Merge pull request #2572 from reaperhulk/crlbuilder-add-revoked-certificate

support revoked certificates in CertificateRevocationListBuilder

1 files changed, 17 insertions, 2 deletions

diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 8d8bda4b..e02d4b20 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -788,12 +788,18 @@ X.509 Certificate Revocation List Builder
         ... ]))
         >>> builder = builder.last_update(datetime.datetime.today())
         >>> builder = builder.next_update(datetime.datetime.today() + one_day)
+        >>> revoked_cert = x509.RevokedCertificateBuilder().serial_number(
+        ...     333
+        ... ).revocation_date(
+        ...     datetime.datetime.today()
+        ... ).build(default_backend())
+        >>> builder = builder.add_revoked_certificate(revoked_cert)
         >>> crl = builder.sign(
         ...     private_key=private_key, algorithm=hashes.SHA256(),
         ...     backend=default_backend()
         ... )
-        >>> isinstance(crl, x509.CertificateRevocationList)
-        True
+        >>> len(crl)
+        1
 
     .. method:: issuer_name(name)
 
@@ -832,6 +838,15 @@ X.509 Certificate Revocation List Builder
         :param critical: Set to ``True`` if the extension must be understood and
              handled by whoever reads the CRL.
 
+    .. method:: add_revoked_certificate(revoked_certificate)
+
+        Adds a revoked certificate to this CRL.
+
+        :param revoked_certificate: An instance of
+            :class:`~cryptography.x509.RevokedCertificate`. These can be
+            obtained from an existing CRL or created with
+            :class:`~cryptography.x509.RevokedCertificateBuilder`.
+
     .. method:: sign(private_key, algorithm, backend)
 
         Sign this CRL using the CA's private key.