Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 3e6d558d1b845cf2df31efec08235b15998174d4 / . / docs / x509.rst
blob: f66178ab45a16e50c8e2a2e79530fb9da74ab33c [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1X.509
2=====
3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]4.. currentmodule:: cryptography.x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]5
Paul Kehrerd26c4db2015-03-15 15:36:24 -0500[diff] [blame]6.. testsetup::
7
8 pem_req_data = b"""
9 -----BEGIN CERTIFICATE REQUEST-----
10 MIIC0zCCAbsCAQAwWTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAw
11 DgYDVQQHDAdDaGljYWdvMREwDwYDVQQKDAhyNTA5IExMQzESMBAGA1UEAwwJaGVs
12 bG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqhZx+Mo9VRd9
13 vsnWWa6NBCws21rZ0+1B/JGgB4hDsZS7iDE4Bj5z4idheFRtl8bBbdjPknq7BfoF
14 8v15Zq/Zv7i2xMSDL+LUrTBZezRd4bRTGqCm6YJ5EYkhqdcqeZleHCFImguHoq1J
15 Fh0+kObQrTHXw3ZP57a3o1IvyIUA3nNoCBL0QQhwBXaDXOojMKNR+bqB5ve8GS1y
16 Elr0AM/+cJsfaIahNQUgFKx3Eu3GeEOMKYOAG1lycgdQdmTUybLrT3U7vkClTseM
17 xHg1r5En7ALjONIhqRuq3rddYahrP8HXozb3zUy3cJ7P6IeaosuvNzvMXOX9P6HD
18 Ha9urDAJ1wIDAQABoDUwMwYJKoZIhvcNAQkOMSYwJDAiBgNVHREEGzAZggl3b3Js
19 ZC5jb22CDHdoYXRldmVyLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAS4Ro6h+z52SK
20 YSLCYARpnEu/rmh4jdqndt8naqcNb6uLx9mlKZ2W9on9XDjnSdQD9q+ZP5aZfESw
21 R0+rJhW9ZrNa/g1pt6M24ihclHYDAxYMWxT1z/TXXGM3TmZZ6gfYlNE1kkBuODHa
22 UYsR/1Ht1E1EsmmUimt2n+zQR2K8T9Coa+boaUW/GsTEuz1aaJAkj5ZvTDiIhRG4
23 AOCqFZOLAQmCCNgJnnspD9hDz/Ons085LF5wnYjN4/Nsk5tS6AGs3xjZ3jPoOGGn
24 82WQ9m4dBGoVDZXsobVTaN592JEYwN5iu72zRn7Einb4V4H5y3yD2dD4yWPlt4pk
25 5wFkeYsZEA==
26 -----END CERTIFICATE REQUEST-----
27 """.strip()
28
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]29 pem_data = b"""
30 -----BEGIN CERTIFICATE-----
31 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEf
32 MB0GA1UEChMWVGVzdCBDZXJ0aWZpY2F0ZXMgMjAxMTEVMBMGA1UEAxMMVHJ1c3Qg
33 QW5jaG9yMB4XDTEwMDEwMTA4MzAwMFoXDTMwMTIzMTA4MzAwMFowQDELMAkGA1UE
34 BhMCVVMxHzAdBgNVBAoTFlRlc3QgQ2VydGlmaWNhdGVzIDIwMTExEDAOBgNVBAMT
35 B0dvb2QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQWJpHYo37
36 Xfb7oJSPe+WvfTlzIG21WQ7MyMbGtK/m8mejCzR6c+f/pJhEH/OcDSMsXq8h5kXa
37 BGqWK+vSwD/Pzp5OYGptXmGPcthDtAwlrafkGOS4GqIJ8+k9XGKs+vQUXJKsOk47
38 RuzD6PZupq4s16xaLVqYbUC26UcY08GpnoLNHJZS/EmXw1ZZ3d4YZjNlpIpWFNHn
39 UGmdiGKXUPX/9H0fVjIAaQwjnGAbpgyCumWgzIwPpX+ElFOUr3z7BoVnFKhIXze+
40 VmQGSWxZxvWDUN90Ul0tLEpLgk3OVxUB4VUGuf15OJOpgo1xibINPmWt14Vda2N9
41 yrNKloJGZNqLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFOR9X9FclYYILAWuvnW2ZafZ
42 XahmMB0GA1UdDgQWBBRYAYQkG7wrUpRKPaUQchRR9a86yTAOBgNVHQ8BAf8EBAMC
43 AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
44 KoZIhvcNAQELBQADggEBADWHlxbmdTXNwBL/llwhQqwnazK7CC2WsXBBqgNPWj7m
45 tvQ+aLG8/50Qc2Sun7o2VnwF9D18UUe8Gj3uPUYH+oSI1vDdyKcjmMbKRU4rk0eo
46 3UHNDXwqIVc9CQS9smyV+x1HCwL4TTrq+LXLKx/qVij0Yqk+UJfAtrg2jnYKXsCu
47 FMBQQnWCGrwa1g1TphRp/RmYHnMynYFmZrXtzFz+U9XEA7C+gPq4kqDI/iVfIT1s
48 6lBtdB50lrDVwl2oYfAvW/6sC2se2QleZidUmrziVNP4oEeXINokU6T6p//HM1FG
49 QYw2jOvpKcKtWCSAnegEbgsGYzATKjmPJPJ0npHFqzM=
50 -----END CERTIFICATE-----
51 """.strip()
52
53X.509 is an ITU-T standard for a `public key infrastructure`_. X.509v3 is
54defined in :rfc:`5280` (which obsoletes :rfc:`2459` and :rfc:`3280`). X.509
55certificates are commonly used in protocols like `TLS`_.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]56
57Loading Certificates
58~~~~~~~~~~~~~~~~~~~~
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]59
60.. function:: load_pem_x509_certificate(data, backend)
61
62 .. versionadded:: 0.7
63
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]64 Deserialize a certificate from PEM encoded data. PEM certificates are
65 base64 decoded and have delimiters that look like
66 ``-----BEGIN CERTIFICATE-----``.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]67
68 :param bytes data: The PEM encoded certificate data.
69
70 :param backend: A backend supporting the
71 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
72 interface.
73
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]74 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75
76.. function:: load_der_x509_certificate(data, backend)
77
78 .. versionadded:: 0.7
79
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80 Deserialize a certificate from DER encoded data. DER is a binary format
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]81 and is commonly found in files with the ``.cer`` extension (although file
82 extensions are not a guarantee of encoding type).
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]83
84 :param bytes data: The DER encoded certificate data.
85
86 :param backend: A backend supporting the
87 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
88 interface.
89
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]90 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]91
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]92.. doctest::
93
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]94 >>> from cryptography import x509
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]95 >>> from cryptography.hazmat.backends import default_backend
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]96 >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]97 >>> cert.serial
98 2
99
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]100Loading Certificate Signing Requests
101~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]102
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]103.. function:: load_pem_x509_csr(data, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]104
105 .. versionadded:: 0.9
106
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]107 Deserialize a certificate signing request (CSR) from PEM encoded data. PEM
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]108 requests are base64 decoded and have delimiters that look like
Paul Kehrerd3dafbd2015-03-15 16:24:18 -0500[diff] [blame]109 ``-----BEGIN CERTIFICATE REQUEST-----``. This format is also known as
110 PKCS#10.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]111
112 :param bytes data: The PEM encoded request data.
113
114 :param backend: A backend supporting the
115 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
116 interface.
117
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]118 :returns: An instance of
119 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]120
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]121.. function:: load_der_x509_csr(data, backend)
122
123 .. versionadded:: 0.9
124
125 Deserialize a certificate signing request (CSR) from DER encoded data. DER
126 is a binary format and is not commonly used with CSRs.
127
128 :param bytes data: The DER encoded request data.
129
130 :param backend: A backend supporting the
131 :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
132 interface.
133
134 :returns: An instance of
135 :class:`~cryptography.x509.CertificateSigningRequest`.
136
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]137.. doctest::
138
139 >>> from cryptography import x509
140 >>> from cryptography.hazmat.backends import default_backend
141 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]142 >>> csr = x509.load_pem_x509_csr(pem_req_data, default_backend())
143 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]144 True
145
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]146X.509 Certificate Object
147~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]148
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]149.. class:: Certificate
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]150
151 .. versionadded:: 0.7
152
153 .. attribute:: version
154
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]155 :type: :class:`~cryptography.x509.Version`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]156
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]157 The certificate version as an enumeration. Version 3 certificates are
158 the latest version and also the only type you should see in practice.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]159
Alex Gaynor89c4dc82014-12-16 16:49:33 -0800[diff] [blame]160 :raises cryptography.x509.InvalidVersion: If the version in the
Alex Gaynor6d7ab4c2014-12-16 16:50:33 -0800[diff] [blame]161 certificate is not a known
162 :class:`X.509 version <cryptography.x509.Version>`.
Paul Kehrer92aac382014-12-15 16:25:28 -0600[diff] [blame]163
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]164 .. doctest::
165
166 >>> cert.version
167 <Version.v3: 2>
168
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]169 .. method:: fingerprint(algorithm)
170
171 :param algorithm: The
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]172 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]173 that will be used to generate the fingerprint.
174
175 :return bytes: The fingerprint using the supplied hash algorithm as
176 bytes.
177
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]178 .. doctest::
179
180 >>> from cryptography.hazmat.primitives import hashes
181 >>> cert.fingerprint(hashes.SHA256())
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]182 '\x86\xd2\x187Gc\xfc\xe7}[+E9\x8d\xb4\x8f\x10\xe5S\xda\x18u\xbe}a\x03\x08[\xac\xa04?'
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]183
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]184 .. attribute:: serial
185
186 :type: int
187
188 The serial as a Python integer.
189
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]190 .. doctest::
191
192 >>> cert.serial
193 2
194
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]195 .. method:: public_key()
196
197 :type:
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]198 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]199 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
200 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]201
202 The public key associated with the certificate.
203
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]204 .. doctest::
205
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]206 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]207 >>> public_key = cert.public_key()
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]208 >>> isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]209 True
210
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]211 .. attribute:: not_valid_before
212
213 :type: :class:`datetime.datetime`
214
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]215 A naïve datetime representing the beginning of the validity period for
216 the certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]217
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]218 .. doctest::
219
220 >>> cert.not_valid_before
221 datetime.datetime(2010, 1, 1, 8, 30)
222
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]223 .. attribute:: not_valid_after
224
225 :type: :class:`datetime.datetime`
226
Paul Kehrer78a81502014-12-16 14:47:52 -0600[diff] [blame]227 A naïve datetime representing the end of the validity period for the
228 certificate in UTC. This value is inclusive.
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]229
Paul Kehrercc8a26e2014-12-16 12:40:16 -0600[diff] [blame]230 .. doctest::
231
232 >>> cert.not_valid_after
233 datetime.datetime(2030, 12, 31, 8, 30)
234
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]235 .. attribute:: issuer
236
237 .. versionadded:: 0.8
238
239 :type: :class:`Name`
240
241 The :class:`Name` of the issuer.
242
243 .. attribute:: subject
244
245 .. versionadded:: 0.8
246
247 :type: :class:`Name`
248
249 The :class:`Name` of the subject.
250
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]251 .. attribute:: signature_hash_algorithm
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]252
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]253 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]254
Paul Kehrere612ec72015-02-16 14:33:35 -0600[diff] [blame]255 Returns the
Paul Kehrer71d40c62015-02-19 08:21:04 -0600[diff] [blame]256 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]257 was used in signing this certificate.
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]258
259 .. doctest::
260
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]261 >>> from cryptography.hazmat.primitives import hashes
262 >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
263 True
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]264
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]265 .. attribute:: extensions
266
267 :type: :class:`Extensions`
268
269 The extensions encoded in the certificate.
270
271 :raises cryptography.x509.DuplicateExtension: If more than one
272 extension of the same type is found within the certificate.
273
Paul Kehrerd8fc0be2015-04-21 08:31:10 -0500[diff] [blame]274 :raises cryptography.x509.UnsupportedExtension: If the certificate
275 contains an extension that is not supported.
276
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]277 :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
278 contains a general name that is not supported.
279
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]280 .. doctest::
281
282 >>> for ext in cert.extensions:
283 ... print(ext)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]284 <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)>
Paul Kehrerb511ba82015-04-15 11:22:48 -0400[diff] [blame]285 <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=None, decipher_only=None)>)>
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]286 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
287
Paul Kehrer5aadb9c2015-03-11 20:48:42 -0500[diff] [blame]288X.509 CSR (Certificate Signing Request) Object
289~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]290
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]291.. class:: CertificateSigningRequest
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]292
293 .. versionadded:: 0.9
294
295 .. method:: public_key()
296
297 :type:
298 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` or
299 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` or
300 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
301
302 The public key associated with the request.
303
304 .. doctest::
305
306 >>> from cryptography.hazmat.primitives.asymmetric import rsa
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]307 >>> public_key = csr.public_key()
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]308 >>> isinstance(public_key, rsa.RSAPublicKey)
309 True
310
311 .. attribute:: subject
312
313 :type: :class:`Name`
314
315 The :class:`Name` of the subject.
316
317 .. attribute:: signature_hash_algorithm
318
319 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
320
321 Returns the
322 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
323 was used in signing this request.
324
325 .. doctest::
326
327 >>> from cryptography.hazmat.primitives import hashes
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]328 >>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]329 True
330
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]331.. class:: Name
332
333 .. versionadded:: 0.8
334
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]335 An X509 Name is an ordered list of attributes. The object is iterable to
Paul Kehrerd21596e2015-02-14 09:17:26 -0600[diff] [blame]336 get every attribute or you can use :meth:`Name.get_attributes_for_oid` to
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]337 obtain the specific type you want. Names are sometimes represented as a
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]338 slash or comma delimited string (e.g. ``/CN=mydomain.com/O=My Org/C=US`` or
339 ``CN=mydomain.com, O=My Org, C=US``).
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]340
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]341 .. doctest::
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]342
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]343 >>> len(cert.subject)
Paul Kehrer53d8d492015-02-13 18:47:30 -0600[diff] [blame]344 3
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]345 >>> for attribute in cert.subject:
346 ... print(attribute)
347 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>
348 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Test Certificates 2011')>
349 <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]350
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]351 .. method:: get_attributes_for_oid(oid)
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]352
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]353 :param oid: An :class:`ObjectIdentifier` instance.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]354
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]355 :returns: A list of :class:`NameAttribute` instances that match the
356 OID provided. If nothing matches an empty list will be returned.
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]357
358 .. doctest::
359
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]360 >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
361 [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame]362
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]363.. class:: Version
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]364
365 .. versionadded:: 0.7
366
367 An enumeration for X.509 versions.
368
369 .. attribute:: v1
370
371 For version 1 X.509 certificates.
372
373 .. attribute:: v3
374
375 For version 3 X.509 certificates.
376
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]377.. class:: NameAttribute
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]378
379 .. versionadded:: 0.8
380
Paul Kehrer834d22f2015-02-06 11:01:07 -0600[diff] [blame]381 An X.509 name consists of a list of NameAttribute instances.
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]382
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]383 .. attribute:: oid
384
385 :type: :class:`ObjectIdentifier`
386
387 The attribute OID.
388
389 .. attribute:: value
390
Paul Kehrerd5852cb2015-01-30 08:25:23 -0600[diff] [blame]391 :type: :term:`text`
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]392
393 The value of the attribute.
394
395.. class:: ObjectIdentifier
396
397 .. versionadded:: 0.8
398
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]399 Object identifiers (frequently seen abbreviated as OID) identify the type
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]400 of a value (see: :class:`NameAttribute`).
Paul Kehrer5b0a8d62015-01-30 20:05:55 -0600[diff] [blame]401
Paul Kehrerd44f9a62015-02-04 14:47:34 -0600[diff] [blame]402 .. attribute:: dotted_string
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]403
404 :type: :class:`str`
405
Paul Kehrerfedf4f42015-02-06 11:22:07 -0600[diff] [blame]406 The dotted string value of the OID (e.g. ``"2.5.4.3"``)
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]407
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]408.. _general_name_classes:
409
410General Name Classes
411~~~~~~~~~~~~~~~~~~~~
412
413.. class:: GeneralName
414
415 .. versionadded:: 0.9
416
417 This is the generic interface that all the following classes are registered
418 against.
419
420.. class:: RFC822Name
421
422 .. versionadded:: 0.9
423
424 This corresponds to an email address. For example, ``user@example.com``.
425
426 .. attribute:: value
427
428 :type: :term:`text`
429
430.. class:: DNSName
431
432 .. versionadded:: 0.9
433
434 This corresponds to a domain name. For example, ``cryptography.io``.
435
436 .. attribute:: value
437
438 :type: :term:`text`
439
440.. class:: DirectoryName
441
442 .. versionadded:: 0.9
443
444 This corresponds to a directory name.
445
446 .. attribute:: value
447
448 :type: :class:`Name`
449
450.. class:: UniformResourceIdentifier
451
452 .. versionadded:: 0.9
453
454 This corresponds to a uniform resource identifier. For example,
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]455 ``https://cryptography.io``. The URI is parsed and IDNA decoded (see
456 :rfc:`5895`).
457
458 .. note::
459
460 URIs that do not contain ``://`` in them will not be decoded.
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]461
462 .. attribute:: value
463
464 :type: :term:`text`
465
466.. class:: IPAddress
467
468 .. versionadded:: 0.9
469
470 This corresponds to an IP address.
471
472 .. attribute:: value
473
474 :type: :class:`~ipaddress.IPv4Address` or
475 :class:`~ipaddress.IPv6Address`.
476
477.. class:: RegisteredID
478
479 .. versionadded:: 0.9
480
481 This corresponds to a registered ID.
482
483 .. attribute:: value
484
485 :type: :class:`ObjectIdentifier`
486
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]487X.509 Extensions
488~~~~~~~~~~~~~~~~
489
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]490.. class:: Extensions
491
492 .. versionadded:: 0.9
493
494 An X.509 Extensions instance is an ordered list of extensions. The object
495 is iterable to get every extension.
496
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]497 .. method:: get_extension_for_oid(oid)
498
499 :param oid: An :class:`ObjectIdentifier` instance.
500
501 :returns: An instance of the extension class.
502
503 :raises cryptography.x509.ExtensionNotFound: If the certificate does
504 not have the extension requested.
505
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]506 .. doctest::
507
508 >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
509 <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
510
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]511.. class:: Extension
512
513 .. versionadded:: 0.9
514
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]515 .. attribute:: oid
516
517 :type: :class:`ObjectIdentifier`
518
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]519 The :ref:`extension OID <extension_oids>`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]520
521 .. attribute:: critical
522
523 :type: bool
524
Paul Kehrer58b75692015-03-22 23:24:58 -0500[diff] [blame]525 Determines whether a given extension is critical or not. :rfc:`5280`
526 requires that "A certificate-using system MUST reject the certificate
527 if it encounters a critical extension it does not recognize or a
528 critical extension that contains information that it cannot process".
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]529
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]530 .. attribute:: value
531
532 Returns an instance of the extension type corresponding to the OID.
533
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]534.. class:: KeyUsage
535
536 .. versionadded:: 0.9
537
538 The key usage extension defines the purpose of the key contained in the
539 certificate. The usage restriction might be employed when a key that could
540 be used for more than one operation is to be restricted. It corresponds to
541 :data:`OID_KEY_USAGE`.
542
543 .. attribute:: digital_signature
544
545 :type: bool
546
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]547 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]548 digital signatures, other than signatures on certificates
549 (``key_cert_sign``) and CRLs (``crl_sign``).
550
551 .. attribute:: content_commitment
552
553 :type: bool
554
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]555 This purpose is set to true when the subject public key is used for verifying
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]556 digital signatures, other than signatures on certificates
557 (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a
558 non-repudiation service that protects against the signing entity
559 falsely denying some action. In the case of later conflict, a
560 reliable third party may determine the authenticity of the signed
561 data. This was called ``non_repudiation`` in older revisions of the
562 X.509 specification.
563
564 .. attribute:: key_encipherment
565
566 :type: bool
567
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]568 This purpose is set to true when the subject public key is used for
569 enciphering private or secret keys.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]570
571 .. attribute:: data_encipherment
572
573 :type: bool
574
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]575 This purpose is set to true when the subject public key is used for
576 directly enciphering raw user data without the use of an intermediate
577 symmetric cipher.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]578
579 .. attribute:: key_agreement
580
581 :type: bool
582
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]583 This purpose is set to true when the subject public key is used for key
584 agreement. For example, when a Diffie-Hellman key is to be used for
585 key management, then this purpose is set to true.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]586
587 .. attribute:: key_cert_sign
588
589 :type: bool
590
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]591 This purpose is set to true when the subject public key is used for
592 verifying signatures on public key certificates. If this purpose is set
593 to true then ``ca`` must be true in the :class:`BasicConstraints`
594 extension.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]595
596 .. attribute:: crl_sign
597
598 :type: bool
599
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]600 This purpose is set to true when the subject public key is used for
601 verifying signatures on certificate revocation lists.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]602
603 .. attribute:: encipher_only
604
605 :type: bool
606
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]607 When this purposes is set to true and the ``key_agreement`` purpose is
608 also set, the subject public key may be used only for enciphering data
609 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]610
611 :raises ValueError: This is raised if accessed when ``key_agreement``
612 is false.
613
614 .. attribute:: decipher_only
615
616 :type: bool
617
Paul Kehrer738407b2015-04-01 22:39:02 -0500[diff] [blame]618 When this purposes is set to true and the ``key_agreement`` purpose is
619 also set, the subject public key may be used only for deciphering data
620 while performing key agreement.
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]621
622 :raises ValueError: This is raised if accessed when ``key_agreement``
623 is false.
624
625
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]626.. class:: BasicConstraints
627
628 .. versionadded:: 0.9
629
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]630 Basic constraints is an X.509 extension type that defines whether a given
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]631 certificate is allowed to sign additional certificates and what path
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]632 length restrictions may exist. It corresponds to
633 :data:`OID_BASIC_CONSTRAINTS`.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]634
635 .. attribute:: ca
636
637 :type: bool
638
639 Whether the certificate can sign certificates.
640
641 .. attribute:: path_length
642
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]643 :type: int or None
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]644
645 The maximum path length for certificates subordinate to this
646 certificate. This attribute only has meaning if ``ca`` is true.
647 If ``ca`` is true then a path length of None means there's no
648 restriction on the number of subordinate CAs in the certificate chain.
649 If it is zero or greater then that number defines the maximum length.
650 For example, a ``path_length`` of 1 means the certificate can sign a
651 subordinate CA, but the subordinate CA is not allowed to create
Paul Kehrerfd1444c2015-03-21 19:47:05 -0500[diff] [blame]652 subordinates with ``ca`` set to true.
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]653
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]654.. class:: ExtendedKeyUsage
655
656 .. versionadded:: 0.9
657
658 This extension indicates one or more purposes for which the certified
659 public key may be used, in addition to or in place of the basic
660 purposes indicated in the key usage extension. The object is
661 iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
662
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]663.. class:: AuthorityKeyIdentifier
664
665 .. versionadded:: 0.9
666
667 The authority key identifier extension provides a means of identifying the
668 public key corresponding to the private key used to sign a certificate.
Paul Kehrer8c8cd722015-04-19 09:15:04 -0500[diff] [blame]669 This extension is typically used to assist in determining the appropriate
670 certificate chain. For more information about generation and use of this
671 extension see `RFC 5280 section 4.2.1.1`_.
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]672
673 .. attribute:: key_identifier
674
675 :type: bytes
676
Paul Kehrer9104b1d2015-04-18 09:23:44 -0500[diff] [blame]677 A value derived from the public key used to verify the certificate's
Paul Kehrer8c8cd722015-04-19 09:15:04 -0500[diff] [blame]678 signature.
Paul Kehrer9104b1d2015-04-18 09:23:44 -0500[diff] [blame]679
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]680 .. attribute:: authority_cert_issuer
681
682 :type: :class:`Name` or None
683
Paul Kehrer9104b1d2015-04-18 09:23:44 -0500[diff] [blame]684 The :class:`Name` of the issuer's issuer.
685
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]686 .. attribute:: authority_cert_serial_number
687
688 :type: int or None
689
Paul Kehrer9104b1d2015-04-18 09:23:44 -0500[diff] [blame]690 The serial number of the issuer's issuer.
691
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]692.. class:: SubjectKeyIdentifier
693
694 .. versionadded:: 0.9
695
696 The subject key identifier extension provides a means of identifying
697 certificates that contain a particular public key.
698
699 .. attribute:: digest
700
701 :type: bytes
702
703 The binary value of the identifier.
704
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]705.. class:: SubjectAlternativeName
706
707 .. versionadded:: 0.9
708
709 Subject alternative name is an X.509 extension that provides a list of
710 :ref:`general name <general_name_classes>` instances that provide a set
711 of identities for which the certificate is valid. The object is iterable to
712 get every element.
713
714 .. method:: get_values_for_type(type)
715
716 :param type: A :class:`GeneralName` provider. This is one of the
717 :ref:`general name classes <general_name_classes>`.
718
719 :returns: A list of values extracted from the matched general names.
720
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]721
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame^]722.. class:: AuthorityInformationAccess
723
724 .. versionadded:: 0.9
725
726 The authority information access extension indicates how to access
727 information and services for the issuer of the certificate in which
728 the extension appears. Information and services may include online
729 validation services (such as OCSP) and issuer data. It is an iterable,
730 containing one or more :class:`AccessDescription` instances.
731
732
733.. class:: AccessDescription
734
735 .. attribute:: access_method
736
737 :type: :class:`ObjectIdentifier`
738
739 Either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS`
740
741 .. attribute:: access_location
742
743 :type: :class:`GeneralName`
744
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]745Object Identifiers
746~~~~~~~~~~~~~~~~~~
747
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]748X.509 elements are frequently identified by :class:`ObjectIdentifier`
749instances. The following common OIDs are available as constants.
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]750
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]751Name OIDs
752~~~~~~~~~
753
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]754.. data:: OID_COMMON_NAME
755
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]756 Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
757 name would be encoded here for server certificates. :rfc:`2818` deprecates
758 this practice and names of that type should now be located in a
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]759 SubjectAlternativeName extension. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]760
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]761.. data:: OID_COUNTRY_NAME
762
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]763 Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
764 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]765
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]766.. data:: OID_LOCALITY_NAME
767
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]768 Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
769 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]770
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]771.. data:: OID_STATE_OR_PROVINCE_NAME
772
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]773 Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
774 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]775
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]776.. data:: OID_ORGANIZATION_NAME
777
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]778 Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
779 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]780
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]781.. data:: OID_ORGANIZATIONAL_UNIT_NAME
782
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]783 Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
784 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]785
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]786.. data:: OID_SERIAL_NUMBER
787
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]788 Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
789 serial number of the certificate itself (which can be obtained with
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]790 :func:`Certificate.serial`). This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]791
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]792.. data:: OID_SURNAME
793
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]794 Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
795 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]796
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]797.. data:: OID_GIVEN_NAME
798
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]799 Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
800 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]801
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]802.. data:: OID_TITLE
803
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]804 Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
805 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]806
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]807.. data:: OID_GENERATION_QUALIFIER
808
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]809 Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
810 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]811
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]812.. data:: OID_DN_QUALIFIER
813
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]814 Corresponds to the dotted string ``"2.5.4.46"``. This specifies
815 disambiguating information to add to the relative distinguished name of an
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]816 entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]817
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]818.. data:: OID_PSEUDONYM
819
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]820 Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
821 in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]822
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]823.. data:: OID_DOMAIN_COMPONENT
824
Paul Kehrerfb5ac9e2015-02-07 16:29:37 -0600[diff] [blame]825 Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]826 holding one component of a domain name. See :rfc:`4519`. This OID is
827 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]828
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]829.. data:: OID_EMAIL_ADDRESS
830
Paul Kehrer4bb46492015-02-07 16:59:14 -0600[diff] [blame]831 Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
832 typically seen in X.509 names.
Paul Kehrer858b9b72015-02-05 09:50:31 -0600[diff] [blame]833
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]834Signature Algorithm OIDs
835~~~~~~~~~~~~~~~~~~~~~~~~
836
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]837.. data:: OID_RSA_WITH_MD5
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]838
839 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
840 an MD5 digest signed by an RSA key.
841
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]842.. data:: OID_RSA_WITH_SHA1
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]843
844 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
845 a SHA1 digest signed by an RSA key.
846
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]847.. data:: OID_RSA_WITH_SHA224
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]848
849 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
850 a SHA224 digest signed by an RSA key.
851
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]852.. data:: OID_RSA_WITH_SHA256
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]853
854 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
855 a SHA256 digest signed by an RSA key.
856
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]857.. data:: OID_RSA_WITH_SHA384
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]858
859 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
860 a SHA384 digest signed by an RSA key.
861
Paul Kehrer1a7ba872015-02-19 18:09:05 -0600[diff] [blame]862.. data:: OID_RSA_WITH_SHA512
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]863
864 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
865 a SHA512 digest signed by an RSA key.
866
867.. data:: OID_ECDSA_WITH_SHA224
868
869 Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
870 a SHA224 digest signed by an ECDSA key.
871
872.. data:: OID_ECDSA_WITH_SHA256
873
874 Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
875 a SHA256 digest signed by an ECDSA key.
876
877.. data:: OID_ECDSA_WITH_SHA384
878
879 Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
880 a SHA384 digest signed by an ECDSA key.
881
882.. data:: OID_ECDSA_WITH_SHA512
883
884 Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
885 a SHA512 digest signed by an ECDSA key.
886
887.. data:: OID_DSA_WITH_SHA1
888
889 Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
890 a SHA1 digest signed by a DSA key.
891
892.. data:: OID_DSA_WITH_SHA224
893
894 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
895 a SHA224 digest signed by a DSA key.
896
897.. data:: OID_DSA_WITH_SHA256
898
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]899 Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]900 a SHA256 digest signed by a DSA key.
901
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]902.. _eku_oids:
903
Paul Kehrere1513fa2015-03-30 23:08:17 -0500[diff] [blame]904Extended Key Usage OIDs
905~~~~~~~~~~~~~~~~~~~~~~~
906
907.. data:: OID_SERVER_AUTH
908
909 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to
910 denote that a certificate may be used for TLS web server authentication.
911
912.. data:: OID_CLIENT_AUTH
913
914 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to
915 denote that a certificate may be used for TLS web client authentication.
916
917.. data:: OID_CODE_SIGNING
918
919 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to
920 denote that a certificate may be used for code signing.
921
922.. data:: OID_EMAIL_PROTECTION
923
924 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to
925 denote that a certificate may be used for email protection.
926
927.. data:: OID_TIME_STAMPING
928
929 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to
930 denote that a certificate may be used for time stamping.
931
932.. data:: OID_OCSP_SIGNING
933
934 Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to
935 denote that a certificate may be used for signing OCSP responses.
936
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame^]937Authority Information Access OIDs
938~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
939
940.. data:: OID_OCSP
941
942 Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the
943 identifier for OCSP data in :class:`AccessDescription` objects.
944
945.. data:: OID_CA_ISSUERS
946
947 Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the
948 identifier for CA issuer data in :class:`AccessDescription` objects.
949
Paul Kehrer5553d572015-03-23 21:08:01 -0500[diff] [blame]950.. _extension_oids:
951
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]952Extension OIDs
953~~~~~~~~~~~~~~
954
955.. data:: OID_BASIC_CONSTRAINTS
956
957 Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
Paul Kehrer611d3d32015-03-22 13:31:18 -0500[diff] [blame]958 :class:`BasicConstraints` extension type.
Paul Kehrer2bb94642015-03-21 09:54:17 -0500[diff] [blame]959
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]960.. data:: OID_KEY_USAGE
961
962 Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
963 :class:`KeyUsage` extension type.
964
Paul Kehrer56da2a52015-02-11 23:35:07 -0600[diff] [blame]965
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]966Exceptions
967~~~~~~~~~~
968
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]969.. class:: InvalidVersion
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]970
971 This is raised when an X.509 certificate has an invalid version number.
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]972
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]973 .. attribute:: parsed_version
974
Paul Kehrerbbffc402014-12-17 13:33:55 -0600[diff] [blame]975 :type: int
976
977 Returns the raw version that was parsed from the certificate.
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]978
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]979.. class:: DuplicateExtension
980
981 This is raised when more than one X.509 extension of the same type is
982 found within a certificate.
983
984 .. attribute:: oid
985
986 :type: :class:`ObjectIdentifier`
987
988 Returns the OID.
989
990.. class:: UnsupportedExtension
991
992 This is raised when a certificate contains an unsupported extension type.
993
994 .. attribute:: oid
995
996 :type: :class:`ObjectIdentifier`
997
998 Returns the OID.
999
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1000.. class:: ExtensionNotFound
1001
1002 This is raised when calling :meth:`Extensions.get_extension_for_oid` with
1003 an extension OID that is not present in the certificate.
1004
1005 .. attribute:: oid
1006
1007 :type: :class:`ObjectIdentifier`
1008
1009 Returns the OID.
1010
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1011.. class:: UnsupportedGeneralNameType
1012
1013 This is raised when a certificate contains an unsupported general name
1014 type in an extension.
1015
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1016 .. attribute:: type
1017
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]1018 :type: int
1019
1020 The integer value of the unsupported type. The complete list of
1021 types can be found in `RFC 5280 section 4.2.1.6`_.
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1022
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1023
1024.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]1025.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security
Paul Kehrerc7c9a432015-04-19 09:20:13 -0500[diff] [blame]1026.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]1027.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6