add a CRL public_bytes method
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index cb2934c..bcad55a 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,9 @@
* :class:`~cryptography.x509.NameConstraints` are now supported in the
:class:`~cryptography.x509.CertificateBuilder` and
:class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+* Support serialization of certificate revocation lists using the
+ ``public_bytes`` method of
+ :class:`~cryptography.x509.CertificateRevocationList`.
1.1.2 - 2015-12-10
~~~~~~~~~~~~~~~~~~
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 91c5344..d060633 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -523,6 +523,18 @@
used to validate a signature, but use extreme caution as CRL validation
is a complex problem that involves much more than just signature checks.
+ .. method:: public_bytes(encoding)
+
+ .. versionadded:: 1.2
+
+ :param encoding: The
+ :class:`~cryptography.hazmat.primitives.serialization.Encoding`
+ that will be used to serialize the certificate revocation list.
+
+ :return bytes: The data that can be written to a file or sent
+ over the network and used as part of a certificate verification
+ process.
+
X.509 Certificate Builder
~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index f50a0d5..b7a88a4 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -833,6 +833,20 @@
)
return self._backend._ffi.buffer(pp[0], res)[:]
+ def public_bytes(self, encoding):
+ bio = self._backend._create_mem_bio()
+ if encoding is serialization.Encoding.PEM:
+ res = self._backend._lib.PEM_write_bio_X509_CRL(
+ bio, self._x509_crl
+ )
+ elif encoding is serialization.Encoding.DER:
+ res = self._backend._lib.i2d_X509_CRL_bio(bio, self._x509_crl)
+ else:
+ raise TypeError("encoding must be an item from the Encoding enum")
+
+ self._backend.openssl_assert(res == 1)
+ return self._backend._read_mem_bio(bio)
+
def _revoked_certificates(self):
revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
revoked_list = []
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 4976104..057d0e9 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -156,6 +156,11 @@
@six.add_metaclass(abc.ABCMeta)
class CertificateRevocationList(object):
+ @abc.abstractmethod
+ def public_bytes(self, encoding):
+ """
+ Serializes the CRL to PEM or DER format.
+ """
@abc.abstractmethod
def fingerprint(self, algorithm):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 511aac6..fecafec 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -222,6 +222,48 @@
verifier.update(crl.tbs_certlist_bytes)
verifier.verify()
+ def test_public_bytes_pem(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_empty.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ # Encode it to PEM and load it back.
+ crl = x509.load_pem_x509_crl(crl.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ), backend)
+
+ assert len(crl) == 0
+ assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
+ assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
+
+ def test_public_bytes_der(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ # Encode it to DER and load it back.
+ crl = x509.load_der_x509_crl(crl.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ), backend)
+
+ assert len(crl) == 12
+ assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
+ assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
+
+ def test_public_bytes_invalid_encoding(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_empty.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(TypeError):
+ crl.public_bytes('NotAnEncoding')
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestRevokedCertificate(object):