randombit · arckoor · Jul 16, 2025 · Aug 22, 2025 · Sep 3, 2025 · Sep 3, 2025
diff --git a/.gitignore b/.gitignore
@@ -37,6 +37,7 @@ vgcore.*
 /*.sublime-project
 /*.sublime-workspace
 /.editorconfig
+/.vscode
 
 # Archive files
 *.tgz

diff --git a/configure.py b/configure.py
@@ -41,8 +41,8 @@ class InternalError(Exception):
     pass
 
 
-def flatten(l):
-    return sum(l, [])
+def flatten(lst):
+    return sum(lst, [])
 
 def normalize_source_path(source):
     """
@@ -1586,7 +1586,7 @@ def cc_compile_flags(self, options):
     def _so_link_search(osname, debug_info):
         so_link_typ = [osname, 'default']
         if debug_info:
-            so_link_typ = [l + '-debug' for l in so_link_typ] + so_link_typ
+            so_link_typ = [link + '-debug' for link in so_link_typ] + so_link_typ
         return so_link_typ
 
     def so_link_command_for(self, osname, options):
@@ -3408,7 +3408,7 @@ def run_compiler_preproc(options, ccinfo, source_file, default_return, extra_fla
     cc_output = run_compiler(options, ccinfo, default_return, ccinfo.preproc_flags.split(' ') + extra_flags + [source_file])
 
     def cleanup_output(output):
-        return ('\n'.join([l for l in output.splitlines() if l.startswith('#') is False])).strip()
+        return ('\n'.join([line for line in output.splitlines() if not line.startswith('#')])).strip()
 
     return cleanup_output(cc_output)
 

diff --git a/doc/api_ref/ffi.rst b/doc/api_ref/ffi.rst
diff --git a/doc/api_ref/python.rst b/doc/api_ref/python.rst
@@ -561,6 +561,14 @@ Multiple Precision Integers (MPI)
    Most of the usual arithmetic operators (``__add__``, ``__mul__``, etc) are
    defined.
 
+   .. py:classmethod:: from_bytes(buf)
+
+       Create a new MPI object from the big-endian binary encoding produced by ``to_bytes()``.
+
+   .. py:method::  to_bytes()
+
+      Return a big-endian binary encoding of the number.
+
    .. py:method:: inverse_mod(modulus)
 
       Return the inverse of ``self`` modulo ``modulus``, or zero if no inverse exists
@@ -715,6 +723,147 @@ HOTP
       in. If the code did verify and resync_range was zero, then the
       next counter will always be counter+1.
 
+X509CertificateBuilder
+-----------------------------------------
+.. versionadded:: 3.9.0
+
+.. py:class:: X509CertificateBuilder(opts, expire_time=None)
+
+   .. py:method:: add_common_name(name)
+
+   .. py:method:: add_country(country)
+
+   .. py:method:: add_state(state)
+
+   .. py:method:: add_locality(locality)
+
+   .. py:method:: add_serial_number(serial_number)
+
+   .. py:method:: add_organization(organization)
+
+   .. py:method:: add_organizational_unit(org_unit)
+
+   .. py:method:: add_email(email)
+
+   .. py:method:: add_dns(dns)
+
+   .. py:method:: add_uri(uri)
+
+   .. py:method:: add_xmpp(xmpp)
+
+   .. py:method:: add_ipv4(ipv4)
+
+   .. py:method:: add_allowed_usage(usage_list)
+
+   .. py:method:: add_allowed_extended_usage(oid)
+
+   .. py:method:: set_as_ca_certificate(limit)
+
+   .. py:method:: add_ext_ip_addr_blocks(ip_addr_blocks, is_critical)
+
+   .. py:method:: add_ext_as_blocks(as_blocks, is_critical)
+
+   .. py:method:: create_self_signed(key, rng, not_before, not_after, serial_number=None, hash_fn=None, padding=None)
+
+      Create a self-signed certificate from the given certificate options.
+      ``not_before`` and ``not_after`` are expected to be the time since the UNIX epoch, in seconds.
+
+   .. py:method:: create_req(key, rng, hash_fn=None, padding=None, challenge_password=None)
+
+      Create a PKCS #10 certificate request that can later be signed.
+
+X509ExtIPAddrBlocks
+-----------------------------------------
+
+.. versionadded:: 3.9.0
+
+.. py:class:: X509ExtIPAddrBlocks(cert=None)
+
+   .. py:method:: add_addr(ip, safi=None)
+
+      Add a single IP address to the extension. ``ip`` is expected to be a ``list[int]``
+      of length 4/16 for IPv4/IPv6.
+
+   .. py:method:: add_range(min_, max_, safi=None)
+
+      Add an IP address range to the extension.
+
+   .. py:method:: restrict(ipv6, safi=None)
+
+      Make the extension contain no allowed IP addresses for the given SAFI (if any).
+      Set ``ipv6`` to True to indicate IPv6, False for IPv4.
+
+   .. py:method:: inherit(ipv6, safi=None)
+
+      Mark the specified IP version and SAFI (if any) as "inherit".
+
+   .. py:method:: addresses()
+
+      Get the IP addresses registered in the extension.
+
+X509ExtASBlocks
+-----------------------------------------
+
+.. versionadded:: 3.9.0
+
+.. py:class:: X509ExtASBlocks(cert=None)
+
+   .. py:method:: add_asnum(asnum):
+
+      Add a single asnum to the extension.
+
+   .. py:method:: add_asnum_range(min_, max_)
+
+      Add an asnum range to the extension.
+
+   .. py:method:: restrict_asnum()
+
+      Make the extension contain no allowed asnum's.
+
+   .. py:method:: inherit_asnum()
+
+      Mark the asnum entry as "inherit".
+
+   .. py:method:: add_rdi(rdi):
+
+   .. py:method:: add_rdi_range(min_, max_)
+
+   .. py:method:: restrict_rdi()
+
+   .. py:method:: inherit_rdi()
+
+   .. py:method:: asnum()
+
+      Get the asnum(s) registered in the extension.
+
+   .. py:method:: rdi()
+
+PKCS10Req
+-----------------------------------------
+.. versionadded:: 3.9.0
+
+.. py:class:: PKCS10Req()
+
+   .. py:method:: public_key()
+
+      Get the public key associated with the signing request.
+
+   .. py:method:: allowed_usage()
+
+      Return a list of all the key constraints listed in the signing request.
+
+   .. py:method:: verify(key)
+
+      Verify the signature of the signing request.
+
+   .. py:method:: sign(issuing_cert, issuing_key, rng, not_before, not_after, hash_fn=None, padding=None)
+
+      ``not_before`` and ``not_after`` are expected to be the time since the UNIX epoch, in seconds.
+
+   .. py:method:: to_pem()
+
+   .. py:method:: to_der()
+
 X509Cert
 -----------------------------------------
 
@@ -736,6 +885,10 @@ X509Cert
 
       Format the certificate as a free-form string.
 
+   .. py:method:: to_pem()
+
+      Format the certificate as a PEM string.
+
    .. py:method:: fingerprint(hash_algo='SHA-256')
 
       Return a fingerprint for the certificate, which is basically just a hash
@@ -790,7 +943,31 @@ X509Cert
 
       Return True if the certificates Key Usage extension contains all constraints given in ``usage_list``.
       Also return True if the certificate doesn't have this extension.
-      Example usage constraints are: ``"DIGITAL_SIGNATURE"``, ``"KEY_CERT_SIGN"``, ``"CRL_SIGN"``.
+      Example usage constraints are: ``X509KeyConstraints.DIGITAL_SIGNATURE"``, ``X509KeyConstraints.KEY_CERT_SIGN``, ``X509KeyConstraints.CRL_SIGN``.
+
+   .. py:method:: allowed_usages()
+
+      Return a list of all the key constraints listed in the certificate.
+
+   .. py:method:: is_ca()
+
+      Return (True, limit) if the certificate is marked for CA usage, else (False, 0)
+
+   .. py:method:: ocsp_responder()
+
+      Return the OCSP responder.
+
+   .. py:method:: is_self_signed()
+
+      Return True if the certificate was self-signed.
+
+   .. py:method:: ext_ip_addr_blocks()
+
+      Return the certificate's IP Address Blocks extension.
+
+   .. py:method:: ext_as_blocks()
+
+      Return the certificate's AS Blocks extension.
 
    .. py:method:: verify(intermediates=None, \
                   trusted=None, \
@@ -840,6 +1017,31 @@ X509CRL
    A CRL in PEM or DER format can be loaded from a file, with the ``filename`` argument,
    or from a bytestring, with the ``buf`` argument.
 
+   .. py:classmethod:: create(rng, ca_cert, ca_key, issue_time, next_update, hash_fn=None, padding=None)
+
+      Create a new CRL for the given CA.
+      ``issue_time`` is expected to be the time since the UNIX epoch, in seconds, ``next_update`` the time in seconds until the next update.
+
+
+   .. py:method:: revoke(rng, ca_cert, ca_key, issue_time, next_update, revoked, reason, hash_fn=None, padding=None)
+
+      Revoke certificates issued by the CA.
+      ``issue_time`` is expected to be the time since the UNIX epoch, in seconds, ``next_update`` the time in seconds until the next update.
+      Revoked is expected to be a list of certificates you want to revoked, reason should be of instance ``X509CRLReason``.
+      This method returns a new CRL, it does not modify the existing one!
+
+   .. py:method:: revoked()
+
+      Return entries listed in the CRL.
+
+   .. py:method:: verify(key)
+
+      Verify the signature of the CRL.
+
+   .. py:method:: to_pem()
+
+   .. py:method:: to_der()
+
 
 
 

diff --git a/src/cli/perf_x509.cpp b/src/cli/perf_x509.cpp
@@ -16,9 +16,9 @@
    #include <botan/bigint.h>
    #include <botan/der_enc.h>
    #include <botan/pk_algs.h>
+   #include <botan/x509_builder.h>
    #include <botan/x509_ca.h>
    #include <botan/x509_ext.h>
-   #include <botan/x509self.h>
 #endif
 
 namespace Botan_CLI {
@@ -40,14 +40,23 @@ class PerfTest_ASN1_Parsing final : public PerfTest {
       }
 
       static CA create_ca(Botan::RandomNumberGenerator& rng) {
-         auto root_cert_options = Botan::X509_Cert_Options("Benchmark Root/DE/RS/CS");
-         root_cert_options.dns = "unobtainium.example.com";
-         root_cert_options.email = "[email protected]";
-         root_cert_options.is_CA = true;
-
          auto root_key = create_private_key(rng);
          BOTAN_ASSERT_NONNULL(root_key);
-         auto root_cert = Botan::X509::create_self_signed_cert(root_cert_options, *root_key, get_hash_function(), rng);
+
+         Botan::CertificateParametersBuilder root_cert_params;
+         root_cert_params.add_common_name("Benchmark Root")
+            .add_country("DE")
+            .add_organization("RS")
+            .add_organizational_unit("CS")
+            .add_dns("unobtainium.example.com")
+            .add_email("[email protected]")
+            .set_as_ca_certificate();
+
+         const auto not_before = std::chrono::system_clock::now();
+         const auto not_after = not_before + std::chrono::seconds(86400);
+
+         auto root_cert =
+            root_cert_params.into_self_signed_cert(not_before, not_after, *root_key, rng, get_hash_function());
          auto ca = Botan::X509_CA(root_cert, *root_key, get_hash_function(), rng);
 
          return CA{

diff --git a/src/configs/sphinx/conf.py b/src/configs/sphinx/conf.py
@@ -101,7 +101,7 @@ def parse_version_file(version_path):
 
 try:
     # On Arch this is python-sphinx-furo
-    import furo
+    import furo # noqa: F401
     html_theme = "furo"
 
     # Add a small edit button to each document to allow visitors to easily
@@ -111,7 +111,7 @@ def parse_version_file(version_path):
         'source_branch': 'master',
         'source_directory': 'doc/',
     }
-except ImportError as e:
+except ImportError:
     print("Could not import furo theme; falling back to agago")
     html_theme = 'agogo'
     html_theme_path = []