From b89f0dac49d092202cbbf1f8f5fd7a123a0022cb Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 09:26:10 -0500
Subject: [PATCH 1/8] Add BUNDLE_SECURITY EKU
---
 src/cryptography/hazmat/_oid.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index 8bd240d099a9..1e401f8947ce 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
@@ -177,6 +177,7 @@ class ExtendedKeyUsageOID:
     SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
     KERBEROS_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5")
     IPSEC_IKE = ObjectIdentifier("1.3.6.1.5.5.7.3.17")
+    BUNDLE_SECURITY = ObjectIdentifier("1.3.6.1.5.5.7.3.35")
     CERTIFICATE_TRANSPARENCY = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
From 10eae3c6db28863619f3e0312151fa9165c23eac Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 09:33:55 -0500
Subject: [PATCH 2/8] Adding Other Name Form OIDs
---
 src/cryptography/hazmat/_oid.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index 1e401f8947ce..4ce1720c3514 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
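Review bot: `BUNDLE_SECURITY` is added to `ExtendedKeyUsageOID` without a matching entry in the module's `_OID_NAMES` table, which lies outside this hunk and is what `ObjectIdentifier._name` (and hence `repr()`) reads, so the new OID would presumably render with the unknown-OID fallback name; the nine `OtherNameFormOID` constants in the next commit have the same gap. Suggest adding `ExtendedKeyUsageOID.BUNDLE_SECURITY: "bundleSecurity",` alongside the existing EKU entries, plus one entry per `OtherNameFormOID` constant. The dotted value `1.3.6.1.5.5.7.3.35` agrees with id-kp-bundleSecurity as registered by RFC 9174; because EKU enforcement compares OIDs by exact value, a wrong arc here would make a purpose check silently never match, so a test pinning `ExtendedKeyUsageOID.BUNDLE_SECURITY.dotted_string == "1.3.6.1.5.5.7.3.35"` is worth adding since no diffstat in this series touches `tests/`.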
@@ -180,6 +180,16 @@ class ExtendedKeyUsageOID:
     BUNDLE_SECURITY = ObjectIdentifier("1.3.6.1.5.5.7.3.35")
     CERTIFICATE_TRANSPARENCY = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
+class OtherNameFormOID:
+    PERMANENT_IDENTIFIER = ObjectIdentifier("1.3.6.1.5.5.7.8.3")
+    HW_MODULE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.4")
+    XMPP_ADDR = ObjectIdentifier("1.3.6.1.5.5.7.8.5")
+    SIM = ObjectIdentifier("1.3.6.1.5.5.7.8.6")
+    DNS_SRV = ObjectIdentifier("1.3.6.1.5.5.7.8.7")
+    NAI_REALM = ObjectIdentifier("1.3.6.1.5.5.7.8.8")
+    SMTP_UTF8_MAILBOX = ObjectIdentifier("1.3.6.1.5.5.7.8.9")
+    ACP_NODE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.10")
+    BUNDLE_EID = ObjectIdentifier("1.3.6.1.5.5.7.8.11")
 class AuthorityInformationAccessOID:
     CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
From 8398313eb30c11fb54e3a4940d9ccd1a9d9d5e07 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 09:57:17 -0500
Subject: [PATCH 3/8] Adding public access to OtherNameFormOID
---
 src/cryptography/x509/oid.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index d4e409e0a2a0..70342c51e8c8 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -10,6 +10,7 @@
     CertificatePoliciesOID,
     CRLEntryExtensionOID,
     ExtendedKeyUsageOID,
+    OtherNameFormOID,
     ExtensionOID,
     NameOID,
     ObjectIdentifier,
@@ -25,6 +26,7 @@
     "CRLEntryExtensionOID",
     "CertificatePoliciesOID",
     "ExtendedKeyUsageOID",
+    "OtherNameFormOID",
     "ExtensionOID",
     "NameOID",
     "OCSPExtensionOID",
From 7375b7cdf240424549f21d56314ac1d71aeee0e8 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 10:01:34 -0500
Subject: [PATCH 4/8] Sorting names for lint
---
 src/cryptography/x509/oid.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 70342c51e8c8..f9471b6ff0e0 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
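Review bot: The new `OtherNameFormOID` class becomes public API in commit 3/8, yet no diffstat in the series touches `tests/`, so nothing pins these nine dotted strings; a caller matching `OtherName.type_id` against one of them compares by exact value, so a transposed arc would simply never match and no error would surface. Suggest a parametrized test asserting each constant, e.g. `assert OtherNameFormOID.BUNDLE_EID.dotted_string == "1.3.6.1.5.5.7.8.11"`. The values shown agree with the id-on assignments in RFC 4043 (`.8.3`), RFC 4108 (`.8.4`), RFC 4985 (`.8.7`), RFC 7585 (`.8.8`), RFC 8994 (`.8.10`) and RFC 9174 (`.8.11`).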
@@ -10,11 +10,11 @@
     CertificatePoliciesOID,
     CRLEntryExtensionOID,
     ExtendedKeyUsageOID,
-    OtherNameFormOID,
     ExtensionOID,
     NameOID,
-    ObjectIdentifier,
     OCSPExtensionOID,
+    ObjectIdentifier,
+    OtherNameFormOID,
     PublicKeyAlgorithmOID,
     SignatureAlgorithmOID,
     SubjectInformationAccessOID,
@@ -26,11 +26,11 @@
     "CRLEntryExtensionOID",
     "CertificatePoliciesOID",
     "ExtendedKeyUsageOID",
-    "OtherNameFormOID",
     "ExtensionOID",
     "NameOID",
     "OCSPExtensionOID",
     "ObjectIdentifier",
+    "OtherNameFormOID",
     "PublicKeyAlgorithmOID",
     "SignatureAlgorithmOID",
     "SubjectInformationAccessOID",
From 163929104e73b910faa1873d39e7d77c9773c728 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 10:04:43 -0500
Subject: [PATCH 5/8] Sort imports
---
 src/cryptography/x509/oid.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index f9471b6ff0e0..520fc7ab018c 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -12,8 +12,8 @@
     ExtendedKeyUsageOID,
     ExtensionOID,
     NameOID,
-    OCSPExtensionOID,
     ObjectIdentifier,
+    OCSPExtensionOID,
     OtherNameFormOID,
     PublicKeyAlgorithmOID,
     SignatureAlgorithmOID,
From 298140b980d8afc6108434b2727dc4df8fe55ca3 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 11:21:48 -0500
Subject: [PATCH 6/8] Fix format
---
 src/cryptography/hazmat/_oid.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index 4ce1720c3514..b5baab8a1d88 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
@@ -180,6 +180,7 @@ class ExtendedKeyUsageOID:
     BUNDLE_SECURITY = ObjectIdentifier("1.3.6.1.5.5.7.3.35")
     CERTIFICATE_TRANSPARENCY = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
+
 class OtherNameFormOID:
     PERMANENT_IDENTIFIER = ObjectIdentifier("1.3.6.1.5.5.7.8.3")
     HW_MODULE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.4")
@@ -191,6 +192,7 @@ class OtherNameFormOID:
     ACP_NODE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.10")
     BUNDLE_EID = ObjectIdentifier("1.3.6.1.5.5.7.8.11")
+
 class AuthorityInformationAccessOID:
     CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
     OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
From 2d421b1e6e2e6d41322aeff80aa1ecbe1263bb50 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 12:28:42 -0500
Subject: [PATCH 7/8] Adding OID docs
---
 docs/x509/reference.rst | 76 ++++++++++++++++++++++++++++++++-
 src/cryptography/hazmat/_oid.py | 2 -
 2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index a9f655085bb6..47dd8d2c0346 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -3737,7 +3737,17 @@ instances. The following common OIDs are available as constants.
         Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.17"``. This is used to denote that a certificate may be assigned to an IPSEC SA, and can be used by the assignee to initiate an IPSec Internet Key
-        Exchange. For more information see :rfc:`4945`.
+        Exchange (IKE). For more information see :rfc:`4945`.
+
+    .. attribute:: BUNDLE_SECURITY
+
+        .. versionadded:: TBD
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.35"``. This
+        is used to denote that a certificate is used by a Bundle Protocol
+        Node to secure data either in transit (e.g. via TLS/TCPCL) or at
+        rest (e.g. via BPSec).
+        For more information see :rfc:`9172` and :rfc:`9174`.
     .. attribute:: CERTIFICATE_TRANSPARENCY
@@ -3749,6 +3759,70 @@ instances. The following common OIDs are available as constants.
         purposes. For more information see :rfc:`6962`.
+.. class:: OtherNameFormOID
+    :canonical: cryptography.hazmat._oid.OtherNameFormOID
+
+    .. versionadded:: TBD
+
+    .. attribute:: PERMANENT_IDENTIFIER
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.3"``.
+        This is used to correlate multiple certificates which relate to
+        the same entity, as identified by this Other Name value.
+        The Other Name value is encoded as sequence of optional
+        UTF-8 value and optional OID assigner.
+        For more information see :rfc:`4043`.
+
+    .. attribute:: HW_MODULE_NAME
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.4"``.
+        This is used to identify hardware module components when
+        protecting firmware packages.
+        The Other Name value is encoded as sequence of OID hardware-type
+        and octet-string serial number.
+        For more information see :rfc:`4108`.
+
+    .. attribute:: DNS_SRV
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.7"``.
+        This is used to identify service names using qualified DNS name
+        of the form ``_Service.Name``.
+        The Other Name value is encoded as IA5 text.
+        For more information see :rfc:`4985`.
+
+    .. attribute:: NAI_REALM
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.8"``.
+        This is used to identify realms for RADIUS dynamic peer discovery
+        using Network Access Identifier (NAI) values.
+        The Other Name value is encoded as UTF-8 text.
+        For more information see :rfc:`7585`.
+
+    .. attribute:: SMTP_UTF8_MAILBOX
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.9"``.
+        This is used to identify an internationalized email address associated
+        with an entity.
+        The Other Name value is encoded as UTF-8 text.
+        For more information see :rfc:`9598`.
+
+    .. attribute:: ACP_NODE_NAME
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.10"``.
+        This is used to identify a single node within an
+        Autonomic Control Plane (ACP).
+        The Other Name value is encoded as IA5 text.
+        For more information see :rfc:`8994`.
+
+    .. attribute:: BUNDLE_EID
+
+        Corresponds to the dotted string ``"1.3.6.1.5.5.7.8.11"``.
+        This is used to contain the text form of an endpoint identifier (EID)
+        for the Bundle Protocol Version 7.
+        The Other Name value is encoded as IA5 text.
+        For more information see :rfc:`9171` and :rfc:`9174`.
+
+
 .. class:: AuthorityInformationAccessOID
     :canonical: cryptography.hazmat._oid.AuthorityInformationAccessOID
diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index b5baab8a1d88..ff7be38b6911 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
@@ -184,8 +184,6 @@ class ExtendedKeyUsageOID:
 class OtherNameFormOID:
     PERMANENT_IDENTIFIER = ObjectIdentifier("1.3.6.1.5.5.7.8.3")
     HW_MODULE_NAME = ObjectIdentifier("1.3.6.1.5.5.7.8.4")
-    XMPP_ADDR = ObjectIdentifier("1.3.6.1.5.5.7.8.5")
-    SIM = ObjectIdentifier("1.3.6.1.5.5.7.8.6")
     DNS_SRV = ObjectIdentifier("1.3.6.1.5.5.7.8.7")
     NAI_REALM = ObjectIdentifier("1.3.6.1.5.5.7.8.8")
     SMTP_UTF8_MAILBOX = ObjectIdentifier("1.3.6.1.5.5.7.8.9")
From c8281848b74221cad8b8292589e8a9caa310fa1b Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 13 Dec 2024 13:58:58 -0500
Subject: [PATCH 8/8] Add specific next version
---
 docs/x509/reference.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 47dd8d2c0346..1297189d51f9 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -3741,7 +3741,7 @@ instances. The following common OIDs are available as constants.
     .. attribute:: BUNDLE_SECURITY
-        .. versionadded:: TBD
+        .. versionadded:: 45.0.0
         Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.35"``. This
         is used to denote that a certificate is used by a Bundle Protocol
@@ -3762,7 +3762,7 @@ instances. The following common OIDs are available as constants.
 .. class:: OtherNameFormOID
     :canonical: cryptography.hazmat._oid.OtherNameFormOID
-    .. versionadded:: TBD
+    .. versionadded:: 45.0.0
     .. attribute:: PERMANENT_IDENTIFIER