Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 738407ba87472f7f474c164e2fd33ab037bab93f / . / docs / x509.rst
blob: afc9620add39338d4d717d6c61be9e525ce235f6 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
Paul Kehrerd26c4db2015-03-15 15:36:24 -0500[diff] [blame]6.. testsetup::
7
8 pem_req_data = b"""
9 -----BEGIN CERTIFICATE REQUEST-----
10 MIIC0zCCAbsCAQAwWTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAw
11 DgYDVQQHDAdDaGljYWdvMREwDwYDVQQKDAhyNTA5IExMQzESMBAGA1UEAwwJaGVs
12 bG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqhZx+Mo9VRd9
13 vsnWWa6NBCws21rZ0+1B/JGgB4hDsZS7iDE4Bj5z4idheFRtl8bBbdjPknq7BfoF
14 8v15Zq/Zv7i2xMSDL+LUrTBZezRd4bRTGqCm6YJ5EYkhqdcqeZleHCFImguHoq1J
15 Fh0+kObQrTHXw3ZP57a3o1IvyIUA3nNoCBL0QQhwBXaDXOojMKNR+bqB5ve8GS1y
16 Elr0AM/+cJsfaIahNQUgFKx3Eu3GeEOMKYOAG1lycgdQdmTUybLrT3U7vkClTseM
17 xHg1r5En7ALjONIhqRuq3rddYahrP8HXozb3zUy3cJ7P6IeaosuvNzvMXOX9P6HD
18 Ha9urDAJ1wIDAQABoDUwMwYJKoZIhvcNAQkOMSYwJDAiBgNVHREEGzAZggl3b3Js
19 ZC5jb22CDHdoYXRldmVyLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAS4Ro6h+z52SK
20 YSLCYARpnEu/rmh4jdqndt8naqcNb6uLx9mlKZ2W9on9XDjnSdQD9q+ZP5aZfESw
21 R0+rJhW9ZrNa/g1pt6M24ihclHYDAxYMWxT1z/TXXGM3TmZZ6gfYlNE1kkBuODHa
22 UYsR/1Ht1E1EsmmUimt2n+zQR2K8T9Coa+boaUW/GsTEuz1aaJAkj5ZvTDiIhRG4
23 AOCqFZOLAQmCCNgJnnspD9hDz/Ons085LF5wnYjN4/Nsk5tS6AGs3xjZ3jPoOGGn
24 82WQ9m4dBGoVDZXsobVTaN592JEYwN5iu72zRn7Einb4V4H5y3yD2dD4yWPlt4pk
25 5wFkeYsZEA==
26 -----END CERTIFICATE REQUEST-----
27 """.strip()
28
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]29 pem_data = b"""
30 -----BEGIN CERTIFICATE-----
31 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
32 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
33 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
34 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
35 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
36 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
37 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
38 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
39 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
40 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
41 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
42 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
43 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
44 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
45 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
46 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
47 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
48 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
49 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
50 -----END CERTIFICATE-----
51 """.strip()
52
53X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
54defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
55certificates are commonly used in protocols like `TLS`_.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]56
57Loading Certificates
58~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]59
60.. function:: load_pem_x509_certificate(data, backend)
61
62 .. versionadded:: 0.7
63
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]64 Deserialize a certificate from PEM encoded data. PEM certificates are
65 base64 decoded and have delimiters that look like
66 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]67
68 :param bytes data: The PEM encoded certificate data.
69
70 :param backend: A backend supporting the
71 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
72 interface.
73
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]74 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75
76.. function:: load_der_x509_certificate(data, backend)
77
78 .. versionadded:: 0.7
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]81 and is commonly found in files with the ``.cer`` extension (although file
82 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]83
84 :param bytes data: The DER encoded certificate data.
85
86 :param backend: A backend supporting the
87 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
88 interface.
89
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]90 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]91
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]92.. doctest::
93
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]94 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]95 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]96 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]97 >>> cert.serial
98 2
99
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]100Loading Certificate Signing Requests
101~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]102
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]103.. function:: load_pem_x509_csr(data, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]104
105 .. versionadded:: 0.9
106
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]107 Deserialize a certificate signing request (CSR) from PEM encoded data. PEM
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]108 requests are base64 decoded and have delimiters that look like
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]109 ``-----BEGIN CERTIFICATE REQUEST-----``. This format is also known as
110 PKCS#10.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]111
112 :param bytes data: The PEM encoded request data.
113
114 :param backend: A backend supporting the
115 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
116 interface.
117
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]118 :returns: An instance of
119 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]120
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]121.. function:: load_der_x509_csr(data, backend)
122
123 .. versionadded:: 0.9
124
125 Deserialize a certificate signing request (CSR) from DER encoded data. DER
126 is a binary format and is not commonly used with CSRs.
127
128 :param bytes data: The DER encoded request data.
129
130 :param backend: A backend supporting the
131 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
132 interface.
133
134 :returns: An instance of
135 :class:`~cryptography.x509.CertificateSigningRequest`.
136
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]137.. doctest::
138
139 >>> from cryptography import x509
140 >>> from cryptography.hazmat.backends import default_backend
141 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]142 >>> csr = x509.load_pem_x509_csr(pem_req_data, default_backend())
143 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]144 True
145
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]146X.509 Certificate Object
147~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]148
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]149.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]150
151 .. versionadded:: 0.7
152
153 .. attribute:: version
154
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]155 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]156
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]157 The certificate version as an enumeration. Version 3 certificates are
158 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]159
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]160 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]161 certificate is not a known
162 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.version
167 <Version.v3: 2>
168
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]169 .. method:: fingerprint(algorithm)
170
171 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]172 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]173 that will be used to generate the fingerprint.
174
175 :return bytes: The fingerprint using the supplied hash algorithm as
176 bytes.
177
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]178 .. doctest::
179
180 >>> from cryptography.hazmat.primitives import hashes
181 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]182 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]183
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]184 .. attribute:: serial
185
186 :type: int
187
188 The serial as a Python integer.
189
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]190 .. doctest::
191
192 >>> cert.serial
193 2
194
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]195 .. method:: public_key()
196
197 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]198 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]199 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
200 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]201
202 The public key associated with the certificate.
203
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]204 .. doctest::
205
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]206 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]207 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]208 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]209 True
210
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]211 .. attribute:: not_valid_before
212
213 :type: :class:`datetime.datetime`
214
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]215 A naïve datetime representing the beginning of the validity period for
216 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]217
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]218 .. doctest::
219
220 >>> cert.not_valid_before
221 datetime.datetime(2010, 1, 1, 8, 30)
222
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]223 .. attribute:: not_valid_after
224
225 :type: :class:`datetime.datetime`
226
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]227 A naïve datetime representing the end of the validity period for the
228 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]229
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]230 .. doctest::
231
232 >>> cert.not_valid_after
233 datetime.datetime(2030, 12, 31, 8, 30)
234
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]235 .. attribute:: issuer
236
237 .. versionadded:: 0.8
238
239 :type: :class:`Name`
240
241 The :class:`Name` of the issuer.
242
243 .. attribute:: subject
244
245 .. versionadded:: 0.8
246
247 :type: :class:`Name`
248
249 The :class:`Name` of the subject.
250
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]251 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]252
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]253 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]254
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]255 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]256 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]257 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]258
259 .. doctest::
260
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]261 >>> from cryptography.hazmat.primitives import hashes
262 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
263 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]264
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]265 .. attribute:: extensions
266
267 :type: :class:`Extensions`
268
269 The extensions encoded in the certificate.
270
271 :raises cryptography.x509.DuplicateExtension: If more than one
272 extension of the same type is found within the certificate.
273
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]274 .. doctest::
275
276 >>> for ext in cert.extensions:
277 ... print(ext)
278 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
279
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]280X.509 CSR (Certificate Signing Request) Object
281~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]282
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]283.. class:: CertificateSigningRequest
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]284
285 .. versionadded:: 0.9
286
287 .. method:: public_key()
288
289 :type:
290 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
291 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
292 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
293
294 The public key associated with the request.
295
296 .. doctest::
297
298 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]299 >>> public_key = csr.public_key()
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]300 >>> isinstance(public_key, rsa.RSAPublicKey)
301 True
302
303 .. attribute:: subject
304
305 :type: :class:`Name`
306
307 The :class:`Name` of the subject.
308
309 .. attribute:: signature_hash_algorithm
310
311 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
312
313 Returns the
314 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
315 was used in signing this request.
316
317 .. doctest::
318
319 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]320 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]321 True
322
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]323.. class:: Name
324
325 .. versionadded:: 0.8
326
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]327 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]328 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]329 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]330 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
331 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]332
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]333 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]334
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]335 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]336 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]337 >>> for attribute in cert.subject:
338 ... print(attribute)
339 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
340 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
341 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]342
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]343 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]344
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]345 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]346
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]347 :returns: A list of :class:`NameAttribute` instances that match the
348 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]349
350 .. doctest::
351
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]352 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
353 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]354
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]355.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]356
357 .. versionadded:: 0.7
358
359 An enumeration for X.509 versions.
360
361 .. attribute:: v1
362
363 For version 1 X.509 certificates.
364
365 .. attribute:: v3
366
367 For version 3 X.509 certificates.
368
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]369.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]370
371 .. versionadded:: 0.8
372
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]373 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]374
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]375 .. attribute:: oid
376
377 :type: :class:`ObjectIdentifier`
378
379 The attribute OID.
380
381 .. attribute:: value
382
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]383 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]384
385 The value of the attribute.
386
387.. class:: ObjectIdentifier
388
389 .. versionadded:: 0.8
390
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]391 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]392 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]393
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]394 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]395
396 :type: :class:`str`
397
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]398 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]399
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]400X.509 Extensions
401~~~~~~~~~~~~~~~~
402
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]403.. class:: Extensions
404
405 .. versionadded:: 0.9
406
407 An X.509 Extensions instance is an ordered list of extensions. The object
408 is iterable to get every extension.
409
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]410 .. method:: get_extension_for_oid(oid)
411
412 :param oid: An :class:`ObjectIdentifier` instance.
413
414 :returns: An instance of the extension class.
415
416 :raises cryptography.x509.ExtensionNotFound: If the certificate does
417 not have the extension requested.
418
419 :raises cryptography.x509.UnsupportedExtension: If the certificate
420 contains an extension that is not supported.
421
422 .. doctest::
423
424 >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
425 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
426
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]427.. class:: Extension
428
429 .. versionadded:: 0.9
430
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]431 .. attribute:: oid
432
433 :type: :class:`ObjectIdentifier`
434
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]435 The :ref:`extension OID <extension_oids>`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]436
437 .. attribute:: critical
438
439 :type: bool
440
Paul Kehrer58b75692015-03-22 23:24:58 -0500[diff] [blame]441 Determines whether a given extension is critical or not. :rfc:`5280`
442 requires that "A certificate-using system MUST reject the certificate
443 if it encounters a critical extension it does not recognize or a
444 critical extension that contains information that it cannot process".
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]445
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]446 .. attribute:: value
447
448 Returns an instance of the extension type corresponding to the OID.
449
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]450.. class:: KeyUsage
451
452 .. versionadded:: 0.9
453
454 The key usage extension defines the purpose of the key contained in the
455 certificate. The usage restriction might be employed when a key that could
456 be used for more than one operation is to be restricted. It corresponds to
457 :data:`OID_KEY_USAGE`.
458
459 .. attribute:: digital_signature
460
461 :type: bool
462
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]463 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]464 digital signatures, other than signatures on certificates
465 (``key_cert_sign``) and CRLs (``crl_sign``).
466
467 .. attribute:: content_commitment
468
469 :type: bool
470
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]471 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]472 digital signatures, other than signatures on certificates
473 (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a
474 non-repudiation service that protects against the signing entity
475 falsely denying some action. In the case of later conflict, a
476 reliable third party may determine the authenticity of the signed
477 data. This was called ``non_repudiation`` in older revisions of the
478 X.509 specification.
479
480 .. attribute:: key_encipherment
481
482 :type: bool
483
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]484 This purpose is set to true when the subject public key is used for
485 enciphering private or secret keys.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]486
487 .. attribute:: data_encipherment
488
489 :type: bool
490
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]491 This purpose is set to true when the subject public key is used for
492 directly enciphering raw user data without the use of an intermediate
493 symmetric cipher.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]494
495 .. attribute:: key_agreement
496
497 :type: bool
498
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]499 This purpose is set to true when the subject public key is used for key
500 agreement. For example, when a Diffie-Hellman key is to be used for
501 key management, then this purpose is set to true.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]502
503 .. attribute:: key_cert_sign
504
505 :type: bool
506
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]507 This purpose is set to true when the subject public key is used for
508 verifying signatures on public key certificates. If this purpose is set
509 to true then ``ca`` must be true in the :class:`BasicConstraints`
510 extension.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]511
512 .. attribute:: crl_sign
513
514 :type: bool
515
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]516 This purpose is set to true when the subject public key is used for
517 verifying signatures on certificate revocation lists.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]518
519 .. attribute:: encipher_only
520
521 :type: bool
522
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]523 When this purposes is set to true and the ``key_agreement`` purpose is
524 also set, the subject public key may be used only for enciphering data
525 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]526
527 :raises ValueError: This is raised if accessed when ``key_agreement``
528 is false.
529
530 .. attribute:: decipher_only
531
532 :type: bool
533
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame^]534 When this purposes is set to true and the ``key_agreement`` purpose is
535 also set, the subject public key may be used only for deciphering data
536 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]537
538 :raises ValueError: This is raised if accessed when ``key_agreement``
539 is false.
540
541
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]542.. class:: BasicConstraints
543
544 .. versionadded:: 0.9
545
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]546 Basic constraints is an X.509 extension type that defines whether a given
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]547 certificate is allowed to sign additional certificates and what path
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]548 length restrictions may exist. It corresponds to
549 :data:`OID_BASIC_CONSTRAINTS`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]550
551 .. attribute:: ca
552
553 :type: bool
554
555 Whether the certificate can sign certificates.
556
557 .. attribute:: path_length
558
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]559 :type: int or None
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]560
561 The maximum path length for certificates subordinate to this
562 certificate. This attribute only has meaning if ``ca`` is true.
563 If ``ca`` is true then a path length of None means there's no
564 restriction on the number of subordinate CAs in the certificate chain.
565 If it is zero or greater then that number defines the maximum length.
566 For example, a ``path_length`` of 1 means the certificate can sign a
567 subordinate CA, but the subordinate CA is not allowed to create
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]568 subordinates with ``ca`` set to true.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]569
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]570.. class:: ExtendedKeyUsage
571
572 .. versionadded:: 0.9
573
574 This extension indicates one or more purposes for which the certified
575 public key may be used, in addition to or in place of the basic
576 purposes indicated in the key usage extension. The object is
577 iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
578
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]579
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]580Object Identifiers
581~~~~~~~~~~~~~~~~~~
582
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]583X.509 elements are frequently identified by :class:`ObjectIdentifier`
584instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]585
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]586Name OIDs
587~~~~~~~~~
588
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]589.. data:: OID_COMMON_NAME
590
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]591 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
592 name would be encoded here for server certificates. :rfc:`2818` deprecates
593 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]594 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]595
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]596.. data:: OID_COUNTRY_NAME
597
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]598 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
599 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]600
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]601.. data:: OID_LOCALITY_NAME
602
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]603 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
604 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]605
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]606.. data:: OID_STATE_OR_PROVINCE_NAME
607
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]608 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
609 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]610
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]611.. data:: OID_ORGANIZATION_NAME
612
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]613 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
614 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]615
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]616.. data:: OID_ORGANIZATIONAL_UNIT_NAME
617
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]618 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
619 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]620
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]621.. data:: OID_SERIAL_NUMBER
622
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]623 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
624 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]625 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]626
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]627.. data:: OID_SURNAME
628
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]629 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
630 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]631
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]632.. data:: OID_GIVEN_NAME
633
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]634 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
635 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]636
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]637.. data:: OID_TITLE
638
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]639 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
640 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]641
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]642.. data:: OID_GENERATION_QUALIFIER
643
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]644 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
645 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]646
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]647.. data:: OID_DN_QUALIFIER
648
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]649 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
650 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]651 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]652
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]653.. data:: OID_PSEUDONYM
654
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]655 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
656 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]657
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]658.. data:: OID_DOMAIN_COMPONENT
659
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]660 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]661 holding one component of a domain name. See :rfc:`4519`. This OID is
662 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]663
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]664.. data:: OID_EMAIL_ADDRESS
665
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]666 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
667 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]668
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]669Signature Algorithm OIDs
670~~~~~~~~~~~~~~~~~~~~~~~~
671
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]672.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]673
674 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
675 an MD5 digest signed by an RSA key.
676
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]677.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]678
679 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
680 a SHA1 digest signed by an RSA key.
681
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]682.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]683
684 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
685 a SHA224 digest signed by an RSA key.
686
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]687.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]688
689 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
690 a SHA256 digest signed by an RSA key.
691
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]692.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]693
694 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
695 a SHA384 digest signed by an RSA key.
696
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]697.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]698
699 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
700 a SHA512 digest signed by an RSA key.
701
702.. data:: OID_ECDSA_WITH_SHA224
703
704 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
705 a SHA224 digest signed by an ECDSA key.
706
707.. data:: OID_ECDSA_WITH_SHA256
708
709 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
710 a SHA256 digest signed by an ECDSA key.
711
712.. data:: OID_ECDSA_WITH_SHA384
713
714 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
715 a SHA384 digest signed by an ECDSA key.
716
717.. data:: OID_ECDSA_WITH_SHA512
718
719 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
720 a SHA512 digest signed by an ECDSA key.
721
722.. data:: OID_DSA_WITH_SHA1
723
724 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
725 a SHA1 digest signed by a DSA key.
726
727.. data:: OID_DSA_WITH_SHA224
728
729 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
730 a SHA224 digest signed by a DSA key.
731
732.. data:: OID_DSA_WITH_SHA256
733
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]734 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]735 a SHA256 digest signed by a DSA key.
736
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]737.. _eku_oids:
738
Paul Kehrere1513fa2015-03-30 23:08:17 -0500[diff] [blame]739Extended Key Usage OIDs
740~~~~~~~~~~~~~~~~~~~~~~~
741
742.. data:: OID_SERVER_AUTH
743
744 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to
745 denote that a certificate may be used for TLS web server authentication.
746
747.. data:: OID_CLIENT_AUTH
748
749 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to
750 denote that a certificate may be used for TLS web client authentication.
751
752.. data:: OID_CODE_SIGNING
753
754 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to
755 denote that a certificate may be used for code signing.
756
757.. data:: OID_EMAIL_PROTECTION
758
759 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to
760 denote that a certificate may be used for email protection.
761
762.. data:: OID_TIME_STAMPING
763
764 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to
765 denote that a certificate may be used for time stamping.
766
767.. data:: OID_OCSP_SIGNING
768
769 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to
770 denote that a certificate may be used for signing OCSP responses.
771
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]772.. _extension_oids:
773
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]774Extension OIDs
775~~~~~~~~~~~~~~
776
777.. data:: OID_BASIC_CONSTRAINTS
778
779 Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
Paul Kehrer611d3d32015-03-22 13:31:18 -0500[diff] [blame]780 :class:`BasicConstraints` extension type.
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]781
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]782.. data:: OID_KEY_USAGE
783
784 Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
785 :class:`KeyUsage` extension type.
786
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]787
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]788Exceptions
789~~~~~~~~~~
790
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]791.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]792
793 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]794
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]795 .. attribute:: parsed_version
796
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]797 :type: int
798
799 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]800
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]801.. class:: DuplicateExtension
802
803 This is raised when more than one X.509 extension of the same type is
804 found within a certificate.
805
806 .. attribute:: oid
807
808 :type: :class:`ObjectIdentifier`
809
810 Returns the OID.
811
812.. class:: UnsupportedExtension
813
814 This is raised when a certificate contains an unsupported extension type.
815
816 .. attribute:: oid
817
818 :type: :class:`ObjectIdentifier`
819
820 Returns the OID.
821
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]822.. class:: ExtensionNotFound
823
824 This is raised when calling :meth:`Extensions.get_extension_for_oid` with
825 an extension OID that is not present in the certificate.
826
827 .. attribute:: oid
828
829 :type: :class:`ObjectIdentifier`
830
831 Returns the OID.
832
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]833
834.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]835.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security