From bfac2d10305cf72d634e0e74a87fd08d4cd07257 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 19 Dec 2015 23:32:08 -0600
Subject: CertificateRevocationListBuilder

RSA keys only. Currently does not support CRL extensions or
CRLEntry extensions.
---
 docs/hazmat/backends/interfaces.rst | 19 +++++++++
 docs/x509/reference.rst             | 82 +++++++++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)

(limited to 'docs')

diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 3a7224fa..2952d85a 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -589,6 +589,25 @@ A specific ``backend`` may provide one or more of these interfaces.
         :returns: A new instance of
             :class:`~cryptography.x509.CertificateRevocationList`.
 
+    .. method:: create_x509_crl(builder, private_key, algorithm)
+
+        .. versionadded:: 1.2
+
+        :param builder: An instance of
+            :class:`~cryptography.x509.CertificateRevocationListBuilder`.
+
+        :param private_key: The
+            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
+            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+            that will be used to sign the CRL.
+
+        :param algorithm: The
+            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+            that will be used to generate the CRL signature.
+
+        :returns: A new object with the
+            :class:`~cryptography.x509.CertificateRevocationList` interface.
 
 .. class:: DHBackend
 
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 4f4ce4fa..0697e636 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -761,6 +761,88 @@ X.509 CSR (Certificate Signing Request) Object
         key embedded in the CSR). This data may be used to validate the CSR
         signature.
 
+X.509 Certificate Revocation List Builder
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. class:: CertificateRevocationListBuilder
+
+    .. versionadded:: 1.2
+
+    .. doctest::
+
+        >>> from cryptography import x509
+        >>> from cryptography.hazmat.backends import default_backend
+        >>> from cryptography.hazmat.primitives import hashes
+        >>> from cryptography.hazmat.primitives.asymmetric import rsa
+        >>> from cryptography.x509.oid import NameOID
+        >>> import datetime
+        >>> one_day = datetime.timedelta(1, 0, 0)
+        >>> private_key = rsa.generate_private_key(
+        ...     public_exponent=65537,
+        ...     key_size=2048,
+        ...     backend=default_backend()
+        ... )
+        >>> builder = x509.CertificateRevocationListBuilder()
+        >>> builder = builder.issuer_name(x509.Name([
+        ...     x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io CA'),
+        ... ]))
+        >>> builder = builder.last_update(datetime.datetime.today())
+        >>> builder = builder.next_update(datetime.datetime.today() + one_day)
+        >>> crl = builder.sign(
+        ...     private_key=private_key, algorithm=hashes.SHA256(),
+        ...     backend=default_backend()
+        ... )
+        >>> isinstance(crl, x509.CertificateRevocationList)
+        True
+
+    .. method:: issuer_name(name)
+
+        Sets the issuer's distinguished name.
+
+        :param name: The :class:`~cryptography.x509.Name` that describes the
+            issuer (CA).
+
+    .. method:: last_update(time)
+
+        Sets the CRL's activation time.  This is the time from which
+        clients can start trusting the CRL.  It may be different from
+        the time at which the CRL was created. This is also known as the
+        ``thisUpdate`` time.
+
+        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
+            activation time for the CRL.  The CRL may not be trusted if it is
+            used before this time.
+
+    .. method:: next_update(time)
+
+        Sets the CRL's next update time. This is the time by which
+        a new CRL will be issued. The next CRL could be issued before this
+        , but it will not be issued any later than the indicated date.
+
+        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
+            next update time for the CRL.
+
+    .. method:: sign(private_key, algorithm, backend)
+
+        Sign the CRL using the CA's private key.
+
+        :param private_key: The
+            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
+            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+            that will be used to sign the certificate.
+
+        :param algorithm: The
+            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that
+            will be used to generate the signature.
+
+        :param backend: Backend that will be used to build the CRL.
+            Must support the
+            :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
+            interface.
+
+        :returns: :class:`~cryptography.x509.CertificateRevocationList`
+
 X.509 Revoked Certificate Object
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- 
cgit v1.2.3


From 0325b9db79ac5f96edfee53b7b2f57eef6d7fc5b Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 24 Dec 2015 19:19:59 -0600
Subject: update docs with review feedback

---
 docs/x509/reference.rst | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

(limited to 'docs')

diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 0697e636..859bc838 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -804,27 +804,27 @@ X.509 Certificate Revocation List Builder
 
     .. method:: last_update(time)
 
-        Sets the CRL's activation time.  This is the time from which
-        clients can start trusting the CRL.  It may be different from
-        the time at which the CRL was created. This is also known as the
+        Sets this CRL's activation time.  This is the time from which
+        clients can start trusting this CRL.  It may be different from
+        the time at which this CRL was created. This is also known as the
         ``thisUpdate`` time.
 
-        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
-            activation time for the CRL.  The CRL may not be trusted if it is
-            used before this time.
+        :param time: The :class:`datetime.datetime` object (in UTC) that marks
+            the activation time for this CRL.  The CRL may not be trusted if it
+            is used before this time.
 
     .. method:: next_update(time)
 
-        Sets the CRL's next update time. This is the time by which
-        a new CRL will be issued. The next CRL could be issued before this
-        , but it will not be issued any later than the indicated date.
+        Sets this CRL's next update time. This is the time by which
+        a new CRL will be issued. The CA is allowed to issue a new CRL before
+        this date, however clients are not required to check for it.
 
-        :param time: The :class:`datetime.datetime` object (in UTC) that marks the
-            next update time for the CRL.
+        :param time: The :class:`datetime.datetime` object (in UTC) that marks
+            the next update time for this CRL.
 
     .. method:: sign(private_key, algorithm, backend)
 
-        Sign the CRL using the CA's private key.
+        Sign this CRL using the CA's private key.
 
         :param private_key: The
             :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
-- 
cgit v1.2.3


From 7eaaf0c6126c677b6dd656a35faca391ebc96c9a Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 24 Dec 2015 19:27:38 -0600
Subject: fix rebase mistake in the docs

---
 docs/hazmat/backends/interfaces.rst | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

(limited to 'docs')

diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 2952d85a..29abee1c 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -574,7 +574,7 @@ A specific ``backend`` may provide one or more of these interfaces.
         .. versionadded:: 1.2
 
         :param builder: An instance of
-            CertificateRevocationListBuilder.
+            :class:`~cryptography.x509.CertificateRevocationListBuilder`.
 
         :param private_key: The
             :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
@@ -589,26 +589,6 @@ A specific ``backend`` may provide one or more of these interfaces.
         :returns: A new instance of
             :class:`~cryptography.x509.CertificateRevocationList`.
 
-    .. method:: create_x509_crl(builder, private_key, algorithm)
-
-        .. versionadded:: 1.2
-
-        :param builder: An instance of
-            :class:`~cryptography.x509.CertificateRevocationListBuilder`.
-
-        :param private_key: The
-            :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
-            :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
-            :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
-            that will be used to sign the CRL.
-
-        :param algorithm: The
-            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
-            that will be used to generate the CRL signature.
-
-        :returns: A new object with the
-            :class:`~cryptography.x509.CertificateRevocationList` interface.
-
 .. class:: DHBackend
 
     .. versionadded:: 0.9
-- 
cgit v1.2.3