path: root/docs/x509

Commit message | Author | Age | Files | Lines

* support X.509 certificate PSS signing (#8888) | Paul Kehrer | 2023-05-10 | 1 file | -1/+17
    * support X.509 certificate PSS signing
      no CSR, CRL, etc
    * handle PSS.(MAX_LENGTH, DIGEST_LENGTH), review feedback
    * name the kwarg
    * test improvements
    * skip if sha3 isn't supported

* add signature_algorithm_parameters to certificate (#8795) | Paul Kehrer | 2023-05-07 | 1 file | -0/+52
    this allows easier verification of cert signatures, but more specifically allows PSS signature verification

* Fix for #8854 (#8855) | Harmin Parra Rueda | 2023-05-03 | 1 file | -0/+6
    * Fix for #8854
    * Fix for issue #8854
    * versionadded
    Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

* OCSP responses are responses, not certificates (#8696) | Paul Kehrer | 2023-04-10 | 1 file | -2/+2

* Support msCertificateTemplate extension (#8695) | Paul Kehrer | 2023-04-10 | 1 file | -0/+34
    * support ms certificate template
    * contortions for rust coverage
    * review feedback

* Added support for OCSP AcceptableResponses extension (#8617) | Alex Gaynor | 2023-03-27 | 1 file | -0/+29
    fixes #8589

* Fix sample code for policy extension (#8489) | shane-kearns | 2023-03-10 | 1 file | -1/+1

* Make Union type aliases a documented public API (#8168) | Marti Raudsepp | 2023-03-07 | 1 file | -50/+14
    * Rename Union type aliases to CamelCase
      Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
    * Add utils.deprecated for the old non-underscore type aliases
    * Added documentation for new type aliases & minor tweaks
    * Use 'versionadded:: 40.0.0'
    * Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
    * Fix imports (ruff)
    * Fix one more versionadded
    * Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
    * Fix test mypy errors using cast()
    * Fix black, oops
    * Revert "Fix black, oops"
      This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
    * Revert "Fix test mypy errors using cast()"
      This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
    * Revert type of SubjectKeyIdentifier.from_public_key arg
    * Changelog tweak

* embrace my inner nitpicker (#8361) | Paul Kehrer | 2023-02-20 | 2 files | -24/+24
    fixes all our versionadded/changed to match actual versions we released

* fixes #8052 -- correct NameAttribute.value documentation (#8060) | Alex Gaynor | 2023-01-14 | 1 file | -2/+4

* serial_number is not a function (#8061) | Alex Gaynor | 2023-01-14 | 1 file | -1/+1

* Add Certificate.verify_signed_by (#8011) | Paul Kehrer | 2023-01-12 | 1 file | -0/+29
    * Add Certificate.verify_signed_by
      Verify that the signature on a certificate was created by the private key belonging to another certificate's public key. This code does not validate anything else! It is not a path builder, general x509 validator, etc.
    * switch to issued_by
      validate issuer subject matches certificate issuer and refactor
    * two fixes
    * signed_by isn't the right target now
    * coverage
    * skip test on some *ssls
    * extensive refactoring
    * lol
    * does any of this work
    * final commit i swear

* add canonical names to Sphinx class documentation (#7938) | Mathias Ertl | 2022-12-26 | 1 file | -0/+84

* document POLICY_MAPPING and SUBJECT_DIRECTORY_ATTRIBUTES (#7904) | Mathias Ertl | 2022-12-17 | 1 file | -0/+8

* x509: add `load_pem_x509_certificates` (#7878) | William Woodruff | 2022-12-05 | 1 file | -0/+16
    * x509: add `load_pem_x509_certificates`
      This behaves similarly to `load_pem_x509_certificate`, except that it returns a list of loaded certificates instead of just the first X.509 certificate. It raises if the input contains no PEM-encoded certificates, or if PEM or certificate parsing fail.
    * tests/x509: blacken
    * Update docs/x509/reference.rst
    * tests/x509: assert each item in the list is actually a certificate
    * bindings: expose `load_pem_x509_certificates` in `x509.pyi`
    * tests/x509: test the structure of each cert a bit
      This has the transitive effect of establishing a fixed order.
    * CHANGELOG: record changes
    * docs: add PEM to spellcheck allowlist
    * docs/x509: document expected param
    Signed-off-by: William Woodruff <william@trailofbits.com>
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* add support for creating OCSP requests with precomputed hashes (#7706) | Paul Kehrer | 2022-10-13 | 1 file | -1/+31
    * add support for creating OCSP requests with precomputed hashes
    * mypy and clippy fixes
    * flake, fix MSRV
    * MSRV this time
    * feedback

* docs: Fix type returned by get_extension_for_oid() and get_extension_for_class() (#7380) | Felix Dreissig | 2022-06-28 | 1 file | -2/+2
    The previous wording (to me) sounded as if an instance of the specific `ExtensionType` subclass would be returned. But the methods actually return an `Extension` instance, from which the specific `ExtensionType` instance can be accessed through the `value` property.

* X.509/Certificate: Add `tbs_precertificate_bytes` property (#7279) | William Woodruff | 2022-05-31 | 1 file | -0/+33
    * Add `tbs_precertificate_bytes` property
    * docs/x509: document `tbs_precertificate_bytes`
    * tests/x509: add two trivial tests
    * x509/base: fix lint
    * oid: add CERTIFICATE_TRANSPARENCY (1.3.6.1.4.1.11129.2.4.4)
    * hazmat/oid: rehome CERTIFICATE_TRANSPARENCY under ExtendedKeyUsageOID
    * docs/x509: fix link, help the spellchecker
    * x509: Raise ValueError when we can't filter SCT list extension
    * tests: Expect a `ValueError` when accessing `tbs_precertificate_bytes` in default example
    * tests, vectors: Add TBS precert vector for test comparison
    * docs/x509: document the `CERTIFICATE_TRANSPARENCY` OID
    * docs/x509: elaborate `tbs_precertificate_bytes`
    * rust/x509: remove unused OID
    * x509/certificate: tweak error
    * tests/x509: reorganize
    * Update src/rust/src/x509/certificate.rs
    * tests/x509: more reorg, rename
    * docs: document new testvector
    * docs: coax the spellchecker
    * tests/x509: use a cert that doesn't require SHA-1
    * tests/x509: test for no extensions at all
    Signed-off-by: William Woodruff <william@trailofbits.com>
    Co-authored-by: Alex Cameron <asc@tetsuo.sh>
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* Enforce that CRL and CSR versions must be valid. (#7249) | Alex Gaynor | 2022-05-22 | 1 file | -2/+2
    Fixes #7231

* CT: `extensions` -> `extension_bytes` (#7238) | William Woodruff | 2022-05-19 | 1 file | -1/+1
    Signed-off-by: William Woodruff <william@trailofbits.com>

* CT: add `SignedCertificateTimestamp.extensions` (#7237) | William Woodruff | 2022-05-20 | 1 file | -0/+8
    Signed-off-by: William Woodruff <william@trailofbits.com>

* x509/CT: expose more SCT internals (#7207) | William Woodruff | 2022-05-13 | 1 file | -0/+41
    * WIP
    * x509: remove TBS work for now
    * CT: flake8
    * CT: remove TODO, add links
    * CT/SCT: strong enums for HashAlgorithm and SignatureAlgorithm
    * tests: add SCT hash/signature algorithm tests
    * tests: fix SignatureAlgorithm test, add signature contents test
    * rust: unit tests for {Hash,Signature}Algorithm
    * x509/sct: code coverage shenanigans
    * asn1, sct: pesky coverage
    * x509/sct: simplify parsing
    * docs: document new SCT APIs
    * docs: add refs to RFC 5246
    * SCT: forbid nonsense hash and signature algos
      No tests, yet.
    * tests: add invalid hash/sig algo tests
    * sct: remove ToAttr trait
      Inline impl into each struct's impl.
    * sct: remove invalid hash/sig variants
      These should never appear in the context of SCTs.
    * sct: collapse matches
      Handle invalid/unknown variants together.
    * tests: update SCT tests
    * sct: add a TODO
    * sct: return a primitives.hashes object instead of a custom enum
    Signed-off-by: William Woodruff <william@yossarian.net>
    Co-authored-by: Alex Cameron <asc@tetsuo.sh>

* Fixes #7127 -- added attr_name_overrides on from_rfc4514_string (#7160) | Alex Gaynor | 2022-04-30 | 1 file | -1/+7

* Remove trailing white space in docs (#7115) | Alex Gaynor | 2022-04-26 | 1 file | -1/+1
    Apparently none of our linters care

* Implement a parser for RFC4514 strings (#7055) | Alex Gaynor | 2022-04-16 | 1 file | -0/+14
    * Initial tests
    * Implement.
      Required updating many many tests based on my read of the RFC. Should be reviewed closely.
    * Fix for py36
    * flake8
    * Improve coverage on hypothesis test
    * Remove bad assertion in hypothesis test
    * Update docs
    * fix docs
    * Fixed unicode support
    * review
    * docs review

* Fix indentation in docs/x509/reference.rst (#7044) | Dustin Ingram | 2022-04-05 | 1 file | -3/+2

* Added OID for #6920 (#6925) | sanchayanghosh | 2022-03-03 | 1 file | -0/+9
    * Added OID
    * Added to documentation for IPSec SAs
    * Update docs/x509/reference.rst to correct the version change.
    Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

* refs #6835 -- added oid constants for SHA3 signatures (#6850) | Alex Gaynor | 2022-02-07 | 1 file | -0/+40

* Basic support for multiple SINGLERESP messages in one OCSP response, take 2 (#6410) | turettn | 2022-01-03 | 1 file | -9/+94
    * OCSP responses can contain multiple SINGLERESPs
      Instead of throwing an exception when encountering an OCSP response with multiple SINGLERESPs, throw the exception when attempting to pull a single structure if multiple are present. Add a response_iter property to the OCSP Response object, which allows for iteration through all the SINGLERESPs, and properties to be individually accessed for each.
    * Small fixes to OCSP multiple response handling. Squash eventually
    * Docs updates. Should be squashed
    * Get rid of mutating iterator, replace with separate return object
    * Fix versionadded strings in docs
    * Cleanup docs & python bindings.

* support attributes on csrs with an iterable (#6603) | Paul Kehrer | 2021-11-14 | 1 file | -9/+46

* Allow to serialize extension values as DER bytes strings (#6346) | Felix Fontein | 2021-11-12 | 1 file | -0/+8
    * Allow to serialize extension values as DER bytes string.
    * Prepare test for SignedCertificateTimestamps.

* allow x25519/x448 public keys in certificatebuilder (#6562) | Paul Kehrer | 2021-11-07 | 1 file | -4/+8
    also document that we can return these key types in a certificate, although they can't be self-signed of course

* deprecate backend part 4 of n (#6522) | Paul Kehrer | 2021-11-02 | 1 file | -60/+12

* Allow custom attribute shortnames in rfc4514_string (#6490) | Marti Raudsepp | 2021-11-01 | 1 file | -5/+53
    `rfc4514_string()` and related methods now have an optional `attr_name_overrides` parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions.
    **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of email address fields as `E` in `rfc4514_string()` methods from version 35.0. The previous behavior can be restored with: `name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})`
    Expanded documentation of `Name.rfc4514_string`.

* add two additional DSA signature algorithm oids & test dsa_with_sha224 (#6483) | Paul Kehrer | 2021-10-26 | 1 file | -0/+14

* Migrate CRL implementation to Rust (#6276) | Alex Gaynor | 2021-09-20 | 1 file | -1/+1
    (Lots of commits that got squashed)

* add more eku oids (#6271) | Paul Kehrer | 2021-09-12 | 1 file | -0/+17
    * add more eku oids
      fixes #5892
    * kerberos is a word in our world

* Remove straddling jargon "text". (#6067) | Benjamin Peterson | 2021-05-25 | 1 file | -13/+12

* Add x509.Name.rfc4514_attribute_name (#5969) | Maximilian Hils | 2021-04-13 | 1 file | -0/+9
    * add x509.Name.rfc4514_attribute_name
    * tests++, docs++
    * lint++

* update ocsp docs to use sha256 (#5880) | Paul Kehrer | 2021-02-28 | 1 file | -6/+12
    rfc 6960 suggests it and we want our docs to be best practice

* Strict typehints for extensions and OIDs (#5870) | Mathias Ertl | 2021-02-27 | 1 file | -0/+6
    * add typehint for name
    * strictly type ObjectIdentifier
    * explicit reexport for mypy
    * type (most) of extensions.py
    * minor cleanup
    * more consistently return None in constructors
    * revert explicit reexport, as requested
    * use _make_sequence_methods for now (#5870)
    * mark oid as normal type-hinted property so that classes can access it
    * fix spelling (upper case)
      use short form for reference
    * annotate as ClassVar
    * add type ignore for special extension class

* simplify docs a bit (#5855) | Paul Kehrer | 2021-02-21 | 1 file | -3/+2

* Add key_identifier property to SubjectKeyIdentifier (#5849) | Arnaud Durand | 2021-02-21 | 1 file | -0/+9
    Fix #5848

* Apply type annotations to x509 ct and ocsp (#5712) | Alex Gaynor | 2021-01-30 | 1 file | -4/+4

* Apply type annotations to x509 builders (#5709) | Alex Gaynor | 2021-01-29 | 1 file | -6/+6

* update docs to not use backends (#5404) | Paul Kehrer | 2020-08-29 | 3 files | -42/+20

* x509 optional backend args (#5390) | Paul Kehrer | 2020-08-15 | 1 file | -22/+22

* remove idna support finally (#5351) | Paul Kehrer | 2020-07-26 | 1 file | -34/+15
    * remove idna support finally
    * remove unused import

* support encoding attributes via CertificateSigningRequestBuilder (#5315) | Paul Kehrer | 2020-07-18 | 1 file | -1/+14
    * support encoding attributes via CertificateSigningRequestBuilder
    * use a constant. now you know what 12 means!
    * pep8

* change KeyUsage repr to be less confusing (#5314) | Paul Kehrer | 2020-07-18 | 1 file | -1/+1
    fixes #5127