Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 1 | .. _openssl-crypto: |
| 2 | |
| 3 | :py:mod:`crypto` --- Generic cryptographic module |
| 4 | ================================================= |
| 5 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 6 | .. py:module:: OpenSSL.crypto |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 7 | :synopsis: Generic cryptographic module |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 8 | |
| 9 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 10 | .. py:data:: X509Type |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 11 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 12 | See :py:class:`X509`. |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 13 | |
| 14 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 15 | .. py:class:: X509() |
| 16 | |
| 17 | A class representing X.509 certificates. |
| 18 | |
| 19 | |
| 20 | .. py:data:: X509NameType |
| 21 | |
| 22 | See :py:class:`X509Name`. |
| 23 | |
| 24 | |
| 25 | .. py:class:: X509Name(x509name) |
| 26 | |
| 27 | A class representing X.509 Distinguished Names. |
| 28 | |
| 29 | This constructor creates a copy of *x509name* which should be an |
| 30 | instance of :py:class:`X509Name`. |
| 31 | |
| 32 | |
| 33 | .. py:data:: X509ReqType |
| 34 | |
| 35 | See :py:class:`X509Req`. |
| 36 | |
| 37 | |
| 38 | .. py:class:: X509Req() |
| 39 | |
| 40 | A class representing X.509 certificate requests. |
| 41 | |
| 42 | |
| 43 | .. py:data:: X509StoreType |
| 44 | |
| 45 | A Python type object representing the X509Store object type. |
| 46 | |
| 47 | |
| 48 | .. py:data:: PKeyType |
| 49 | |
| 50 | See :py:class:`PKey`. |
| 51 | |
| 52 | |
| 53 | .. py:class:: PKey() |
| 54 | |
| 55 | A class representing DSA or RSA keys. |
| 56 | |
| 57 | |
| 58 | .. py:data:: PKCS7Type |
| 59 | |
| 60 | A Python type object representing the PKCS7 object type. |
| 61 | |
| 62 | |
| 63 | .. py:data:: PKCS12Type |
| 64 | |
| 65 | A Python type object representing the PKCS12 object type. |
| 66 | |
| 67 | |
| 68 | .. py:data:: X509ExtensionType |
| 69 | |
| 70 | See :py:class:`X509Extension`. |
| 71 | |
| 72 | |
| 73 | .. py:class:: X509Extension(typename, critical, value[, subject][, issuer]) |
| 74 | |
| 75 | A class representing an X.509 v3 certificate extensions. See |
| 76 | http://openssl.org/docs/apps/x509v3_config.html#STANDARD_EXTENSIONS for |
| 77 | *typename* strings and their options. Optional parameters *subject* and |
| 78 | *issuer* must be X509 objects. |
| 79 | |
| 80 | |
| 81 | .. py:data:: NetscapeSPKIType |
| 82 | |
| 83 | See :py:class:`NetscapeSPKI`. |
| 84 | |
| 85 | |
| 86 | .. py:class:: NetscapeSPKI([enc]) |
| 87 | |
| 88 | A class representing Netscape SPKI objects. |
| 89 | |
| 90 | If the *enc* argument is present, it should be a base64-encoded string |
| 91 | representing a NetscapeSPKI object, as returned by the :py:meth:`b64_encode` |
| 92 | method. |
| 93 | |
| 94 | |
| 95 | .. py:class:: CRL() |
| 96 | |
| 97 | A class representing Certifcate Revocation List objects. |
| 98 | |
| 99 | |
| 100 | .. py:class:: Revoked() |
| 101 | |
| 102 | A class representing Revocation objects of CRL. |
| 103 | |
| 104 | |
| 105 | .. py:data:: FILETYPE_PEM |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 106 | FILETYPE_ASN1 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 107 | |
| 108 | File type constants. |
| 109 | |
| 110 | |
| 111 | .. py:data:: TYPE_RSA |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 112 | TYPE_DSA |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 113 | |
| 114 | Key type constants. |
| 115 | |
| 116 | |
| 117 | .. py:exception:: Error |
| 118 | |
| 119 | Generic exception used in the :py:mod:`.crypto` module. |
| 120 | |
| 121 | |
| 122 | .. py:function:: dump_certificate(type, cert) |
| 123 | |
| 124 | Dump the certificate *cert* into a buffer string encoded with the type |
| 125 | *type*. |
| 126 | |
| 127 | |
| 128 | .. py:function:: dump_certificate_request(type, req) |
| 129 | |
| 130 | Dump the certificate request *req* into a buffer string encoded with the |
| 131 | type *type*. |
| 132 | |
| 133 | |
| 134 | .. py:function:: dump_privatekey(type, pkey[, cipher, passphrase]) |
| 135 | |
| 136 | Dump the private key *pkey* into a buffer string encoded with the type |
| 137 | *type*, optionally (if *type* is :py:const:`FILETYPE_PEM`) encrypting it |
| 138 | using *cipher* and *passphrase*. |
| 139 | |
| 140 | *passphrase* must be either a string or a callback for providing the |
| 141 | pass phrase. |
| 142 | |
| 143 | |
| 144 | .. py:function:: load_certificate(type, buffer) |
| 145 | |
| 146 | Load a certificate (X509) from the string *buffer* encoded with the |
| 147 | type *type*. |
| 148 | |
| 149 | |
| 150 | .. py:function:: load_certificate_request(type, buffer) |
| 151 | |
| 152 | Load a certificate request (X509Req) from the string *buffer* encoded with |
| 153 | the type *type*. |
| 154 | |
| 155 | |
| 156 | .. py:function:: load_privatekey(type, buffer[, passphrase]) |
| 157 | |
| 158 | Load a private key (PKey) from the string *buffer* encoded with the type |
| 159 | *type* (must be one of :py:const:`FILETYPE_PEM` and |
| 160 | :py:const:`FILETYPE_ASN1`). |
| 161 | |
| 162 | *passphrase* must be either a string or a callback for providing the pass |
| 163 | phrase. |
| 164 | |
| 165 | |
| 166 | .. py:function:: load_crl(type, buffer) |
| 167 | |
| 168 | Load Certificate Revocation List (CRL) data from a string *buffer*. |
| 169 | *buffer* encoded with the type *type*. The type *type* must either |
| 170 | :py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`). |
| 171 | |
| 172 | |
| 173 | .. py:function:: load_pkcs7_data(type, buffer) |
| 174 | |
| 175 | Load pkcs7 data from the string *buffer* encoded with the type *type*. |
| 176 | |
| 177 | |
| 178 | .. py:function:: load_pkcs12(buffer[, passphrase]) |
| 179 | |
| 180 | Load pkcs12 data from the string *buffer*. If the pkcs12 structure is |
| 181 | encrypted, a *passphrase* must be included. The MAC is always |
| 182 | checked and thus required. |
| 183 | |
| 184 | See also the man page for the C function :py:func:`PKCS12_parse`. |
| 185 | |
| 186 | |
| 187 | .. py:function:: sign(key, data, digest) |
| 188 | |
| 189 | Sign a data string using the given key and message digest. |
| 190 | |
| 191 | *key* is a :py:class:`PKey` instance. *data* is a ``str`` instance. |
| 192 | *digest* is a ``str`` naming a supported message digest type, for example |
| 193 | :py:const:`sha1`. |
| 194 | |
| 195 | .. versionadded:: 0.11 |
| 196 | |
| 197 | |
| 198 | .. py:function:: verify(certificate, signature, data, digest) |
| 199 | |
| 200 | Verify the signature for a data string. |
| 201 | |
| 202 | *certificate* is a :py:class:`X509` instance corresponding to the private |
| 203 | key which generated the signature. *signature* is a *str* instance giving |
| 204 | the signature itself. *data* is a *str* instance giving the data to which |
| 205 | the signature applies. *digest* is a *str* instance naming the message |
| 206 | digest type of the signature, for example :py:const:`sha1`. |
| 207 | |
| 208 | .. versionadded:: 0.11 |
| 209 | |
| 210 | |
| 211 | .. _openssl-x509: |
| 212 | |
| 213 | X509 objects |
| 214 | ------------ |
| 215 | |
| 216 | X509 objects have the following methods: |
| 217 | |
| 218 | .. py:method:: X509.get_issuer() |
| 219 | |
| 220 | Return an X509Name object representing the issuer of the certificate. |
| 221 | |
| 222 | |
| 223 | .. py:method:: X509.get_pubkey() |
| 224 | |
| 225 | Return a :py:class:`PKey` object representing the public key of the certificate. |
| 226 | |
| 227 | |
| 228 | .. py:method:: X509.get_serial_number() |
| 229 | |
| 230 | Return the certificate serial number. |
| 231 | |
| 232 | |
| 233 | .. py:method:: X509.get_signature_algorithm() |
| 234 | |
| 235 | Return the signature algorithm used in the certificate. If the algorithm is |
| 236 | undefined, raise :py:data:`ValueError`. |
| 237 | |
Jean-Paul Calderone | 54cc390 | 2012-09-12 10:49:07 -0400 | [diff] [blame] | 238 | ..versionadded:: 0.13 |
| 239 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 240 | |
| 241 | .. py:method:: X509.get_subject() |
| 242 | |
| 243 | Return an :py:class:`X509Name` object representing the subject of the certificate. |
| 244 | |
| 245 | |
| 246 | .. py:method:: X509.get_version() |
| 247 | |
| 248 | Return the certificate version. |
| 249 | |
| 250 | |
| 251 | .. py:method:: X509.get_notBefore() |
| 252 | |
| 253 | Return a string giving the time before which the certificate is not valid. The |
| 254 | string is formatted as an ASN1 GENERALIZEDTIME:: |
| 255 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 256 | YYYYMMDDhhmmssZ |
| 257 | YYYYMMDDhhmmss+hhmm |
| 258 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 259 | |
| 260 | If no value exists for this field, :py:data:`None` is returned. |
| 261 | |
| 262 | |
| 263 | .. py:method:: X509.get_notAfter() |
| 264 | |
| 265 | Return a string giving the time after which the certificate is not valid. The |
| 266 | string is formatted as an ASN1 GENERALIZEDTIME:: |
| 267 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 268 | YYYYMMDDhhmmssZ |
| 269 | YYYYMMDDhhmmss+hhmm |
| 270 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 271 | |
| 272 | If no value exists for this field, :py:data:`None` is returned. |
| 273 | |
| 274 | |
| 275 | .. py:method:: X509.set_notBefore(when) |
| 276 | |
| 277 | Change the time before which the certificate is not valid. *when* is a |
| 278 | string formatted as an ASN1 GENERALIZEDTIME:: |
| 279 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 280 | YYYYMMDDhhmmssZ |
| 281 | YYYYMMDDhhmmss+hhmm |
| 282 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 283 | |
| 284 | |
| 285 | .. py:method:: X509.set_notAfter(when) |
| 286 | |
| 287 | Change the time after which the certificate is not valid. *when* is a |
| 288 | string formatted as an ASN1 GENERALIZEDTIME:: |
| 289 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 290 | YYYYMMDDhhmmssZ |
| 291 | YYYYMMDDhhmmss+hhmm |
| 292 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 293 | |
| 294 | |
| 295 | |
| 296 | .. py:method:: X509.gmtime_adj_notBefore(time) |
| 297 | |
| 298 | Adjust the timestamp (in GMT) when the certificate starts being valid. |
| 299 | |
| 300 | |
| 301 | .. py:method:: X509.gmtime_adj_notAfter(time) |
| 302 | |
| 303 | Adjust the timestamp (in GMT) when the certificate stops being valid. |
| 304 | |
| 305 | |
| 306 | .. py:method:: X509.has_expired() |
| 307 | |
| 308 | Checks the certificate's time stamp against current time. Returns true if the |
| 309 | certificate has expired and false otherwise. |
| 310 | |
| 311 | |
| 312 | .. py:method:: X509.set_issuer(issuer) |
| 313 | |
| 314 | Set the issuer of the certificate to *issuer*. |
| 315 | |
| 316 | |
| 317 | .. py:method:: X509.set_pubkey(pkey) |
| 318 | |
| 319 | Set the public key of the certificate to *pkey*. |
| 320 | |
| 321 | |
| 322 | .. py:method:: X509.set_serial_number(serialno) |
| 323 | |
| 324 | Set the serial number of the certificate to *serialno*. |
| 325 | |
| 326 | |
| 327 | .. py:method:: X509.set_subject(subject) |
| 328 | |
| 329 | Set the subject of the certificate to *subject*. |
| 330 | |
| 331 | |
| 332 | .. py:method:: X509.set_version(version) |
| 333 | |
| 334 | Set the certificate version to *version*. |
| 335 | |
| 336 | |
| 337 | .. py:method:: X509.sign(pkey, digest) |
| 338 | |
| 339 | Sign the certificate, using the key *pkey* and the message digest algorithm |
| 340 | identified by the string *digest*. |
| 341 | |
| 342 | |
| 343 | .. py:method:: X509.subject_name_hash() |
| 344 | |
| 345 | Return the hash of the certificate subject. |
| 346 | |
| 347 | .. py:method:: X509.digest(digest_name) |
| 348 | |
| 349 | Return a digest of the certificate, using the *digest_name* method. |
| 350 | *digest_name* must be a string describing a digest algorithm supported |
| 351 | by OpenSSL (by EVP_get_digestbyname, specifically). For example, |
| 352 | :py:const:`"md5"` or :py:const:`"sha1"`. |
| 353 | |
| 354 | |
| 355 | .. py:method:: X509.add_extensions(extensions) |
| 356 | |
| 357 | Add the extensions in the sequence *extensions* to the certificate. |
| 358 | |
| 359 | |
| 360 | .. py:method:: X509.get_extension_count() |
| 361 | |
| 362 | Return the number of extensions on this certificate. |
| 363 | |
| 364 | .. versionadded:: 0.12 |
| 365 | |
| 366 | |
| 367 | .. py:method:: X509.get_extension(index) |
| 368 | |
| 369 | Retrieve the extension on this certificate at the given index. |
| 370 | |
| 371 | Extensions on a certificate are kept in order. The index parameter selects |
| 372 | which extension will be returned. The returned object will be an |
| 373 | :py:class:`X509Extension` instance. |
| 374 | |
| 375 | .. versionadded:: 0.12 |
| 376 | |
| 377 | |
| 378 | .. _openssl-x509name: |
| 379 | |
| 380 | X509Name objects |
| 381 | ---------------- |
| 382 | |
| 383 | X509Name objects have the following methods: |
| 384 | |
| 385 | .. py:method:: X509Name.hash() |
| 386 | |
| 387 | Return an integer giving the first four bytes of the MD5 digest of the DER |
| 388 | representation of the name. |
| 389 | |
| 390 | |
| 391 | .. py:method:: X509Name.der() |
| 392 | |
| 393 | Return a string giving the DER representation of the name. |
| 394 | |
| 395 | |
| 396 | .. py:method:: X509Name.get_components() |
| 397 | |
| 398 | Return a list of two-tuples of strings giving the components of the name. |
| 399 | |
| 400 | |
| 401 | X509Name objects have the following members: |
| 402 | |
| 403 | .. py:attribute:: X509Name.countryName |
| 404 | |
| 405 | The country of the entity. :py:attr:`C` may be used as an alias for |
| 406 | :py:attr:`countryName`. |
| 407 | |
| 408 | |
| 409 | .. py:attribute:: X509Name.stateOrProvinceName |
| 410 | |
| 411 | The state or province of the entity. :py:attr:`ST` may be used as an alias for |
Jean-Paul Calderone | f1b7030 | 2011-09-11 09:00:00 -0400 | [diff] [blame] | 412 | :py:attr:`stateOrProvinceName`. |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 413 | |
| 414 | |
| 415 | .. py:attribute:: X509Name.localityName |
| 416 | |
| 417 | The locality of the entity. :py:attr:`L` may be used as an alias for |
| 418 | :py:attr:`localityName`. |
| 419 | |
| 420 | |
| 421 | .. py:attribute:: X509Name.organizationName |
| 422 | |
| 423 | The organization name of the entity. :py:attr:`O` may be used as an alias for |
| 424 | :py:attr:`organizationName`. |
| 425 | |
| 426 | |
| 427 | .. py:attribute:: X509Name.organizationalUnitName |
| 428 | |
| 429 | The organizational unit of the entity. :py:attr:`OU` may be used as an alias for |
| 430 | :py:attr:`organizationalUnitName`. |
| 431 | |
| 432 | |
| 433 | .. py:attribute:: X509Name.commonName |
| 434 | |
| 435 | The common name of the entity. :py:attr:`CN` may be used as an alias for |
| 436 | :py:attr:`commonName`. |
| 437 | |
| 438 | |
| 439 | .. py:attribute:: X509Name.emailAddress |
| 440 | |
| 441 | The e-mail address of the entity. |
| 442 | |
| 443 | |
| 444 | .. _openssl-x509req: |
| 445 | |
| 446 | X509Req objects |
| 447 | --------------- |
| 448 | |
| 449 | X509Req objects have the following methods: |
| 450 | |
| 451 | .. py:method:: X509Req.get_pubkey() |
| 452 | |
| 453 | Return a :py:class:`PKey` object representing the public key of the certificate request. |
| 454 | |
| 455 | |
| 456 | .. py:method:: X509Req.get_subject() |
| 457 | |
| 458 | Return an :py:class:`X509Name` object representing the subject of the certificate. |
| 459 | |
| 460 | |
| 461 | .. py:method:: X509Req.set_pubkey(pkey) |
| 462 | |
| 463 | Set the public key of the certificate request to *pkey*. |
| 464 | |
| 465 | |
| 466 | .. py:method:: X509Req.sign(pkey, digest) |
| 467 | |
| 468 | Sign the certificate request, using the key *pkey* and the message digest |
| 469 | algorithm identified by the string *digest*. |
| 470 | |
| 471 | |
| 472 | .. py:method:: X509Req.verify(pkey) |
| 473 | |
| 474 | Verify a certificate request using the public key *pkey*. |
| 475 | |
| 476 | |
| 477 | .. py:method:: X509Req.set_version(version) |
| 478 | |
| 479 | Set the version (RFC 2459, 4.1.2.1) of the certificate request to |
| 480 | *version*. |
| 481 | |
| 482 | |
| 483 | .. py:method:: X509Req.get_version() |
| 484 | |
| 485 | Get the version (RFC 2459, 4.1.2.1) of the certificate request. |
| 486 | |
| 487 | |
Jean-Paul Calderone | 26e07d6 | 2014-03-02 08:08:23 -0500 | [diff] [blame^] | 488 | .. py:method:: X509Req.get_extensions() |
| 489 | |
| 490 | Get extensions to the request. |
| 491 | |
| 492 | .. versionadded:: 0.15 |
| 493 | |
| 494 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 495 | .. _openssl-x509store: |
| 496 | |
| 497 | X509Store objects |
| 498 | ----------------- |
| 499 | |
| 500 | The X509Store object has currently just one method: |
| 501 | |
| 502 | .. py:method:: X509Store.add_cert(cert) |
| 503 | |
| 504 | Add the certificate *cert* to the certificate store. |
| 505 | |
| 506 | |
| 507 | .. _openssl-pkey: |
| 508 | |
| 509 | PKey objects |
| 510 | ------------ |
| 511 | |
| 512 | The PKey object has the following methods: |
| 513 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 514 | .. py:method:: PKey.bits() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 515 | |
| 516 | Return the number of bits of the key. |
| 517 | |
| 518 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 519 | .. py:method:: PKey.generate_key(type, bits) |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 520 | |
| 521 | Generate a public/private key pair of the type *type* (one of |
| 522 | :py:const:`TYPE_RSA` and :py:const:`TYPE_DSA`) with the size *bits*. |
| 523 | |
| 524 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 525 | .. py:method:: PKey.type() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 526 | |
| 527 | Return the type of the key. |
| 528 | |
| 529 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 530 | .. py:method:: PKey.check() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 531 | |
| 532 | Check the consistency of this key, returning True if it is consistent and |
| 533 | raising an exception otherwise. This is only valid for RSA keys. See the |
| 534 | OpenSSL RSA_check_key man page for further limitations. |
| 535 | |
| 536 | |
| 537 | .. _openssl-pkcs7: |
| 538 | |
| 539 | PKCS7 objects |
| 540 | ------------- |
| 541 | |
| 542 | PKCS7 objects have the following methods: |
| 543 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 544 | .. py:method:: PKCS7.type_is_signed() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 545 | |
| 546 | FIXME |
| 547 | |
| 548 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 549 | .. py:method:: PKCS7.type_is_enveloped() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 550 | |
| 551 | FIXME |
| 552 | |
| 553 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 554 | .. py:method:: PKCS7.type_is_signedAndEnveloped() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 555 | |
| 556 | FIXME |
| 557 | |
| 558 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 559 | .. py:method:: PKCS7.type_is_data() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 560 | |
| 561 | FIXME |
| 562 | |
| 563 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 564 | .. py:method:: PKCS7.get_type_name() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 565 | |
| 566 | Get the type name of the PKCS7. |
| 567 | |
| 568 | |
| 569 | .. _openssl-pkcs12: |
| 570 | |
| 571 | PKCS12 objects |
| 572 | -------------- |
| 573 | |
| 574 | PKCS12 objects have the following methods: |
| 575 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 576 | .. py:method:: PKCS12.export([passphrase=None][, iter=2048][, maciter=1]) |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 577 | |
| 578 | Returns a PKCS12 object as a string. |
| 579 | |
| 580 | The optional *passphrase* must be a string not a callback. |
| 581 | |
| 582 | See also the man page for the C function :py:func:`PKCS12_create`. |
| 583 | |
| 584 | |
| 585 | .. py:method:: PKCS12.get_ca_certificates() |
| 586 | |
| 587 | Return CA certificates within the PKCS12 object as a tuple. Returns |
| 588 | :py:const:`None` if no CA certificates are present. |
| 589 | |
| 590 | |
| 591 | .. py:method:: PKCS12.get_certificate() |
| 592 | |
| 593 | Return certificate portion of the PKCS12 structure. |
| 594 | |
| 595 | |
| 596 | .. py:method:: PKCS12.get_friendlyname() |
| 597 | |
| 598 | Return friendlyName portion of the PKCS12 structure. |
| 599 | |
| 600 | |
| 601 | .. py:method:: PKCS12.get_privatekey() |
| 602 | |
| 603 | Return private key portion of the PKCS12 structure |
| 604 | |
| 605 | |
| 606 | .. py:method:: PKCS12.set_ca_certificates(cacerts) |
| 607 | |
| 608 | Replace or set the CA certificates within the PKCS12 object with the sequence *cacerts*. |
| 609 | |
| 610 | Set *cacerts* to :py:const:`None` to remove all CA certificates. |
| 611 | |
| 612 | |
| 613 | .. py:method:: PKCS12.set_certificate(cert) |
| 614 | |
| 615 | Replace or set the certificate portion of the PKCS12 structure. |
| 616 | |
| 617 | |
| 618 | .. py:method:: PKCS12.set_friendlyname(name) |
| 619 | |
| 620 | Replace or set the friendlyName portion of the PKCS12 structure. |
| 621 | |
| 622 | |
| 623 | .. py:method:: PKCS12.set_privatekey(pkey) |
| 624 | |
| 625 | Replace or set private key portion of the PKCS12 structure |
| 626 | |
| 627 | |
| 628 | .. _openssl-509ext: |
| 629 | |
| 630 | X509Extension objects |
| 631 | --------------------- |
| 632 | |
| 633 | X509Extension objects have several methods: |
| 634 | |
| 635 | .. py:method:: X509Extension.get_critical() |
| 636 | |
| 637 | Return the critical field of the extension object. |
| 638 | |
| 639 | |
| 640 | .. py:method:: X509Extension.get_short_name() |
| 641 | |
| 642 | Retrieve the short descriptive name for this extension. |
| 643 | |
| 644 | The result is a byte string like :py:const:`basicConstraints`. |
| 645 | |
| 646 | .. versionadded:: 0.12 |
| 647 | |
| 648 | |
| 649 | .. py:method:: X509Extension.get_data() |
| 650 | |
| 651 | Retrieve the data for this extension. |
| 652 | |
| 653 | The result is the ASN.1 encoded form of the extension data as a byte string. |
| 654 | |
| 655 | .. versionadded:: 0.12 |
| 656 | |
| 657 | |
| 658 | .. _openssl-netscape-spki: |
| 659 | |
| 660 | NetscapeSPKI objects |
| 661 | -------------------- |
| 662 | |
| 663 | NetscapeSPKI objects have the following methods: |
| 664 | |
| 665 | .. py:method:: NetscapeSPKI.b64_encode() |
| 666 | |
| 667 | Return a base64-encoded string representation of the object. |
| 668 | |
| 669 | |
| 670 | .. py:method:: NetscapeSPKI.get_pubkey() |
| 671 | |
| 672 | Return the public key of object. |
| 673 | |
| 674 | |
| 675 | .. py:method:: NetscapeSPKI.set_pubkey(key) |
| 676 | |
| 677 | Set the public key of the object to *key*. |
| 678 | |
| 679 | |
| 680 | .. py:method:: NetscapeSPKI.sign(key, digest_name) |
| 681 | |
| 682 | Sign the NetscapeSPKI object using the given *key* and *digest_name*. |
| 683 | *digest_name* must be a string describing a digest algorithm supported by |
| 684 | OpenSSL (by EVP_get_digestbyname, specifically). For example, |
| 685 | :py:const:`"md5"` or :py:const:`"sha1"`. |
| 686 | |
| 687 | |
| 688 | .. py:method:: NetscapeSPKI.verify(key) |
| 689 | |
| 690 | Verify the NetscapeSPKI object using the given *key*. |
| 691 | |
| 692 | |
| 693 | .. _crl: |
| 694 | |
| 695 | CRL objects |
| 696 | ----------- |
| 697 | |
| 698 | CRL objects have the following methods: |
| 699 | |
| 700 | .. py:method:: CRL.add_revoked(revoked) |
| 701 | |
| 702 | Add a Revoked object to the CRL, by value not reference. |
| 703 | |
| 704 | |
| 705 | .. py:method:: CRL.export(cert, key[, type=FILETYPE_PEM][, days=100]) |
| 706 | |
| 707 | Use *cert* and *key* to sign the CRL and return the CRL as a string. |
| 708 | *days* is the number of days before the next CRL is due. |
| 709 | |
| 710 | |
| 711 | .. py:method:: CRL.get_revoked() |
| 712 | |
| 713 | Return a tuple of Revoked objects, by value not reference. |
| 714 | |
| 715 | |
| 716 | .. _revoked: |
| 717 | |
| 718 | Revoked objects |
| 719 | --------------- |
| 720 | |
| 721 | Revoked objects have the following methods: |
| 722 | |
| 723 | .. py:method:: Revoked.all_reasons() |
| 724 | |
| 725 | Return a list of all supported reasons. |
| 726 | |
| 727 | |
| 728 | .. py:method:: Revoked.get_reason() |
| 729 | |
| 730 | Return the revocation reason as a str. Can be |
| 731 | None, which differs from "Unspecified". |
| 732 | |
| 733 | |
| 734 | .. py:method:: Revoked.get_rev_date() |
| 735 | |
| 736 | Return the revocation date as a str. |
| 737 | The string is formatted as an ASN1 GENERALIZEDTIME. |
| 738 | |
| 739 | |
| 740 | .. py:method:: Revoked.get_serial() |
| 741 | |
| 742 | Return a str containing a hex number of the serial of the revoked certificate. |
| 743 | |
| 744 | |
| 745 | .. py:method:: Revoked.set_reason(reason) |
| 746 | |
| 747 | Set the revocation reason. *reason* must be None or a string, but the |
| 748 | values are limited. Spaces and case are ignored. See |
| 749 | :py:meth:`all_reasons`. |
| 750 | |
| 751 | |
| 752 | .. py:method:: Revoked.set_rev_date(date) |
| 753 | |
| 754 | Set the revocation date. |
| 755 | The string is formatted as an ASN1 GENERALIZEDTIME. |
| 756 | |
| 757 | |
| 758 | .. py:method:: Revoked.set_serial(serial) |
| 759 | |
| 760 | *serial* is a string containing a hex number of the serial of the revoked certificate. |