diff options
| -rw-r--r-- | docs/x509.rst | 22 | ||||
| -rw-r--r-- | src/cryptography/x509.py | 26 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 25 |
3 files changed, 73 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst index d355edc7..594cd81d 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -930,6 +930,24 @@ X.509 Extensions removed from the CRL. This reason cannot be used as a reason flag in a :class:`DistributionPoint`. +.. class:: InhibitAnyPolicy + + .. versionadded:: 1.0 + + The inhibit ``anyPolicy`` extension indicates that the special OID + :data:`OID_ANY_POLICY`, is not considered an explicit match for other + :class:`CertificatePolicies` except when it appears in an intermediate + self-issued CA certificate. The value indicates the number of additional + non-self-issued certificates that may appear in the path before + :data:`OID_ANY_POLICY` is no longer permitted. For example, a value + of one indicates that :data:`OID_ANY_POLICY` may be processed in + certificates issued by the subject of this certificate, but not in + additional certificates in the path. + + .. attribute:: skip_certs + + :type: int + .. class:: CertificatePolicies .. versionadded:: 0.9 @@ -1221,6 +1239,10 @@ Policy Qualifier OIDs Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. +.. data:: OID_ANY_POLICY + + Corresponds to the dotted string ``"2.5.29.32.0"``. + .. _extension_oids: Extension OIDs diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index e6d19ae7..b11c7949 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -785,6 +785,31 @@ class ReasonFlags(Enum): remove_from_crl = "removeFromCRL" +class InhibitAnyPolicy(object): + def __init__(self, skip_certs): + if not isinstance(skip_certs, six.integer_types): + raise TypeError("skip_certs must be an integer") + + if skip_certs < 0: + raise ValueError("skip_certs must be a non-negative integer") + + self._skip_certs = skip_certs + + def __repr__(self): + return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self) + + def __eq__(self, other): + if not isinstance(other, InhibitAnyPolicy): + return NotImplemented + + return self.skip_certs == other.skip_certs + + def __ne__(self, other): + return not self == other + + skip_certs = utils.read_only_property("_skip_certs") + + @six.add_metaclass(abc.ABCMeta) class GeneralName(object): @abc.abstractproperty @@ -1090,6 +1115,7 @@ OID_OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1") OID_CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1") OID_CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2") +OID_ANY_POLICY = ObjectIdentifier("2.5.29.32.0") @six.add_metaclass(abc.ABCMeta) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 20a016b6..0405b798 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2271,3 +2271,28 @@ class TestCRLDistributionPointsExtension(object): )], ) ]) + + +class TestInhibitAnyPolicy(object): + def test_not_int(self): + with pytest.raises(TypeError): + x509.InhibitAnyPolicy("notint") + + def test_negative_int(self): + with pytest.raises(ValueError): + x509.InhibitAnyPolicy(-1) + + def test_repr(self): + iap = x509.InhibitAnyPolicy(0) + assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>" + + def test_eq(self): + iap = x509.InhibitAnyPolicy(1) + iap2 = x509.InhibitAnyPolicy(1) + assert iap == iap2 + + def test_ne(self): + iap = x509.InhibitAnyPolicy(1) + iap2 = x509.InhibitAnyPolicy(4) + assert iap != iap2 + assert iap != object() |