Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 1a7ba87dcc9c44178c9dae3351484707730d6a18 / . / docs / x509.rst
blob: 27f1d544f4b7d54cf9024b75c44b142332de5714 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
6X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]7defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
8certificates are commonly used in protocols like `TLS`_.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]9
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]10
11Loading Certificates
12~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
14.. function:: load_pem_x509_certificate(data, backend)
15
16 .. versionadded:: 0.7
17
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]18 Deserialize a certificate from PEM encoded data. PEM certificates are
19 base64 decoded and have delimiters that look like
20 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]21
22 :param bytes data: The PEM encoded certificate data.
23
24 :param backend: A backend supporting the
25 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
26 interface.
27
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]28 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]29
30.. function:: load_der_x509_certificate(data, backend)
31
32 .. versionadded:: 0.7
33
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]34 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]35 and is commonly found in files with the ``.cer`` extension (although file
36 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]37
38 :param bytes data: The DER encoded certificate data.
39
40 :param backend: A backend supporting the
41 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
42 interface.
43
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]44 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]45
46.. testsetup::
47
48 pem_data = b"""
49 -----BEGIN CERTIFICATE-----
50 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
51 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
52 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
53 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
54 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
55 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
56 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
57 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
58 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
59 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
60 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
61 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
62 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
63 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
64 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
65 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
66 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
67 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
68 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
69 -----END CERTIFICATE-----
70 """.strip()
71
72.. doctest::
73
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]74 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]76 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]77 >>> cert.serial
78 2
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80X.509 Certificate Object
81~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]82
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]83.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]84
85 .. versionadded:: 0.7
86
87 .. attribute:: version
88
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]89 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]90
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]91 The certificate version as an enumeration. Version 3 certificates are
92 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]93
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]94 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]95 certificate is not a known
96 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]97
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]98 .. doctest::
99
100 >>> cert.version
101 <Version.v3: 2>
102
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]103 .. method:: fingerprint(algorithm)
104
105 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]106 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]107 that will be used to generate the fingerprint.
108
109 :return bytes: The fingerprint using the supplied hash algorithm as
110 bytes.
111
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]112 .. doctest::
113
114 >>> from cryptography.hazmat.primitives import hashes
115 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]116 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]117
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]118 .. attribute:: serial
119
120 :type: int
121
122 The serial as a Python integer.
123
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]124 .. doctest::
125
126 >>> cert.serial
127 2
128
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]129 .. method:: public_key()
130
131 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]132 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]133 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
134 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]135
136 The public key associated with the certificate.
137
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]138 .. doctest::
139
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]140 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]141 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]142 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]143 True
144
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]145 .. attribute:: not_valid_before
146
147 :type: :class:`datetime.datetime`
148
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]149 A naïve datetime representing the beginning of the validity period for
150 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]151
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]152 .. doctest::
153
154 >>> cert.not_valid_before
155 datetime.datetime(2010, 1, 1, 8, 30)
156
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]157 .. attribute:: not_valid_after
158
159 :type: :class:`datetime.datetime`
160
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]161 A naïve datetime representing the end of the validity period for the
162 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.not_valid_after
167 datetime.datetime(2030, 12, 31, 8, 30)
168
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]169 .. attribute:: issuer
170
171 .. versionadded:: 0.8
172
173 :type: :class:`Name`
174
175 The :class:`Name` of the issuer.
176
177 .. attribute:: subject
178
179 .. versionadded:: 0.8
180
181 :type: :class:`Name`
182
183 The :class:`Name` of the subject.
184
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]185 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]186
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]187 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]188
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]189 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]190 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]191 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]192
193 .. doctest::
194
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]195 >>> from cryptography.hazmat.primitives import hashes
196 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
197 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]198
199.. class:: Name
200
201 .. versionadded:: 0.8
202
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]203 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]204 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]205 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]206 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
207 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]208
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]209 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]210
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]211 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]212 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]213 >>> for attribute in cert.subject:
214 ... print(attribute)
215 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
216 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
217 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]218
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]219 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]220
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]221 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]222
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]223 :returns: A list of :class:`NameAttribute` instances that match the
224 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]225
226 .. doctest::
227
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]228 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
229 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]230
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]231.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]232
233 .. versionadded:: 0.7
234
235 An enumeration for X.509 versions.
236
237 .. attribute:: v1
238
239 For version 1 X.509 certificates.
240
241 .. attribute:: v3
242
243 For version 3 X.509 certificates.
244
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]245.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]246
247 .. versionadded:: 0.8
248
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]249 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]250
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]251 .. attribute:: oid
252
253 :type: :class:`ObjectIdentifier`
254
255 The attribute OID.
256
257 .. attribute:: value
258
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]259 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]260
261 The value of the attribute.
262
263.. class:: ObjectIdentifier
264
265 .. versionadded:: 0.8
266
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]267 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]268 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]269
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]270 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]271
272 :type: :class:`str`
273
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]274 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]275
276Object Identifiers
277~~~~~~~~~~~~~~~~~~
278
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]279X.509 elements are frequently identified by :class:`ObjectIdentifier`
280instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]281
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]282Name OIDs
283~~~~~~~~~
284
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]285.. data:: OID_COMMON_NAME
286
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]287 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
288 name would be encoded here for server certificates. :rfc:`2818` deprecates
289 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]290 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]291
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]292.. data:: OID_COUNTRY_NAME
293
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]294 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
295 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]296
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]297.. data:: OID_LOCALITY_NAME
298
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]299 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
300 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]301
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]302.. data:: OID_STATE_OR_PROVINCE_NAME
303
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]304 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
305 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]306
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]307.. data:: OID_ORGANIZATION_NAME
308
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]309 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
310 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]311
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]312.. data:: OID_ORGANIZATIONAL_UNIT_NAME
313
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]314 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
315 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]316
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]317.. data:: OID_SERIAL_NUMBER
318
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]319 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
320 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]321 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]322
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]323.. data:: OID_SURNAME
324
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]325 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
326 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]327
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]328.. data:: OID_GIVEN_NAME
329
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]330 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
331 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]332
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]333.. data:: OID_TITLE
334
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]335 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
336 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]337
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]338.. data:: OID_GENERATION_QUALIFIER
339
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]340 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
341 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]342
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]343.. data:: OID_DN_QUALIFIER
344
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]345 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
346 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]347 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]348
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]349.. data:: OID_PSEUDONYM
350
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]351 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
352 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]353
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]354.. data:: OID_DOMAIN_COMPONENT
355
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]356 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]357 holding one component of a domain name. See :rfc:`4519`. This OID is
358 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]359
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]360.. data:: OID_EMAIL_ADDRESS
361
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]362 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
363 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]364
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]365Signature Algorithm OIDs
366~~~~~~~~~~~~~~~~~~~~~~~~
367
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]368.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]369
370 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
371 an MD5 digest signed by an RSA key.
372
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]373.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]374
375 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
376 a SHA1 digest signed by an RSA key.
377
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]378.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]379
380 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
381 a SHA224 digest signed by an RSA key.
382
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]383.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]384
385 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
386 a SHA256 digest signed by an RSA key.
387
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]388.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]389
390 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
391 a SHA384 digest signed by an RSA key.
392
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame^]393.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]394
395 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
396 a SHA512 digest signed by an RSA key.
397
398.. data:: OID_ECDSA_WITH_SHA224
399
400 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
401 a SHA224 digest signed by an ECDSA key.
402
403.. data:: OID_ECDSA_WITH_SHA256
404
405 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
406 a SHA256 digest signed by an ECDSA key.
407
408.. data:: OID_ECDSA_WITH_SHA384
409
410 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
411 a SHA384 digest signed by an ECDSA key.
412
413.. data:: OID_ECDSA_WITH_SHA512
414
415 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
416 a SHA512 digest signed by an ECDSA key.
417
418.. data:: OID_DSA_WITH_SHA1
419
420 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
421 a SHA1 digest signed by a DSA key.
422
423.. data:: OID_DSA_WITH_SHA224
424
425 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
426 a SHA224 digest signed by a DSA key.
427
428.. data:: OID_DSA_WITH_SHA256
429
430 Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is
431 a SHA256 digest signed by a DSA key.
432
433
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]434Exceptions
435~~~~~~~~~~
436
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]437.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]438
439 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]440
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]441 .. attribute:: parsed_version
442
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]443 :type: int
444
445 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]446
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]447
448.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]449.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security