From cecbbbaef4fd71250914afc54f553d469feaad58 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 30 Mar 2015 14:58:38 -0500 Subject: add keyusage extension --- docs/x509.rst | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index af249449..39df4a0b 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -447,6 +447,99 @@ X.509 Extensions Returns an instance of the extension type corresponding to the OID. +.. class:: KeyUsage + + .. versionadded:: 0.9 + + The key usage extension defines the purpose of the key contained in the + certificate. The usage restriction might be employed when a key that could + be used for more than one operation is to be restricted. It corresponds to + :data:`OID_KEY_USAGE`. + + .. attribute:: digital_signature + + :type: bool + + This is asserted when the subject public key is used for verifying + digital signatures, other than signatures on certificates + (``key_cert_sign``) and CRLs (``crl_sign``). + + .. attribute:: content_commitment + + :type: bool + + This is asserted when the subject public key is used for verifying + digital signatures, other than signatures on certificates + (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a + non-repudiation service that protects against the signing entity + falsely denying some action. In the case of later conflict, a + reliable third party may determine the authenticity of the signed + data. This was called ``non_repudiation`` in older revisions of the + X.509 specification. + + .. attribute:: key_encipherment + + :type: bool + + This is asserted when the subject public key is used for enciphering + private or secret keys. + + .. attribute:: data_encipherment + + :type: bool + + This is asserted when the subject public key is used for directly + enciphering raw user data without the use of an intermediate symmetric + cipher. + + .. attribute:: key_agreement + + :type: bool + + This is asserted when the subject public key is used for key agreement. + For example, when a Diffie-Hellman key is to be used for key + management, then this bit is set. + + .. attribute:: key_cert_sign + + :type: bool + + This is asserted when the subject public key is used for verifying + signatures on public key certificates. 
If this bit is asserted then + ``ca`` must be true in the :class:`BasicConstraints` extension. + + .. attribute:: crl_sign + + :type: bool + + This is asserted when the subject public key is used for verifying + signatures on certificate revocation lists. + + .. attribute:: encipher_only + + :type: bool + + The meaning of this bit is undefined in the absence of the + ``key_agreement`` bit. When this bit is asserted and the + ``key_agreement`` bit is also set, the subject public key may be + used only for enciphering data while performing key agreement. + + :raises ValueError: This is raised if accessed when ``key_agreement`` + is false. + + .. attribute:: decipher_only + + :type: bool + + The meaning of this bit is undefined in the absence of the + ``key_agreement`` bit. When this bit is asserted and the + ``key_agreement`` bit is also set, the subject public key may be + used only for deciphering data while performing key agreement. + + :raises ValueError: This is raised if accessed when ``key_agreement`` + is false. + + .. class:: BasicConstraints .. versionadded:: 0.9 @@ -687,6 +780,11 @@ Extension OIDs Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the :class:`BasicConstraints` extension type. +.. data:: OID_KEY_USAGE + + Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the + :class:`KeyUsage` extension type. + Exceptions ~~~~~~~~~~ -- cgit v1.2.3 From 738407ba87472f7f474c164e2fd33ab037bab93f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 1 Apr 2015 22:39:02 -0500 Subject: update doc language --- docs/x509.rst | 45 ++++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 23 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 39df4a0b..afc9620a 100644 --- a/docs/x509.rst +++ b/docs/x509.rst 
@@ -460,7 +460,7 @@ X.509 Extensions :type: bool - This is asserted when the subject public key is used for verifying + This purpose is set to true when the subject public key is used for verifying digital signatures, other than signatures on certificates (``key_cert_sign``) and CRLs (``crl_sign``). @@ -468,7 +468,7 @@ X.509 Extensions :type: bool - This is asserted when the subject public key is used for verifying + This purpose is set to true when the subject public key is used for verifying digital signatures, other than signatures on certificates (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a non-repudiation service that protects against the signing entity 
@@ -481,48 +481,48 @@ X.509 Extensions :type: bool - This is asserted when the subject public key is used for enciphering - private or secret keys. + This purpose is set to true when the subject public key is used for + enciphering private or secret keys. .. attribute:: data_encipherment :type: bool - This is asserted when the subject public key is used for directly - enciphering raw user data without the use of an intermediate symmetric - cipher. + This purpose is set to true when the subject public key is used for + directly enciphering raw user data without the use of an intermediate + symmetric cipher. .. attribute:: key_agreement :type: bool - This is asserted when the subject public key is used for key agreement. - For example, when a Diffie-Hellman key is to be used for key - management, then this bit is set. + This purpose is set to true when the subject public key is used for key + agreement. For example, when a Diffie-Hellman key is to be used for + key management, then this purpose is set to true. .. attribute:: key_cert_sign :type: bool - This is asserted when the subject public key is used for verifying - signatures on public key certificates. If this bit is asserted then - ``ca`` must be true in the :class:`BasicConstraints` extension. + This purpose is set to true when the subject public key is used for + verifying signatures on public key certificates. If this purpose is set + to true then ``ca`` must be true in the :class:`BasicConstraints` + extension. .. attribute:: crl_sign :type: bool - This is asserted when the subject public key is used for verifying - signatures on certificate revocation lists. + This purpose is set to true when the subject public key is used for + verifying signatures on certificate revocation lists. .. attribute:: encipher_only :type: bool - The meaning of this bit is undefined in the absence of the - ``key_agreement`` bit. 
When this bit is asserted and the - ``key_agreement`` bit is also set, the subject public key may be - used only for enciphering data while performing key agreement. + When this purposes is set to true and the ``key_agreement`` purpose is + also set, the subject public key may be used only for enciphering data + while performing key agreement. :raises ValueError: This is raised if accessed when ``key_agreement`` is false. @@ -531,10 +531,9 @@ X.509 Extensions :type: bool - The meaning of this bit is undefined in the absence of the - ``key_agreement`` bit. When this bit is asserted and the - ``key_agreement`` bit is also set, the subject public key may be - used only for deciphering data while performing key agreement. + When this purposes is set to true and the ``key_agreement`` purpose is + also set, the subject public key may be used only for deciphering data + while performing key agreement. :raises ValueError: This is raised if accessed when ``key_agreement`` is false. -- cgit v1.2.3
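Review bot: In the first commit ("add keyusage extension", hunk at line 447), the `encipher_only` and `decipher_only` entries both carry `:raises ValueError: This is raised if accessed when ``key_agreement`` is false.`, which means any caller that reads these attributes unconditionally will fail on the common case of a certificate without the key agreement purpose; suggest adding a one-line usage note under each attribute saying the read must be guarded, e.g. `if ku.key_agreement and ku.encipher_only:`. In the same hunk, `digital_signature` and `content_commitment` open with the identical sentence ("This is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates ... and CRLs ..."); leading `content_commitment` with its non-repudiation sentence instead of repeating the clause would make the difference between the two purposes visible at a glance.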
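Review bot: In the second commit ("update doc language"), the hunks at lines 460 and 468 replace `This is asserted when the subject public key is used for verifying` with the longer `This purpose is set to true when the subject public key is used for verifying` without rewrapping, so that line now overruns the wrap width the rest of this file keeps, whereas the later hunks in the same commit (`key_encipherment`, `data_encipherment`, `key_agreement`, `key_cert_sign`, `crl_sign`) do rewrap their paragraphs after the same wording change; rewrap these two the same way, e.g. `This purpose is set to true when the subject public key is used for` / `verifying digital signatures, other than signatures on certificates`.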
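Review bot: In the hunk at line 481 (`encipher_only`), the new text `When this purposes is set to true and the ``key_agreement`` purpose is` has a typo: `purposes` should be `purpose`. The same hunk also drops the sentence `The meaning of this bit is undefined in the absence of the ``key_agreement`` bit.`, which was the stated reason for the `:raises ValueError:` line that is kept directly below; consider retaining a short form of it (e.g. "This purpose has no meaning unless ``key_agreement`` is also set.") so the exception does not appear unexplained.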
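Review bot: The hunk at line 531 (`decipher_only`) has the same typo as the `encipher_only` hunk, `When this purposes is set to true and the ``key_agreement`` purpose is`, and likewise removes the "meaning ... is undefined in the absence of the ``key_agreement`` bit" sentence while keeping the `:raises ValueError:` entry; apply the same fix here so the two attributes stay worded identically.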