crypto
— Generic cryptographic module¶
-
class
OpenSSL.crypto.
X509
¶ A class representing X.509 certificates.
-
class
OpenSSL.crypto.
X509Name
(x509name)¶ A class representing X.509 Distinguished Names.
This constructor creates a copy of x509name which should be an instance of
X509Name
.
-
class
OpenSSL.crypto.
X509Req
¶ A class representing X.509 certificate requests.
-
OpenSSL.crypto.
X509StoreType
¶ See
X509Store
-
OpenSSL.crypto.
X509StoreContext
¶ A class representing the X.509 store context.
-
class
OpenSSL.crypto.
PKey
¶ A class representing DSA or RSA keys.
-
OpenSSL.crypto.
PKCS7Type
¶ A Python type object representing the PKCS7 object type.
-
OpenSSL.crypto.
PKCS12Type
¶ A Python type object representing the PKCS12 object type.
-
OpenSSL.crypto.
X509ExtensionType
¶ See
X509Extension
.
-
class
OpenSSL.crypto.
X509Extension
(typename, critical, value[, subject][, issuer])¶ A class representing an X.509 v3 certificate extensions. See http://openssl.org/docs/apps/x509v3_config.html#STANDARD_EXTENSIONS for typename strings and their options. Optional parameters subject and issuer must be X509 objects.
-
OpenSSL.crypto.
NetscapeSPKIType
¶ See
NetscapeSPKI
.
-
class
OpenSSL.crypto.
NetscapeSPKI
([enc])¶ A class representing Netscape SPKI objects.
If the enc argument is present, it should be a base64-encoded string representing a NetscapeSPKI object, as returned by the
b64_encode()
method.
-
class
OpenSSL.crypto.
CRL
¶ A class representing Certifcate Revocation List objects.
-
class
OpenSSL.crypto.
Revoked
¶ A class representing Revocation objects of CRL.
-
OpenSSL.crypto.
get_elliptic_curves
()¶ Return a set of objects representing the elliptic curves supported in the OpenSSL build in use.
The curve objects have a
unicode
name
attribute by which they identify themselves.The curve objects are useful as values for the argument accepted by
Context.set_tmp_ecdh()
to specify which elliptical curve should be used for ECDHE key exchange.
-
OpenSSL.crypto.
get_elliptic_curve
()¶ Return a single curve object selected by name.
See
get_elliptic_curves()
for information about curve objects.If the named curve is not supported then
ValueError
is raised.
-
OpenSSL.crypto.
dump_certificate
(type, cert)¶ Dump the certificate cert into a buffer string encoded with the type type.
-
OpenSSL.crypto.
dump_certificate_request
(type, req)¶ Dump the certificate request req into a buffer string encoded with the type type.
-
OpenSSL.crypto.
dump_privatekey
(type, pkey[, cipher, passphrase])¶ Dump the private key pkey into a buffer string encoded with the type type, optionally (if type is
FILETYPE_PEM
) encrypting it using cipher and passphrase.passphrase must be either a string or a callback for providing the pass phrase.
-
OpenSSL.crypto.
load_certificate
(type, buffer)¶ Load a certificate (X509) from the string buffer encoded with the type type.
-
OpenSSL.crypto.
load_certificate_request
(type, buffer)¶ Load a certificate request (X509Req) from the string buffer encoded with the type type.
-
OpenSSL.crypto.
load_privatekey
(type, buffer[, passphrase])¶ Load a private key (PKey) from the string buffer encoded with the type type (must be one of
FILETYPE_PEM
andFILETYPE_ASN1
).passphrase must be either a string or a callback for providing the pass phrase.
-
OpenSSL.crypto.
load_crl
(type, buffer)¶ Load Certificate Revocation List (CRL) data from a string buffer. buffer encoded with the type type. The type type must either
FILETYPE_PEM
orFILETYPE_ASN1
).
-
OpenSSL.crypto.
load_pkcs7_data
(type, buffer)¶ Load pkcs7 data from the string buffer encoded with the type type.
-
OpenSSL.crypto.
load_pkcs12
(buffer[, passphrase])¶ Load pkcs12 data from the string buffer. If the pkcs12 structure is encrypted, a passphrase must be included. The MAC is always checked and thus required.
See also the man page for the C function
PKCS12_parse()
.
-
OpenSSL.crypto.
sign
(key, data, digest)¶ Sign a data string using the given key and message digest.
key is a
PKey
instance. data is astr
instance. digest is astr
naming a supported message digest type, for examplesha1
.New in version 0.11.
-
OpenSSL.crypto.
verify
(certificate, signature, data, digest)¶ Verify the signature for a data string.
certificate is a
X509
instance corresponding to the private key which generated the signature. signature is a str instance giving the signature itself. data is a str instance giving the data to which the signature applies. digest is a str instance naming the message digest type of the signature, for examplesha1
.New in version 0.11.
X509 objects¶
X509 objects have the following methods:
-
X509.
get_issuer
()¶ Return an X509Name object representing the issuer of the certificate.
-
X509.
get_serial_number
()¶ Return the certificate serial number.
-
X509.
get_signature_algorithm
()¶ Return the signature algorithm used in the certificate. If the algorithm is undefined, raise
ValueError
.New in version 0.13.
-
X509.
get_version
()¶ Return the certificate version.
-
X509.
get_notBefore
()¶ Return a string giving the time before which the certificate is not valid. The string is formatted as an ASN1 GENERALIZEDTIME:
YYYYMMDDhhmmssZ YYYYMMDDhhmmss+hhmm YYYYMMDDhhmmss-hhmm
If no value exists for this field,
None
is returned.
-
X509.
get_notAfter
()¶ Return a string giving the time after which the certificate is not valid. The string is formatted as an ASN1 GENERALIZEDTIME:
YYYYMMDDhhmmssZ YYYYMMDDhhmmss+hhmm YYYYMMDDhhmmss-hhmm
If no value exists for this field,
None
is returned.
-
X509.
set_notBefore
(when)¶ Change the time before which the certificate is not valid. when is a string formatted as an ASN1 GENERALIZEDTIME:
YYYYMMDDhhmmssZ YYYYMMDDhhmmss+hhmm YYYYMMDDhhmmss-hhmm
-
X509.
set_notAfter
(when)¶ Change the time after which the certificate is not valid. when is a string formatted as an ASN1 GENERALIZEDTIME:
YYYYMMDDhhmmssZ YYYYMMDDhhmmss+hhmm YYYYMMDDhhmmss-hhmm
-
X509.
gmtime_adj_notBefore
(time)¶ Adjust the timestamp (in GMT) when the certificate starts being valid.
-
X509.
gmtime_adj_notAfter
(time)¶ Adjust the timestamp (in GMT) when the certificate stops being valid.
-
X509.
has_expired
()¶ Checks the certificate’s time stamp against current time. Returns true if the certificate has expired and false otherwise.
-
X509.
set_issuer
(issuer)¶ Set the issuer of the certificate to issuer.
-
X509.
set_pubkey
(pkey)¶ Set the public key of the certificate to pkey.
-
X509.
set_serial_number
(serialno)¶ Set the serial number of the certificate to serialno.
-
X509.
set_subject
(subject)¶ Set the subject of the certificate to subject.
-
X509.
set_version
(version)¶ Set the certificate version to version.
-
X509.
sign
(pkey, digest)¶ Sign the certificate, using the key pkey and the message digest algorithm identified by the string digest.
-
X509.
subject_name_hash
()¶ Return the hash of the certificate subject.
-
X509.
digest
(digest_name)¶ Return a digest of the certificate, using the digest_name method. digest_name must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example,
"md5"
or"sha1"
.
-
X509.
add_extensions
(extensions)¶ Add the extensions in the sequence extensions to the certificate.
-
X509.
get_extension_count
()¶ Return the number of extensions on this certificate.
New in version 0.12.
-
X509.
get_extension
(index)¶ Retrieve the extension on this certificate at the given index.
Extensions on a certificate are kept in order. The index parameter selects which extension will be returned. The returned object will be an
X509Extension
instance.New in version 0.12.
X509Name objects¶
X509Name objects have the following methods:
-
X509Name.
hash
()¶ Return an integer giving the first four bytes of the MD5 digest of the DER representation of the name.
-
X509Name.
der
()¶ Return a string giving the DER representation of the name.
-
X509Name.
get_components
()¶ Return a list of two-tuples of strings giving the components of the name.
X509Name objects have the following members:
-
X509Name.
countryName
¶ The country of the entity.
C
may be used as an alias forcountryName
.
-
X509Name.
stateOrProvinceName
¶ The state or province of the entity.
ST
may be used as an alias forstateOrProvinceName
.
-
X509Name.
localityName
¶ The locality of the entity.
L
may be used as an alias forlocalityName
.
-
X509Name.
organizationName
¶ The organization name of the entity.
O
may be used as an alias fororganizationName
.
-
X509Name.
organizationalUnitName
¶ The organizational unit of the entity.
OU
may be used as an alias fororganizationalUnitName
.
-
X509Name.
commonName
¶ The common name of the entity.
CN
may be used as an alias forcommonName
.
-
X509Name.
emailAddress
¶ The e-mail address of the entity.
X509Req objects¶
X509Req objects have the following methods:
-
X509Req.
set_pubkey
(pkey)¶ Set the public key of the certificate request to pkey.
-
X509Req.
sign
(pkey, digest)¶ Sign the certificate request, using the key pkey and the message digest algorithm identified by the string digest.
-
X509Req.
verify
(pkey)¶ Verify a certificate request using the public key pkey.
-
X509Req.
set_version
(version)¶ Set the version (RFC 2459, 4.1.2.1) of the certificate request to version.
-
X509Req.
get_version
()¶ Get the version (RFC 2459, 4.1.2.1) of the certificate request.
-
X509Req.
get_extensions
()¶ Get extensions to the request.
New in version 0.15.
X509Store objects¶
The X509Store object has currently just one method:
-
X509Store.
add_cert
(cert)¶ Add the certificate cert to the certificate store.
X509StoreContextError objects¶
The X509StoreContextError is an exception raised from X509StoreContext.verify_certificate in circumstances where a certificate cannot be verified in a provided context.
The certificate for which the verification error was detected is given by the
certificate
attribute of the exception instance as a X509
instance.
Details about the verification error are given in the exception’s args
attribute.
X509StoreContext objects¶
The X509StoreContext object is used for verifying a certificate against a set of trusted certificates.
-
X509StoreContext.
verify_certificate
()¶ Verify a certificate in the context of this initialized X509StoreContext. On error, raises X509StoreContextError, otherwise does nothing.
New in version 0.15.
PKey objects¶
The PKey object has the following methods:
-
PKey.
bits
()¶ Return the number of bits of the key.
-
PKey.
generate_key
(type, bits)¶ Generate a public/private key pair of the type type (one of
TYPE_RSA
andTYPE_DSA
) with the size bits.
-
PKey.
type
()¶ Return the type of the key.
-
PKey.
check
()¶ Check the consistency of this key, returning True if it is consistent and raising an exception otherwise. This is only valid for RSA keys. See the OpenSSL RSA_check_key man page for further limitations.
PKCS7 objects¶
PKCS7 objects have the following methods:
-
PKCS7.
type_is_signed
()¶ FIXME
-
PKCS7.
type_is_enveloped
()¶ FIXME
-
PKCS7.
type_is_signedAndEnveloped
()¶ FIXME
-
PKCS7.
type_is_data
()¶ FIXME
-
PKCS7.
get_type_name
()¶ Get the type name of the PKCS7.
PKCS12 objects¶
PKCS12 objects have the following methods:
-
PKCS12.
export
([passphrase=None][, iter=2048][, maciter=1])¶ Returns a PKCS12 object as a string.
The optional passphrase must be a string not a callback.
See also the man page for the C function
PKCS12_create()
.
-
PKCS12.
get_ca_certificates
()¶ Return CA certificates within the PKCS12 object as a tuple. Returns
None
if no CA certificates are present.
-
PKCS12.
get_certificate
()¶ Return certificate portion of the PKCS12 structure.
-
PKCS12.
get_friendlyname
()¶ Return friendlyName portion of the PKCS12 structure.
-
PKCS12.
get_privatekey
()¶ Return private key portion of the PKCS12 structure
-
PKCS12.
set_ca_certificates
(cacerts)¶ Replace or set the CA certificates within the PKCS12 object with the sequence cacerts.
Set cacerts to
None
to remove all CA certificates.
-
PKCS12.
set_certificate
(cert)¶ Replace or set the certificate portion of the PKCS12 structure.
-
PKCS12.
set_friendlyname
(name)¶ Replace or set the friendlyName portion of the PKCS12 structure.
-
PKCS12.
set_privatekey
(pkey)¶ Replace or set private key portion of the PKCS12 structure
X509Extension objects¶
X509Extension objects have several methods:
-
X509Extension.
get_critical
()¶ Return the critical field of the extension object.
-
X509Extension.
get_short_name
()¶ Retrieve the short descriptive name for this extension.
The result is a byte string like
basicConstraints
.New in version 0.12.
-
X509Extension.
get_data
()¶ Retrieve the data for this extension.
The result is the ASN.1 encoded form of the extension data as a byte string.
New in version 0.12.
NetscapeSPKI objects¶
NetscapeSPKI objects have the following methods:
-
NetscapeSPKI.
b64_encode
()¶ Return a base64-encoded string representation of the object.
-
NetscapeSPKI.
get_pubkey
()¶ Return the public key of object.
-
NetscapeSPKI.
set_pubkey
(key)¶ Set the public key of the object to key.
-
NetscapeSPKI.
sign
(key, digest_name)¶ Sign the NetscapeSPKI object using the given key and digest_name. digest_name must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example,
"md5"
or"sha1"
.
-
NetscapeSPKI.
verify
(key)¶ Verify the NetscapeSPKI object using the given key.
CRL objects¶
CRL objects have the following methods:
-
CRL.
add_revoked
(revoked)¶ Add a Revoked object to the CRL, by value not reference.
-
CRL.
export
(cert, key[, type=FILETYPE_PEM][, days=100][, digest=b'md5'])¶ Use cert and key to sign the CRL and return the CRL as a string. days is the number of days before the next CRL is due. digest is the algorithm that will be used to sign CRL.
-
CRL.
get_revoked
()¶ Return a tuple of Revoked objects, by value not reference.
Revoked objects¶
Revoked objects have the following methods:
-
Revoked.
all_reasons
()¶ Return a list of all supported reasons.
-
Revoked.
get_reason
()¶ Return the revocation reason as a str. Can be None, which differs from “Unspecified”.
-
Revoked.
get_rev_date
()¶ Return the revocation date as a str. The string is formatted as an ASN1 GENERALIZEDTIME.
-
Revoked.
get_serial
()¶ Return a str containing a hex number of the serial of the revoked certificate.
-
Revoked.
set_reason
(reason)¶ Set the revocation reason. reason must be None or a string, but the values are limited. Spaces and case are ignored. See
all_reasons()
.
-
Revoked.
set_rev_date
(date)¶ Set the revocation date. The string is formatted as an ASN1 GENERALIZEDTIME.
-
Revoked.
set_serial
(serial)¶ serial is a string containing a hex number of the serial of the revoked certificate.