InhibitAnyPolicy class
diff --git a/docs/x509.rst b/docs/x509.rst
index d355edc..594cd81 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -930,6 +930,24 @@
removed from the CRL. This reason cannot be used as a reason flag
in a :class:`DistributionPoint`.
+.. class:: InhibitAnyPolicy
+
+ .. versionadded:: 1.0
+
+ The inhibit ``anyPolicy`` extension indicates that the special OID
+ :data:`OID_ANY_POLICY`, is not considered an explicit match for other
+ :class:`CertificatePolicies` except when it appears in an intermediate
+ self-issued CA certificate. The value indicates the number of additional
+ non-self-issued certificates that may appear in the path before
+ :data:`OID_ANY_POLICY` is no longer permitted. For example, a value
+ of one indicates that :data:`OID_ANY_POLICY` may be processed in
+ certificates issued by the subject of this certificate, but not in
+ additional certificates in the path.
+
+ .. attribute:: skip_certs
+
+ :type: int
+
.. class:: CertificatePolicies
.. versionadded:: 0.9
@@ -1221,6 +1239,10 @@
Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``.
+.. data:: OID_ANY_POLICY
+
+ Corresponds to the dotted string ``"2.5.29.32.0"``.
+
.. _extension_oids:
Extension OIDs
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index e6d19ae..b11c794 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -785,6 +785,31 @@
remove_from_crl = "removeFromCRL"
+class InhibitAnyPolicy(object):
+ def __init__(self, skip_certs):
+ if not isinstance(skip_certs, six.integer_types):
+ raise TypeError("skip_certs must be an integer")
+
+ if skip_certs < 0:
+ raise ValueError("skip_certs must be a non-negative integer")
+
+ self._skip_certs = skip_certs
+
+ def __repr__(self):
+ return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, InhibitAnyPolicy):
+ return NotImplemented
+
+ return self.skip_certs == other.skip_certs
+
+ def __ne__(self, other):
+ return not self == other
+
+ skip_certs = utils.read_only_property("_skip_certs")
+
+
@six.add_metaclass(abc.ABCMeta)
class GeneralName(object):
@abc.abstractproperty
@@ -1090,6 +1115,7 @@
OID_CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
OID_CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
+OID_ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
@six.add_metaclass(abc.ABCMeta)
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 20a016b..0405b79 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2271,3 +2271,28 @@
)],
)
])
+
+
+class TestInhibitAnyPolicy(object):
+ def test_not_int(self):
+ with pytest.raises(TypeError):
+ x509.InhibitAnyPolicy("notint")
+
+ def test_negative_int(self):
+ with pytest.raises(ValueError):
+ x509.InhibitAnyPolicy(-1)
+
+ def test_repr(self):
+ iap = x509.InhibitAnyPolicy(0)
+ assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
+
+ def test_eq(self):
+ iap = x509.InhibitAnyPolicy(1)
+ iap2 = x509.InhibitAnyPolicy(1)
+ assert iap == iap2
+
+ def test_ne(self):
+ iap = x509.InhibitAnyPolicy(1)
+ iap2 = x509.InhibitAnyPolicy(4)
+ assert iap != iap2
+ assert iap != object()