aboutsummaryrefslogtreecommitdiffstats
path: root/docs/x509/reference.rst
blob: d86ebbe8f1f30ce10ad8a4aa6ee4e67823673415 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
pre { line-height: 125%; margin: 0; }
td.linenos pre { color: #000000; background-color: #f0f0f0; padding: 0 5px 0 5px; }
span.linenos { color: #000000; background-color: #f0f0f0; padding: 0 5px 0 5px; }
td.linenos pre.special { color: #000000; background-color: #ffffc0; padding: 0 5px 0 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding: 0 5px 0 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight { background: #ffffff; }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
# -*- coding: utf-8 -*-

# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

#
# Cryptography documentation build configuration file, created by
# sphinx-quickstart on Tue Aug  6 19:19:14 2013.
#
# This file is execfile()d with the current directory set to its containing dir
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.

from __future__ import absolute_import, division, print_function

import os
import sys

try:
    import sphinx_rtd_theme
except ImportError:
    sphinx_rtd_theme = None

try:
    from sphinxcontrib import spelling
except ImportError:
    spelling = None


# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
sys.path.insert(0, os.path.abspath('.'))

# -- General configuration ----------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be
# extensions  coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = [
    'sphinx.ext.autodoc',
    'sphinx.ext.doctest',
    'sphinx.ext.intersphinx',
    'sphinx.ext.viewcode',
    'cryptography-docs',
]

if spelling is not None:
    extensions.append('sphinxcontrib.spelling')

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

nitpicky = True

# The suffix of source filenames.
source_suffix = '.rst'

# The encoding of source files.
# source_encoding = 'utf-8-sig'

# The master toctree document.
master_doc = 'index'

# General information about the project.
project = 'Cryptography'
copyright = '2013-2017, Individual Contributors'

# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#

base_dir = os.path.join(os.path.dirname(__file__), os.pardir)
about = {}
with open(os.path.join(base_dir, "src", "cryptography", "__about__.py")) as f:
    exec(f.read(), about)

version = release = about["__version__"]

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
# language = None

# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']

# The reST default role (used for this markup: `text`) to use for all documents
# default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# -- Options for HTML output --------------------------------------------------

# The theme to use for HTML and HTML Help pages.  See the documentation for
# a list of builtin themes.

if sphinx_rtd_theme:
    html_theme = "sphinx_rtd_theme"
    html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
else:
    html_theme = "default"

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# Output file base name for HTML help builder.
htmlhelp_basename = 'Cryptographydoc'


# -- Options for LaTeX output -------------------------------------------------

latex_elements = {
}

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual])
latex_documents = [
    ('index', 'Cryptography.tex', 'Cryptography Documentation',
        'Individual Contributors', 'manual'),
]

# -- Options for manual page output -------------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
    ('index', 'cryptography', 'Cryptography Documentation',
        ['Individual Contributors'], 1)
]

# -- Options for Texinfo output -----------------------------------------------

# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
#  dir menu entry, description, category)
texinfo_documents = [
    ('index', 'Cryptography', 'Cryptography Documentation',
        'Individual Contributors', 'Cryptography',
        'One line description of project.',
        'Miscellaneous'),
]

# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'https://docs.python.org/3': None}

epub_theme = 'epub'

# Retry requests in the linkcheck builder so that we're resillient against
# transient network errors.
linkcheck_retries = 10

linkcheck_ignore = [
    # Small DH key results in a TLS failure on modern OpenSSL
    "https://info.isl.ntt.co.jp/crypt/eng/camellia/",
]
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-15 08:55:52 +0000
'>755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 
X.509 Reference
===============

.. currentmodule:: cryptography.x509

.. testsetup::

    pem_req_data = b"""
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC0zCCAbsCAQAwWTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAw
    DgYDVQQHDAdDaGljYWdvMREwDwYDVQQKDAhyNTA5IExMQzESMBAGA1UEAwwJaGVs
    bG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqhZx+Mo9VRd9
    vsnWWa6NBCws21rZ0+1B/JGgB4hDsZS7iDE4Bj5z4idheFRtl8bBbdjPknq7BfoF
    8v15Zq/Zv7i2xMSDL+LUrTBZezRd4bRTGqCm6YJ5EYkhqdcqeZleHCFImguHoq1J
    Fh0+kObQrTHXw3ZP57a3o1IvyIUA3nNoCBL0QQhwBXaDXOojMKNR+bqB5ve8GS1y
    Elr0AM/+cJsfaIahNQUgFKx3Eu3GeEOMKYOAG1lycgdQdmTUybLrT3U7vkClTseM
    xHg1r5En7ALjONIhqRuq3rddYahrP8HXozb3zUy3cJ7P6IeaosuvNzvMXOX9P6HD
    Ha9urDAJ1wIDAQABoDUwMwYJKoZIhvcNAQkOMSYwJDAiBgNVHREEGzAZggl3b3Js
    ZC5jb22CDHdoYXRldmVyLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAS4Ro6h+z52SK
    YSLCYARpnEu/rmh4jdqndt8naqcNb6uLx9mlKZ2W9on9XDjnSdQD9q+ZP5aZfESw
    R0+rJhW9ZrNa/g1pt6M24ihclHYDAxYMWxT1z/TXXGM3TmZZ6gfYlNE1kkBuODHa
    UYsR/1Ht1E1EsmmUimt2n+zQR2K8T9Coa+boaUW/GsTEuz1aaJAkj5ZvTDiIhRG4
    AOCqFZOLAQmCCNgJnnspD9hDz/Ons085LF5wnYjN4/Nsk5tS6AGs3xjZ3jPoOGGn
    82WQ9m4dBGoVDZXsobVTaN592JEYwN5iu72zRn7Einb4V4H5y3yD2dD4yWPlt4pk
    5wFkeYsZEA==
    -----END CERTIFICATE REQUEST-----
    """.strip()

    pem_data = b"""
    -----BEGIN CERTIFICATE-----
    MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
    MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
    QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
    BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
    B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
    Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
    BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
    RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
    UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
    VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
    yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
    XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
    AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
    KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
    tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
    3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
    FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
    6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
    QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
    -----END CERTIFICATE-----
    """.strip()

    cryptography_cert_pem = b"""
    -----BEGIN CERTIFICATE-----
    MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
    FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
    NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
    BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
    L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
    bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
    LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
    itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
    PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
    CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
    6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
    3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
    r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
    ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
    diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
    gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
    YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
    FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
    8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
    aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
    LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
    BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
    dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
    bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
    LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
    CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
    dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
    Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
    7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
    aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
    GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
    -----END CERTIFICATE-----
    """.strip()

Loading Certificates
~~~~~~~~~~~~~~~~~~~~

.. function:: load_pem_x509_certificate(data, backend)

    .. versionadded:: 0.7

    Deserialize a certificate from PEM encoded data. PEM certificates are
    base64 decoded and have delimiters that look like
    ``-----BEGIN CERTIFICATE-----``.

    :param bytes data: The PEM encoded certificate data.

    :param backend: A backend supporting the
        :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
        interface.

    :returns: An instance of :class:`~cryptography.x509.Certificate`.

.. function:: load_der_x509_certificate(data, backend)

    .. versionadded:: 0.7

    Deserialize a certificate from DER encoded data. DER is a binary format
    and is commonly found in files with the ``.cer`` extension (although file
    extensions are not a guarantee of encoding type).

    :param bytes data: The DER encoded certificate data.

    :param backend: A backend supporting the
        :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
        interface.

    :returns: An instance of :class:`~cryptography.x509.Certificate`.

.. doctest::

    >>> from cryptography import x509
    >>> from cryptography.hazmat.backends import default_backend
    >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
    >>> cert.serial
    2

Loading Certificate Signing Requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. function:: load_pem_x509_csr(data, backend)

    .. versionadded:: 0.9

    Deserialize a certificate signing request (CSR) from PEM encoded data. PEM
    requests are base64 decoded and have delimiters that look like
    ``-----BEGIN CERTIFICATE REQUEST-----``. This format is also known as
    PKCS#10.

    :param bytes data: The PEM encoded request data.

    :param backend: A backend supporting the
        :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
        interface.

    :returns: An instance of
        :class:`~cryptography.x509.CertificateSigningRequest`.

.. function:: load_der_x509_csr(data, backend)

    .. versionadded:: 0.9

    Deserialize a certificate signing request (CSR) from DER encoded data. DER
    is a binary format and is not commonly used with CSRs.

    :param bytes data: The DER encoded request data.

    :param backend: A backend supporting the
        :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
        interface.

    :returns: An instance of
        :class:`~cryptography.x509.CertificateSigningRequest`.

.. doctest::

    >>> from cryptography import x509
    >>> from cryptography.hazmat.backends import default_backend
    >>> from cryptography.hazmat.primitives import hashes
    >>> csr = x509.load_pem_x509_csr(pem_req_data, default_backend())
    >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
    True

X.509 Certificate Object
~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: Certificate

    .. versionadded:: 0.7

    .. attribute:: version

        :type: :class:`~cryptography.x509.Version`

        The certificate version as an enumeration. Version 3 certificates are
        the latest version and also the only type you should see in practice.

        :raises cryptography.x509.InvalidVersion: If the version in the
            certificate is not a known
            :class:`X.509 version <cryptography.x509.Version>`.

        .. doctest::

            >>> cert.version
            <Version.v3: 2>

    .. method:: fingerprint(algorithm)

        :param algorithm: The
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
            that will be used to generate the fingerprint.

        :return bytes: The fingerprint using the supplied hash algorithm, as
            bytes.

        .. doctest::

            >>> from cryptography.hazmat.primitives import hashes
            >>> cert.fingerprint(hashes.SHA256())
            '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'

    .. attribute:: serial

        :type: int

        The serial as a Python integer.

        .. doctest::

            >>> cert.serial
            2

    .. method:: public_key()

        :type:
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`

        The public key associated with the certificate.

        .. doctest::

            >>> from cryptography.hazmat.primitives.asymmetric import rsa
            >>> public_key = cert.public_key()
            >>> isinstance(public_key, rsa.RSAPublicKey)
            True

    .. attribute:: not_valid_before

        :type: :class:`datetime.datetime`

        A naïve datetime representing the beginning of the validity period for
        the certificate in UTC. This value is inclusive.

        .. doctest::

            >>> cert.not_valid_before
            datetime.datetime(2010, 1, 1, 8, 30)

    .. attribute:: not_valid_after

        :type: :class:`datetime.datetime`

        A naïve datetime representing the end of the validity period for the
        certificate in UTC. This value is inclusive.

        .. doctest::

            >>> cert.not_valid_after
            datetime.datetime(2030, 12, 31, 8, 30)

    .. attribute:: issuer

        .. versionadded:: 0.8

        :type: :class:`Name`

        The :class:`Name` of the issuer.

    .. attribute:: subject

        .. versionadded:: 0.8

        :type: :class:`Name`

        The :class:`Name` of the subject.

    .. attribute:: signature_hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        Returns the
        :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
        was used in signing this certificate.

        .. doctest::

            >>> from cryptography.hazmat.primitives import hashes
            >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
            True

    .. attribute:: extensions

        :type: :class:`Extensions`

        The extensions encoded in the certificate.

        :raises cryptography.x509.DuplicateExtension: If more than one
            extension of the same type is found within the certificate.

        :raises cryptography.x509.UnsupportedExtension: If the certificate
            contains an extension that is not supported.

        :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
            contains a general name that is not supported.

        :raises UnicodeError: If an extension contains IDNA encoding that is
            invalid or not compliant with IDNA 2008.

        .. doctest::

            >>> for ext in cert.extensions:
            ...     print(ext)
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier='\xe4}_\xd1\\\x95\x86\x08,\x05\xae\xbeu\xb6e\xa7\xd9]\xa8f', authority_cert_issuer=None, authority_cert_serial_number=None)>)>
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)>
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=None, decipher_only=None)>)>
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)>, critical=False, value=<CertificatePolicies([<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=2.16.840.1.101.3.2.1.48.1, name=Unknown OID)>, policy_qualifiers=None)>])>)>
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>

    .. method:: public_bytes(encoding)

        .. versionadded:: 1.0

        :param encoding: The
            :class:`~cryptography.hazmat.primitives.serialization.Encoding`
            that will be used to serialize the certificate.

        :return bytes: The data that can be written to a file or sent
            over the network to be verified by clients.

X.509 CRL (Certificate Revocation List) Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: CertificateRevocationList

    .. versionadded:: 1.0

    .. method:: fingerprint(algorithm)

        :param algorithm: The
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
            that will be used to generate the fingerprint.

        :return bytes: The fingerprint using the supplied hash algorithm, as
            bytes.

    .. attribute:: signature_hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        Returns the
        :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
        was used in signing this CRL.

    .. attribute:: issuer

        :type: :class:`Name`

        The :class:`Name` of the issuer.

    .. attribute:: next_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing when the next update to this CRL is
        expected.

    .. attribute:: last_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing when the this CRL was last updated.

    .. attribute:: revoked_certificates

        :type: list of :class:`RevokedCertificate`

        The revoked certificates listed in this CRL.

    .. attribute:: extensions

        :type: :class:`Extensions`

        The extensions encoded in the CRL.

X.509 Certificate Builder
~~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: CertificateBuilder

    .. versionadded:: 1.0

    .. doctest::

        >>> from cryptography import x509
        >>> from cryptography.hazmat.backends import default_backend
        >>> from cryptography.hazmat.primitives import hashes
        >>> from cryptography.hazmat.primitives.asymmetric import rsa
        >>> import datetime
        >>> import uuid
        >>> one_day = datetime.timedelta(1, 0, 0)
        >>> private_key = rsa.generate_private_key(
        ...     public_exponent=65537,
        ...     key_size=2048,
        ...     backend=default_backend()
        ... )
        >>> public_key = rsa.generate_private_key(
        ...     public_exponent=65537,
        ...     key_size=2048,
        ...     backend=default_backend()
        ... ).public_key()
        >>> builder = x509.CertificateBuilder()
        >>> builder = builder.subject_name(x509.Name([
        ...     x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
        ... ]))
        >>> builder = builder.issuer_name(x509.Name([
        ...     x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
        ... ]))
        >>> builder = builder.not_valid_before(datetime.datetime.today() - one_day)
        >>> builder = builder.not_valid_after(datetime.datetime(2018, 8, 2))
        >>> builder = builder.serial_number(int(uuid.uuid4()))
        >>> builder = builder.public_key(public_key)
        >>> builder = builder.add_extension(
        ...     x509.BasicConstraints(ca=False, path_length=None), critical=True,
        ... )
        >>> certificate = builder.sign(
        ...     private_key=private_key, algorithm=hashes.SHA256(),
        ...     backend=default_backend()
        ... )
        >>> isinstance(certificate, x509.Certificate)
        True

    .. method:: issuer_name(name)

        Sets the issuer's distinguished name.

        :param name: The :class:`~cryptography.x509.Name` that describes the
            issuer (CA).

    .. method:: subject_name(name)

        Sets the subject's distinguished name.

        :param name: The :class:`~cryptography.x509.Name` that describes the
            subject.

    .. method:: public_key(public_key)

        Sets the subject's public key.

        :param public_key: The subject's public key. This can be one of
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`

    .. method:: serial_number(serial_number)

        Sets the certificate's serial number (an integer).  The CA's policy
        determines how it attributes serial numbers to certificates.  The only
        requirement is that this number uniquely identify the certificate given
        the issuer.

        :param serial_number: Integer number that will be used by the CA to
            identify this certificate (most notably during certificate
            revocation checking). Users are encouraged to use a method of
            generating 20 bytes of entropy, e.g., UUID4. For more information
            on secure random number generation, see :doc:`/random-numbers`.

    .. method:: not_valid_before(time)

        Sets the certificate's activation time.  This is the time from which
        clients can start trusting the certificate.  It may be different from
        the time at which the certificate was created.

        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
            activation time for the certificate.  The certificate may not be
            trusted clients if it is used before this time.

    .. method:: not_valid_after(time)

        Sets the certificate's expiration time.  This is the time from which
        clients should no longer trust the certificate.  The CA's policy will
        determine how long the certificate should remain in use.

        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
            expiration time for the certificate.  The certificate may not be
            trusted clients if it is used after this time.

    .. method:: add_extension(extension, critical)

        Adds an X.509 extension to the certificate.

        :param extension: The extension to add to the certificate. Can be one
            of :class:`~cryptography.x509.BasicConstraints` or
            :class:`~cryptography.x509.SubjectAlternativeName`.

        :param critical: Set to ``True`` if the extension must be understood and
             handled by whoever reads the certificate.

    .. method:: sign(private_key, algorithm, backend)

        Sign the certificate using the CA's private key.

        :param private_key: The
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
            that will be used to sign the certificate.

        :param algorithm: The
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that
            will be used to generate the signature.

        :param backend: Backend that will be used to build the certificate.
            Must support the
            :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
            interface.


X.509 CSR (Certificate Signing Request) Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: CertificateSigningRequest

    .. versionadded:: 0.9

    .. method:: public_key()

        :type:
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`

        The public key associated with the request.

        .. doctest::

            >>> from cryptography.hazmat.primitives.asymmetric import rsa
            >>> public_key = csr.public_key()
            >>> isinstance(public_key, rsa.RSAPublicKey)
            True

    .. attribute:: subject

        :type: :class:`Name`

        The :class:`Name` of the subject.

    .. attribute:: signature_hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        Returns the
        :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
        was used in signing this request.

        .. doctest::

            >>> from cryptography.hazmat.primitives import hashes
            >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
            True

    .. attribute:: extensions

        :type: :class:`Extensions`

        The extensions encoded in the certificate signing request.

        :raises cryptography.x509.DuplicateExtension: If more than one
            extension of the same type is found within the certificate signing request.

        :raises cryptography.x509.UnsupportedExtension: If the certificate signing request
            contains an extension that is not supported.

        :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
            contains a general name that is not supported.

        :raises UnicodeError: If an extension contains IDNA encoding that is
            invalid or not compliant with IDNA 2008.


    .. method:: public_bytes(encoding)

        .. versionadded:: 1.0

        :param encoding: The
            :class:`~cryptography.hazmat.primitives.serialization.Encoding`
            that will be used to serialize the certificate request.

        :return bytes: The data that can be written to a file or sent
            over the network to be signed by the certificate
            authority.

X.509 Revoked Certificate Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: RevokedCertificate

    .. versionadded:: 1.0

    .. attribute:: serial_number

        :type: :class:`int`

        An integer representing the serial number of the revoked certificate.

    .. attribute:: revocation_date

        :type: :class:`datetime.datetime`

        A naïve datetime representing the date this certificates was revoked.

    .. attribute:: extensions

        :type: :class:`Extensions`

        The extensions encoded in the revoked certificate.

X.509 CSR (Certificate Signing Request) Builder Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. class:: CertificateSigningRequestBuilder

    .. versionadded:: 1.0

    .. doctest::

        >>> from cryptography import x509
        >>> from cryptography.hazmat.backends import default_backend
        >>> from cryptography.hazmat.primitives import hashes
        >>> from cryptography.hazmat.primitives.asymmetric import rsa
        >>> private_key = rsa.generate_private_key(
        ...     public_exponent=65537,
        ...     key_size=2048,
        ...     backend=default_backend()
        ... )
        >>> builder = x509.CertificateSigningRequestBuilder()
        >>> builder = builder.subject_name(x509.Name([
        ...     x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
        ... ]))
        >>> builder = builder.add_extension(
        ...     x509.BasicConstraints(ca=False, path_length=None), critical=True,
        ... )
        >>> request = builder.sign(
        ...     private_key, hashes.SHA256(), default_backend()
        ... )
        >>> isinstance(request, x509.CertificateSigningRequest)
        True

    .. method:: subject_name(name)

        :param name: The :class:`~cryptography.x509.Name` of the certificate
            subject.
        :returns: A new
            :class:`~cryptography.x509.CertificateSigningRequestBuilder`.

    .. method:: add_extension(extension, critical)

        :param extension: The :class:`~cryptography.x509.Extension` to add to
            the request.
        :param critical: Set to `True` if the extension must be understood and
             handled by whoever reads the certificate.
        :returns: A new
            :class:`~cryptography.x509.CertificateSigningRequestBuilder`.

    .. method:: sign(private_key, algorithm, backend)

        :param backend: Backend that will be used to sign the request.
            Must support the
            :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
            interface.

        :param private_key: The
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
            that will be used to sign the request.  When the request is
            signed by a certificate authority, the private key's associated
            public key will be stored in the resulting certificate.

        :param algorithm: The
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
            that will be used to generate the request signature.

        :returns: A new
            :class:`~cryptography.x509.CertificateSigningRequest`.


.. class:: Name

    .. versionadded:: 0.8

    An X509 Name is an ordered list of attributes. The object is iterable to
    get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
    obtain the specific type you want. Names are sometimes represented as a
    slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
    ``CN=mydomain.com, O=My Org, C=US``).

    .. doctest::

        >>> len(cert.subject)
        3
        >>> for attribute in cert.subject:
        ...     print(attribute)
        <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
        <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
        <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>

    .. method:: get_attributes_for_oid(oid)

        :param oid: An :class:`ObjectIdentifier` instance.

        :returns: A list of :class:`NameAttribute` instances that match the
            OID provided. If nothing matches an empty list will be returned.

        .. doctest::

            >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
            [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]

.. class:: Version

    .. versionadded:: 0.7

    An enumeration for X.509 versions.

    .. attribute:: v1

        For version 1 X.509 certificates.

    .. attribute:: v3

        For version 3 X.509 certificates.

.. class:: NameAttribute

    .. versionadded:: 0.8

    An X.509 name consists of a list of NameAttribute instances.

    .. attribute:: oid

        :type: :class:`ObjectIdentifier`

        The attribute OID.

    .. attribute:: value

        :type: :term:`text`

        The value of the attribute.

.. class:: ObjectIdentifier

    .. versionadded:: 0.8

    Object identifiers (frequently seen abbreviated as OID) identify the type
    of a value (see: :class:`NameAttribute`).

    .. attribute:: dotted_string

        :type: :class:`str`

        The dotted string value of the OID (e.g. ``"2.5.4.3"``)

.. _general_name_classes:

General Name Classes
~~~~~~~~~~~~~~~~~~~~

.. class:: GeneralName

    .. versionadded:: 0.9

    This is the generic interface that all the following classes are registered
    against.

.. class:: RFC822Name

    .. versionadded:: 0.9

    This corresponds to an email address. For example, ``user@example.com``.

    .. attribute:: value

        :type: :term:`text`

.. class:: DNSName

    .. versionadded:: 0.9

    This corresponds to a domain name. For example, ``cryptography.io``.

    .. attribute:: value

        :type: :term:`text`

.. class:: DirectoryName

    .. versionadded:: 0.9

    This corresponds to a directory name.

    .. attribute:: value

        :type: :class:`Name`

.. class:: UniformResourceIdentifier

    .. versionadded:: 0.9

    This corresponds to a uniform resource identifier.  For example,
    ``https://cryptography.io``. The URI is parsed and IDNA decoded (see
    :rfc:`5895`).

    .. note::

        URIs that do not contain ``://`` in them will not be decoded.

    .. attribute:: value

        :type: :term:`text`

.. class:: IPAddress

    .. versionadded:: 0.9

    This corresponds to an IP address.

    .. attribute:: value

        :type: :class:`~ipaddress.IPv4Address`,
            :class:`~ipaddress.IPv6Address`,  :class:`~ipaddress.IPv4Network`,
            or :class:`~ipaddress.IPv6Network`.

.. class:: RegisteredID

    .. versionadded:: 0.9

    This corresponds to a registered ID.

    .. attribute:: value

        :type: :class:`ObjectIdentifier`

.. class:: OtherName

    .. versionadded:: 1.0

    This corresponds to an ``otherName.``  An ``otherName`` has a type identifier and a value represented in binary DER format.

    .. attribute:: type_id

        :type: :class:`ObjectIdentifier`

    .. attribute:: value

        :type: `bytes`

X.509 Extensions
~~~~~~~~~~~~~~~~

.. class:: Extensions

    .. versionadded:: 0.9

    An X.509 Extensions instance is an ordered list of extensions.  The object
    is iterable to get every extension.

    .. method:: get_extension_for_oid(oid)

        :param oid: An :class:`ObjectIdentifier` instance.

        :returns: An instance of the extension class.

        :raises cryptography.x509.ExtensionNotFound: If the certificate does
            not have the extension requested.

        .. doctest::

            >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
            <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>

.. class:: Extension

    .. versionadded:: 0.9

    .. attribute:: oid

        :type: :class:`ObjectIdentifier`

        The :ref:`extension OID <extension_oids>`.

    .. attribute:: critical

        :type: bool

        Determines whether a given extension is critical or not. :rfc:`5280`
        requires that "A certificate-using system MUST reject the certificate
        if it encounters a critical extension it does not recognize or a
        critical extension that contains information that it cannot process".

    .. attribute:: value

        Returns an instance of the extension type corresponding to the OID.

.. class:: ExtensionType

    .. versionadded:: 1.0

    This is the interface against which all the following extension types are
    registered.

.. class:: KeyUsage

    .. versionadded:: 0.9

    The key usage extension defines the purpose of the key contained in the
    certificate.  The usage restriction might be employed when a key that could
    be used for more than one operation is to be restricted.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_KEY_USAGE`.

    .. attribute:: digital_signature

        :type: bool

        This purpose is set to true when the subject public key is used for verifying
        digital signatures, other than signatures on certificates
        (``key_cert_sign``) and CRLs (``crl_sign``).

    .. attribute:: content_commitment

        :type: bool

        This purpose is set to true when the subject public key is used for verifying
        digital signatures, other than signatures on certificates
        (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a
        non-repudiation service that protects against the signing entity
        falsely denying some action. In the case of later conflict, a
        reliable third party may determine the authenticity of the signed
        data. This was called ``non_repudiation`` in older revisions of the
        X.509 specification.

    .. attribute:: key_encipherment

        :type: bool

        This purpose is set to true when the subject public key is used for
        enciphering private or secret keys.

    .. attribute:: data_encipherment

        :type: bool

        This purpose is set to true when the subject public key is used for
        directly enciphering raw user data without the use of an intermediate
        symmetric cipher.

    .. attribute:: key_agreement

        :type: bool

        This purpose is set to true when the subject public key is used for key
        agreement.  For example, when a Diffie-Hellman key is to be used for
        key management, then this purpose is set to true.

    .. attribute:: key_cert_sign

        :type: bool

        This purpose is set to true when the subject public key is used for
        verifying signatures on public key certificates. If this purpose is set
        to true then ``ca`` must be true in the :class:`BasicConstraints`
        extension.

    .. attribute:: crl_sign

        :type: bool

        This purpose is set to true when the subject public key is used for
        verifying signatures on certificate revocation lists.

    .. attribute:: encipher_only

        :type: bool

        When this purposes is set to true and the ``key_agreement`` purpose is
        also set, the subject public key may be used only for enciphering data
        while performing key agreement.

        :raises ValueError: This is raised if accessed when ``key_agreement``
            is false.

    .. attribute:: decipher_only

        :type: bool

        When this purposes is set to true and the ``key_agreement`` purpose is
        also set, the subject public key may be used only for deciphering data
        while performing key agreement.

        :raises ValueError: This is raised if accessed when ``key_agreement``
            is false.


.. class:: BasicConstraints

    .. versionadded:: 0.9

    Basic constraints is an X.509 extension type that defines whether a given
    certificate is allowed to sign additional certificates and what path
    length restrictions may exist.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_BASIC_CONSTRAINTS`.

    .. attribute:: ca

        :type: bool

        Whether the certificate can sign certificates.

    .. attribute:: path_length

        :type: int or None

        The maximum path length for certificates subordinate to this
        certificate. This attribute only has meaning if ``ca`` is true.
        If ``ca`` is true then a path length of None means there's no
        restriction on the number of subordinate CAs in the certificate chain.
        If it is zero or greater then it defines the maximum length for a
        subordinate CA's certificate chain. For example, a ``path_length`` of 1
        means the certificate can sign a subordinate CA, but the subordinate CA
        is not allowed to create subordinates with ``ca`` set to true.

.. class:: ExtendedKeyUsage

    .. versionadded:: 0.9

    This extension indicates one or more purposes for which the certified
    public key may be used, in addition to or in place of the basic
    purposes indicated in the key usage extension. The object is
    iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_EXTENDED_KEY_USAGE`.


.. class:: OCSPNoCheck

    .. versionadded:: 1.0

    This presence of this extension indicates that an OCSP client can trust a
    responder for the lifetime of the responder's certificate. CAs issuing
    such a certificate should realize that a compromise of the responder's key
    is as serious as the compromise of a CA key used to sign CRLs, at least for
    the validity period of this certificate. CA's may choose to issue this type
    of certificate with a very short lifetime and renew it frequently. This
    extension is only relevant when the certificate is an authorized OCSP
    responder.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_OCSP_NO_CHECK`.

.. class:: NameConstraints

    .. versionadded:: 1.0

    The name constraints extension, which only has meaning in a CA certificate,
    defines a name space within which all subject names in certificates issued
    beneath the CA certificate must (or must not) be in. For specific details
    on the way this extension should be processed see :rfc:`5280`.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_NAME_CONSTRAINTS`.

    .. attribute:: permitted_subtrees

        :type: list of :class:`GeneralName` objects or None

        The set of permitted name patterns. If a name matches this and an
        element in ``excluded_subtrees`` it is invalid. At least one of
        ``permitted_subtrees`` and ``excluded_subtrees`` will be non-None.

    .. attribute:: excluded_subtrees

        :type: list of :class:`GeneralName` objects or None

        Any name matching a restriction in the ``excluded_subtrees`` field is
        invalid regardless of information appearing in the
        ``permitted_subtrees``. At least one of ``permitted_subtrees`` and
        ``excluded_subtrees`` will be non-None.

.. class:: AuthorityKeyIdentifier

    .. versionadded:: 0.9

    The authority key identifier extension provides a means of identifying the
    public key corresponding to the private key used to sign a certificate.
    This extension is typically used to assist in determining the appropriate
    certificate chain. For more information about generation and use of this
    extension see `RFC 5280 section 4.2.1.1`_.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_AUTHORITY_KEY_IDENTIFIER`.

    .. attribute:: key_identifier

        :type: bytes

        A value derived from the public key used to verify the certificate's
        signature.

    .. attribute:: authority_cert_issuer

        :type: :class:`Name` or None

        The :class:`Name` of the issuer's issuer.

    .. attribute:: authority_cert_serial_number

        :type: int or None

        The serial number of the issuer's issuer.

    .. classmethod:: from_issuer_public_key(public_key)

        .. versionadded:: 1.0

        Creates a new AuthorityKeyIdentifier instance using the public key
        provided to generate the appropriate digest. This should be the
        **issuer's public key**. The resulting object will contain
        :attr:`~cryptography.x509.AuthorityKeyIdentifier.key_identifier`, but
        :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_issuer`
        and
        :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_serial_number`
        will be None.
        The generated ``key_identifier`` is the SHA1 hash of the ``subjectPublicKey``
        ASN.1 bit string. This is the first recommendation in :rfc:`5280`
        section 4.2.1.2.

        :param public_key: One of
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
            ,
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
            , or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.

        .. doctest::

            >>> from cryptography import x509
            >>> from cryptography.hazmat.backends import default_backend
            >>> issuer_cert = x509.load_pem_x509_certificate(pem_data, default_backend())
            >>> x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_cert.public_key())
            <AuthorityKeyIdentifier(key_identifier='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9', authority_cert_issuer=None, authority_cert_serial_number=None)>

.. class:: SubjectKeyIdentifier

    .. versionadded:: 0.9

    The subject key identifier extension provides a means of identifying
    certificates that contain a particular public key.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_SUBJECT_KEY_IDENTIFIER`.

    .. attribute:: digest

        :type: bytes

        The binary value of the identifier.

    .. classmethod:: from_public_key(public_key)

        .. versionadded:: 1.0

        Creates a new SubjectKeyIdentifier instance using the public key
        provided to generate the appropriate digest. This should be the public
        key that is in the certificate. The generated digest is the SHA1 hash
        of the ``subjectPublicKey`` ASN.1 bit string. This is the first
        recommendation in :rfc:`5280` section 4.2.1.2.

        :param public_key: One of
            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
            ,
            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
            , or
            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.

        .. doctest::

            >>> from cryptography import x509
            >>> from cryptography.hazmat.backends import default_backend
            >>> csr = x509.load_pem_x509_csr(pem_req_data, default_backend())
            >>> x509.SubjectKeyIdentifier.from_public_key(csr.public_key())
            <SubjectKeyIdentifier(digest='\xdb\xaa\xf0\x06\x11\xdbD\xfe\xbf\x93\x03\x8av\x88WP7\xa6\x91\xf7')>

.. class:: SubjectAlternativeName

    .. versionadded:: 0.9

    Subject alternative name is an X.509 extension that provides a list of
    :ref:`general name <general_name_classes>` instances that provide a set
    of identities for which the certificate is valid. The object is iterable to
    get every element.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_SUBJECT_ALTERNATIVE_NAME`.

    .. method:: get_values_for_type(type)

        :param type: A :class:`GeneralName` provider. This is one of the
            :ref:`general name classes <general_name_classes>`.

        :returns: A list of values extracted from the matched general names.
            The type of the returned values depends on the :class:`GeneralName`.

        .. doctest::

            >>> from cryptography import x509
            >>> from cryptography.hazmat.backends import default_backend
            >>> from cryptography.hazmat.primitives import hashes
            >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem, default_backend())
            >>> # Get the subjectAltName extension from the certificate
            >>> ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME)
            >>> # Get the dNSName entries from the SAN extension
            >>> ext.value.get_values_for_type(x509.DNSName)
            [u'www.cryptography.io', u'cryptography.io']


.. class:: IssuerAlternativeName

    .. versionadded:: 1.0

    Issuer alternative name is an X.509 extension that provides a list of
    :ref:`general name <general_name_classes>` instances that provide a set
    of identities for the certificate issuer. The object is iterable to
    get every element.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_ISSUER_ALTERNATIVE_NAME`.

    .. method:: get_values_for_type(type)

        :param type: A :class:`GeneralName` provider. This is one of the
            :ref:`general name classes <general_name_classes>`.

        :returns: A list of values extracted from the matched general names.


.. class:: AuthorityInformationAccess

    .. versionadded:: 0.9

    The authority information access extension indicates how to access
    information and services for the issuer of the certificate in which
    the extension appears. Information and services may include online
    validation services (such as OCSP) and issuer data. It is an iterable,
    containing one or more :class:`AccessDescription` instances.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_AUTHORITY_INFORMATION_ACCESS`.


.. class:: AccessDescription

    .. versionadded:: 0.9

    .. attribute:: access_method

        :type: :class:`ObjectIdentifier`

        The access method defines what the ``access_location`` means. It must
        be either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS`. If it is
        :data:`OID_OCSP` the access location will be where to obtain OCSP
        information for the certificate. If it is :data:`OID_CA_ISSUERS` the
        access location will provide additional information about the issuing
        certificate.

    .. attribute:: access_location

        :type: :class:`GeneralName`

        Where to access the information defined by the access method.

.. class:: CRLDistributionPoints

    .. versionadded:: 0.9

    The CRL distribution points extension identifies how CRL information is
    obtained. It is an iterable, containing one or more
    :class:`DistributionPoint` instances.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_CRL_DISTRIBUTION_POINTS`.

.. class:: DistributionPoint

    .. versionadded:: 0.9

    .. attribute:: full_name

        :type: list of :class:`GeneralName` instances or None

        This field describes methods to retrieve the CRL. At most one of
        ``full_name`` or ``relative_name`` will be non-None.

    .. attribute:: relative_name

        :type: :class:`Name` or None

        This field describes methods to retrieve the CRL relative to the CRL
        issuer. At most one of ``full_name`` or ``relative_name`` will be
        non-None.

    .. attribute:: crl_issuer

        :type: list of :class:`GeneralName` instances or None

        Information about the issuer of the CRL.

    .. attribute:: reasons

        :type: frozenset of :class:`ReasonFlags` or None

        The reasons a given distribution point may be used for when performing
        revocation checks.

.. class:: ReasonFlags

    .. versionadded:: 0.9

    An enumeration for CRL reasons.

    .. attribute:: unspecified

        It is unspecified why the certificate was revoked. This reason cannot
        be used as a reason flag in a :class:`DistributionPoint`.

    .. attribute:: key_compromise

        This reason indicates that the private key was compromised.

    .. attribute:: ca_compromise

        This reason indicates that the CA issuing the certificate was
        compromised.

    .. attribute:: affiliation_changed

        This reason indicates that the subject's name or other information has
        changed.

    .. attribute:: superseded

        This reason indicates that a certificate has been superseded.

    .. attribute:: cessation_of_operation

        This reason indicates that the certificate is no longer required.

    .. attribute:: certificate_hold

        This reason indicates that the certificate is on hold.

    .. attribute:: privilege_withdrawn

        This reason indicates that the privilege granted by this certificate
        have been withdrawn.

    .. attribute:: aa_compromise

        When an attribute authority has been compromised.

    .. attribute:: remove_from_crl

        This reason indicates that the certificate was on hold and should be
        removed from the CRL. This reason cannot be used as a reason flag
        in a :class:`DistributionPoint`.

.. class:: InhibitAnyPolicy

    .. versionadded:: 1.0

    The inhibit ``anyPolicy`` extension indicates that the special OID
    :data:`OID_ANY_POLICY`, is not considered an explicit match for other
    :class:`CertificatePolicies` except when it appears in an intermediate
    self-issued CA certificate.  The value indicates the number of additional
    non-self-issued certificates that may appear in the path before
    :data:`OID_ANY_POLICY` is no longer permitted.  For example, a value
    of one indicates that :data:`OID_ANY_POLICY` may be processed in
    certificates issued by the subject of this certificate, but not in
    additional certificates in the path.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_INHIBIT_ANY_POLICY`.

    .. attribute:: skip_certs

        :type: int

.. class:: CertificatePolicies

    .. versionadded:: 0.9

    The certificate policies extension is an iterable, containing one or more
    :class:`PolicyInformation` instances.

    .. attribute:: oid

        .. versionadded:: 1.0

        :type: :class:`ObjectIdentifier`

        Returns :data:`OID_CERTIFICATE_POLICIES`.

Certificate Policies Classes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These classes may be present within a :class:`CertificatePolicies` instance.

.. class:: PolicyInformation

    .. versionadded:: 0.9

    Contains a policy identifier and an optional list of qualifiers.

    .. attribute:: policy_identifier

        :type: :class:`ObjectIdentifier`

    .. attribute:: policy_qualifiers

        :type: list

        A list consisting of :term:`text` and/or :class:`UserNotice` objects.
        If the value is text it is a pointer to the practice statement
        published by the certificate authority. If it is a user notice it is
        meant for display to the relying party when the certificate is
        used.

.. class:: UserNotice

    .. versionadded:: 0.9

    User notices are intended for display to a relying party when a certificate
    is used. In practice, few if any UIs expose this data and it is a rarely
    encoded component.

    .. attribute:: notice_reference

        :type: :class:`NoticeReference` or None

        The notice reference field names an organization and identifies,
        by number, a particular statement prepared by that organization.

    .. attribute:: explicit_text

        This field includes an arbitrary textual statement directly in the
        certificate.

        :type: :term:`text`

.. class:: NoticeReference

    Notice reference can name an organization and provide information about
    notices related to the certificate. For example, it might identify the
    organization name and notice number 1. Application software could
    have a notice file containing the current set of notices for the named
    organization; the application would then extract the notice text from the
    file and display it. In practice this is rarely seen.

    .. versionadded:: 0.9

    .. attribute:: organization

        :type: :term:`text`

    .. attribute:: notice_numbers

        :type: list

        A list of integers.

Object Identifiers
~~~~~~~~~~~~~~~~~~

X.509 elements are frequently identified by :class:`ObjectIdentifier`
instances. The following common OIDs are available as constants.

Name OIDs
~~~~~~~~~

.. data:: OID_COMMON_NAME

    Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
    name would be encoded here for server certificates. :rfc:`2818` deprecates
    this practice and names of that type should now be located in a
    SubjectAlternativeName extension. This OID is typically seen in X.509 names.

.. data:: OID_COUNTRY_NAME

    Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
    in X.509 names.

.. data:: OID_LOCALITY_NAME

    Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
    in X.509 names.

.. data:: OID_STATE_OR_PROVINCE_NAME

    Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
    in X.509 names.

.. data:: OID_ORGANIZATION_NAME

    Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
    in X.509 names.

.. data:: OID_ORGANIZATIONAL_UNIT_NAME

    Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
    in X.509 names.

.. data:: OID_SERIAL_NUMBER

    Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
    serial number of the certificate itself (which can be obtained with
    :func:`Certificate.serial`). This OID is typically seen in X.509 names.

.. data:: OID_SURNAME

    Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
    in X.509 names.

.. data:: OID_GIVEN_NAME

    Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
    in X.509 names.

.. data:: OID_TITLE

    Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
    in X.509 names.

.. data:: OID_GENERATION_QUALIFIER

    Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
    in X.509 names.

.. data:: OID_DN_QUALIFIER

    Corresponds to the dotted string ``"2.5.4.46"``. This specifies
    disambiguating information to add to the relative distinguished name of an
    entry. See :rfc:`2256`. This OID is typically seen in X.509 names.

.. data:: OID_PSEUDONYM

    Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
    in X.509 names.

.. data:: OID_DOMAIN_COMPONENT

    Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
    holding one component of a domain name. See :rfc:`4519`. This OID is
    typically seen in X.509 names.

.. data:: OID_EMAIL_ADDRESS

    Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
    typically seen in X.509 names.

Signature Algorithm OIDs
~~~~~~~~~~~~~~~~~~~~~~~~

.. data:: OID_RSA_WITH_MD5

    Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
    an MD5 digest signed by an RSA key.

.. data:: OID_RSA_WITH_SHA1

    Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
    a SHA1 digest signed by an RSA key.

.. data:: OID_RSA_WITH_SHA224

    Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
    a SHA224 digest signed by an RSA key.

.. data:: OID_RSA_WITH_SHA256

    Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
    a SHA256 digest signed by an RSA key.

.. data:: OID_RSA_WITH_SHA384

    Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
    a SHA384 digest signed by an RSA key.

.. data:: OID_RSA_WITH_SHA512

    Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
    a SHA512 digest signed by an RSA key.

.. data:: OID_ECDSA_WITH_SHA1

    Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1
    digest signed by an ECDSA key.

.. data:: OID_ECDSA_WITH_SHA224

    Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
    a SHA224 digest signed by an ECDSA key.

.. data:: OID_ECDSA_WITH_SHA256

    Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
    a SHA256 digest signed by an ECDSA key.

.. data:: OID_ECDSA_WITH_SHA384

    Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
    a SHA384 digest signed by an ECDSA key.

.. data:: OID_ECDSA_WITH_SHA512

    Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
    a SHA512 digest signed by an ECDSA key.

.. data:: OID_DSA_WITH_SHA1

    Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
    a SHA1 digest signed by a DSA key.

.. data:: OID_DSA_WITH_SHA224

    Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
    a SHA224 digest signed by a DSA key.

.. data:: OID_DSA_WITH_SHA256

    Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
    a SHA256 digest signed by a DSA key.

.. _eku_oids:

Extended Key Usage OIDs
~~~~~~~~~~~~~~~~~~~~~~~

.. data:: OID_SERVER_AUTH

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to
    denote that a certificate may be used for TLS web server authentication.

.. data:: OID_CLIENT_AUTH

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to
    denote that a certificate may be used for TLS web client authentication.

.. data:: OID_CODE_SIGNING

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to
    denote that a certificate may be used for code signing.

.. data:: OID_EMAIL_PROTECTION

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to
    denote that a certificate may be used for email protection.

.. data:: OID_TIME_STAMPING

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to
    denote that a certificate may be used for time stamping.

.. data:: OID_OCSP_SIGNING

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to
    denote that a certificate may be used for signing OCSP responses.

Authority Information Access OIDs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. data:: OID_OCSP

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the
    identifier for OCSP data in :class:`AccessDescription` objects.

.. data:: OID_CA_ISSUERS

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the
    identifier for CA issuer data in :class:`AccessDescription` objects.

Policy Qualifier OIDs
~~~~~~~~~~~~~~~~~~~~~

.. data:: OID_CPS_QUALIFIER

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``.

.. data:: OID_CPS_USER_NOTICE

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``.

.. data:: OID_ANY_POLICY

    Corresponds to the dotted string ``"2.5.29.32.0"``.

.. _extension_oids:

Extension OIDs
~~~~~~~~~~~~~~

.. data:: OID_BASIC_CONSTRAINTS

    Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
    :class:`BasicConstraints` extension type.

.. data:: OID_KEY_USAGE

    Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
    :class:`KeyUsage` extension type.

.. data:: OID_SUBJECT_ALTERNATIVE_NAME

    Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the
    :class:`SubjectAlternativeName` extension type.

.. data:: OID_ISSUER_ALTERNATIVE_NAME

    Corresponds to the dotted string ``"2.5.29.18"``. The identifier for the
    :class:`IssuerAlternativeName` extension type.

.. data:: OID_SUBJECT_KEY_IDENTIFIER

    Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the
    :class:`SubjectKeyIdentifier` extension type.

.. data:: OID_NAME_CONSTRAINTS

    Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the
    :class:`NameConstraints` extension type.

.. data:: OID_CRL_DISTRIBUTION_POINTS

    Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the
    :class:`CRLDistributionPoints` extension type.

.. data:: OID_CERTIFICATE_POLICIES

    Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the
    :class:`CertificatePolicies` extension type.

.. data:: OID_AUTHORITY_KEY_IDENTIFIER

    Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the
    :class:`AuthorityKeyIdentifier` extension type.

.. data:: OID_EXTENDED_KEY_USAGE

    Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the
    :class:`ExtendedKeyUsage` extension type.

.. data:: OID_AUTHORITY_INFORMATION_ACCESS

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier
    for the :class:`AuthorityInformationAccess` extension type.

.. data:: OID_INHIBIT_ANY_POLICY

    Corresponds to the dotted string ``"2.5.29.54"``. The identifier
    for the :class:`InhibitAnyPolicy` extension type.

.. data:: OID_OCSP_NO_CHECK

    Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier
    for the :class:`OCSPNoCheck` extension type.

Exceptions
~~~~~~~~~~

.. class:: InvalidVersion

    This is raised when an X.509 certificate has an invalid version number.

    .. attribute:: parsed_version

        :type: int

        Returns the raw version that was parsed from the certificate.

.. class:: DuplicateExtension

    This is raised when more than one X.509 extension of the same type is
    found within a certificate.

    .. attribute:: oid

        :type: :class:`ObjectIdentifier`

        Returns the OID.

.. class:: UnsupportedExtension

    This is raised when a certificate contains an unsupported extension type.

    .. attribute:: oid

        :type: :class:`ObjectIdentifier`

        Returns the OID.

.. class:: ExtensionNotFound

    This is raised when calling :meth:`Extensions.get_extension_for_oid` with
    an extension OID that is not present in the certificate.

    .. attribute:: oid

        :type: :class:`ObjectIdentifier`

        Returns the OID.

.. class:: UnsupportedGeneralNameType

    This is raised when a certificate contains an unsupported general name
    type in an extension.

    .. attribute:: type

        :type: int

        The integer value of the unsupported type. The complete list of
        types can be found in `RFC 5280 section 4.2.1.6`_.


.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-15 08:55:53 +0000