Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 31bdf790fdd64a0e8ecae44592ceb3b57832c9ef / . / docs / x509.rst
blob: b4ff748a68d4de8e28393892808b3031b6add7f4 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
Paul Kehrerd26c4db2015-03-15 15:36:24 -0500[diff] [blame]6.. testsetup::
7
8 pem_req_data = b"""
9 -----BEGIN CERTIFICATE REQUEST-----
10 MIIC0zCCAbsCAQAwWTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAw
11 DgYDVQQHDAdDaGljYWdvMREwDwYDVQQKDAhyNTA5IExMQzESMBAGA1UEAwwJaGVs
12 bG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqhZx+Mo9VRd9
13 vsnWWa6NBCws21rZ0+1B/JGgB4hDsZS7iDE4Bj5z4idheFRtl8bBbdjPknq7BfoF
14 8v15Zq/Zv7i2xMSDL+LUrTBZezRd4bRTGqCm6YJ5EYkhqdcqeZleHCFImguHoq1J
15 Fh0+kObQrTHXw3ZP57a3o1IvyIUA3nNoCBL0QQhwBXaDXOojMKNR+bqB5ve8GS1y
16 Elr0AM/+cJsfaIahNQUgFKx3Eu3GeEOMKYOAG1lycgdQdmTUybLrT3U7vkClTseM
17 xHg1r5En7ALjONIhqRuq3rddYahrP8HXozb3zUy3cJ7P6IeaosuvNzvMXOX9P6HD
18 Ha9urDAJ1wIDAQABoDUwMwYJKoZIhvcNAQkOMSYwJDAiBgNVHREEGzAZggl3b3Js
19 ZC5jb22CDHdoYXRldmVyLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAS4Ro6h+z52SK
20 YSLCYARpnEu/rmh4jdqndt8naqcNb6uLx9mlKZ2W9on9XDjnSdQD9q+ZP5aZfESw
21 R0+rJhW9ZrNa/g1pt6M24ihclHYDAxYMWxT1z/TXXGM3TmZZ6gfYlNE1kkBuODHa
22 UYsR/1Ht1E1EsmmUimt2n+zQR2K8T9Coa+boaUW/GsTEuz1aaJAkj5ZvTDiIhRG4
23 AOCqFZOLAQmCCNgJnnspD9hDz/Ons085LF5wnYjN4/Nsk5tS6AGs3xjZ3jPoOGGn
24 82WQ9m4dBGoVDZXsobVTaN592JEYwN5iu72zRn7Einb4V4H5y3yD2dD4yWPlt4pk
25 5wFkeYsZEA==
26 -----END CERTIFICATE REQUEST-----
27 """.strip()
28
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]29 pem_data = b"""
30 -----BEGIN CERTIFICATE-----
31 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
32 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
33 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
34 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
35 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
36 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
37 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
38 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
39 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
40 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
41 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
42 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
43 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
44 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
45 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
46 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
47 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
48 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
49 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
50 -----END CERTIFICATE-----
51 """.strip()
52
53X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
54defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
55certificates are commonly used in protocols like `TLS`_.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]56
57Loading Certificates
58~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]59
60.. function:: load_pem_x509_certificate(data, backend)
61
62 .. versionadded:: 0.7
63
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]64 Deserialize a certificate from PEM encoded data. PEM certificates are
65 base64 decoded and have delimiters that look like
66 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]67
68 :param bytes data: The PEM encoded certificate data.
69
70 :param backend: A backend supporting the
71 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
72 interface.
73
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]74 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75
76.. function:: load_der_x509_certificate(data, backend)
77
78 .. versionadded:: 0.7
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]81 and is commonly found in files with the ``.cer`` extension (although file
82 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]83
84 :param bytes data: The DER encoded certificate data.
85
86 :param backend: A backend supporting the
87 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
88 interface.
89
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]90 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]91
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]92.. doctest::
93
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]94 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]95 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]96 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]97 >>> cert.serial
98 2
99
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]100Loading Certificate Signing Requests
101~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]102
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]103.. function:: load_pem_x509_csr(data, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]104
105 .. versionadded:: 0.9
106
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]107 Deserialize a certificate signing request (CSR) from PEM encoded data. PEM
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]108 requests are base64 decoded and have delimiters that look like
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]109 ``-----BEGIN CERTIFICATE REQUEST-----``. This format is also known as
110 PKCS#10.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]111
112 :param bytes data: The PEM encoded request data.
113
114 :param backend: A backend supporting the
115 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
116 interface.
117
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]118 :returns: An instance of
119 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]120
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]121.. function:: load_der_x509_csr(data, backend)
122
123 .. versionadded:: 0.9
124
125 Deserialize a certificate signing request (CSR) from DER encoded data. DER
126 is a binary format and is not commonly used with CSRs.
127
128 :param bytes data: The DER encoded request data.
129
130 :param backend: A backend supporting the
131 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
132 interface.
133
134 :returns: An instance of
135 :class:`~cryptography.x509.CertificateSigningRequest`.
136
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]137.. doctest::
138
139 >>> from cryptography import x509
140 >>> from cryptography.hazmat.backends import default_backend
141 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]142 >>> csr = x509.load_pem_x509_csr(pem_req_data, default_backend())
143 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]144 True
145
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]146X.509 Certificate Object
147~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]148
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]149.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]150
151 .. versionadded:: 0.7
152
153 .. attribute:: version
154
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]155 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]156
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]157 The certificate version as an enumeration. Version 3 certificates are
158 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]159
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]160 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]161 certificate is not a known
162 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.version
167 <Version.v3: 2>
168
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]169 .. method:: fingerprint(algorithm)
170
171 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]172 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]173 that will be used to generate the fingerprint.
174
175 :return bytes: The fingerprint using the supplied hash algorithm as
176 bytes.
177
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]178 .. doctest::
179
180 >>> from cryptography.hazmat.primitives import hashes
181 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]182 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]183
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]184 .. attribute:: serial
185
186 :type: int
187
188 The serial as a Python integer.
189
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]190 .. doctest::
191
192 >>> cert.serial
193 2
194
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]195 .. method:: public_key()
196
197 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]198 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]199 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
200 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]201
202 The public key associated with the certificate.
203
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]204 .. doctest::
205
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]206 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]207 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]208 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]209 True
210
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]211 .. attribute:: not_valid_before
212
213 :type: :class:`datetime.datetime`
214
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]215 A naïve datetime representing the beginning of the validity period for
216 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]217
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]218 .. doctest::
219
220 >>> cert.not_valid_before
221 datetime.datetime(2010, 1, 1, 8, 30)
222
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]223 .. attribute:: not_valid_after
224
225 :type: :class:`datetime.datetime`
226
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]227 A naïve datetime representing the end of the validity period for the
228 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]229
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]230 .. doctest::
231
232 >>> cert.not_valid_after
233 datetime.datetime(2030, 12, 31, 8, 30)
234
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]235 .. attribute:: issuer
236
237 .. versionadded:: 0.8
238
239 :type: :class:`Name`
240
241 The :class:`Name` of the issuer.
242
243 .. attribute:: subject
244
245 .. versionadded:: 0.8
246
247 :type: :class:`Name`
248
249 The :class:`Name` of the subject.
250
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]251 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]252
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]253 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]254
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]255 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]256 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]257 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]258
259 .. doctest::
260
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]261 >>> from cryptography.hazmat.primitives import hashes
262 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
263 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]264
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]265 .. attribute:: extensions
266
267 :type: :class:`Extensions`
268
269 The extensions encoded in the certificate.
270
271 :raises cryptography.x509.DuplicateExtension: If more than one
272 extension of the same type is found within the certificate.
273
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]274 .. doctest::
275
276 >>> for ext in cert.extensions:
277 ... print(ext)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]278 <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)>
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]279 <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=N/A, decipher_only=N/A)>)>
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]280 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
281
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]282X.509 CSR (Certificate Signing Request) Object
283~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]284
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]285.. class:: CertificateSigningRequest
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]286
287 .. versionadded:: 0.9
288
289 .. method:: public_key()
290
291 :type:
292 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
293 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
294 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
295
296 The public key associated with the request.
297
298 .. doctest::
299
300 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]301 >>> public_key = csr.public_key()
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]302 >>> isinstance(public_key, rsa.RSAPublicKey)
303 True
304
305 .. attribute:: subject
306
307 :type: :class:`Name`
308
309 The :class:`Name` of the subject.
310
311 .. attribute:: signature_hash_algorithm
312
313 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
314
315 Returns the
316 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
317 was used in signing this request.
318
319 .. doctest::
320
321 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]322 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]323 True
324
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]325.. class:: Name
326
327 .. versionadded:: 0.8
328
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]329 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]330 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]331 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]332 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
333 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]334
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]335 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]336
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]337 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]338 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]339 >>> for attribute in cert.subject:
340 ... print(attribute)
341 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
342 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
343 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]344
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]345 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]346
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]347 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]348
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]349 :returns: A list of :class:`NameAttribute` instances that match the
350 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]351
352 .. doctest::
353
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]354 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
355 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]356
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]357.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]358
359 .. versionadded:: 0.7
360
361 An enumeration for X.509 versions.
362
363 .. attribute:: v1
364
365 For version 1 X.509 certificates.
366
367 .. attribute:: v3
368
369 For version 3 X.509 certificates.
370
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]371.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]372
373 .. versionadded:: 0.8
374
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]375 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]376
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]377 .. attribute:: oid
378
379 :type: :class:`ObjectIdentifier`
380
381 The attribute OID.
382
383 .. attribute:: value
384
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]385 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]386
387 The value of the attribute.
388
389.. class:: ObjectIdentifier
390
391 .. versionadded:: 0.8
392
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]393 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]394 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]395
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]396 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]397
398 :type: :class:`str`
399
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]400 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]401
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame^]402.. _general_name_classes:
403
404General Name Classes
405~~~~~~~~~~~~~~~~~~~~
406
407.. class:: GeneralName
408
409 .. versionadded:: 0.9
410
411 This is the generic interface that all the following classes are registered
412 against.
413
414.. class:: RFC822Name
415
416 .. versionadded:: 0.9
417
418 This corresponds to an email address. For example, ``user@example.com``.
419
420 .. attribute:: value
421
422 :type: :term:`text`
423
424.. class:: DNSName
425
426 .. versionadded:: 0.9
427
428 This corresponds to a domain name. For example, ``cryptography.io``.
429
430 .. attribute:: value
431
432 :type: :term:`text`
433
434.. class:: DirectoryName
435
436 .. versionadded:: 0.9
437
438 This corresponds to a directory name.
439
440 .. attribute:: value
441
442 :type: :class:`Name`
443
444.. class:: UniformResourceIdentifier
445
446 .. versionadded:: 0.9
447
448 This corresponds to a uniform resource identifier. For example,
449 ``https://cryptography.io``.
450
451 .. attribute:: value
452
453 :type: :term:`text`
454
455.. class:: IPAddress
456
457 .. versionadded:: 0.9
458
459 This corresponds to an IP address.
460
461 .. attribute:: value
462
463 :type: :class:`~ipaddress.IPv4Address` or
464 :class:`~ipaddress.IPv6Address`.
465
466.. class:: RegisteredID
467
468 .. versionadded:: 0.9
469
470 This corresponds to a registered ID.
471
472 .. attribute:: value
473
474 :type: :class:`ObjectIdentifier`
475
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]476X.509 Extensions
477~~~~~~~~~~~~~~~~
478
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]479.. class:: Extensions
480
481 .. versionadded:: 0.9
482
483 An X.509 Extensions instance is an ordered list of extensions. The object
484 is iterable to get every extension.
485
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]486 .. method:: get_extension_for_oid(oid)
487
488 :param oid: An :class:`ObjectIdentifier` instance.
489
490 :returns: An instance of the extension class.
491
492 :raises cryptography.x509.ExtensionNotFound: If the certificate does
493 not have the extension requested.
494
495 :raises cryptography.x509.UnsupportedExtension: If the certificate
496 contains an extension that is not supported.
497
498 .. doctest::
499
500 >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
501 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
502
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]503.. class:: Extension
504
505 .. versionadded:: 0.9
506
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]507 .. attribute:: oid
508
509 :type: :class:`ObjectIdentifier`
510
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]511 The :ref:`extension OID <extension_oids>`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]512
513 .. attribute:: critical
514
515 :type: bool
516
Paul Kehrer58b75692015-03-22 23:24:58 -0500[diff] [blame]517 Determines whether a given extension is critical or not. :rfc:`5280`
518 requires that "A certificate-using system MUST reject the certificate
519 if it encounters a critical extension it does not recognize or a
520 critical extension that contains information that it cannot process".
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]521
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]522 .. attribute:: value
523
524 Returns an instance of the extension type corresponding to the OID.
525
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]526.. class:: KeyUsage
527
528 .. versionadded:: 0.9
529
530 The key usage extension defines the purpose of the key contained in the
531 certificate. The usage restriction might be employed when a key that could
532 be used for more than one operation is to be restricted. It corresponds to
533 :data:`OID_KEY_USAGE`.
534
535 .. attribute:: digital_signature
536
537 :type: bool
538
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]539 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]540 digital signatures, other than signatures on certificates
541 (``key_cert_sign``) and CRLs (``crl_sign``).
542
543 .. attribute:: content_commitment
544
545 :type: bool
546
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]547 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]548 digital signatures, other than signatures on certificates
549 (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a
550 non-repudiation service that protects against the signing entity
551 falsely denying some action. In the case of later conflict, a
552 reliable third party may determine the authenticity of the signed
553 data. This was called ``non_repudiation`` in older revisions of the
554 X.509 specification.
555
556 .. attribute:: key_encipherment
557
558 :type: bool
559
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]560 This purpose is set to true when the subject public key is used for
561 enciphering private or secret keys.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]562
563 .. attribute:: data_encipherment
564
565 :type: bool
566
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]567 This purpose is set to true when the subject public key is used for
568 directly enciphering raw user data without the use of an intermediate
569 symmetric cipher.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]570
571 .. attribute:: key_agreement
572
573 :type: bool
574
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]575 This purpose is set to true when the subject public key is used for key
576 agreement. For example, when a Diffie-Hellman key is to be used for
577 key management, then this purpose is set to true.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]578
579 .. attribute:: key_cert_sign
580
581 :type: bool
582
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]583 This purpose is set to true when the subject public key is used for
584 verifying signatures on public key certificates. If this purpose is set
585 to true then ``ca`` must be true in the :class:`BasicConstraints`
586 extension.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]587
588 .. attribute:: crl_sign
589
590 :type: bool
591
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]592 This purpose is set to true when the subject public key is used for
593 verifying signatures on certificate revocation lists.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]594
595 .. attribute:: encipher_only
596
597 :type: bool
598
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]599 When this purposes is set to true and the ``key_agreement`` purpose is
600 also set, the subject public key may be used only for enciphering data
601 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]602
603 :raises ValueError: This is raised if accessed when ``key_agreement``
604 is false.
605
606 .. attribute:: decipher_only
607
608 :type: bool
609
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]610 When this purposes is set to true and the ``key_agreement`` purpose is
611 also set, the subject public key may be used only for deciphering data
612 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]613
614 :raises ValueError: This is raised if accessed when ``key_agreement``
615 is false.
616
617
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]618.. class:: BasicConstraints
619
620 .. versionadded:: 0.9
621
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]622 Basic constraints is an X.509 extension type that defines whether a given
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]623 certificate is allowed to sign additional certificates and what path
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]624 length restrictions may exist. It corresponds to
625 :data:`OID_BASIC_CONSTRAINTS`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]626
627 .. attribute:: ca
628
629 :type: bool
630
631 Whether the certificate can sign certificates.
632
633 .. attribute:: path_length
634
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]635 :type: int or None
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]636
637 The maximum path length for certificates subordinate to this
638 certificate. This attribute only has meaning if ``ca`` is true.
639 If ``ca`` is true then a path length of None means there's no
640 restriction on the number of subordinate CAs in the certificate chain.
641 If it is zero or greater then that number defines the maximum length.
642 For example, a ``path_length`` of 1 means the certificate can sign a
643 subordinate CA, but the subordinate CA is not allowed to create
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]644 subordinates with ``ca`` set to true.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]645
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]646.. class:: ExtendedKeyUsage
647
648 .. versionadded:: 0.9
649
650 This extension indicates one or more purposes for which the certified
651 public key may be used, in addition to or in place of the basic
652 purposes indicated in the key usage extension. The object is
653 iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
654
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]655.. class:: SubjectKeyIdentifier
656
657 .. versionadded:: 0.9
658
659 The subject key identifier extension provides a means of identifying
660 certificates that contain a particular public key.
661
662 .. attribute:: digest
663
664 :type: bytes
665
666 The binary value of the identifier.
667
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame^]668.. class:: SubjectAlternativeName
669
670 .. versionadded:: 0.9
671
672 Subject alternative name is an X.509 extension that provides a list of
673 :ref:`general name <general_name_classes>` instances that provide a set
674 of identities for which the certificate is valid. The object is iterable to
675 get every element.
676
677 .. method:: get_values_for_type(type)
678
679 :param type: A :class:`GeneralName` provider. This is one of the
680 :ref:`general name classes <general_name_classes>`.
681
682 :returns: A list of values extracted from the matched general names.
683
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]684
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]685Object Identifiers
686~~~~~~~~~~~~~~~~~~
687
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]688X.509 elements are frequently identified by :class:`ObjectIdentifier`
689instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]690
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]691Name OIDs
692~~~~~~~~~
693
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]694.. data:: OID_COMMON_NAME
695
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]696 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
697 name would be encoded here for server certificates. :rfc:`2818` deprecates
698 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]699 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]700
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]701.. data:: OID_COUNTRY_NAME
702
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]703 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
704 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]705
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]706.. data:: OID_LOCALITY_NAME
707
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]708 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
709 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]710
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]711.. data:: OID_STATE_OR_PROVINCE_NAME
712
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]713 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
714 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]715
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]716.. data:: OID_ORGANIZATION_NAME
717
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]718 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
719 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]720
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]721.. data:: OID_ORGANIZATIONAL_UNIT_NAME
722
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]723 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
724 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]725
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]726.. data:: OID_SERIAL_NUMBER
727
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]728 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
729 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]730 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]731
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]732.. data:: OID_SURNAME
733
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]734 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
735 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]736
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]737.. data:: OID_GIVEN_NAME
738
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]739 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
740 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]741
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]742.. data:: OID_TITLE
743
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]744 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
745 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]746
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]747.. data:: OID_GENERATION_QUALIFIER
748
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]749 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
750 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]751
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]752.. data:: OID_DN_QUALIFIER
753
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]754 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
755 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]756 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]757
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]758.. data:: OID_PSEUDONYM
759
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]760 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
761 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]762
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]763.. data:: OID_DOMAIN_COMPONENT
764
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]765 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]766 holding one component of a domain name. See :rfc:`4519`. This OID is
767 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]768
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]769.. data:: OID_EMAIL_ADDRESS
770
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]771 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
772 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]773
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]774Signature Algorithm OIDs
775~~~~~~~~~~~~~~~~~~~~~~~~
776
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]777.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]778
779 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
780 an MD5 digest signed by an RSA key.
781
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]782.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]783
784 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
785 a SHA1 digest signed by an RSA key.
786
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]787.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]788
789 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
790 a SHA224 digest signed by an RSA key.
791
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]792.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]793
794 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
795 a SHA256 digest signed by an RSA key.
796
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]797.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]798
799 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
800 a SHA384 digest signed by an RSA key.
801
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]802.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]803
804 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
805 a SHA512 digest signed by an RSA key.
806
807.. data:: OID_ECDSA_WITH_SHA224
808
809 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
810 a SHA224 digest signed by an ECDSA key.
811
812.. data:: OID_ECDSA_WITH_SHA256
813
814 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
815 a SHA256 digest signed by an ECDSA key.
816
817.. data:: OID_ECDSA_WITH_SHA384
818
819 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
820 a SHA384 digest signed by an ECDSA key.
821
822.. data:: OID_ECDSA_WITH_SHA512
823
824 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
825 a SHA512 digest signed by an ECDSA key.
826
827.. data:: OID_DSA_WITH_SHA1
828
829 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
830 a SHA1 digest signed by a DSA key.
831
832.. data:: OID_DSA_WITH_SHA224
833
834 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
835 a SHA224 digest signed by a DSA key.
836
837.. data:: OID_DSA_WITH_SHA256
838
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]839 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]840 a SHA256 digest signed by a DSA key.
841
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]842.. _eku_oids:
843
Paul Kehrere1513fa2015-03-30 23:08:17 -0500[diff] [blame]844Extended Key Usage OIDs
845~~~~~~~~~~~~~~~~~~~~~~~
846
847.. data:: OID_SERVER_AUTH
848
849 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to
850 denote that a certificate may be used for TLS web server authentication.
851
852.. data:: OID_CLIENT_AUTH
853
854 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to
855 denote that a certificate may be used for TLS web client authentication.
856
857.. data:: OID_CODE_SIGNING
858
859 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to
860 denote that a certificate may be used for code signing.
861
862.. data:: OID_EMAIL_PROTECTION
863
864 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to
865 denote that a certificate may be used for email protection.
866
867.. data:: OID_TIME_STAMPING
868
869 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to
870 denote that a certificate may be used for time stamping.
871
872.. data:: OID_OCSP_SIGNING
873
874 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to
875 denote that a certificate may be used for signing OCSP responses.
876
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]877.. _extension_oids:
878
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]879Extension OIDs
880~~~~~~~~~~~~~~
881
882.. data:: OID_BASIC_CONSTRAINTS
883
884 Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
Paul Kehrer611d3d32015-03-22 13:31:18 -0500[diff] [blame]885 :class:`BasicConstraints` extension type.
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]886
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]887.. data:: OID_KEY_USAGE
888
889 Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
890 :class:`KeyUsage` extension type.
891
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]892
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]893Exceptions
894~~~~~~~~~~
895
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]896.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]897
898 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]899
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]900 .. attribute:: parsed_version
901
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]902 :type: int
903
904 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]905
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]906.. class:: DuplicateExtension
907
908 This is raised when more than one X.509 extension of the same type is
909 found within a certificate.
910
911 .. attribute:: oid
912
913 :type: :class:`ObjectIdentifier`
914
915 Returns the OID.
916
917.. class:: UnsupportedExtension
918
919 This is raised when a certificate contains an unsupported extension type.
920
921 .. attribute:: oid
922
923 :type: :class:`ObjectIdentifier`
924
925 Returns the OID.
926
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]927.. class:: ExtensionNotFound
928
929 This is raised when calling :meth:`Extensions.get_extension_for_oid` with
930 an extension OID that is not present in the certificate.
931
932 .. attribute:: oid
933
934 :type: :class:`ObjectIdentifier`
935
936 Returns the OID.
937
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]938
939.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]940.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security