OCSP request extension parsing (#4464)
* add OCSP request parsing support with OCSPNonce
* add docs
* reprs man
* make extensions a cached property
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index e8b9098..ed18924 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -76,6 +76,7 @@
pickleable
plaintext
pre
+precompute
preprocessor
preprocessors
presentational
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst
index b706b32..163a6a8 100644
--- a/docs/x509/ocsp.rst
+++ b/docs/x509/ocsp.rst
@@ -190,6 +190,12 @@
The serial number of the certificate to check.
+ .. attribute:: extensions
+
+ :type: :class:`~cryptography.x509.Extensions`
+
+ The extensions encoded in the request.
+
.. method:: public_bytes(encoding)
:param encoding: The encoding to use. Only
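Review bot: the new `extensions` entry only says "The extensions encoded in the request." and gives no pointer to the extension types a caller can expect. This change documents `OCSPNonce` as an OCSP extension in reference.rst, so cross-reference it here, and state what the attribute holds when a request carries no extensions, so callers know whether to expect an empty `Extensions` object or an error.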
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index ede08aa..079fef9 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -2432,6 +2432,30 @@
:type: :class:`datetime.datetime`
+OCSP Extensions
+~~~~~~~~~~~~~~~
+
+.. class:: OCSPNonce(nonce)
+
+ .. versionadded:: 2.4
+
+ OCSP nonce is an extension that is only valid inside
+ :class:`~cryptography.x509.ocsp.OCSPRequest` and
+ :class:`~cryptography.x509.ocsp.OCSPResponse` objects. The nonce
+ cryptographically binds a request and a response to prevent replay attacks.
+ In practice nonces are rarely used in OCSP due to the desire to precompute
+ OCSP responses at large scale.
+
+ .. attribute:: oid
+
+ :type: :class:`ObjectIdentifier`
+
+ Returns
+ :attr:`~cryptography.x509.oid.OCSPExtensionOID.NONCE`.
+
+ .. attribute:: nonce
+
+ :type: bytes
Object Identifiers
~~~~~~~~~~~~~~~~~~
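Review bot: the `nonce` attribute at the end of the `OCSPNonce` entry has `:type: bytes` but no description, and the argument in `.. class:: OCSPNonce(nonce)` has no `:param:` line. The class text says the nonce binds a request to a response to prevent replay, so add a sentence saying that this attribute is the raw nonce value and that it is the value to compare between the request and the response. It would also help to say whether the constructor validates the type or length of `nonce`.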
@@ -2854,6 +2878,15 @@
Corresponds to the dotted string ``"2.5.29.24"``.
+
+.. class:: OCSPExtensionOID
+
+ .. versionadded:: 2.4
+
+ .. attribute:: NONCE
+
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.2"``.
+
Helper Functions
~~~~~~~~~~~~~~~~
.. currentmodule:: cryptography.x509
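Review bot: `.. class:: OCSPExtensionOID` has no descriptive sentence, only `versionadded` and the `NONCE` attribute. Add a line saying these are the object identifiers for OCSP extensions. Also confirm that the entry sits under the `cryptography.x509.oid` module at this point in the file. The `OCSPNonce.oid` text added earlier in this patch links to `~cryptography.x509.oid.OCSPExtensionOID.NONCE`, and the `.. currentmodule:: cryptography.x509` directive just below shows the module context changes around here, so a mismatch would leave that reference unresolved.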