In [1]:
# NO SSL in here! We are hear to learn more about the cryptography package.
#  import ssl
from cryptography import x509

In [2]:
CERTIFICATE = './certificate/github-com-chain.pem'

In [3]:
with open(CERTIFICATE, 'rb') as f:
    data = f.read()

certificate_chain = x509.load_pem_x509_certificates(data)
certificate_chain

[<Certificate(subject=<Name(CN=github.com)>, ...)>,
 <Certificate(subject=<Name(C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo ECC Domain Validation Secure Server CA)>, ...)>,
 <Certificate(subject=<Name(C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust ECC Certification Authority)>, ...)>]

In [4]:
# gihub is the server CA. 
# Sectigo is a chained CA.
# USERTrust is the root CA.
GITHUB, SECTIGO, USERTRUST = 0, 1, 2
git = certificate_chain[GITHUB]
( 
    git.version, 
    git.serial_number, # A unique identifyer.
    git.not_valid_before_utc,
    git.not_valid_after_utc, 
    git.subject, # The subject is the current certificate.
    git.issuer,  # The issuer is the parent in the chain.
    git.signature_hash_algorithm, # The hash used to sign this certificate. Generally the issuer.
    git.signature_algorithm_oid,
    git.signature_algorithm_parameters,
    git.signature,
    git.tbs_certificate_bytes, # DER bytes playload, hashed and signed with the issuer's private key.
    git.tbs_precertificate_bytes # A simplified hash that cannot be used to auth. It's a proof of submission.
)


(<Version.v3: 2>,
 103892495973767669722220901035501109925,
 datetime.datetime(2024, 3, 7, 0, 0, tzinfo=datetime.timezone.utc),
 datetime.datetime(2025, 3, 7, 23, 59, 59, tzinfo=datetime.timezone.utc),
 <Name(CN=github.com)>,
 <Name(C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo ECC Domain Validation Secure Server CA)>,
 <cryptography.hazmat.primitives.hashes.SHA256 at 0x2d6c132d340>,
 <ObjectIdentifier(oid=1.2.840.10045.4.3.2, name=ecdsa-with-SHA256)>,
 <cryptography.hazmat.primitives.asymmetric.ec.ECDSA at 0x2d6c1358080>,
 b'0E\x02!\x00\xae\xed\x8cp\xfa\xf4x\xdc\x1cX\xdb\x83\x11\x8d\x1a\xfe\xb1\xb3]\x17\xd1\xaeo\xba]\xf6^K8Xe\xec\x02 \x1a\xb8MA\x01\n\x06\xa9\xbf\xbco\x02\xd4JuWb\xfd\xbe&\xdf\xa52z=`\x83"l\x89\xeb\x00',
 b'0\x82\x04I\xa0\x03\x02\x01\x02\x02\x10N(\xf7\x86\xb6l\x1a;\x94,\xd2\xc4\x0e\xb7B\xa50\n\x06\x08*\x86H\xce=\x04\x03\x020\x81\x8f1\x0b0\t\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\

In [5]:
# Public_bytes can be used to encode the certificate in DER or PEM.
from cryptography.hazmat.primitives.serialization import Encoding
git.public_bytes(encoding=Encoding.PEM)

b'-----BEGIN CERTIFICATE-----\nMIIEozCCBEmgAwIBAgIQTij3hrZsGjuULNLEDrdCpTAKBggqhkjOPQQDAjCBjzEL\nMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\nBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5T\nZWN0aWdvIEVDQyBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMB4X\nDTI0MDMwNzAwMDAwMFoXDTI1MDMwNzIzNTk1OVowFTETMBEGA1UEAxMKZ2l0aHVi\nLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABARO/Ho9XdkY1qh9mAgjOUkW\nmXTb05jgRulKciMVBuKB3ZHexvCdyoiCRHEMBfFXoZhWkQVMogNLo/lW215X3pGj\nggL+MIIC+jAfBgNVHSMEGDAWgBT2hQo7EYbhBH0Oqgss0u7MZHt7rjAdBgNVHQ4E\nFgQUO2g/NDr1RzTK76ZOPZq9Xm56zJ8wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB\n/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAw\nNAYLKwYBBAGyMQECAgcwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNv\nbS9DUFMwCAYGZ4EMAQIBMIGEBggrBgEFBQcBAQR4MHYwTwYIKwYBBQUHMAKGQ2h0\ndHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb0VDQ0RvbWFpblZhbGlkYXRpb25T\nZWN1cmVTZXJ2ZXJDQS5jcnQwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3Rp\nZ28uY29tMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAd

In [6]:
# There can only be one of each extension type i.e. authorityKeyIdentifier.
[e for e in git.extensions]

[<Extension(oid=<ObjectIdentifier(oid=2.5.29.35, name=authorityKeyIdentifier)>, critical=False, value=<AuthorityKeyIdentifier(key_identifier=b'\xf6\x85\n;\x11\x86\xe1\x04}\x0e\xaa\x0b,\xd2\xee\xccd{{\xae', authority_cert_issuer=None, authority_cert_serial_number=None)>)>,
 <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest=b';h?4:\xf5G4\xca\xef\xa6N=\x9a\xbd^nz\xcc\x9f')>)>,
 <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>)>,
 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=False, path_length=None)>)>,
 <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<Ext

In [7]:
from cryptography.hazmat.primitives.asymmetric import ec
# We don't need to guess the hashing algo, it's already saved in `c.signature_hash_algorithm`
from cryptography.hazmat.primitives import hashes
isinstance(git.public_key(), ec.EllipticCurvePublicKey), git.fingerprint(git.signature_hash_algorithm)

(True,
 b'\xfdn\x9b\x0e\xf3\x98\xbc\xd9\x04\xc3\xb2\xec\x16z{\x0f\xdar\x01\xc9\x03\xc5:jj\xe5\xd0ACc\xefe')

In [8]:
# This test match the issuer name and ensure the certificate 
# is signed by the issuer's private key.
sectigo = certificate_chain[SECTIGO]
'isValid=', git.verify_directly_issued_by(sectigo) is None

('isValid=', True)

In [9]:
usertrust = certificate_chain[USERTRUST]
'isValid=', sectigo.verify_directly_issued_by(usertrust) is None

('isValid=', True)

In [10]:
'isValid=', usertrust.verify_directly_issued_by(usertrust) is None

('isValid=', True)

In [11]:
# Usertrust should have no issuer.
# Therefore, it should be presented as its own issuer.
usertrust.issuer, usertrust.subject

(<Name(C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust ECC Certification Authority)>,
 <Name(C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust ECC Certification Authority)>)

In [38]:
# Artemas - I like the way you kiss me.

# A test to ensure the verification algorithm works as intended.
# In this test, we manually modify the github-com-chain.pem file to figure out
# if integrity triggers a tls exception.
with open(CERTIFICATE, 'rb') as f:
    data = f.read()

cert_chain = x509.load_pem_x509_certificates(data)
git, sec, usr = cert_chain[GITHUB], cert_chain[SECTIGO], cert_chain[USERTRUST]
print(
    git.verify_directly_issued_by(sec) is None,
    sec.verify_directly_issued_by(usr) is None,
    usr.verify_directly_issued_by(usr) is None,
    sep='\n')


True
True
True
