Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 8589466c0a12835cda03bf91043cf51b657d9e46 / . / docs / x509.rst
blob: 7eb47a315e212ee6c4459bfcc559425a1762d8b3 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
6X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]7defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
8certificates are commonly used in protocols like `TLS`_.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]9
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]10
11Loading Certificates
12~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
14.. function:: load_pem_x509_certificate(data, backend)
15
16 .. versionadded:: 0.7
17
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]18 Deserialize a certificate from PEM encoded data. PEM certificates are
19 base64 decoded and have delimiters that look like
20 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]21
22 :param bytes data: The PEM encoded certificate data.
23
24 :param backend: A backend supporting the
25 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
26 interface.
27
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]28 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]29
30.. function:: load_der_x509_certificate(data, backend)
31
32 .. versionadded:: 0.7
33
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]34 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]35 and is commonly found in files with the ``.cer`` extension (although file
36 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]37
38 :param bytes data: The DER encoded certificate data.
39
40 :param backend: A backend supporting the
41 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
42 interface.
43
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]44 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]45
46.. testsetup::
47
48 pem_data = b"""
49 -----BEGIN CERTIFICATE-----
50 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
51 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
52 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
53 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
54 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
55 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
56 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
57 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
58 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
59 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
60 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
61 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
62 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
63 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
64 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
65 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
66 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
67 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
68 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
69 -----END CERTIFICATE-----
70 """.strip()
71
72.. doctest::
73
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]74 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]76 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]77 >>> cert.serial
78 2
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80X.509 Certificate Object
81~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]82
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]83.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]84
85 .. versionadded:: 0.7
86
87 .. attribute:: version
88
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]89 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]90
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]91 The certificate version as an enumeration. Version 3 certificates are
92 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]93
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]94 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]95 certificate is not a known
96 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]97
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]98 .. doctest::
99
100 >>> cert.version
101 <Version.v3: 2>
102
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]103 .. method:: fingerprint(algorithm)
104
105 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]106 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]107 that will be used to generate the fingerprint.
108
109 :return bytes: The fingerprint using the supplied hash algorithm as
110 bytes.
111
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]112 .. doctest::
113
114 >>> from cryptography.hazmat.primitives import hashes
115 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]116 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]117
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]118 .. attribute:: serial
119
120 :type: int
121
122 The serial as a Python integer.
123
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]124 .. doctest::
125
126 >>> cert.serial
127 2
128
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]129 .. method:: public_key()
130
131 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]132 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]133 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
134 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]135
136 The public key associated with the certificate.
137
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]138 .. doctest::
139
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]140 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]141 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]142 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]143 True
144
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]145 .. attribute:: not_valid_before
146
147 :type: :class:`datetime.datetime`
148
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]149 A naïve datetime representing the beginning of the validity period for
150 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]151
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]152 .. doctest::
153
154 >>> cert.not_valid_before
155 datetime.datetime(2010, 1, 1, 8, 30)
156
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]157 .. attribute:: not_valid_after
158
159 :type: :class:`datetime.datetime`
160
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]161 A naïve datetime representing the end of the validity period for the
162 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.not_valid_after
167 datetime.datetime(2030, 12, 31, 8, 30)
168
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]169 .. attribute:: issuer
170
171 .. versionadded:: 0.8
172
173 :type: :class:`Name`
174
175 The :class:`Name` of the issuer.
176
177 .. attribute:: subject
178
179 .. versionadded:: 0.8
180
181 :type: :class:`Name`
182
183 The :class:`Name` of the subject.
184
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]185 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]186
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]187 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]188
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]189 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]190 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]191 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]192
193 .. doctest::
194
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]195 >>> from cryptography.hazmat.primitives import hashes
196 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
197 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]198
199.. class:: Name
200
201 .. versionadded:: 0.8
202
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]203 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]204 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]205 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]206 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
207 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]208
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]209 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]210
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]211 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]212 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]213 >>> for attribute in cert.subject:
214 ... print(attribute)
215 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
216 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
217 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]218
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]219 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]220
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]221 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]222
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]223 :returns: A list of :class:`NameAttribute` instances that match the
224 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]225
226 .. doctest::
227
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]228 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
229 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]230
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]231.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]232
233 .. versionadded:: 0.7
234
235 An enumeration for X.509 versions.
236
237 .. attribute:: v1
238
239 For version 1 X.509 certificates.
240
241 .. attribute:: v3
242
243 For version 3 X.509 certificates.
244
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]245.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]246
247 .. versionadded:: 0.8
248
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]249 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]250
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]251 .. attribute:: oid
252
253 :type: :class:`ObjectIdentifier`
254
255 The attribute OID.
256
257 .. attribute:: value
258
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]259 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]260
261 The value of the attribute.
262
263.. class:: ObjectIdentifier
264
265 .. versionadded:: 0.8
266
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]267 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]268 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]269
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]270 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]271
272 :type: :class:`str`
273
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]274 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]275
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]276X.509 Extensions
277~~~~~~~~~~~~~~~~
278
279.. class:: Extension
280
281 .. versionadded:: 0.9
282
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame^]283 .. attribute:: oid
284
285 :type: :class:`ObjectIdentifier`
286
287 The attribute OID.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]288
289 .. attribute:: critical
290
291 :type: bool
292
293 Determines whether a given extension is critical or not.
294
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame^]295 .. attribute:: value
296
297 Returns an instance of the extension type corresponding to the OID.
298
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]299.. class:: BasicConstraints
300
301 .. versionadded:: 0.9
302
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame^]303 Basic constraints is an X.509 extension type that defines whether a given
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]304 certificate is allowed to sign additional certificates and what path
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame^]305 length restrictions may exist. It corresponds to
306 :data:`OID_BASIC_CONSTRAINTS`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]307
308 .. attribute:: ca
309
310 :type: bool
311
312 Whether the certificate can sign certificates.
313
314 .. attribute:: path_length
315
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]316 :type: int or None
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]317
318 The maximum path length for certificates subordinate to this
319 certificate. This attribute only has meaning if ``ca`` is true.
320 If ``ca`` is true then a path length of None means there's no
321 restriction on the number of subordinate CAs in the certificate chain.
322 If it is zero or greater then that number defines the maximum length.
323 For example, a ``path_length`` of 1 means the certificate can sign a
324 subordinate CA, but the subordinate CA is not allowed to create
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]325 subordinates with ``ca`` set to true.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]326
327
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]328Object Identifiers
329~~~~~~~~~~~~~~~~~~
330
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]331X.509 elements are frequently identified by :class:`ObjectIdentifier`
332instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]333
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]334Name OIDs
335~~~~~~~~~
336
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]337.. data:: OID_COMMON_NAME
338
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]339 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
340 name would be encoded here for server certificates. :rfc:`2818` deprecates
341 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]342 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]343
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]344.. data:: OID_COUNTRY_NAME
345
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]346 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
347 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]348
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]349.. data:: OID_LOCALITY_NAME
350
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]351 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
352 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]353
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]354.. data:: OID_STATE_OR_PROVINCE_NAME
355
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]356 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
357 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]358
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]359.. data:: OID_ORGANIZATION_NAME
360
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]361 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
362 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]363
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]364.. data:: OID_ORGANIZATIONAL_UNIT_NAME
365
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]366 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
367 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]368
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]369.. data:: OID_SERIAL_NUMBER
370
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]371 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
372 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]373 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]374
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]375.. data:: OID_SURNAME
376
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]377 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
378 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]379
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]380.. data:: OID_GIVEN_NAME
381
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]382 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
383 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]384
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]385.. data:: OID_TITLE
386
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]387 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
388 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]389
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]390.. data:: OID_GENERATION_QUALIFIER
391
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]392 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
393 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]394
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]395.. data:: OID_DN_QUALIFIER
396
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]397 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
398 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]399 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]400
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]401.. data:: OID_PSEUDONYM
402
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]403 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
404 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]405
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]406.. data:: OID_DOMAIN_COMPONENT
407
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]408 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]409 holding one component of a domain name. See :rfc:`4519`. This OID is
410 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]411
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]412.. data:: OID_EMAIL_ADDRESS
413
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]414 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
415 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]416
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]417Signature Algorithm OIDs
418~~~~~~~~~~~~~~~~~~~~~~~~
419
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]420.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]421
422 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
423 an MD5 digest signed by an RSA key.
424
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]425.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]426
427 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
428 a SHA1 digest signed by an RSA key.
429
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]430.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]431
432 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
433 a SHA224 digest signed by an RSA key.
434
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]435.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]436
437 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
438 a SHA256 digest signed by an RSA key.
439
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]440.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]441
442 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
443 a SHA384 digest signed by an RSA key.
444
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]445.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]446
447 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
448 a SHA512 digest signed by an RSA key.
449
450.. data:: OID_ECDSA_WITH_SHA224
451
452 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
453 a SHA224 digest signed by an ECDSA key.
454
455.. data:: OID_ECDSA_WITH_SHA256
456
457 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
458 a SHA256 digest signed by an ECDSA key.
459
460.. data:: OID_ECDSA_WITH_SHA384
461
462 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
463 a SHA384 digest signed by an ECDSA key.
464
465.. data:: OID_ECDSA_WITH_SHA512
466
467 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
468 a SHA512 digest signed by an ECDSA key.
469
470.. data:: OID_DSA_WITH_SHA1
471
472 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
473 a SHA1 digest signed by a DSA key.
474
475.. data:: OID_DSA_WITH_SHA224
476
477 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
478 a SHA224 digest signed by a DSA key.
479
480.. data:: OID_DSA_WITH_SHA256
481
482 Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is
483 a SHA256 digest signed by a DSA key.
484
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]485Extension OIDs
486~~~~~~~~~~~~~~
487
488.. data:: OID_BASIC_CONSTRAINTS
489
490 Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
491 basic constraints extension.
492
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]493
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]494Exceptions
495~~~~~~~~~~
496
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]497.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]498
499 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]500
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]501 .. attribute:: parsed_version
502
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]503 :type: int
504
505 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]506
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]507
508.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]509.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security