AuthorityKeyIdentifier support

3 files changed, 107 insertions, 0 deletions

diff --git a/docs/x509.rst b/docs/x509.rst
index e0e05b6b..932801bd 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -652,6 +652,25 @@ X.509 Extensions
     purposes indicated in the key usage extension. The object is
     iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
 
+.. class:: AuthorityKeyIdentifier
+
+    .. versionadded:: 0.9
+
+    The authority key identifier extension provides a means of identifying the
+    public key corresponding to the private key used to sign a certificate.
+
+    .. attribute:: key_identifier
+
+        :type: bytes
+
+    .. attribute:: authority_cert_issuer
+
+        :type: :class:`Name` or None
+
+    .. attribute:: authority_cert_serial_number
+
+        :type: int or None
+
 .. class:: SubjectKeyIdentifier
 
     .. versionadded:: 0.9
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 55b17460..cdc0e430 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -557,6 +557,43 @@ class SubjectAlternativeName(object):
         return "<SubjectAlternativeName({0})>".format(self._general_names)
 
 
+class AuthorityKeyIdentifier(object):
+    def __init__(self, key_identifier, authority_cert_issuer,
+                 authority_cert_serial_number):
+        if authority_cert_issuer or authority_cert_serial_number:
+            if not authority_cert_issuer or not authority_cert_serial_number:
+                raise ValueError(
+                    "authority_cert_issuer and authority_cert_serial_number "
+                    "must both be present or both None"
+                )
+
+            if not isinstance(authority_cert_issuer, Name):
+                raise TypeError("authority_cert_issuer must be a Name")
+
+            if not isinstance(authority_cert_serial_number, six.integer_types):
+                raise TypeError(
+                    "authority_cert_serial_number must be an integer"
+                )
+
+        self._key_identifier = key_identifier
+        self._authority_cert_issuer = authority_cert_issuer
+        self._authority_cert_serial_number = authority_cert_serial_number
+
+    def __repr__(self):
+        return (
+            "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
+            "authority_cert_issuer={0.authority_cert_issuer}, "
+            "authority_cert_serial_number={0.authority_cert_serial_number}"
+            ")>".format(self)
+        )
+
+    key_identifier = utils.read_only_property("_key_identifier")
+    authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
+    authority_cert_serial_number = utils.read_only_property(
+        "_authority_cert_serial_number"
+    )
+
+
 OID_COMMON_NAME = ObjectIdentifier("2.5.4.3")
 OID_COUNTRY_NAME = ObjectIdentifier("2.5.4.6")
 OID_LOCALITY_NAME = ObjectIdentifier("2.5.4.7")
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 4811541f..8516a339 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -220,6 +220,57 @@ class TestSubjectKeyIdentifier(object):
         assert ski != object()
 
 
+class TestAuthorityKeyIdentifier(object):
+    def test_authority_cert_issuer_not_name(self):
+        with pytest.raises(TypeError):
+            x509.AuthorityKeyIdentifier(b"identifier", "notname", 3)
+
+    def test_authority_cert_serial_number_not_integer(self):
+        name = x509.Name([
+            x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
+            x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
+        ])
+        with pytest.raises(TypeError):
+            x509.AuthorityKeyIdentifier(b"identifier", name, "notanint")
+
+    def test_authority_issuer_none_serial_not_none(self):
+        with pytest.raises(ValueError):
+            x509.AuthorityKeyIdentifier(b"identifier", None, 3)
+
+    def test_authority_issuer_not_none_serial_none(self):
+        name = x509.Name([
+            x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
+            x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
+        ])
+        with pytest.raises(ValueError):
+            x509.AuthorityKeyIdentifier(b"identifier", name, None)
+
+    def test_authority_cert_serial_and_issuer_none(self):
+        aki = x509.AuthorityKeyIdentifier(b"id", None, None)
+        assert aki.key_identifier == b"id"
+        assert aki.authority_cert_issuer is None
+        assert aki.authority_cert_serial_number is None
+
+    def test_repr(self):
+        name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
+        aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234)
+
+        if six.PY3:
+            assert repr(aki) == (
+                "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
+                "cert_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid="
+                "2.5.4.3, name=commonName)>, value='myCN')>])>, authority_cer"
+                "t_serial_number=1234)>"
+            )
+        else:
+            assert repr(aki) == (
+                "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
+                "rt_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5"
+                ".4.3, name=commonName)>, value='myCN')>])>, authority_cert_se"
+                "rial_number=1234)>"
+            )
+
+
 class TestBasicConstraints(object):
     def test_ca_not_boolean(self):
         with pytest.raises(TypeError):