fix indentations
change docs to indicate CRL objects are iterable
fix docs for revoked certs
make _decode_crl_reason more readable
add __getitem__ method to CRL object
remove double underscores
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 9f9526e..eda6378 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -401,6 +401,19 @@
.. versionadded:: 1.0
+ A CertificateRevocationList is an object representing a list of revoked
+ certificates. The object is iterable and will yield the RevokedCertificate
+ objects stored in this CRL.
+
+ .. doctest::
+ >>> len(crl)
+ 1
+ >>> type(crl[0])
+ <class 'cryptography.hazmat.backends.openssl.x509._RevokedCertificate'>
+ >>> for r in crl:
+ ... print(r.serial_number)
+ 0
+
.. method:: fingerprint(algorithm)
:param algorithm: The
@@ -706,7 +719,8 @@
.. doctest::
- >>> crl.revoked_certificates[0].serial_number
+ >>> revoked_certificate = crl.revoked_certificates[0]
+ >>> revoked_certificate.serial_number
0
.. attribute:: revocation_date
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a0ad87e..3267893 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -645,39 +645,39 @@
self._backend = backend
self._x509_revoked = x509_revoked
- self.__serial_number = None
- self.__revocation_date = None
- self.__extensions = None
+ self._serial_number = None
+ self._revocation_date = None
+ self._extensions = None
@property
def serial_number(self):
- if self.__serial_number:
- return self.__serial_number
+ if self._serial_number:
+ return self._serial_number
asn1_int = self._x509_revoked.serialNumber
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
- self.__serial_number = self._backend._asn1_integer_to_int(asn1_int)
- return self.__serial_number
+ self._serial_number = self._backend._asn1_integer_to_int(asn1_int)
+ return self._serial_number
@property
def revocation_date(self):
- if self.__revocation_date:
- return self.__revocation_date
+ if self._revocation_date:
+ return self._revocation_date
- self.__revocation_date = self._backend._parse_asn1_time(
+ self._revocation_date = self._backend._parse_asn1_time(
self._x509_revoked.revocationDate)
- return self.__revocation_date
+ return self._revocation_date
@property
def extensions(self):
- if self.__extensions:
- return self.__extensions
+ if self._extensions:
+ return self._extensions
extensions = []
seen_oids = set()
extcount = self._backend._lib.X509_REVOKED_get_ext_count(
self._x509_revoked)
- for i in range(0, extcount):
+ for i in range(extcount):
ext = self._backend._lib.X509_REVOKED_get_ext(
self._x509_revoked, i)
self._backend.openssl_assert(ext != self._backend._ffi.NULL)
@@ -693,8 +693,8 @@
value = self._decode_crl_reason(ext)
elif oid == x509.OID_INVALIDITY_DATE:
value = self._decode_invalidity_date(ext)
- elif oid == x509.OID_CERTIFICATE_ISSUER and \
- self._backend._lib.OPENSSL_VERSION_NUMBER >= 0x10000000:
+ elif (oid == x509.OID_CERTIFICATE_ISSUER and
+ self._backend._lib.OPENSSL_VERSION_NUMBER >= 0x10000000):
value = self._decode_cert_issuer(ext)
elif critical:
raise x509.UnsupportedExtension(
@@ -708,38 +708,38 @@
seen_oids.add(oid)
extensions.append(x509.Extension(oid, critical, value))
- self.__extensions = x509.Extensions(extensions)
- return self.__extensions
+ self._extensions = x509.Extensions(extensions)
+ return self._extensions
def get_reason(self):
"""
Returns the CRLReason extension if it exists.
"""
try:
- return self.extensions.get_extension_for_oid(
- x509.OID_CRL_REASON).value
+ return self.extensions.get_extension_for_oid(
+ x509.OID_CRL_REASON).value
except x509.ExtensionNotFound:
- return None
+ return None
def get_invalidity_date(self):
"""
Returns the InvalidityDate extension if it exists.
"""
try:
- return self.extensions.get_extension_for_oid(
- x509.OID_INVALIDITY_DATE).value
+ return self.extensions.get_extension_for_oid(
+ x509.OID_INVALIDITY_DATE).value
except x509.ExtensionNotFound:
- return None
+ return None
def get_certificate_issuer(self):
"""
Returns the CertificateIssuer extension if it exists.
"""
try:
- return self.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_ISSUER).value
+ return self.extensions.get_extension_for_oid(
+ x509.OID_CERTIFICATE_ISSUER).value
except x509.ExtensionNotFound:
- return None
+ return None
def _decode_crl_reason(self, ext):
enum = self._backend._lib.X509V3_EXT_d2i(ext)
@@ -749,27 +749,21 @@
enum, self._backend._lib.ASN1_ENUMERATED_free
)
code = self._backend._lib.ASN1_ENUMERATED_get(enum)
- if code == 0:
- return x509.ReasonFlags.unspecified
- elif code == 1:
- return x509.ReasonFlags.key_compromise
- elif code == 2:
- return x509.ReasonFlags.ca_compromise
- elif code == 3:
- return x509.ReasonFlags.affiliation_changed
- elif code == 4:
- return x509.ReasonFlags.superseded
- elif code == 5:
- return x509.ReasonFlags.cessation_of_operation
- elif code == 6:
- return x509.ReasonFlags.certificate_hold
- elif code == 8:
- return x509.ReasonFlags.remove_from_crl
- elif code == 9:
- return x509.ReasonFlags.privilege_withdrawn
- elif code == 10:
- return x509.ReasonFlags.aa_compromise
- else:
+
+ try:
+ return {
+ 0: x509.ReasonFlags.unspecified,
+ 1: x509.ReasonFlags.key_compromise,
+ 2: x509.ReasonFlags.ca_compromise,
+ 3: x509.ReasonFlags.affiliation_changed,
+ 4: x509.ReasonFlags.superseded,
+ 5: x509.ReasonFlags.cessation_of_operation,
+ 6: x509.ReasonFlags.certificate_hold,
+ 8: x509.ReasonFlags.remove_from_crl,
+ 9: x509.ReasonFlags.privilege_withdrawn,
+ 10: x509.ReasonFlags.aa_compromise,
+ }[code]
+ except KeyError:
raise ValueError("Unsupported reason code: {0}".format(code))
def _decode_invalidity_date(self, ext):
@@ -805,10 +799,10 @@
self._backend = backend
self._x509_crl = x509_crl
- self.__revoked = None
- self.__issuer = None
- self.__next_update = None
- self.__last_update = None
+ self._revoked = None
+ self._issuer = None
+ self._next_update = None
+ self._last_update = None
def __eq__(self, other):
if not isinstance(other, x509.CertificateRevocationList):
@@ -843,38 +837,38 @@
@property
def issuer(self):
- if self.__issuer:
- return self.__issuer
+ if self._issuer:
+ return self._issuer
issuer = self._backend._lib.X509_CRL_get_issuer(self._x509_crl)
self._backend.openssl_assert(issuer != self._backend._ffi.NULL)
- self.__issuer = _decode_x509_name(self._backend, issuer)
- return self.__issuer
+ self._issuer = _decode_x509_name(self._backend, issuer)
+ return self._issuer
@property
def next_update(self):
- if self.__next_update:
- return self.__next_update
+ if self._next_update:
+ return self._next_update
nu = self._backend._lib.X509_CRL_get_nextUpdate(self._x509_crl)
self._backend.openssl_assert(nu != self._backend._ffi.NULL)
- self.__next_update = self._backend._parse_asn1_time(nu)
- return self.__next_update
+ self._next_update = self._backend._parse_asn1_time(nu)
+ return self._next_update
@property
def last_update(self):
- if self.__last_update:
- return self.__last_update
+ if self._last_update:
+ return self._last_update
lu = self._backend._lib.X509_CRL_get_lastUpdate(self._x509_crl)
self._backend.openssl_assert(lu != self._backend._ffi.NULL)
- self.__last_update = self._backend._parse_asn1_time(lu)
- return self.__last_update
+ self._last_update = self._backend._parse_asn1_time(lu)
+ return self._last_update
@property
def revoked_certificates(self):
- if self.__revoked:
- return self.__revoked
+ if self._revoked:
+ return self._revoked
revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
self._backend.openssl_assert(revoked != self._backend._ffi.NULL)
@@ -886,12 +880,15 @@
self._backend.openssl_assert(r != self._backend._ffi.NULL)
revoked_list.append(_RevokedCertificate(self._backend, r))
- self.__revoked = revoked_list
- return self.__revoked
+ self._revoked = revoked_list
+ return self._revoked
def __iter__(self):
return iter(self.revoked_certificates)
+ def __getitem__(self, idx):
+ return self.revoked_certificates[idx]
+
def __len__(self):
return len(self.revoked_certificates)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c380b86..61e7a7d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -241,6 +241,9 @@
# Check that len() works for CRLs.
assert len(crl) == 12
+ # Check that direct access to revoked cert in CRL works
+ assert isinstance(crl[0], x509.RevokedCertificate)
+
def test_duplicate_entry_ext(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),