
X.509 Reference

Loading Certificates

Loading Certificate Revocation Lists

Loading Certificate Signing Requests

X.509 Certificate Object

X.509 CRL (Certificate Revocation List) Object

A CertificateRevocationList is an object representing a list of revoked certificates. The object is iterable and will yield the RevokedCertificate objects stored in this CRL.

X.509 Certificate Builder

X.509 CSR (Certificate Signing Request) Object

X.509 Certificate Revocation List Builder

X.509 Revoked Certificate Object

X.509 Revoked Certificate Builder

This class is used to create :class:`~cryptography.x509.RevokedCertificate` objects that can be used with the :class:`~cryptography.x509.CertificateRevocationListBuilder`.

X.509 CSR (Certificate Signing Request) Builder Object

An X.509 Name is an ordered list of attributes. The object is iterable to get every attribute, or you can use :meth:`Name.get_attributes_for_oid` to obtain the specific type you want. Names are sometimes represented as a slash- or comma-delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or ``CN=mydomain.com, O=My Org, C=US``).

Technically, a Name is a list of sets of attributes, called Relative Distinguished Names or RDNs, although multi-valued RDNs are rarely encountered. The iteration order of values within a multi-valued RDN is undefined. If you need to handle multi-valued RDNs, the ``rdns`` property gives access to an ordered list of :class:`RelativeDistinguishedName` objects.

A Name can be initialized with an iterable of :class:`NameAttribute` (the common case where each RDN has a single attribute) or an iterable of :class:`RelativeDistinguishedName` objects (in the rare case of multi-valued RDNs).

An enumeration for X.509 versions.

An X.509 name consists of a list of :class:`RelativeDistinguishedName` instances, which consist of a set of :class:`NameAttribute` instances.

A relative distinguished name is a non-empty set of name attributes. The object is iterable to get every attribute.

Object identifiers (frequently seen abbreviated as OID) identify the type of a value (see: :class:`NameAttribute`).
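The Name/RDN semantics described above, as an added example that is not part of the cryptography project's documentation: the attribute values are constructed, and the flags exist only to show that ordering inside a multi-valued RDN does not change the Name while the ordering of the RDNs themselves does.

```python
from cryptography import x509
from cryptography.x509.oid import NameOID

def build_name(cn_first=False, country_first=True):
    """Constructed Name: C and O as single-attribute RDNs, then one multi-valued
    RDN holding both OU and CN. The flags only change the order in which the
    attributes are listed when the Name is built."""
    multi = [x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Ops"),
             x509.NameAttribute(NameOID.COMMON_NAME, "mydomain.com")]
    single = [x509.RelativeDistinguishedName([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]),
              x509.RelativeDistinguishedName([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Org")])]
    if cn_first:
        multi.reverse()        # order inside an RDN: a set, so irrelevant to equality
    if not country_first:
        single.reverse()       # order of RDNs: a list, so it changes the Name
    return x509.Name(single + [x509.RelativeDistinguishedName(multi)])

def common_names(name):
    """Every CN value, whichever RDN holds it (Name iteration flattens the RDNs)."""
    return [a.value for a in name.get_attributes_for_oid(NameOID.COMMON_NAME)]

def rdn_sizes(name):
    """Attribute count of each RDN, in Name order; exposes multi-valued RDNs."""
    return [len(list(rdn)) for rdn in name.rdns]

def attribute_count(name):
    """Total attributes across all RDNs, which is what iterating the Name yields."""
    return len(list(name))
```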

General Name Classes

This is the generic interface that all the following classes are registered against.

This corresponds to an email address. For example, user@example.com.

This corresponds to a domain name. For example, cryptography.io.

This corresponds to a directory name.

This corresponds to a uniform resource identifier. For example, https://cryptography.io. The URI is parsed and IDNA decoded (see RFC 5895).

.. note::

    URIs that do not contain ``://`` in them will not be decoded.

This corresponds to an IP address.

This corresponds to a registered ID.

This corresponds to an otherName. An otherName has a type identifier and a value represented in binary DER format.

X.509 Extensions

An X.509 Extensions instance is an ordered list of extensions. The object is iterable to get every extension.

This is the interface against which all the following extension types are registered.

The key usage extension defines the purpose of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.

Basic constraints is an X.509 extension type that defines whether a given certificate is allowed to sign additional certificates and what path length restrictions may exist.

This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. The object is iterable to obtain the list of :class:`~cryptography.x509.oid.ExtendedKeyUsageOID` OIDs present.

:param list usages: A list of :class:`~cryptography.x509.oid.ExtendedKeyUsageOID` OIDs.

The presence of this extension indicates that an OCSP client can trust a responder for the lifetime of the responder's certificate. CAs issuing such a certificate should realize that a compromise of the responder's key is as serious as the compromise of a CA key used to sign CRLs, at least for the validity period of this certificate. CAs may choose to issue this type of certificate with a very short lifetime and renew it frequently. This extension is only relevant when the certificate is an authorized OCSP responder.

The name constraints extension, which only has meaning in a CA certificate, defines a name space within which all subject names in certificates issued beneath the CA certificate must (or must not) lie. For the specific rules on how this extension is processed see RFC 5280.

The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is typically used to assist in determining the appropriate certificate chain. For more information about generation and use of this extension see RFC 5280 section 4.2.1.1.

The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
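The key usage, basic constraints and key identifier extensions described above, as an added example that is not part of the cryptography project's documentation: it issues a self-signed CA certificate carrying those extensions, then reads them back the way a relying party would before trusting the certificate to sign others. The subject name is constructed, and the backend-less ``sign``/``generate_private_key`` calls assume cryptography 3.1 or newer.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_self_signed_ca(key):
    """Self-signed CA certificate carrying the extensions a relying party
    inspects before trusting it to sign further certificates."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])  # constructed
    now = datetime.datetime.now(datetime.timezone.utc)
    pub = key.public_key()
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        # cA=TRUE with pathLenConstraint 0: may issue end-entity certs only.
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        # Only keyCertSign and cRLSign are asserted; every other bit is off.
        .add_extension(x509.KeyUsage(key_cert_sign=True, crl_sign=True, digital_signature=False,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(pub), critical=False)
        .sign(key, hashes.SHA256())
    )

def _ext(cert, cls):
    try:  # extension value of the given class, or None when it is absent
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def ca_checks(cert):
    """Summarise the CA-related extension content; a missing extension fails."""
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    ski, aki = _ext(cert, x509.SubjectKeyIdentifier), _ext(cert, x509.AuthorityKeyIdentifier)
    return {
        "ca": bool(bc and bc.ca),
        "path_length": bc.path_length if bc else None,
        "key_cert_sign": bool(ku and ku.key_cert_sign),
        "crl_sign": bool(ku and ku.crl_sign),
        # A self-signed certificate's AKI keyIdentifier equals its own SKI.
        "ski_matches_aki": bool(ski and aki and ski.digest == aki.key_identifier),
    }

def demo():
    return ca_checks(build_self_signed_ca(ec.generate_private_key(ec.SECP256R1())))
```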

Subject alternative name is an X.509 extension that provides a list of :ref:`general name <general_name_classes>` instances that provide a set of identities for which the certificate is valid. The object is iterable to get every element.

:param list general_names: A list of :class:`GeneralName` instances.

Issuer alternative name is an X.509 extension that provides a list of :ref:`general name <general_name_classes>` instances that provide a set of identities for the certificate issuer. The object is iterable to get every element.

:param list general_names: A list of :class:`GeneralName` instances.

The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services (such as OCSP) and issuer data. It is an iterable, containing one or more :class:`~cryptography.x509.AccessDescription` instances.

:param list descriptions: A list of :class:`AccessDescription` objects.

The CRL distribution points extension identifies how CRL information is obtained. It is an iterable, containing one or more :class:`DistributionPoint` instances.

:param list distribution_points: A list of :class:`DistributionPoint` instances.

An enumeration for CRL reasons.

The inhibit anyPolicy extension indicates that the special OID :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` is not considered an explicit match for other :class:`CertificatePolicies` except when it appears in an intermediate self-issued CA certificate. The value indicates the number of additional non-self-issued certificates that may appear in the path before :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` is no longer permitted. For example, a value of one indicates that :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.

The policy constraints extension is used to inhibit policy mapping or require that each certificate in a chain contain an acceptable policy identifier. For more information about the use of this extension see RFC 5280.

The CRL number is a CRL extension that conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL. RFC 5280 requires that this extension be present in conforming CRLs.

A generic extension class used to hold the raw value of non-critical extensions that cryptography does not know how to parse. Extensions marked critical will raise :class:`~cryptography.x509.UnsupportedExtension`.

The certificate policies extension is an iterable, containing one or more :class:`PolicyInformation` instances.

:param list policies: A list of :class:`PolicyInformation` instances.

Certificate Policies Classes

These classes may be present within a :class:`CertificatePolicies` instance.

Contains a policy identifier and an optional list of qualifiers.

User notices are intended for display to a relying party when a certificate is used. In practice, few if any UIs expose this data and it is a rarely encoded component.

Notice reference can name an organization and provide information about notices related to the certificate. For example, it might identify the organization name and notice number 1. Application software could have a notice file containing the current set of notices for the named organization; the application would then extract the notice text from the file and display it. In practice this is rarely seen.

CRL Entry Extensions

These extensions are only valid within a :class:`RevokedCertificate` object.

The certificate issuer is an extension that is only valid inside :class:`~cryptography.x509.RevokedCertificate` objects. If the indirectCRL property of the parent CRL's IssuingDistributionPoint extension is set, then this extension identifies the certificate issuer associated with the revoked certificate. The object is iterable to get every element.

:param list general_names: A list of :class:`GeneralName` instances.

CRL reason (also known as reasonCode) is an extension that is only valid inside :class:`~cryptography.x509.RevokedCertificate` objects. It identifies a reason for the certificate revocation.

:param reason: A value from the :class:`~cryptography.x509.oid.CRLEntryExtensionOID` enum.

Invalidity date is an extension that is only valid inside :class:`~cryptography.x509.RevokedCertificate` objects. It provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry, which is the date at which the CA processed the revocation.

:param invalidity_date: The :class:`datetime.datetime` when it is known or suspected that the private key was compromised.
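The revoked certificate builder, CRL builder and the CRL entry extensions above, as an added example that is not part of the cryptography project's documentation: it signs a CRL with one entry carrying CRLReason and InvalidityDate, then loads the DER back, verifies the CRL signature against the CA key before trusting any entry, and looks up a serial number. The issuer name, serial numbers and dates are constructed; the backend-less calls assume cryptography 3.1 or newer.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample data: the CA name, a revoked serial, and the two dates.
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
REVOKED_SERIAL = 0x1234
COMPROMISED_AT = datetime.datetime(2024, 1, 10, 8, 0, 0)   # key known/suspected compromised
REVOKED_AT = datetime.datetime(2024, 1, 15, 12, 0, 0)      # CA processed the revocation

def build_crl_der(ca_key):
    """Sign a CRL holding one entry with CRLReason and InvalidityDate; return DER."""
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(REVOKED_SERIAL)
        .revocation_date(REVOKED_AT)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .add_extension(x509.InvalidityDate(COMPROMISED_AT), critical=False)
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ISSUER)
        .last_update(REVOKED_AT)
        .next_update(REVOKED_AT + datetime.timedelta(days=1))
        .add_extension(x509.CRLNumber(7), critical=False)  # monotonically increasing per issuer
        .add_revoked_certificate(entry)
        .sign(ca_key, hashes.SHA256())
    )
    return crl.public_bytes(serialization.Encoding.DER)

def revocation_status(crl_der, ca_public_key, serial):
    """Return None if serial is not listed, else (reason, invalidity_date).
    The CRL signature is checked against the CA key before any entry is trusted."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the CA key")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return None
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    invalid = entry.extensions.get_extension_for_class(x509.InvalidityDate).value.invalidity_date
    return reason, invalid

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    crl_der, pub = build_crl_der(ca_key), ca_key.public_key()
    return revocation_status(crl_der, pub, REVOKED_SERIAL), revocation_status(crl_der, pub, 0x5678)
```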

Object Identifiers

X.509 elements are frequently identified by :class:`ObjectIdentifier` instances. The following common OIDs are available as constants.

These OIDs are typically seen in X.509 names.

Helper Functions

Exceptions

This is raised when an X.509 certificate has an invalid version number.

This is raised when more than one X.509 extension of the same type is found within a certificate.

This is raised when a certificate contains an unsupported extension type that is marked critical.

This is raised when calling :meth:`Extensions.get_extension_for_oid` with an extension OID that is not present in the certificate.

This is raised when a certificate contains an unsupported general name type in an extension.