From 8cf26425504d22dbcf463ff702a167cbe3567e6a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Mar 2015 09:50:24 -0500 Subject: basic constraints class & extensions interface --- docs/x509.rst | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 27f1d544..89265df2 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -273,6 +273,49 @@ X.509 Certificate Object The dotted string value of the OID (e.g. ``"2.5.4.3"``) +X.509 Extensions +~~~~~~~~~~~~~~~~ + +.. class:: Extension + + .. versionadded:: 0.9 + + All X.509 extensions are registered against this interface. + + .. attribute:: critical + + :type: bool + + Determines whether a given extension is critical or not. + +.. class:: BasicConstraints + + .. versionadded:: 0.9 + + Basic constraints is an X.509 extension that defines whether a given + certificate is allowed to sign additional certificates and what path + length restrictions may exist. + + .. attribute:: ca + + :type: bool + + Whether the certificate can sign certificates. + + .. attribute:: path_length + + :type: int, None + + The maximum path length for certificates subordinate to this + certificate. This attribute only has meaning if ``ca`` is true. + If ``ca`` is true then a path length of None means there's no + restriction on the number of subordinate CAs in the certificate chain. + If it is zero or greater then that number defines the maximum length. + For example, a ``path_length`` of 1 means the certificate can sign a + subordinate CA, but the subordinate CA is not allowed to create + ``ca`` true certificates. + + Object Identifiers ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 2bb9464c6eb3da36addd8c501f0a392c4339d1b8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Mar 2015 09:54:17 -0500 Subject: add docs for the OID_BASIC_CONSTRAINTS constant --- docs/x509.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/x509.rst') 
diff --git a/docs/x509.rst b/docs/x509.rst index 89265df2..18f6ff18 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -473,6 +473,14 @@ Signature Algorithm OIDs Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is a SHA256 digest signed by a DSA key. +Extension OIDs +~~~~~~~~~~~~~~ + +.. data:: OID_BASIC_CONSTRAINTS + + Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the + basic constraints extension. + Exceptions ~~~~~~~~~~ -- cgit v1.2.3 From fd1444cfa97bb897eaee6ceca35175357317623b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Mar 2015 19:47:05 -0500 Subject: review feedback doc updates --- docs/x509.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 18f6ff18..80242581 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -304,7 +304,7 @@ X.509 Extensions .. attribute:: path_length - :type: int, None + :type: int or None The maximum path length for certificates subordinate to this certificate. This attribute only has meaning if ``ca`` is true. @@ -313,7 +313,7 @@ X.509 Extensions If it is zero or greater then that number defines the maximum length. For example, a ``path_length`` of 1 means the certificate can sign a subordinate CA, but the subordinate CA is not allowed to create - ``ca`` true certificates. + subordinates with ``ca`` set to true. Object Identifiers -- cgit v1.2.3 From 8589466c0a12835cda03bf91043cf51b657d9e46 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 22 Mar 2015 13:19:31 -0500 Subject: rework BasicConstraints and Extension. --- docs/x509.rst | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 80242581..7eb47a31 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -280,7 +280,11 @@ X.509 Extensions .. versionadded:: 0.9 - All X.509 extensions are registered against this interface. + .. attribute:: oid + + :type: :class:`ObjectIdentifier` + + The attribute OID. .. attribute:: critical @@ -288,13 +292,18 @@ X.509 Extensions Determines whether a given extension is critical or not. + .. attribute:: value + + Returns an instance of the extension type corresponding to the OID. + .. class:: BasicConstraints .. versionadded:: 0.9 - Basic constraints is an X.509 extension that defines whether a given + Basic constraints is an X.509 extension type that defines whether a given certificate is allowed to sign additional certificates and what path - length restrictions may exist. + length restrictions may exist. It corresponds to + :data:`OID_BASIC_CONSTRAINTS`. .. attribute:: ca -- cgit v1.2.3 From 611d3d36fb1e33582eefc81cc241140d7a69f733 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 22 Mar 2015 13:31:18 -0500 Subject: doc update --- docs/x509.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 7eb47a31..751e077c 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -488,7 +488,7 @@ Extension OIDs .. data:: OID_BASIC_CONSTRAINTS Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the - basic constraints extension. + :class:`BasicConstraints` extension type. Exceptions -- cgit v1.2.3 From 58b756969211e2972fb6fda44582e55b98c02924 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 22 Mar 2015 23:24:58 -0500 Subject: doc updates and simplification of __repr__ --- docs/x509.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 751e077c..36e9fab3 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -284,13 +284,16 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - The attribute OID. + The extension OID. .. attribute:: critical :type: bool - Determines whether a given extension is critical or not. + Determines whether a given extension is critical or not. :rfc:`5280` + requires that "A certificate-using system MUST reject the certificate + if it encounters a critical extension it does not recognize or a + critical extension that contains information that it cannot process". .. attribute:: value -- cgit v1.2.3 From 5553d576f3bc3f65b84de99a2561360f82fc110f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 23 Mar 2015 21:08:01 -0500 Subject: review feedback updates --- docs/x509.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs/x509.rst') diff --git a/docs/x509.rst b/docs/x509.rst index 36e9fab3..13218914 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -284,7 +284,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - The extension OID. + The :ref:`extension OID `. .. attribute:: critical @@ -485,6 +485,8 @@ Signature Algorithm OIDs Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is a SHA256 digest signed by a DSA key. +.. _extension_oids: + Extension OIDs ~~~~~~~~~~~~~~ -- cgit v1.2.3
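Review bot: in the path_length text of the "@@ -273,6 +273,49 @@" hunk (8cf26425), "If it is zero or greater then that number defines the maximum length" does not say what is being counted, and the only worked case is 1. Spell out the zero case as well (a certificate with path_length 0 may sign only certificates whose ca is false), since that is the boundary a chain validator most needs to get right. The text also says the attribute "only has meaning if ca is true" without stating what value it holds when ca is false; say whether it is always None in that case.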
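Review bot: the context line directly above the new section in the "@@ -473,6 +473,14 @@" hunk (2bb9464c) shows the dotted string 2.16.840.1.101.3.4.3.2 with a closing double quote but no opening one, while the added OID_BASIC_CONSTRAINTS entry quotes "2.5.29.19" on both sides. Fix the unbalanced quote in the neighbouring entry here or in a follow-up so the OID strings in this file are written the same way.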
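Review bot: the "@@ -280,7 +280,11 @@" hunk (8589466c) removes "All X.509 extensions are registered against this interface." and puts nothing in its place, so the Extension class now has a versionadded line and attributes but no sentence saying what it is. Add a one-line summary of the class, and change "The attribute OID." to say it is the extension's OID, since the surrounding section already uses "attribute" for name attributes.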
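Review bot: the new value attribute in the "@@ -288,13 +292,18 @@" hunk (8589466c) has no ":type:" field, unlike oid and critical beside it, and "Returns an instance of the extension type corresponding to the OID" reads like a method description. Give it a type line or name the extension types it can hold (BasicConstraints is the only one documented in this file), so a caller knows what to expect before reading ca or path_length from it.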
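Review bot: the critical text in the "@@ -284,13 +284,16 @@" hunk (58b75696) quotes the RFC 5280 MUST-reject rule but does not say who enforces it. State whether the library rejects a certificate carrying a critical extension it does not recognize, or whether the caller is expected to inspect critical and reject the certificate itself; without that, a reader can assume the check happens for them.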
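Review bot: as displayed in the "@@ -284,7 +284,7 @@" hunk (5553d576), the added ":ref:" role contains only the text "extension OID" followed by a space, with no target name in angle brackets, so it would not resolve to the ".. _extension_oids:" label that the "@@ -485,6 +485,8 @@" hunk adds. Confirm the source line names that label as the role's target and that the docs build reports no unresolved reference.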