Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / fd1444cfa97bb897eaee6ceca35175357317623b / . / docs / x509.rst
blob: 8024258119790e9dfe90521c99f64f36177818f0 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
6X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]7defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
8certificates are commonly used in protocols like `TLS`_.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]9
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]10
11Loading Certificates
12~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
14.. function:: load_pem_x509_certificate(data, backend)
15
16 .. versionadded:: 0.7
17
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]18 Deserialize a certificate from PEM encoded data. PEM certificates are
19 base64 decoded and have delimiters that look like
20 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]21
22 :param bytes data: The PEM encoded certificate data.
23
24 :param backend: A backend supporting the
25 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
26 interface.
27
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]28 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]29
30.. function:: load_der_x509_certificate(data, backend)
31
32 .. versionadded:: 0.7
33
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]34 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]35 and is commonly found in files with the ``.cer`` extension (although file
36 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]37
38 :param bytes data: The DER encoded certificate data.
39
40 :param backend: A backend supporting the
41 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
42 interface.
43
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]44 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]45
46.. testsetup::
47
48 pem_data = b"""
49 -----BEGIN CERTIFICATE-----
50 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
51 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
52 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
53 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
54 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
55 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
56 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
57 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
58 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
59 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
60 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
61 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
62 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
63 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
64 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
65 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
66 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
67 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
68 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
69 -----END CERTIFICATE-----
70 """.strip()
71
72.. doctest::
73
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]74 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]76 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]77 >>> cert.serial
78 2
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80X.509 Certificate Object
81~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]82
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]83.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]84
85 .. versionadded:: 0.7
86
87 .. attribute:: version
88
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]89 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]90
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]91 The certificate version as an enumeration. Version 3 certificates are
92 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]93
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]94 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]95 certificate is not a known
96 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]97
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]98 .. doctest::
99
100 >>> cert.version
101 <Version.v3: 2>
102
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]103 .. method:: fingerprint(algorithm)
104
105 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]106 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]107 that will be used to generate the fingerprint.
108
109 :return bytes: The fingerprint using the supplied hash algorithm as
110 bytes.
111
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]112 .. doctest::
113
114 >>> from cryptography.hazmat.primitives import hashes
115 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]116 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]117
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]118 .. attribute:: serial
119
120 :type: int
121
122 The serial as a Python integer.
123
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]124 .. doctest::
125
126 >>> cert.serial
127 2
128
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]129 .. method:: public_key()
130
131 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]132 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]133 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
134 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]135
136 The public key associated with the certificate.
137
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]138 .. doctest::
139
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]140 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]141 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]142 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]143 True
144
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]145 .. attribute:: not_valid_before
146
147 :type: :class:`datetime.datetime`
148
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]149 A naïve datetime representing the beginning of the validity period for
150 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]151
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]152 .. doctest::
153
154 >>> cert.not_valid_before
155 datetime.datetime(2010, 1, 1, 8, 30)
156
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]157 .. attribute:: not_valid_after
158
159 :type: :class:`datetime.datetime`
160
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]161 A naïve datetime representing the end of the validity period for the
162 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.not_valid_after
167 datetime.datetime(2030, 12, 31, 8, 30)
168
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]169 .. attribute:: issuer
170
171 .. versionadded:: 0.8
172
173 :type: :class:`Name`
174
175 The :class:`Name` of the issuer.
176
177 .. attribute:: subject
178
179 .. versionadded:: 0.8
180
181 :type: :class:`Name`
182
183 The :class:`Name` of the subject.
184
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]185 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]186
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]187 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]188
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]189 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]190 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]191 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]192
193 .. doctest::
194
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]195 >>> from cryptography.hazmat.primitives import hashes
196 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
197 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]198
199.. class:: Name
200
201 .. versionadded:: 0.8
202
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]203 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]204 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]205 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]206 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
207 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]208
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]209 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]210
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]211 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]212 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]213 >>> for attribute in cert.subject:
214 ... print(attribute)
215 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
216 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
217 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]218
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]219 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]220
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]221 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]222
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]223 :returns: A list of :class:`NameAttribute` instances that match the
224 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]225
226 .. doctest::
227
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]228 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
229 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]230
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]231.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]232
233 .. versionadded:: 0.7
234
235 An enumeration for X.509 versions.
236
237 .. attribute:: v1
238
239 For version 1 X.509 certificates.
240
241 .. attribute:: v3
242
243 For version 3 X.509 certificates.
244
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]245.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]246
247 .. versionadded:: 0.8
248
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]249 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]250
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]251 .. attribute:: oid
252
253 :type: :class:`ObjectIdentifier`
254
255 The attribute OID.
256
257 .. attribute:: value
258
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]259 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]260
261 The value of the attribute.
262
263.. class:: ObjectIdentifier
264
265 .. versionadded:: 0.8
266
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]267 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]268 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]269
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]270 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]271
272 :type: :class:`str`
273
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]274 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]275
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]276X.509 Extensions
277~~~~~~~~~~~~~~~~
278
279.. class:: Extension
280
281 .. versionadded:: 0.9
282
283 All X.509 extensions are registered against this interface.
284
285 .. attribute:: critical
286
287 :type: bool
288
289 Determines whether a given extension is critical or not.
290
291.. class:: BasicConstraints
292
293 .. versionadded:: 0.9
294
295 Basic constraints is an X.509 extension that defines whether a given
296 certificate is allowed to sign additional certificates and what path
297 length restrictions may exist.
298
299 .. attribute:: ca
300
301 :type: bool
302
303 Whether the certificate can sign certificates.
304
305 .. attribute:: path_length
306
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame^]307 :type: int or None
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]308
309 The maximum path length for certificates subordinate to this
310 certificate. This attribute only has meaning if ``ca`` is true.
311 If ``ca`` is true then a path length of None means there's no
312 restriction on the number of subordinate CAs in the certificate chain.
313 If it is zero or greater then that number defines the maximum length.
314 For example, a ``path_length`` of 1 means the certificate can sign a
315 subordinate CA, but the subordinate CA is not allowed to create
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame^]316 subordinates with ``ca`` set to true.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]317
318
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]319Object Identifiers
320~~~~~~~~~~~~~~~~~~
321
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]322X.509 elements are frequently identified by :class:`ObjectIdentifier`
323instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]324
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]325Name OIDs
326~~~~~~~~~
327
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]328.. data:: OID_COMMON_NAME
329
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]330 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
331 name would be encoded here for server certificates. :rfc:`2818` deprecates
332 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]333 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]334
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]335.. data:: OID_COUNTRY_NAME
336
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]337 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
338 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]339
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]340.. data:: OID_LOCALITY_NAME
341
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]342 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
343 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]344
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]345.. data:: OID_STATE_OR_PROVINCE_NAME
346
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]347 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
348 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]349
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]350.. data:: OID_ORGANIZATION_NAME
351
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]352 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
353 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]354
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]355.. data:: OID_ORGANIZATIONAL_UNIT_NAME
356
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]357 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
358 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]359
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]360.. data:: OID_SERIAL_NUMBER
361
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]362 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
363 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]364 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]365
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]366.. data:: OID_SURNAME
367
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]368 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
369 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]370
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]371.. data:: OID_GIVEN_NAME
372
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]373 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
374 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]375
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]376.. data:: OID_TITLE
377
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]378 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
379 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]380
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]381.. data:: OID_GENERATION_QUALIFIER
382
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]383 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
384 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]385
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]386.. data:: OID_DN_QUALIFIER
387
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]388 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
389 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]390 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]391
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]392.. data:: OID_PSEUDONYM
393
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]394 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
395 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]396
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]397.. data:: OID_DOMAIN_COMPONENT
398
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]399 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]400 holding one component of a domain name. See :rfc:`4519`. This OID is
401 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]402
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]403.. data:: OID_EMAIL_ADDRESS
404
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]405 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
406 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]407
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]408Signature Algorithm OIDs
409~~~~~~~~~~~~~~~~~~~~~~~~
410
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]411.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]412
413 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
414 an MD5 digest signed by an RSA key.
415
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]416.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]417
418 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
419 a SHA1 digest signed by an RSA key.
420
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]421.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]422
423 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
424 a SHA224 digest signed by an RSA key.
425
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]426.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]427
428 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
429 a SHA256 digest signed by an RSA key.
430
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]431.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]432
433 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
434 a SHA384 digest signed by an RSA key.
435
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]436.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]437
438 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
439 a SHA512 digest signed by an RSA key.
440
441.. data:: OID_ECDSA_WITH_SHA224
442
443 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
444 a SHA224 digest signed by an ECDSA key.
445
446.. data:: OID_ECDSA_WITH_SHA256
447
448 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
449 a SHA256 digest signed by an ECDSA key.
450
451.. data:: OID_ECDSA_WITH_SHA384
452
453 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
454 a SHA384 digest signed by an ECDSA key.
455
456.. data:: OID_ECDSA_WITH_SHA512
457
458 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
459 a SHA512 digest signed by an ECDSA key.
460
461.. data:: OID_DSA_WITH_SHA1
462
463 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
464 a SHA1 digest signed by a DSA key.
465
466.. data:: OID_DSA_WITH_SHA224
467
468 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
469 a SHA224 digest signed by a DSA key.
470
471.. data:: OID_DSA_WITH_SHA256
472
473 Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is
474 a SHA256 digest signed by a DSA key.
475
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]476Extension OIDs
477~~~~~~~~~~~~~~
478
479.. data:: OID_BASIC_CONSTRAINTS
480
481 Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
482 basic constraints extension.
483
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]484
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]485Exceptions
486~~~~~~~~~~
487
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]488.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]489
490 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]491
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]492 .. attribute:: parsed_version
493
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]494 :type: int
495
496 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]497
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]498
499.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]500.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security