author | Alex Gaynor <alex.gaynor@gmail.com> | 2015-06-21 22:32:59 -0400 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2015-06-21 22:32:59 -0400 |
commit | 9fd9c0c791b5418a919456dd4183a7fd9cdbc919 (patch) | |
tree | 61e093911cc23253cb52b15f066f63c186b231d2 /src | |
parent | d845ea04b86568e544106207636aa3a47ab82170 (diff) | |
parent | e0017be396df1a506b92ec1b669086dd02ca25b8 (diff) | |
Merge pull request #1974 from reaperhulk/name-constraints
add nameconstraints classes
Diffstat (limited to 'src')
-rw-r--r-- | src/cryptography/x509.py | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 2e2e8512..4dbe3da1 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -676,6 +676,58 @@ class SubjectKeyIdentifier(object):
 return not self == other


+class NameConstraints(object):
+ def __init__(self, permitted_subtrees, excluded_subtrees):
+ if permitted_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in permitted_subtrees
+ ):
+ raise TypeError(
+ "permitted_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(permitted_subtrees)
+
+ if excluded_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in excluded_subtrees
+ ):
+ raise TypeError(
+ "excluded_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(excluded_subtrees)
+
+ if permitted_subtrees is None and excluded_subtrees is None:
+ raise ValueError(
+ "At least one of permitted_subtrees and excluded_subtrees "
+ "must not be None"
+ )
+
+ self._permitted_subtrees = permitted_subtrees
+ self._excluded_subtrees = excluded_subtrees
+
+ def _validate_ip_name(self, tree):
+ if any(isinstance(name, IPAddress) and not isinstance(
+ name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)
+ ) for name in tree):
+ raise TypeError(
+ "IPAddress name constraints must be an IPv4Network or"
+ " IPv6Network object"
+ )
+
+ def __repr__(self):
+ return (
+ u"<NameConstraints(permitted_subtrees={0.permitted_subtrees}, "
+ u"excluded_subtrees={0.excluded_subtrees})>".format(self)
+ )
+
+ permitted_subtrees = utils.read_only_property("_permitted_subtrees")
+ excluded_subtrees = utils.read_only_property("_excluded_subtrees")
+
+
 class CRLDistributionPoints(object):
 def __init__(self, distribution_points):
 if not all( |
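Review bot: In `NameConstraints.__init__` each subtree argument is iterated twice (once by `all(isinstance(x, GeneralName) ...)`, once by `_validate_ip_name`) and then stored by reference, so a one-shot iterable such as a generator passes the `GeneralName` check, reaches the IP-network check already exhausted, and is stored exhausted; a caller-held list can also be mutated after validation. Materialising the argument before validating closes both gaps: `permitted_subtrees = list(permitted_subtrees)` and `excluded_subtrees = list(excluded_subtrees)` directly after the respective `is not None` tests. An empty sequence is accepted for either side as well, whereas RFC 5280 defines GeneralSubtrees as `SIZE (1..MAX)`, so raising `ValueError` on an empty list would stop a constraint that cannot be encoded from being constructed. The new class also defines no `__eq__`/`__ne__`, unlike `SubjectKeyIdentifier` whose `__ne__` tail is the hunk's leading context, so two equal constraint sets would presumably compare by identity.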