From f6ee2a5106477691486abd4712b5fdf8c2e4fc0f Mon Sep 17 00:00:00 2001 From: Brian Sipos Date: Fri, 13 Dec 2024 14:17:50 -0500 Subject: [PATCH] Add RFC9174 OIDs (#12143) * Add BUNDLE_SECURITY EKU * Adding Other Name Form OIDs * Adding public access to OtherNameFormOID * Sorting names for lint * Sort imports * Fix format * Adding OID docs * Add specific next version --- docs/x509/reference.rst | 76 ++++++++++++++++++++++++++++++++- src/cryptography/hazmat/_oid.py | 11 +++++ src/cryptography/x509/oid.py | 2 + 3 files changed, 88 insertions(+), 1 deletion(-) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index a9f655085bb6..1297189d51f9 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -3737,7 +3737,17 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.17"``. This is used to denote that a certificate may be assigned to an IPSEC SA, and can be used by the assignee to initiate an IPSec Internet Key - Exchange. For more information see :rfc:`4945`. + Exchange (IKE). For more information see :rfc:`4945`. + + .. attribute:: BUNDLE_SECURITY + + .. versionadded:: 45.0.0 + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.35"``. This + is used to denote that a certificate is used by a Bundle Protocol + Node to secure data either in transit (e.g. via TLS/TCPCL) or at + rest (e.g. via BPSec). + For more information see :rfc:`9172` and :rfc:`9174`. .. attribute:: CERTIFICATE_TRANSPARENCY 
@@ -3749,6 +3759,70 @@ instances. The following common OIDs are available as constants. purposes. For more information see :rfc:`6962`. +.. class:: OtherNameFormOID + :canonical: cryptography.hazmat._oid.OtherNameFormOID + + .. versionadded:: 45.0.0 + + .. attribute:: PERMANENT_IDENTIFIER + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.3"``. + This is used to correlate multiple certificates which relate to + the same entity, as identified by this Other Name value. + The Other Name value is encoded as sequence of optional + UTF-8 value and optional OID assigner. + For more information see :rfc:`4043`. + + .. attribute:: HW_MODULE_NAME + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.4"``. + This is used to identify hardware module components when + protecting firmware packages. + The Other Name value is encoded as sequence of OID hardware-type + and octet-string serial number. + For more information see :rfc:`4108`. + + .. attribute:: DNS_SRV + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.7"``. + This is used to identify service names using qualified DNS name + of the form ``_Service.Name``. + The Other Name value is encoded as IA5 text. + For more information see :rfc:`4985`. + + .. attribute:: NAI_REALM + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.8"``. + This is used to identify realms for RADIUS dynamic peer discovery + using Network Access Identifier (NAI) values. + The Other Name value is encoded as UTF-8 text. + For more information see :rfc:`7585`. + + .. attribute:: SMTP_UTF8_MAILBOX + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.9"``. + This is used to identify an internationalized email address associated + with an entity. + The Other Name value is encoded as UTF-8 text. + For more information see :rfc:`9598`. + + .. attribute:: ACP_NODE_NAME + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.10"``. + This is used to identify a single node within an + Autonomic Control Plane (ACP). 
+ The Other Name value is encoded as IA5 text. + For more information see :rfc:`8994`. + + .. attribute:: BUNDLE_EID + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.11"``. + This is used to contain the text form of an endpoint identifier (EID) + for the Bundle Protocol Version 7. + The Other Name value is encoded as IA5 text. + For more information see :rfc:`9171` and :rfc:`9174`. + + .. class:: AuthorityInformationAccessOID :canonical: cryptography.hazmat._oid.AuthorityInformationAccessOID diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index 8bd240d099a9..ff7be38b6911 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -177,9 +177,20 @@ class ExtendedKeyUsageOID: SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2") KERBEROS_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5") IPSEC_IKE = ObjectIdentifier("1.3.6.1.5.5.7.3.17") + BUNDLE_SECURITY = ObjectIdentifier("1.3.6.1.5.5.7.3.35") CERTIFICATE_TRANSPARENCY = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4") +class OtherNameFormOID: + PERMANENT_IDENTIFIER = ObjectIdentifier("1.3.6.1.5.5.7.8.3") + HW_MODULE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.4") + DNS_SRV = ObjectIdentifier("1.3.6.1.5.5.7.8.7") + NAI_REALM = ObjectIdentifier("1.3.6.1.5.5.7.8.8") + SMTP_UTF8_MAILBOX = ObjectIdentifier("1.3.6.1.5.5.7.8.9") + ACP_NODE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.10") + BUNDLE_EID = ObjectIdentifier("1.3.6.1.5.5.7.8.11") + + class AuthorityInformationAccessOID: CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2") OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1") diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index d4e409e0a2a0..520fc7ab018c 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -14,6 +14,7 @@ NameOID, ObjectIdentifier, OCSPExtensionOID, + OtherNameFormOID, PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, 
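Review bot: The new `OtherNameFormOID` class in `_oid.py` carries no comment saying that the `OtherName.value` paired with each of these type-ids is DER whose ASN.1 type differs per OID — the .rst hunk spells it out (UTF8String for NAI_REALM and SMTP_UTF8_MAILBOX, IA5String for DNS_SRV, ACP_NODE_NAME and BUNDLE_EID, a SEQUENCE for PERMANENT_IDENTIFIER and HW_MODULE_NAME), but a reader of the constants module sees only dotted strings and may be tempted to treat the raw value bytes as a comparable name. I would add, above the first attribute: `# OtherName type-ids from the PKIX id-on arc (1.3.6.1.5.5.7.8). The matching OtherName.value is DER whose type depends on the OID (UTF8String, IA5String or a SEQUENCE) and is not decoded or validated here.` If this module keeps a name lookup table used for `ObjectIdentifier` reprs (not visible in this hunk, and the diffstat shows no other change to the file), the eight new OIDs would also want entries there so they do not print as bare dotted strings. For PERMANENT_IDENTIFIER in particular, RFC 4043 scopes identifierValue to the optional assigner, so equal identifier strings under different assigners name different entities — worth one sentence in that attribute's documentation as well.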
@@ -29,6 +30,7 @@ "NameOID", "OCSPExtensionOID", "ObjectIdentifier", + "OtherNameFormOID", "PublicKeyAlgorithmOID", "SignatureAlgorithmOID", "SubjectInformationAccessOID",