From 61ff35662049f02da8d2c0f54ef6e84f97c14b1a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 11 Mar 2016 22:51:27 -0400 Subject: Add AuthorityKeyIdentifier.from_issuer_subject_key_identifier --- CHANGELOG.rst | 2 ++ docs/x509/reference.rst | 26 ++++++++++++++++++++++++++ src/cryptography/x509/extensions.py | 8 ++++++++ tests/test_x509_ext.py | 22 ++++++++++++++++++++++ 4 files changed, 58 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0bbbcde1..1c11f028 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -14,6 +14,8 @@ Changelog to :class:`~cryptography.x509.CertificateSigningRequest`. * Fixed an intermittent ``AssertionError`` when performing an RSA decryption on an invalid ciphertext, ``ValueError`` is now correctly raised in all cases. +* Added + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`. 1.2.3 - 2016-03-01 ~~~~~~~~~~~~~~~~~~ diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 67427ddb..1e8aebad 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -1568,6 +1568,32 @@ X.509 Extensions >>> x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_cert.public_key()) + .. classmethod:: from_issuer_subject_key_identifier(ski) + + .. versionadded:: 1.3 + + Creates a new AuthorityKeyIdentifier instance using the + SubjectKeyIdentifier from the issuer certificate. The resulting object + will contain + :attr:`~cryptography.x509.AuthorityKeyIdentifier.key_identifier`, but + :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_issuer` + and + :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_serial_number` + will be None. + + :param ski: The + :class:`~cryptography.x509.SubjectKeyIdentifier` from the issuer + certificate. + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.backends import default_backend + >>> issuer_cert = x509.load_pem_x509_certificate(pem_data, default_backend()) + >>> ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier) + >>> x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski) + + .. class:: SubjectKeyIdentifier(digest) .. versionadded:: 0.9 diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 0aa67212..87d2de1c 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -191,6 +191,14 @@ class AuthorityKeyIdentifier(object): authority_cert_serial_number=None ) + @classmethod + def from_issuer_subject_key_identifier(cls, ski): + return cls( + key_identifier=ski.value.digest, + authority_cert_issuer=None, + authority_cert_serial_number=None + ) + def __repr__(self): return ( " Date: Sat, 12 Mar 2016 09:27:55 -0400 Subject: add some notes about when to use these classmethods --- docs/x509/reference.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 1e8aebad..399d693a 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -1541,6 +1541,13 @@ X.509 Extensions .. versionadded:: 1.0 + .. note:: + + This method should be used if the issuer certificate does not + contain a :class:`~cryptography.x509.SubjectKeyIdentifier`. + Otherwise, use + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`. + Creates a new AuthorityKeyIdentifier instance using the public key provided to generate the appropriate digest. This should be the **issuer's public key**. The resulting object will contain @@ -1572,6 +1579,11 @@ X.509 Extensions .. versionadded:: 1.3 + .. note:: + This method should be used if the issuer certificate contains a + :class:`~cryptography.x509.SubjectKeyIdentifier`. Otherwise, use + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_public_key`. + Creates a new AuthorityKeyIdentifier instance using the SubjectKeyIdentifier from the issuer certificate. The resulting object will contain -- cgit v1.2.3