From bfac2d10305cf72d634e0e74a87fd08d4cd07257 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 19 Dec 2015 23:32:08 -0600 Subject: CertificateRevocationListBuilder RSA keys only. Currently does not support CRL extensions or CRLEntry extensions. --- docs/x509/reference.rst | 82 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) (limited to 'docs/x509/reference.rst') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 4f4ce4fa..0697e636 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -761,6 +761,88 @@ X.509 CSR (Certificate Signing Request) Object key embedded in the CSR). This data may be used to validate the CSR signature. +X.509 Certificate Revocation List Builder +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. class:: CertificateRevocationListBuilder + + .. versionadded:: 1.2 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.backends import default_backend + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.hazmat.primitives.asymmetric import rsa + >>> from cryptography.x509.oid import NameOID + >>> import datetime + >>> one_day = datetime.timedelta(1, 0, 0) + >>> private_key = rsa.generate_private_key( + ... public_exponent=65537, + ... key_size=2048, + ... backend=default_backend() + ... ) + >>> builder = x509.CertificateRevocationListBuilder() + >>> builder = builder.issuer_name(x509.Name([ + ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io CA'), + ... ])) + >>> builder = builder.last_update(datetime.datetime.today()) + >>> builder = builder.next_update(datetime.datetime.today() + one_day) + >>> crl = builder.sign( + ... private_key=private_key, algorithm=hashes.SHA256(), + ... backend=default_backend() + ... ) + >>> isinstance(crl, x509.CertificateRevocationList) + True + + .. method:: issuer_name(name) + + Sets the issuer's distinguished name. + + :param name: The :class:`~cryptography.x509.Name` that describes the + issuer (CA). + + .. method:: last_update(time) + + Sets the CRL's activation time. This is the time from which + clients can start trusting the CRL. It may be different from + the time at which the CRL was created. This is also known as the + ``thisUpdate`` time. + + :param time: The :class:`datetime.datetime` object (in UTC) that marks the + activation time for the CRL. The CRL may not be trusted if it is + used before this time. + + .. method:: next_update(time) + + Sets the CRL's next update time. This is the time by which + a new CRL will be issued. The next CRL could be issued before this + , but it will not be issued any later than the indicated date. + + :param time: The :class:`datetime.datetime` object (in UTC) that marks the + next update time for the CRL. + + .. method:: sign(private_key, algorithm, backend) + + Sign the CRL using the CA's private key. + + :param private_key: The + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` + that will be used to sign the certificate. + + :param algorithm: The + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that + will be used to generate the signature. + + :param backend: Backend that will be used to build the CRL. + Must support the + :class:`~cryptography.hazmat.backends.interfaces.X509Backend` + interface. + + :returns: :class:`~cryptography.x509.CertificateRevocationList` + X.509 Revoked Certificate Object ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 0325b9db79ac5f96edfee53b7b2f57eef6d7fc5b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 24 Dec 2015 19:19:59 -0600 Subject: update docs with review feedback --- docs/x509/reference.rst | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'docs/x509/reference.rst') diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 0697e636..859bc838 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -804,27 +804,27 @@ X.509 Certificate Revocation List Builder .. method:: last_update(time) - Sets the CRL's activation time. This is the time from which - clients can start trusting the CRL. It may be different from - the time at which the CRL was created. This is also known as the + Sets this CRL's activation time. This is the time from which + clients can start trusting this CRL. It may be different from + the time at which this CRL was created. This is also known as the ``thisUpdate`` time. - :param time: The :class:`datetime.datetime` object (in UTC) that marks the - activation time for the CRL. The CRL may not be trusted if it is - used before this time. + :param time: The :class:`datetime.datetime` object (in UTC) that marks + the activation time for this CRL. The CRL may not be trusted if it + is used before this time. .. method:: next_update(time) - Sets the CRL's next update time. This is the time by which - a new CRL will be issued. The next CRL could be issued before this - , but it will not be issued any later than the indicated date. + Sets this CRL's next update time. This is the time by which + a new CRL will be issued. The CA is allowed to issue a new CRL before + this date, however clients are not required to check for it. - :param time: The :class:`datetime.datetime` object (in UTC) that marks the - next update time for the CRL. + :param time: The :class:`datetime.datetime` object (in UTC) that marks + the next update time for this CRL. .. method:: sign(private_key, algorithm, backend) - Sign the CRL using the CA's private key. + Sign this CRL using the CA's private key. :param private_key: The :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, -- cgit v1.2.3