1.2.3