Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / cad8ae268c5009c989b765021404ff8c86df1d8b / . / src / cryptography / x509 / base.py
blob: e29a31052e241ba2a66528727bbc4342dfacbee1 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]7import abc
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]8import datetime
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]9from enum import Enum
10
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]11import six
12
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]13from cryptography import utils
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]14from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehreraa7a3222015-08-11 00:00:54 -0500[diff] [blame]15from cryptography.x509.extensions import Extension, ExtensionType
Paul Kehrered036d22015-08-09 20:40:48 -0500[diff] [blame]16from cryptography.x509.name import Name
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]17
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]18
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]19_UNIX_EPOCH = datetime.datetime(1970, 1, 1)
20
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]21
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]22class Version(Enum):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]23 v1 = 0
24 v3 = 2
25
26
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]27def load_pem_x509_certificate(data, backend):
28 return backend.load_pem_x509_certificate(data)
29
30
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]31def load_der_x509_certificate(data, backend):
32 return backend.load_der_x509_certificate(data)
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]33
34
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]35def load_pem_x509_csr(data, backend):
36 return backend.load_pem_x509_csr(data)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]37
38
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]39def load_der_x509_csr(data, backend):
40 return backend.load_der_x509_csr(data)
41
42
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]43def load_pem_x509_crl(data, backend):
44 return backend.load_pem_x509_crl(data)
45
46
47def load_der_x509_crl(data, backend):
48 return backend.load_der_x509_crl(data)
49
50
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]51class InvalidVersion(Exception):
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]52 def __init__(self, msg, parsed_version):
53 super(InvalidVersion, self).__init__(msg)
54 self.parsed_version = parsed_version
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]55
56
57@six.add_metaclass(abc.ABCMeta)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]58class Certificate(object):
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]59 @abc.abstractmethod
60 def fingerprint(self, algorithm):
61 """
62 Returns bytes using digest passed.
63 """
64
65 @abc.abstractproperty
66 def serial(self):
67 """
68 Returns certificate serial number
69 """
70
71 @abc.abstractproperty
72 def version(self):
73 """
74 Returns the certificate version
75 """
76
77 @abc.abstractmethod
78 def public_key(self):
79 """
80 Returns the public key
81 """
82
83 @abc.abstractproperty
84 def not_valid_before(self):
85 """
86 Not before time (represented as UTC datetime)
87 """
88
89 @abc.abstractproperty
90 def not_valid_after(self):
91 """
92 Not after time (represented as UTC datetime)
93 """
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]94
95 @abc.abstractproperty
96 def issuer(self):
97 """
98 Returns the issuer name object.
99 """
100
101 @abc.abstractproperty
102 def subject(self):
103 """
104 Returns the subject name object.
105 """
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]106
107 @abc.abstractproperty
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]108 def signature_hash_algorithm(self):
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]109 """
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]110 Returns a HashAlgorithm corresponding to the type of the digest signed
111 in the certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]112 """
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]113
Paul Kehrer8c234d12015-05-15 09:27:22 -0700[diff] [blame]114 @abc.abstractproperty
115 def extensions(self):
116 """
117 Returns an Extensions object.
118 """
119
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]120 @abc.abstractproperty
121 def signature(self):
122 """
123 Returns the signature bytes.
124 """
125
126 @abc.abstractproperty
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]127 def tbs_certificate_bytes(self):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]128 """
129 Returns the tbsCertificate payload bytes as defined in RFC 5280.
130 """
131
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]132 @abc.abstractmethod
133 def __eq__(self, other):
134 """
135 Checks equality.
136 """
137
138 @abc.abstractmethod
139 def __ne__(self, other):
140 """
141 Checks not equal.
142 """
143
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]144 @abc.abstractmethod
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]145 def __hash__(self):
146 """
147 Computes a hash.
148 """
149
150 @abc.abstractmethod
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]151 def public_bytes(self, encoding):
Andre Caron18ef34b2015-05-19 21:24:31 -0400[diff] [blame]152 """
153 Serializes the certificate to PEM or DER format.
154 """
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]155
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]156
157@six.add_metaclass(abc.ABCMeta)
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]158class CertificateRevocationList(object):
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]159 @abc.abstractmethod
160 def public_bytes(self, encoding):
161 """
162 Serializes the CRL to PEM or DER format.
163 """
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]164
165 @abc.abstractmethod
166 def fingerprint(self, algorithm):
167 """
168 Returns bytes using digest passed.
169 """
170
171 @abc.abstractproperty
172 def signature_hash_algorithm(self):
173 """
174 Returns a HashAlgorithm corresponding to the type of the digest signed
175 in the certificate.
176 """
177
178 @abc.abstractproperty
179 def issuer(self):
180 """
181 Returns the X509Name with the issuer of this CRL.
182 """
183
184 @abc.abstractproperty
185 def next_update(self):
186 """
187 Returns the date of next update for this CRL.
188 """
189
190 @abc.abstractproperty
191 def last_update(self):
192 """
193 Returns the date of last update for this CRL.
194 """
195
196 @abc.abstractproperty
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]197 def extensions(self):
198 """
199 Returns an Extensions object containing a list of CRL extensions.
200 """
201
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]202 @abc.abstractproperty
203 def signature(self):
204 """
205 Returns the signature bytes.
206 """
207
208 @abc.abstractproperty
209 def tbs_certlist_bytes(self):
210 """
211 Returns the tbsCertList payload bytes as defined in RFC 5280.
212 """
213
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]214 @abc.abstractmethod
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]215 def __eq__(self, other):
216 """
217 Checks equality.
218 """
219
220 @abc.abstractmethod
221 def __ne__(self, other):
222 """
223 Checks not equal.
224 """
225
226
227@six.add_metaclass(abc.ABCMeta)
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]228class CertificateSigningRequest(object):
Alex Gaynor935f6ca2015-07-06 21:03:46 -0400[diff] [blame]229 @abc.abstractmethod
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]230 def __eq__(self, other):
231 """
232 Checks equality.
233 """
234
235 @abc.abstractmethod
236 def __ne__(self, other):
237 """
238 Checks not equal.
239 """
240
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]241 @abc.abstractmethod
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]242 def __hash__(self):
243 """
244 Computes a hash.
245 """
246
247 @abc.abstractmethod
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]248 def public_key(self):
249 """
250 Returns the public key
251 """
252
253 @abc.abstractproperty
254 def subject(self):
255 """
256 Returns the subject name object.
257 """
258
259 @abc.abstractproperty
260 def signature_hash_algorithm(self):
261 """
262 Returns a HashAlgorithm corresponding to the type of the digest signed
263 in the certificate.
264 """
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]265
266 @abc.abstractproperty
267 def extensions(self):
268 """
269 Returns the extensions in the signing request.
270 """
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]271
272 @abc.abstractmethod
273 def public_bytes(self, encoding):
274 """
275 Encodes the request to PEM or DER format.
276 """
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]277
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]278 @abc.abstractproperty
279 def signature(self):
280 """
281 Returns the signature bytes.
282 """
283
284 @abc.abstractproperty
285 def tbs_certrequest_bytes(self):
286 """
287 Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
288 2986.
289 """
290
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]291
292@six.add_metaclass(abc.ABCMeta)
293class RevokedCertificate(object):
294 @abc.abstractproperty
295 def serial_number(self):
296 """
297 Returns the serial number of the revoked certificate.
298 """
299
300 @abc.abstractproperty
301 def revocation_date(self):
302 """
303 Returns the date of when this certificate was revoked.
304 """
305
306 @abc.abstractproperty
307 def extensions(self):
308 """
309 Returns an Extensions object containing a list of Revoked extensions.
310 """
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]311
312
313class CertificateSigningRequestBuilder(object):
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]314 def __init__(self, subject_name=None, extensions=[]):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]315 """
316 Creates an empty X.509 certificate request (v1).
317 """
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]318 self._subject_name = subject_name
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]319 self._extensions = extensions
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]320
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]321 def subject_name(self, name):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]322 """
323 Sets the certificate requestor's distinguished name.
324 """
325 if not isinstance(name, Name):
326 raise TypeError('Expecting x509.Name object.')
Ian Cordascod09ec372015-06-17 21:37:51 -0500[diff] [blame]327 if self._subject_name is not None:
328 raise ValueError('The subject name may only be set once.')
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]329 return CertificateSigningRequestBuilder(name, self._extensions)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]330
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]331 def add_extension(self, extension, critical):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]332 """
333 Adds an X.509 extension to the certificate request.
334 """
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]335 if not isinstance(extension, ExtensionType):
336 raise TypeError("extension must be an ExtensionType")
337
338 extension = Extension(extension.oid, critical, extension)
339
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]340 # TODO: This is quadratic in the number of extensions
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]341 for e in self._extensions:
342 if e.oid == extension.oid:
343 raise ValueError('This extension has already been set.')
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]344 return CertificateSigningRequestBuilder(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]345 self._subject_name, self._extensions + [extension]
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]346 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]347
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]348 def sign(self, private_key, algorithm, backend):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]349 """
350 Signs the request using the requestor's private key.
351 """
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]352 if self._subject_name is None:
353 raise ValueError("A CertificateSigningRequest must have a subject")
Andre Carona33ea282015-05-31 16:32:26 -0400[diff] [blame]354 return backend.create_x509_csr(self, private_key, algorithm)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]355
356
357class CertificateBuilder(object):
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]358 def __init__(self, issuer_name=None, subject_name=None,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]359 public_key=None, serial_number=None, not_valid_before=None,
360 not_valid_after=None, extensions=[]):
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]361 self._version = Version.v3
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]362 self._issuer_name = issuer_name
363 self._subject_name = subject_name
364 self._public_key = public_key
365 self._serial_number = serial_number
366 self._not_valid_before = not_valid_before
367 self._not_valid_after = not_valid_after
368 self._extensions = extensions
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]369
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]370 def issuer_name(self, name):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]371 """
372 Sets the CA's distinguished name.
373 """
374 if not isinstance(name, Name):
375 raise TypeError('Expecting x509.Name object.')
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]376 if self._issuer_name is not None:
377 raise ValueError('The issuer name may only be set once.')
378 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]379 name, self._subject_name, self._public_key,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]380 self._serial_number, self._not_valid_before,
381 self._not_valid_after, self._extensions
382 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]383
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]384 def subject_name(self, name):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]385 """
386 Sets the requestor's distinguished name.
387 """
388 if not isinstance(name, Name):
389 raise TypeError('Expecting x509.Name object.')
Ian Cordasco43ae7382015-07-18 23:27:31 -0500[diff] [blame]390 if self._subject_name is not None:
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]391 raise ValueError('The subject name may only be set once.')
392 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]393 self._issuer_name, name, self._public_key,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]394 self._serial_number, self._not_valid_before,
395 self._not_valid_after, self._extensions
396 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]397
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]398 def public_key(self, key):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]399 """
400 Sets the requestor's public key (as found in the signing request).
401 """
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]402 if not isinstance(key, (dsa.DSAPublicKey, rsa.RSAPublicKey,
403 ec.EllipticCurvePublicKey)):
404 raise TypeError('Expecting one of DSAPublicKey, RSAPublicKey,'
405 ' or EllipticCurvePublicKey.')
406 if self._public_key is not None:
407 raise ValueError('The public key may only be set once.')
408 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]409 self._issuer_name, self._subject_name, key,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]410 self._serial_number, self._not_valid_before,
411 self._not_valid_after, self._extensions
412 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]413
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]414 def serial_number(self, number):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]415 """
416 Sets the certificate serial number.
417 """
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]418 if not isinstance(number, six.integer_types):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]419 raise TypeError('Serial number must be of integral type.')
Ian Cordasco43ae7382015-07-18 23:27:31 -0500[diff] [blame]420 if self._serial_number is not None:
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]421 raise ValueError('The serial number may only be set once.')
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]422 if number < 0:
423 raise ValueError('The serial number should be non-negative.')
424 if utils.bit_length(number) > 160: # As defined in RFC 5280
425 raise ValueError('The serial number should not be more than 160 '
426 'bits.')
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]427 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]428 self._issuer_name, self._subject_name,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]429 self._public_key, number, self._not_valid_before,
430 self._not_valid_after, self._extensions
431 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]432
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]433 def not_valid_before(self, time):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]434 """
435 Sets the certificate activation time.
436 """
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]437 if not isinstance(time, datetime.datetime):
438 raise TypeError('Expecting datetime object.')
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]439 if self._not_valid_before is not None:
440 raise ValueError('The not valid before may only be set once.')
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]441 if time <= _UNIX_EPOCH:
442 raise ValueError('The not valid before date must be after the unix'
443 ' epoch (1970 January 1).')
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]444 if self._not_valid_after is not None and time > self._not_valid_after:
445 raise ValueError(
446 'The not valid before date must be before the not valid after '
447 'date.'
448 )
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]449 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]450 self._issuer_name, self._subject_name,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]451 self._public_key, self._serial_number, time,
452 self._not_valid_after, self._extensions
453 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]454
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]455 def not_valid_after(self, time):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]456 """
457 Sets the certificate expiration time.
458 """
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]459 if not isinstance(time, datetime.datetime):
460 raise TypeError('Expecting datetime object.')
Ian Cordasco43ae7382015-07-18 23:27:31 -0500[diff] [blame]461 if self._not_valid_after is not None:
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]462 raise ValueError('The not valid after may only be set once.')
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]463 if time <= _UNIX_EPOCH:
464 raise ValueError('The not valid after date must be after the unix'
465 ' epoch (1970 January 1).')
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]466 if (self._not_valid_before is not None and
467 time < self._not_valid_before):
468 raise ValueError(
469 'The not valid after date must be after the not valid before '
470 'date.'
471 )
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]472 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]473 self._issuer_name, self._subject_name,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]474 self._public_key, self._serial_number, self._not_valid_before,
475 time, self._extensions
476 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]477
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]478 def add_extension(self, extension, critical):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]479 """
480 Adds an X.509 extension to the certificate.
481 """
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]482 if not isinstance(extension, ExtensionType):
483 raise TypeError("extension must be an ExtensionType")
484
485 extension = Extension(extension.oid, critical, extension)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]486
487 # TODO: This is quadratic in the number of extensions
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]488 for e in self._extensions:
489 if e.oid == extension.oid:
490 raise ValueError('This extension has already been set.')
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]491
492 return CertificateBuilder(
Ian Cordascoc5e1c252015-07-31 23:33:35 -0500[diff] [blame]493 self._issuer_name, self._subject_name,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]494 self._public_key, self._serial_number, self._not_valid_before,
495 self._not_valid_after, self._extensions + [extension]
496 )
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]497
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]498 def sign(self, private_key, algorithm, backend):
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]499 """
500 Signs the certificate using the CA's private key.
501 """
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]502 if self._subject_name is None:
503 raise ValueError("A certificate must have a subject name")
504
505 if self._issuer_name is None:
506 raise ValueError("A certificate must have an issuer name")
507
508 if self._serial_number is None:
509 raise ValueError("A certificate must have a serial number")
510
511 if self._not_valid_before is None:
512 raise ValueError("A certificate must have a not valid before time")
513
514 if self._not_valid_after is None:
515 raise ValueError("A certificate must have a not valid after time")
516
517 if self._public_key is None:
518 raise ValueError("A certificate must have a public key")
519
Paul Kehrer1ae76532015-08-06 12:37:10 +0100[diff] [blame]520 return backend.create_x509_certificate(self, private_key, algorithm)
Paul Kehrerbfac2d12015-12-19 23:32:08 -0600[diff] [blame]521
522
523class CertificateRevocationListBuilder(object):
524 def __init__(self, issuer_name=None, last_update=None, next_update=None,
525 extensions=[], revoked_certificates=[]):
526 self._issuer_name = issuer_name
527 self._last_update = last_update
528 self._next_update = next_update
529 self._extensions = extensions
530 self._revoked_certificates = revoked_certificates
531
532 def issuer_name(self, issuer_name):
533 if not isinstance(issuer_name, Name):
534 raise TypeError('Expecting x509.Name object.')
535 if self._issuer_name is not None:
536 raise ValueError('The issuer name may only be set once.')
537 return CertificateRevocationListBuilder(
538 issuer_name, self._last_update, self._next_update,
539 self._extensions, self._revoked_certificates
540 )
541
542 def last_update(self, last_update):
543 if not isinstance(last_update, datetime.datetime):
544 raise TypeError('Expecting datetime object.')
545 if self._last_update is not None:
546 raise ValueError('Last update may only be set once.')
547 if last_update <= _UNIX_EPOCH:
548 raise ValueError('The last update date must be after the unix'
549 ' epoch (1970 January 1).')
550 if self._next_update is not None and last_update > self._next_update:
551 raise ValueError(
552 'The last update date must be before the next update date.'
553 )
554 return CertificateRevocationListBuilder(
555 self._issuer_name, last_update, self._next_update,
556 self._extensions, self._revoked_certificates
557 )
558
559 def next_update(self, next_update):
560 if not isinstance(next_update, datetime.datetime):
561 raise TypeError('Expecting datetime object.')
562 if self._next_update is not None:
563 raise ValueError('Last update may only be set once.')
564 if next_update <= _UNIX_EPOCH:
565 raise ValueError('The last update date must be after the unix'
566 ' epoch (1970 January 1).')
567 if self._last_update is not None and next_update < self._last_update:
568 raise ValueError(
569 'The next update date must be after the last update date.'
570 )
571 return CertificateRevocationListBuilder(
572 self._issuer_name, self._last_update, next_update,
573 self._extensions, self._revoked_certificates
574 )
575
Paul Kehrer426b48d2015-12-24 20:50:43 -0600[diff] [blame]576 def add_extension(self, extension, critical):
577 """
578 Adds an X.509 extension to the certificate revocation list.
579 """
580 if not isinstance(extension, ExtensionType):
581 raise TypeError("extension must be an ExtensionType")
582
583 extension = Extension(extension.oid, critical, extension)
584
585 # TODO: This is quadratic in the number of extensions
586 for e in self._extensions:
587 if e.oid == extension.oid:
588 raise ValueError('This extension has already been set.')
589 return CertificateRevocationListBuilder(
590 self._issuer_name, self._last_update, self._next_update,
591 self._extensions + [extension], self._revoked_certificates
592 )
593
Paul Kehrerbfac2d12015-12-19 23:32:08 -0600[diff] [blame]594 def sign(self, private_key, algorithm, backend):
595 if self._issuer_name is None:
596 raise ValueError("A CRL must have an issuer name")
597
598 if self._last_update is None:
599 raise ValueError("A CRL must have a last update time")
600
601 if self._next_update is None:
602 raise ValueError("A CRL must have a next update time")
603
604 return backend.create_x509_crl(self, private_key, algorithm)
Paul Kehrerc33ffd72015-12-25 10:59:22 -0600[diff] [blame]605
606
607class RevokedCertificateBuilder(object):
608 def __init__(self, serial_number=None, revocation_date=None,
609 extensions=[]):
610 self._serial_number = serial_number
611 self._revocation_date = revocation_date
612 self._extensions = extensions
613
614 def serial_number(self, number):
615 if not isinstance(number, six.integer_types):
616 raise TypeError('Serial number must be of integral type.')
617 if self._serial_number is not None:
618 raise ValueError('The serial number may only be set once.')
619 if number < 0:
620 raise ValueError('The serial number should be non-negative.')
621 if utils.bit_length(number) > 160: # As defined in RFC 5280
622 raise ValueError('The serial number should not be more than 160 '
623 'bits.')
624 return RevokedCertificateBuilder(
625 number, self._revocation_date, self._extensions
626 )
627
628 def revocation_date(self, time):
629 if not isinstance(time, datetime.datetime):
630 raise TypeError('Expecting datetime object.')
631 if self._revocation_date is not None:
632 raise ValueError('The revocation date may only be set once.')
633 if time <= _UNIX_EPOCH:
634 raise ValueError('The revocation date must be after the unix'
635 ' epoch (1970 January 1).')
636 return RevokedCertificateBuilder(
637 self._serial_number, time, self._extensions
638 )
639
640 def build(self, backend):
641 if self._serial_number is None:
642 raise ValueError("A revoked certificate must have a serial number")
643 if self._revocation_date is None:
644 raise ValueError(
645 "A revoked certificate must have a revocation date"
646 )
647
648 return backend.create_x509_revoked_certificate(self)