author: Paul Kehrer <paul.l.kehrer@gmail.com> 2020-07-02 00:13:33 -0500
committer: GitHub <noreply@github.com> 2020-07-02 01:13:33 -0400
commit: 13fae162da9637009c3f21080e7d2fdbdffe8f36
tree: 2cddfb049b16a02afd333215a2833506c35d5fbe /docs
parent: 63d337e5cc01c026e16b51a1c0b7aba40d9108ef
add SubjectInformationAccess extension support (#5295)
* add SubjectInformationAccess extension support
* fixes
Diffstat (limited to 'docs')
-rw-r--r-- docs/development/test-vectors.rst | 3
-rw-r--r-- docs/x509/reference.rst | 55
2 files changed, 55 insertions, 3 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 9fca681b2..4573e2172 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -401,6 +401,9 @@ Custom X.509 Vectors
a ``policyConstraints`` extension with a ``requireExplicitPolicy`` value.
* ``freshestcrl.pem`` - A self-signed certificate containing a ``freshestCRL``
extension.
+* ``sia.pem`` - An RSA 2048 bit self-signed certificate containing a subject
+ information access extension with both a CA repository entry and a custom
+ OID entry.
* ``ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` set to
true. Its private key is ``ca/ca_key.pem``. This certificate is encoded in
several of the PKCS12 custom vectors.
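Review bot: the new ``sia.pem`` entry says the certificate carries "a custom OID entry" but does not name the OID or the access location used, so someone reading a failing test cannot tell what value to expect. Suggest stating the dotted string of the custom OID in the entry, and the CA repository location as well.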
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index fac2a3513..25f404991 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -2146,6 +2146,29 @@ X.509 Extensions
:attr:`~cryptography.x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS`.
+.. class:: SubjectInformationAccess(descriptions)
+
+ .. versionadded:: 3.0
+
+ The subject information access extension indicates how to access
+ information and services for the subject of the certificate in which
+ the extension appears. When the subject is a CA, information and
+ services may include certificate validation services and CA policy
+ data. When the subject is an end entity, the information describes
+ the type of services offered and how to access them. It is an iterable,
+ containing one or more :class:`~cryptography.x509.AccessDescription`
+ instances.
+
+ :param list descriptions: A list of :class:`AccessDescription` objects.
+
+ .. attribute:: oid
+
+ :type: :class:`ObjectIdentifier`
+
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.SUBJECT_INFORMATION_ACCESS`.
+
+
.. class:: AccessDescription(access_method, access_location)
.. versionadded:: 0.9
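Review bot: in the ``SubjectInformationAccess`` description, "containing one or more" ``AccessDescription`` instances is not matched by the ``:param list descriptions:`` line, which does not say what happens with an empty list or with items that are not ``AccessDescription`` objects. Suggest documenting the accepted input and any exception raised, and linking ``SubjectInformationAccessOID`` from the class text so the expected access methods are easy to find.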
@@ -2155,16 +2178,23 @@ X.509 Extensions
:type: :class:`ObjectIdentifier`
The access method defines what the ``access_location`` means. It must
- be either
+ be
:attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP` or
- :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`.
+ :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`
+ when used with :class:`~cryptography.x509.AuthorityInformationAccess`
+ or
+ :attr:`~cryptography.x509.oid.SubjectInformationAccessOID.CA_REPOSITORY`
+ when used with :class:`~cryptography.x509.SubjectInformationAccess`.
+
If it is
:attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP`
the access location will be where to obtain OCSP
information for the certificate. If it is
:attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`
the access location will provide additional information about the
- issuing certificate.
+ issuing certificate. Finally, if it is
+ :attr:`~cryptography.x509.oid.SubjectInformationAccessOID.CA_REPOSITORY`
+ the access location will be the location of the CA's repository.
.. attribute:: access_location
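Review bot: the rewritten ``access_method`` sentence still says "It must be" one of ``OCSP``, ``CA_ISSUERS`` or ``CA_REPOSITORY``, yet the ``sia.pem`` vector added in test-vectors.rst contains a subject information access extension with a custom OID entry, so the "must" reads as a constraint the vector itself does not meet. Suggest saying these are the defined constants and stating whether other ``ObjectIdentifier`` values are accepted; the "or ... or ..." chain would also read more clearly as two sentences, one per extension.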
@@ -2973,6 +3003,17 @@ instances. The following common OIDs are available as constants.
:class:`~cryptography.x509.AccessDescription` objects.
+.. class:: SubjectInformationAccessOID
+
+ .. versionadded:: 3.0
+
+ .. attribute:: CA_REPOSITORY
+
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.5"``. Used as the
+ identifier for CA repository data in
+ :class:`~cryptography.x509.AccessDescription` objects.
+
+
.. class:: CertificatePoliciesOID
.. versionadded:: 1.0
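Review bot: ``SubjectInformationAccessOID`` documents only ``CA_REPOSITORY``, while the ``SubjectInformationAccess`` text added in the earlier hunk also describes the end-entity case ("the type of services offered and how to access them"). Suggest a sentence saying which access method callers should use for an end-entity subject, or that they must build their own ``ObjectIdentifier`` for it.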
@@ -3050,6 +3091,14 @@ instances. The following common OIDs are available as constants.
for the :class:`~cryptography.x509.AuthorityInformationAccess` extension
type.
+ .. attribute:: SUBJECT_INFORMATION_ACCESS
+
+ .. versionadded:: 3.0
+
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.11"``. The
+ identifier for the :class:`~cryptography.x509.SubjectInformationAccess`
+ extension type.
+
.. attribute:: INHIBIT_ANY_POLICY
Corresponds to the dotted string ``"2.5.29.54"``. The identifier