From 7e8fe9df4328f0d3134a502b5d3bc05435de7e6e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 18 May 2015 09:53:47 -0700 Subject: add policy constraints class --- docs/x509/reference.rst | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'docs') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 8bb3f40d..14fc37c8 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst 
@@ -1860,6 +1860,40 @@ X.509 Extensions :type: int +.. class:: PolicyConstraints + + .. versionadded:: 1.3 + + The policy constraints extension can be used in certificates issued + to CAs. The policy constraints extension constrains path validation + in two ways. It can be used to prohibit policy mapping or require + that each certificate in a path contain an acceptable policy + identifier. For more information about the use of this extension see + :rfc:`5280`. + + .. attribute:: require_explicit_policy + + :type: int or None + + If this field is present, the value indicates the number of additional + certificates that may appear in the path before an explicit policy is + required for the entire path. When an explicit policy is required, it + is necessary for all certificates in the path to contain an acceptable + policy identifier in the certificate policies extension. An + acceptable policy identifier is the identifier of a policy required + by the user of the certification path or the identifier of a policy + that has been declared equivalent through policy mapping. + + .. attribute:: inhibit_policy_mapping + + :type: int or None + + If this field is present, the value indicates the number of additional + certificates that may appear in the path before policy mapping is no + longer permitted. For example, a value of one indicates that policy + mapping may be processed in certificates issued by the subject of this + certificate, but not in additional certificates in the path. + .. class:: CRLNumber(crl_number) .. versionadded:: 1.2 @@ -2392,6 +2426,12 @@ instances. The following common OIDs are available as constants. the ``CRLNumber`` extension type. This extension only has meaning for certificate revocation lists. + .. attribute:: POLICY_CONSTRAINTS + + Corresponds to the dotted string ``"2.5.29.36"``. The identifier for the + :class:`PolicyConstraints` extension type. + + .. class:: CRLEntryExtensionOID .. versionadded:: 1.2 -- cgit v1.2.3 
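Review bot: In the first hunk of "add policy constraints class", the ".. class:: PolicyConstraints" directive carries no constructor signature, while the neighbouring entry in the same hunk is written ".. class:: CRLNumber(crl_number)", so a reader cannot tell how the extension is built. Both attributes are typed "int or None" and the text never says what happens when both are None. RFC 5280 section 4.2.1.11 forbids an empty policy constraints sequence, so the class description should list the constructor arguments and state that at least one of require_explicit_policy and inhibit_policy_mapping must be set.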
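Review bot: In the POLICY_CONSTRAINTS hunk of the same commit, the cross-reference ":class:`PolicyConstraints`" is unqualified even though the attribute is documented among the OID constants rather than next to the class. Write it as ":class:`~cryptography.x509.PolicyConstraints`", the form the later "fix docs" commit switches to, so the target is unambiguous from the first commit on. The hunk also adds two blank lines before ".. class:: CRLEntryExtensionOID"; one is enough.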
From 159b3b5ba975fcc2ebebfc707961070fc5fefacf Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Feb 2016 08:27:22 -0600 Subject: add the oid required by the extensiontype interface --- docs/x509/reference.rst | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 14fc37c8..30513082 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -1871,6 +1871,12 @@ X.509 Extensions identifier. For more information about the use of this extension see :rfc:`5280`. + .. attribute:: oid + + :type: :class:`ObjectIdentifier` + + Returns :attr:`~cryptography.x509.oid.ExtensionOID.POLICY_CONSTRAINTS`. + .. attribute:: require_explicit_policy :type: int or None -- cgit v1.2.3 From 20f0df583c8990c9c44c2941632c2a9b2780edf8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Feb 2016 08:37:13 -0600 Subject: fix docs --- docs/x509/reference.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 30513082..12fee807 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -2435,7 +2435,7 @@ instances. The following common OIDs are available as constants. .. attribute:: POLICY_CONSTRAINTS Corresponds to the dotted string ``"2.5.29.36"``. The identifier for the - :class:`PolicyConstraints` extension type. + :class:`~cryptography.x509.PolicyConstraints` extension type. .. class:: CRLEntryExtensionOID -- cgit v1.2.3 From 648c0fb14b762bd79243644ad5fcde586b94e098 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Feb 2016 16:10:36 -0600 Subject: try to improve the language --- docs/x509/reference.rst | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'docs') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 12fee807..529578ba 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst 
@@ -1864,10 +1864,8 @@ X.509 Extensions .. versionadded:: 1.3 - The policy constraints extension can be used in certificates issued - to CAs. The policy constraints extension constrains path validation - in two ways. It can be used to prohibit policy mapping or require - that each certificate in a path contain an acceptable policy + The policy constraints extension is used to inhibit policy mapping or + require that each certificate in a chain contain an acceptable policy identifier. For more information about the use of this extension see :rfc:`5280`. @@ -1881,10 +1879,10 @@ X.509 Extensions :type: int or None - If this field is present, the value indicates the number of additional - certificates that may appear in the path before an explicit policy is + If this field is not None, the value indicates the number of additional + certificates that may appear in the chain before an explicit policy is required for the entire path. When an explicit policy is required, it - is necessary for all certificates in the path to contain an acceptable + is necessary for all certificates in the chain to contain an acceptable policy identifier in the certificate policies extension. An acceptable policy identifier is the identifier of a policy required by the user of the certification path or the identifier of a policy @@ -1894,11 +1892,11 @@ X.509 Extensions :type: int or None - If this field is present, the value indicates the number of additional - certificates that may appear in the path before policy mapping is no + If this field is not None, the value indicates the number of additional + certificates that may appear in the chain before policy mapping is no longer permitted. For example, a value of one indicates that policy mapping may be processed in certificates issued by the subject of this - certificate, but not in additional certificates in the path. + certificate, but not in additional certificates in the chain. .. class:: CRLNumber(crl_number) -- cgit v1.2.3
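Review bot: The first hunk of "try to improve the language" (class description) removes the sentence "The policy constraints extension can be used in certificates issued to CAs" and puts nothing in its place, so the docs no longer say where this extension belongs. Keep the scoping in the shortened text, for example by opening with "The policy constraints extension, used in certificates issued to CAs, ...".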
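Review bot: The require_explicit_policy hunk of "try to improve the language" mixes terms after the edit: it now reads "certificates that may appear in the chain before an explicit policy is required for the entire path", and the unchanged context still says "the user of the certification path". Pick one term for the whole entry; RFC 5280, which the class description cites, uses "certification path". In this hunk and the inhibit_policy_mapping hunk, "is not None" should also mark the value as a literal, i.e. ``None``.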