Diffstat (limited to 'docs')
-rw-r--r-- | docs/development/test-vectors.rst | 13 | ||||
-rw-r--r-- | docs/x509.rst | 23 |
2 files changed, 34 insertions, 2 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 6f61a7ee..4c0063b5 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -217,6 +217,19 @@ Custom X.509 Request Vectors * ``san_rsa_sha1.pem`` and ``san_rsa_sha1.der`` - Contain a certificate request using RSA and SHA1 with a subject alternative name extension generated using OpenSSL. +* ``two_basic_constraints.pem`` - A certificate signing request + for a RSA 2048 bit key containing two basic constraints extensions. +* ``unsupported_extension.pem`` - A certificate signing request + for an RSA 2048 bit key containing containing an unsupported + extension type. The OID was encoded as "1.2.3.4" with an + ``extnValue`` of "value". +* ``unsupported_extension_critical.pem`` - A certificate signing + request for an RSA 2048 bit key containing containing an unsupported + extension type marked critical. The OID was encoded as "1.2.3.4" + with an ``extnValue`` of "value". +* ``basic_constraints.pem`` - A certificate signing request for a RSA + 2048 bit key containing a basic constraints extension marked as + critical. Hashes ~~~~~~ diff --git a/docs/x509.rst b/docs/x509.rst index ff43be01..3f1af86c 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -509,8 +509,9 @@ General Name Classes .. attribute:: value - :type: :class:`~ipaddress.IPv4Address` or - :class:`~ipaddress.IPv6Address`. + :type: :class:`~ipaddress.IPv4Address`, + :class:`~ipaddress.IPv6Address`, :class:`~ipaddress.IPv4Network`, + or :class:`~ipaddress.IPv6Network`. .. class:: RegisteredID 
@@ -698,6 +699,19 @@ X.509 Extensions purposes indicated in the key usage extension. The object is iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`. +.. class:: OCSPNoCheck + + .. versionadded:: 0.10 + + This presence of this extension indicates that an OCSP client can trust a + responder for the lifetime of the responder's certificate. CAs issuing + such a certificate should realize that a compromise of the responder's key + is as serious as the compromise of a CA key used to sign CRLs, at least for + the validity period of this certificate. CA's may choose to issue this type + of certificate with a very short lifetime and renew it frequently. This + extension is only relevant when the certificate is an authorized OCSP + responder. + .. class:: AuthorityKeyIdentifier .. versionadded:: 0.9 @@ -1234,6 +1248,11 @@ Extension OIDs Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier for the :class:`AuthorityInformationAccess` extension type. +.. data:: OID_OCSP_NO_CHECK + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier + for the :class:`OCSPNoCheck` extension type. + Exceptions ~~~~~~~~~~ |
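Review bot: In the docs/development/test-vectors.rst hunk, the entries for ``unsupported_extension.pem`` and ``unsupported_extension_critical.pem`` both read "containing containing"; drop the repeated word. The same hunk writes "a RSA 2048 bit key" for ``two_basic_constraints.pem`` and ``basic_constraints.pem`` but "an RSA 2048 bit key" for the other two entries, so settle on "an RSA". Unlike the ``san_rsa_sha1`` entry just above, which says it was generated using OpenSSL, none of the new entries records how the vector was produced, and that would help anyone who has to regenerate them.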
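Review bot: In the first docs/x509.rst hunk (the ``value`` attribute under General Name Classes), the ``:type:`` field now lists four possible types but gives the caller no way to know which one to expect. Add a sentence saying when an ``IPv4Network`` or ``IPv6Network`` is returned instead of an address object, for example, if that is the intent here, when the name comes from a name constraints extension, where RFC 5280 encodes an address plus a mask. Code that does ``isinstance`` checks against only the two address classes will otherwise mishandle the new return types without any hint from the docs.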
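Review bot: In the ``OCSPNoCheck`` hunk of docs/x509.rst, the description opens with "This presence of this extension", which should read "The presence of this extension", and "CA's may choose" should be "CAs may choose" (plural, not possessive). The paragraph also leaves the practical effect implicit: it would be clearer to state that a client honouring this extension does not check the revocation status of the responder's certificate, since that is the reason a responder key compromise is described as being as serious as a CRL-signing key compromise.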