Support x509 Certificate, CSR, and CRL types in declarative ASN.1 API #14959
Merged
These three X.509 types can now be used as field types in asn1.sequence and asn1.set classes (and as top-level types for encode_der/decode_der). They are encoded by embedding their DER serialization, and decoded by parsing the field with the existing X.509 loaders. Fixes #14893 https://claude.ai/code/session_01TjVKLCXEtSPCRnAjTDYRtn
Decoding now reads a TLV and passes its full data to the existing load_der_x509_* loaders instead of doing a full parse first. As a consequence, IMPLICIT annotations are now rejected for X.509 field types at class definition time (the original tag cannot be recovered from an implicitly-tagged TLV), matching the existing TLV behavior. https://claude.ai/code/session_01TjVKLCXEtSPCRnAjTDYRtn
The all-green CI job enforces 100% combined coverage; this covers the error propagation when reading an X.509 field's TLV fails (empty input) and the short-form branch of the _der_length test helper. https://claude.ai/code/session_01TjVKLCXEtSPCRnAjTDYRtn
reaperhulk
previously approved these changes
Jun 7, 2026
…-CqYD8 # Conflicts: # CHANGELOG.rst
reaperhulk
approved these changes
Jun 7, 2026
Fixes #14893
x509.Certificate, x509.CertificateSigningRequest, and x509.CertificateRevocationList can now be used as field types in asn1.sequence/asn1.set classes (and as top-level types for encode_der/decode_der), implemented as a special case for these three types in the ASN.1 code:
- EXPLICIT tagging supported).
- load_der_x509_* loaders, so the usual validation (version checks, CRL inner/outer signature algorithm match) applies.
- IMPLICIT annotations are rejected at class definition time (the original tag can't be recovered from an implicitly-tagged TLV), matching the existing TLV behavior.
- OPTIONAL and CHOICE (tag-matched as SEQUENCE).

https://claude.ai/code/session_01TjVKLCXEtSPCRnAjTDYRtn
Generated by Claude Code
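The IMPLICIT rejection described in this PR follows from how the two tagging modes treat the original TLV: EXPLICIT wraps it whole, IMPLICIT overwrites its tag. The sketch below is an added example, not code from the PR or from the cryptography project; all helper names are hypothetical, the sample bytes are constructed, and only single-byte tags (numbers below 31) are handled.

```python
# Added illustration; helper names are hypothetical, not the cryptography API.

def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(data: bytes) -> tuple[int, bytes, bytes, bytes]:
    """Return (tag, value, full_tlv, rest) for the first single-byte-tag TLV."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, first = data[0], data[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("indefinite or truncated length")
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if len(data) < hdr + length:
        raise ValueError("truncated value")
    return tag, data[hdr:hdr + length], data[:hdr + length], data[hdr + length:]

def explicit(n: int, inner: bytes) -> bytes:
    """[n] EXPLICIT: wrap the complete inner TLV in a constructed context tag."""
    return bytes([0xA0 | n]) + der_length(len(inner)) + inner

def implicit(n: int, inner: bytes) -> bytes:
    """[n] IMPLICIT: replace the inner tag, keeping only its constructed bit."""
    tag, value, _, _ = read_tlv(inner)
    return bytes([0x80 | (tag & 0x20) | n]) + der_length(len(value)) + value

# Constructed sample: a SEQUENCE and a SET with identical contents (INTEGER 1).
CONTENT = bytes([0x02, 0x01, 0x01])
AS_SEQUENCE = bytes([0x30]) + der_length(len(CONTENT)) + CONTENT
AS_SET = bytes([0x31]) + der_length(len(CONTENT)) + CONTENT

def recover_explicit(field: bytes) -> bytes:
    """The value of an EXPLICIT field is the untouched original TLV."""
    return read_tlv(field)[1]
```

The SEQUENCE and the SET encode to the same bytes under `implicit`, so a decoder handed only that field cannot tell which original tag to restore, while `recover_explicit` returns the original TLV byte for byte.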