Merge pull request #1954 from reaperhulk/inhibitanypolicy

InhibitAnyPolicy class

docs/x509.rst

@@ -1009,6 +1009,24 @@ X.509 Extensions
         removed from the CRL. This reason cannot be used as a reason flag
         in a :class:`DistributionPoint`.
 
+.. class:: InhibitAnyPolicy
+
+    .. versionadded:: 1.0
+
+    The inhibit ``anyPolicy`` extension indicates that the special OID
+    :data:`OID_ANY_POLICY`, is not considered an explicit match for other
+    :class:`CertificatePolicies` except when it appears in an intermediate
+    self-issued CA certificate.  The value indicates the number of additional
+    non-self-issued certificates that may appear in the path before
+    :data:`OID_ANY_POLICY` is no longer permitted.  For example, a value
+    of one indicates that :data:`OID_ANY_POLICY` may be processed in
+    certificates issued by the subject of this certificate, but not in
+    additional certificates in the path.
+
+    .. attribute:: skip_certs
+
+        :type: int
+
 .. class:: CertificatePolicies
 
     .. versionadded:: 0.9
@@ -1300,6 +1318,10 @@ Policy Qualifier OIDs
 
     Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``.
 
+.. data:: OID_ANY_POLICY
+
+    Corresponds to the dotted string ``"2.5.29.32.0"``.
+
 .. _extension_oids:
 
 Extension OIDs

src/cryptography/x509.py

@@ -791,6 +791,31 @@ class ReasonFlags(Enum):
     remove_from_crl = "removeFromCRL"
 
 
+class InhibitAnyPolicy(object):
+    def __init__(self, skip_certs):
+        if not isinstance(skip_certs, six.integer_types):
+            raise TypeError("skip_certs must be an integer")
+
+        if skip_certs < 0:
+            raise ValueError("skip_certs must be a non-negative integer")
+
+        self._skip_certs = skip_certs
+
+    def __repr__(self):
+        return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self)
+
+    def __eq__(self, other):
+        if not isinstance(other, InhibitAnyPolicy):
+            return NotImplemented
+
+        return self.skip_certs == other.skip_certs
+
+    def __ne__(self, other):
+        return not self == other
+
+    skip_certs = utils.read_only_property("_skip_certs")
+
+
 @six.add_metaclass(abc.ABCMeta)
 class GeneralName(object):
     @abc.abstractproperty
@@ -1122,6 +1147,7 @@ OID_OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
 
 OID_CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
 OID_CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
+OID_ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
 
 
 @six.add_metaclass(abc.ABCMeta)

tests/test_x509_ext.py

@@ -2327,3 +2327,28 @@ class TestCRLDistributionPointsExtension(object):
                 )],
             )
         ])
+
+
+class TestInhibitAnyPolicy(object):
+    def test_not_int(self):
+        with pytest.raises(TypeError):
+            x509.InhibitAnyPolicy("notint")
+
+    def test_negative_int(self):
+        with pytest.raises(ValueError):
+            x509.InhibitAnyPolicy(-1)
+
+    def test_repr(self):
+        iap = x509.InhibitAnyPolicy(0)
+        assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
+
+    def test_eq(self):
+        iap = x509.InhibitAnyPolicy(1)
+        iap2 = x509.InhibitAnyPolicy(1)
+        assert iap == iap2
+
+    def test_ne(self):
+        iap = x509.InhibitAnyPolicy(1)
+        iap2 = x509.InhibitAnyPolicy(4)
+        assert iap != iap2
+        assert iap != object()