add extendedkeyusage extension
diff --git a/docs/x509.rst b/docs/x509.rst
index d8fce97..af24944 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -475,6 +475,15 @@
         subordinate CA, but the subordinate CA is not allowed to create
         subordinates with ``ca`` set to true.
 
+.. class:: ExtendedKeyUsage
+
+    .. versionadded:: 0.9
+
+    This extension indicates one or more purposes for which the certified
+    public key may be used, in addition to or in place of the basic
+    purposes indicated in the key usage extension. The object is
+    iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
+
 
 Object Identifiers
 ~~~~~~~~~~~~~~~~~~
@@ -633,6 +642,8 @@
     Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
     a SHA256 digest signed by a DSA key.
 
+.. _eku_oids:
+
 Extended Key Usage OIDs
 ~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 8b4ee20..791d1ef 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -222,6 +222,23 @@
                 "value={0.value})>").format(self)
 
 
+class ExtendedKeyUsage(object):
+    def __init__(self, usages):
+        for oid in usages:
+            if not isinstance(oid, ObjectIdentifier):
+                raise TypeError(
+                    "Every item in the usages list must be an ObjectIdentifier"
+                )
+
+        self._usages = usages
+
+    def __iter__(self):
+        return iter(self._usages)
+
+    def __len__(self):
+        return len(self._usages)
+
+
 class BasicConstraints(object):
     def __init__(self, ca, path_length):
         if not isinstance(ca, bool):
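Review bot: `ExtendedKeyUsage.__init__` validates `usages` by iterating it and then stores the caller's object unchanged in `self._usages`, so the type check does not bind what the instance later holds. A caller that keeps a reference to the list can append a non-`ObjectIdentifier` after construction. A one-shot iterable such as a generator is exhausted by the validation loop, leaving `__iter__` empty and `__len__` raising `TypeError`. Copy first and validate the copy by adding `usages = list(usages)` as the first line of `__init__`, leaving the loop and the assignment as they are. The trailing context lines belong to `BasicConstraints`, whose body continues outside the hunk.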
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index af13f27..87580a0 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -62,6 +62,23 @@
         )
 
 
+class TestExtendedKeyUsage(object):
+    def test_not_all_oids(self):
+        with pytest.raises(TypeError):
+            x509.ExtendedKeyUsage(["notoid"])
+
+    def test_iter_len(self):
+        eku = x509.ExtendedKeyUsage([
+            x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+            x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+        ])
+        assert len(eku) == 2
+        assert list(eku) == [
+            x509.OID_SERVER_AUTH,
+            x509.OID_CLIENT_AUTH
+        ]
+
+
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
 class TestExtensions(object):
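Review bot: `test_not_all_oids` only passes a list whose single element is invalid, so it would still pass if the constructor checked just the first item. Add a mixed case in the same `pytest.raises(TypeError)` block, for example `x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH, "notoid"])`. `test_iter_len` could also mutate the input list after construction and assert that `len(eku)` is unchanged; the constructor in this commit stores the caller's list, so that assertion would currently fail and would pin the intended copy semantics once fixed.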