author Paul Kehrer <paul.l.kehrer@gmail.com> 2015-05-17 20:39:40 -0600
committer Paul Kehrer <paul.l.kehrer@gmail.com> 2015-06-21 21:09:44 -0500
commit e0017be396df1a506b92ec1b669086dd02ca25b8
tree 61e093911cc23253cb52b15f066f63c186b231d2 /docs
parent d845ea04b86568e544106207636aa3a47ab82170
add nameconstraints classes
Diffstat (limited to 'docs')
-rw-r--r-- docs/x509.rst 31
1 files changed, 31 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst
index ed7b8716..1e4efb4c 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -814,6 +814,32 @@ X.509 Extensions
extension is only relevant when the certificate is an authorized OCSP
responder.
+.. class:: NameConstraints
+
+ .. versionadded:: 1.0
+
+ The name constraints extension, which only has meaning in a CA certificate,
+ defines a name space within which all subject names in certificates issued
+ beneath the CA certificate must (or must not) be in. For specific details
+ on the way this extension should be processed see :rfc:`5280`.
+
+ .. attribute:: permitted_subtrees
+
+ :type: list of :class:`GeneralName` objects or None
+
+ The set of permitted name patterns. If a name matches this and an
+ element in ``excluded_subtrees`` it is invalid. At least one of
+ ``permitted_subtrees`` and ``excluded_subtrees`` will be non-None.
+
+ .. attribute:: excluded_subtrees
+
+ :type: list of :class:`GeneralName` objects or None
+
+ Any name matching a restriction in the ``excluded_subtrees`` field is
+ invalid regardless of information appearing in the
+ ``permitted_subtrees``. At least one of ``permitted_subtrees`` and
+ ``excluded_subtrees`` will be non-None.
+
.. class:: AuthorityKeyIdentifier
.. versionadded:: 0.9
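Review bot: the ``permitted_subtrees`` description never says what matching a permitted subtree means on its own; it only covers the case where a name also matches ``excluded_subtrees``. From this text a reader cannot tell whether a name that matches neither list is accepted or rejected when ``permitted_subtrees`` is set. Suggest stating the rule for a non-matching name directly, or pointing at :rfc:`5280` from the attribute as well, and then keeping the precedence sentence. Two smaller points: in the class description, "a name space within which all subject names ... must (or must not) be in" doubles the preposition, so the trailing "in" can go; and the sentence "At least one of ``permitted_subtrees`` and ``excluded_subtrees`` will be non-None" is repeated under both attributes and could be stated once in the class description.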
@@ -1369,6 +1395,11 @@ Extension OIDs
Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the
:class:`SubjectKeyIdentifier` extension type.
+.. data:: OID_NAME_CONSTRAINTS
+
+ Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the
+ :class:`NameConstraints` extension type.
+
.. data:: OID_CRL_DISTRIBUTION_POINTS
Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the
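Review bot: the ``OID_NAME_CONSTRAINTS`` entry has no ``.. versionadded:: 1.0``, although the ``NameConstraints`` class added in the same patch carries one. The neighbouring OID entries visible in the context have none either, so the entry is consistent with the file as it stands; if per-constant version markers are wanted, this is the place to add one.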