aboutsummaryrefslogtreecommitdiffstats
path: root/docs
diff options
context:
space:
mode:
authorMarko Kreen <markokr@gmail.com>2019-09-09 02:44:02 +0300
committerPaul Kehrer <paul.l.kehrer@gmail.com>2019-09-09 07:44:02 +0800
commitf7c77712d6611dc72cb2ef6fb1fe72fee4ab88de (patch)
tree7ff0841b1c2e9b29737874ff76c215de50ce0ee0 /docs
parentc918fef88670fc46433d3edd91957231c654ff05 (diff)
downloadcryptography-f7c77712d6611dc72cb2ef6fb1fe72fee4ab88de.tar.gz
cryptography-f7c77712d6611dc72cb2ef6fb1fe72fee4ab88de.tar.bz2
cryptography-f7c77712d6611dc72cb2ef6fb1fe72fee4ab88de.zip
Finish ed25519 and ed448 support in x509 module (#4972)
* Support ed25519 in csr/crl creation * Tests for ed25519/x509 * Support ed448 in crt/csr/crl creation * Tests for ed448/x509 * Support ed25519/ed448 in OCSPResponseBuilder * Tests for eddsa in OCSPResponseBuilder * Builder check missing in create_x509_csr * Documentation update for ed25519+ed448 in x509
Diffstat (limited to 'docs')
-rw-r--r--docs/development/test-vectors.rst6
-rw-r--r--docs/x509/ocsp.rst22
-rw-r--r--docs/x509/reference.rst103
3 files changed, 94 insertions, 37 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 7584881a..9976d138 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -244,6 +244,9 @@ X.509
* ``server-ed25519-cert.pem`` - An ``ed25519`` server certificate (RSA
signature with ``ed25519`` public key) from the OpenSSL test suite.
(`server-ed25519-cert.pem`_)
+* ``server-ed448-cert.pem`` - An ``ed448`` server certificate (RSA
+ signature with ``ed448`` public key) from the OpenSSL test suite.
+ (`server-ed448-cert.pem`_)
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
@@ -404,6 +407,8 @@ Custom X.509 Vectors
* ``negative_serial.pem`` - A certificate with a serial number that is a
negative number.
* ``rsa_pss.pem`` - A certificate with an RSA PSS signature.
+* ``root-ed448.pem`` - An ``ed448`` self-signed CA certificate
+ using ``ed448-pkcs8.pem`` as key.
Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -703,3 +708,4 @@ header format (substituting the correct information):
.. _`Botan's key wrap vectors`: https://github.com/randombit/botan/blob/737f33c09a18500e044dca3e2ae13bd2c08bafdd/src/tests/data/keywrap/nist_key_wrap.vec
.. _`root-ed25519.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/root-ed25519.pem
.. _`server-ed25519-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed25519-cert.pem
+.. _`server-ed448-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed448-cert.pem
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst
index d3815d6f..e28c05a7 100644
--- a/docs/x509/ocsp.rst
+++ b/docs/x509/ocsp.rst
@@ -292,14 +292,23 @@ Creating Responses
:attr:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` response.
:param private_key: The
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
- or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
that will be used to sign the certificate.
:param algorithm: The
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that
- will be used to generate the signature.
+ will be used to generate the signature. This must be ``None`` if
+ the ``private_key`` is an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`
+ or an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
+ and an instance of a
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ otherwise.
:returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`.
@@ -434,7 +443,10 @@ Interfaces
Returns the
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
- was used in signing this response.
+ was used in signing this response. Can be ``None`` if signature
+ did not use separate hash
+ (:attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED25519`,
+ :attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED448`).
.. attribute:: signature
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 7156ab8c..46cc0d27 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -335,11 +335,12 @@ X.509 Certificate Object
The public key associated with the certificate.
- :returns:
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey`
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`
.. doctest::
@@ -394,7 +395,10 @@ X.509 Certificate Object
Returns the
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
- was used in signing this certificate.
+ was used in signing this certificate. Can be ``None`` if signature
+ did not use separate hash
+ (:attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED25519`,
+ :attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED448`).
.. doctest::
@@ -552,7 +556,10 @@ X.509 CRL (Certificate Revocation List) Object
Returns the
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
- was used in signing this CRL.
+ was used in signing this CRL. Can be ``None`` if signature
+ did not use separate hash
+ (:attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED25519`,
+ :attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED448`).
.. doctest::
@@ -729,9 +736,9 @@ X.509 Certificate Builder
:param public_key: The subject's public key. This can be one of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
- or
- :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey`
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`.
.. method:: serial_number(serial_number)
@@ -785,9 +792,9 @@ X.509 Certificate Builder
:param private_key: The
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
- , or
- :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
that will be used to sign the certificate.
:param algorithm: The
@@ -795,6 +802,8 @@ X.509 Certificate Builder
will be used to generate the signature. This must be ``None`` if
the ``private_key`` is an
:class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`
+ or an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
and an instance of a
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
otherwise.
@@ -818,10 +827,12 @@ X.509 CSR (Certificate Signing Request) Object
The public key associated with the request.
- :returns:
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`.
.. doctest::
@@ -842,7 +853,10 @@ X.509 CSR (Certificate Signing Request) Object
Returns the
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
- was used in signing this request.
+ was used in signing this request. Can be ``None`` if signature
+ did not use separate hash
+ (:attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED25519`,
+ :attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED448`).
.. doctest::
@@ -1010,13 +1024,22 @@ X.509 Certificate Revocation List Builder
:param private_key: The
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
that will be used to sign the certificate.
:param algorithm: The
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that
will be used to generate the signature.
+ This must be ``None`` if the ``private_key`` is an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`
+ or an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
+ and an instance of a
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ otherwise.
:param backend: Backend that will be used to build the CRL.
Must support the
@@ -1182,8 +1205,10 @@ X.509 CSR (Certificate Signing Request) Builder Object
:param private_key: The
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
that will be used to sign the request. When the request is
signed by a certificate authority, the private key's associated
public key will be stored in the resulting certificate.
@@ -1191,6 +1216,13 @@ X.509 CSR (Certificate Signing Request) Builder Object
:param algorithm: The
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
that will be used to generate the request signature.
+ This must be ``None`` if the ``private_key`` is an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`
+ or an
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`
+ and an instance of a
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ otherwise.
:returns: A new
:class:`~cryptography.x509.CertificateSigningRequest`.
@@ -1863,11 +1895,11 @@ X.509 Extensions
section 4.2.1.2.
:param public_key: One of
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
- ,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
- , or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`.
.. doctest::
@@ -1941,11 +1973,11 @@ X.509 Extensions
recommendation in :rfc:`5280` section 4.2.1.2.
:param public_key: One of
- :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
- ,
- :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
- , or
- :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`.
.. doctest::
@@ -2853,6 +2885,13 @@ instances. The following common OIDs are available as constants.
Corresponds to the dotted string ``"1.3.101.112"``. This is a signature
using an ed25519 key.
+ .. attribute:: ED448
+
+ .. versionadded:: 2.8
+
+ Corresponds to the dotted string ``"1.3.101.113"``. This is a signature
+ using an ed448 key.
+
.. class:: ExtendedKeyUsageOID
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-07 05:00:39 +0000