[WIP] add support for the TLSFeature extension in x509 (#3899)
* add support for the TLSFeature extension in x509
This extension is used for OCSP Must-Staple.
* fix changelog link
* pep8
* refactor to support the sequence properly and add status_request_v2
* update some language
* add test vector, implement eq/ne/hash on TLSFeature
* address review comments
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 5e1c95c..f07272a 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -1606,6 +1606,45 @@
Returns :attr:`~cryptography.x509.oid.ExtensionOID.OCSP_NO_CHECK`.
+
+.. class:: TLSFeature(features)
+
+ .. versionadded:: 2.1
+
+ The TLS Feature extension is defined in :rfc:`7633` and is used in
+ certificates for OCSP Must-Staple. The object is iterable to get every
+ element.
+
+ :param list features: A list of features to enable from the
+ :class:`~cryptography.x509.TLSFeatureType` enum. At this time only
+ ``status_request`` or ``status_request_v2`` are allowed.
+
+ .. attribute:: oid
+
+ :type: :class:`ObjectIdentifier`
+
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.TLS_FEATURE`.
+
+.. class:: TLSFeatureType
+
+ .. versionadded:: 2.1
+
+ An enumeration of TLS Feature types.
+
+ .. attribute:: status_request
+
+ This feature type is defined in :rfc:`6066` and, when embedded in
+ an X.509 certificate, signals to the client that it should require
+ a stapled OCSP response in the TLS handshake. Commonly known as OCSP
+ Must-Staple in certificates.
+
+ .. attribute:: status_request_v2
+
+ This feature type is defined in :rfc:`6961`. This value is not
+ commonly used and if you want to enable OCSP Must-Staple you should
+ use ``status_request``.
+
+
.. class:: NameConstraints(permitted_subtrees, excluded_subtrees)
.. versionadded:: 1.0
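Review bot: The ``features`` parameter description in the new ``TLSFeature`` entry says which enum members are allowed but not what happens when the list is empty or contains something that is not a ``TLSFeatureType`` member. Document the exception raised in that case so callers issuing Must-Staple certificates know the failure mode. The sentence "The object is iterable to get every element" could also say that each element is a ``TLSFeatureType`` member. In the ``TLSFeatureType`` entry, neither ``status_request`` nor ``status_request_v2`` gives the TLS extension number it maps to, which readers comparing against :rfc:`7633` output would want.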
@@ -2673,6 +2712,12 @@
identifier for the :class:`~cryptography.x509.OCSPNoCheck` extension
type.
+ .. attribute:: TLS_FEATURE
+
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.24"``. The
+ identifier for the :class:`~cryptography.x509.TLSFeature` extension
+ type.
+
.. attribute:: CRL_NUMBER
Corresponds to the dotted string ``"2.5.29.20"``. The identifier for
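Review bot: The new ``TLS_FEATURE`` attribute has no ``.. versionadded:: 2.1`` marker, while both classes added to this file in the same change carry one. Add it here so the OID's availability is documented consistently with ``TLSFeature`` and ``TLSFeatureType``. A reference to :rfc:`7633` next to the dotted string ``"1.3.6.1.5.5.7.1.24"`` would also let readers check the value against its definition.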