Merge pull request #2538 from reaperhulk/empty-crls-are-beautiful-too
support CRLs with no revoked certificates
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 46ba5a2..71ce8a1 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -18,9 +18,7 @@
from cryptography.hazmat.primitives import constant_time, serialization
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
from cryptography.x509.name import Name
-from cryptography.x509.oid import (
- AuthorityInformationAccessOID, ExtensionOID, ObjectIdentifier
-)
+from cryptography.x509.oid import ExtensionOID, ObjectIdentifier
class _SubjectPublicKeyInfo(univ.Sequence):
@@ -238,11 +236,8 @@
class AccessDescription(object):
def __init__(self, access_method, access_location):
- if not (access_method == AuthorityInformationAccessOID.OCSP or
- access_method == AuthorityInformationAccessOID.CA_ISSUERS):
- raise ValueError(
- "access_method must be OID_OCSP or OID_CA_ISSUERS"
- )
+ if not isinstance(access_method, ObjectIdentifier):
+ raise TypeError("access_method must be an ObjectIdentifier")
if not isinstance(access_location, GeneralName):
raise TypeError("access_location must be a GeneralName")
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 5e5944a..511aac6 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1303,6 +1303,36 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_encode_nonstandard_aia(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ aia = x509.AuthorityInformationAccess([
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com")
+ ),
+ ])
+
+ builder = x509.CertificateBuilder().subject_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).issuer_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).public_key(
+ private_key.public_key()
+ ).serial_number(
+ 777
+ ).not_valid_before(
+ datetime.datetime(1999, 1, 1)
+ ).not_valid_after(
+ datetime.datetime(2020, 1, 1)
+ ).add_extension(
+ aia, False
+ )
+
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_subject_name(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder().serial_number(
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 751de08..83145cd 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -18,8 +18,8 @@
)
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (
- AuthorityInformationAccessOID, ExtendedKeyUsageOID,
- ExtensionOID, NameOID
+ AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
+ NameOID, ObjectIdentifier
)
from .hazmat.primitives.test_ec import _skip_curve_unsupported
@@ -1861,7 +1861,7 @@
class TestAccessDescription(object):
def test_invalid_access_method(self):
- with pytest.raises(ValueError):
+ with pytest.raises(TypeError):
x509.AccessDescription("notanoid", x509.DNSName(u"test"))
def test_invalid_access_location(self):
@@ -1870,6 +1870,13 @@
AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
)
+ def test_valid_nonstandard_method(self):
+ ad = x509.AccessDescription(
+ ObjectIdentifier("2.999.1"),
+ x509.UniformResourceIdentifier(u"http://example.com")
+ )
+ assert ad is not None
+
def test_repr(self):
ad = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,