Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 1 | .. _openssl-crypto: |
| 2 | |
| 3 | :py:mod:`crypto` --- Generic cryptographic module |
| 4 | ================================================= |
| 5 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 6 | .. py:module:: OpenSSL.crypto |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 7 | :synopsis: Generic cryptographic module |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 8 | |
| 9 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 10 | .. py:class:: X509() |
| 11 | |
| 12 | A class representing X.509 certificates. |
| 13 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 14 | .. py:class:: X509Req() |
| 15 | |
| 16 | A class representing X.509 certificate requests. |
| 17 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 18 | .. py:class:: NetscapeSPKI([enc]) |
| 19 | |
| 20 | A class representing Netscape SPKI objects. |
| 21 | |
| 22 | If the *enc* argument is present, it should be a base64-encoded string |
| 23 | representing a NetscapeSPKI object, as returned by the :py:meth:`b64_encode` |
| 24 | method. |
| 25 | |
| 26 | |
| 27 | .. py:class:: CRL() |
| 28 | |
| 29 | A class representing Certifcate Revocation List objects. |
| 30 | |
| 31 | |
| 32 | .. py:class:: Revoked() |
| 33 | |
| 34 | A class representing Revocation objects of CRL. |
| 35 | |
| 36 | |
| 37 | .. py:data:: FILETYPE_PEM |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 38 | FILETYPE_ASN1 |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 39 | |
| 40 | File type constants. |
| 41 | |
| 42 | |
| 43 | .. py:data:: TYPE_RSA |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 44 | TYPE_DSA |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 45 | |
| 46 | Key type constants. |
| 47 | |
| 48 | |
| 49 | .. py:exception:: Error |
| 50 | |
| 51 | Generic exception used in the :py:mod:`.crypto` module. |
| 52 | |
| 53 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 54 | .. py:function:: get_elliptic_curves |
| 55 | |
| 56 | Return a set of objects representing the elliptic curves supported in the |
| 57 | OpenSSL build in use. |
| 58 | |
| 59 | The curve objects have a :py:class:`unicode` ``name`` attribute by which |
Jean-Paul Calderone | aaf516d | 2014-04-19 09:10:45 -0400 | [diff] [blame] | 60 | they identify themselves. |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 61 | |
| 62 | The curve objects are useful as values for the argument accepted by |
Jean-Paul Calderone | 3b04e35 | 2014-04-19 09:29:10 -0400 | [diff] [blame] | 63 | :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be |
| 64 | used for ECDHE key exchange. |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 65 | |
| 66 | |
| 67 | .. py:function:: get_elliptic_curve |
| 68 | |
| 69 | Return a single curve object selected by name. |
| 70 | |
| 71 | See :py:func:`get_elliptic_curves` for information about curve objects. |
| 72 | |
| 73 | If the named curve is not supported then :py:class:`ValueError` is raised. |
| 74 | |
| 75 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 76 | .. py:function:: dump_certificate(type, cert) |
| 77 | |
| 78 | Dump the certificate *cert* into a buffer string encoded with the type |
| 79 | *type*. |
| 80 | |
| 81 | |
| 82 | .. py:function:: dump_certificate_request(type, req) |
| 83 | |
| 84 | Dump the certificate request *req* into a buffer string encoded with the |
| 85 | type *type*. |
| 86 | |
| 87 | |
| 88 | .. py:function:: dump_privatekey(type, pkey[, cipher, passphrase]) |
| 89 | |
| 90 | Dump the private key *pkey* into a buffer string encoded with the type |
| 91 | *type*, optionally (if *type* is :py:const:`FILETYPE_PEM`) encrypting it |
| 92 | using *cipher* and *passphrase*. |
| 93 | |
| 94 | *passphrase* must be either a string or a callback for providing the |
| 95 | pass phrase. |
| 96 | |
| 97 | |
| 98 | .. py:function:: load_certificate(type, buffer) |
| 99 | |
| 100 | Load a certificate (X509) from the string *buffer* encoded with the |
| 101 | type *type*. |
| 102 | |
| 103 | |
| 104 | .. py:function:: load_certificate_request(type, buffer) |
| 105 | |
| 106 | Load a certificate request (X509Req) from the string *buffer* encoded with |
| 107 | the type *type*. |
| 108 | |
| 109 | |
| 110 | .. py:function:: load_privatekey(type, buffer[, passphrase]) |
| 111 | |
| 112 | Load a private key (PKey) from the string *buffer* encoded with the type |
| 113 | *type* (must be one of :py:const:`FILETYPE_PEM` and |
| 114 | :py:const:`FILETYPE_ASN1`). |
| 115 | |
| 116 | *passphrase* must be either a string or a callback for providing the pass |
| 117 | phrase. |
| 118 | |
| 119 | |
| 120 | .. py:function:: load_crl(type, buffer) |
| 121 | |
| 122 | Load Certificate Revocation List (CRL) data from a string *buffer*. |
| 123 | *buffer* encoded with the type *type*. The type *type* must either |
| 124 | :py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`). |
| 125 | |
| 126 | |
| 127 | .. py:function:: load_pkcs7_data(type, buffer) |
| 128 | |
| 129 | Load pkcs7 data from the string *buffer* encoded with the type *type*. |
| 130 | |
| 131 | |
| 132 | .. py:function:: load_pkcs12(buffer[, passphrase]) |
| 133 | |
| 134 | Load pkcs12 data from the string *buffer*. If the pkcs12 structure is |
| 135 | encrypted, a *passphrase* must be included. The MAC is always |
| 136 | checked and thus required. |
| 137 | |
| 138 | See also the man page for the C function :py:func:`PKCS12_parse`. |
| 139 | |
| 140 | |
| 141 | .. py:function:: sign(key, data, digest) |
| 142 | |
| 143 | Sign a data string using the given key and message digest. |
| 144 | |
| 145 | *key* is a :py:class:`PKey` instance. *data* is a ``str`` instance. |
| 146 | *digest* is a ``str`` naming a supported message digest type, for example |
| 147 | :py:const:`sha1`. |
| 148 | |
| 149 | .. versionadded:: 0.11 |
| 150 | |
| 151 | |
| 152 | .. py:function:: verify(certificate, signature, data, digest) |
| 153 | |
| 154 | Verify the signature for a data string. |
| 155 | |
| 156 | *certificate* is a :py:class:`X509` instance corresponding to the private |
| 157 | key which generated the signature. *signature* is a *str* instance giving |
| 158 | the signature itself. *data* is a *str* instance giving the data to which |
| 159 | the signature applies. *digest* is a *str* instance naming the message |
| 160 | digest type of the signature, for example :py:const:`sha1`. |
| 161 | |
| 162 | .. versionadded:: 0.11 |
| 163 | |
| 164 | |
| 165 | .. _openssl-x509: |
| 166 | |
| 167 | X509 objects |
| 168 | ------------ |
| 169 | |
| 170 | X509 objects have the following methods: |
| 171 | |
| 172 | .. py:method:: X509.get_issuer() |
| 173 | |
| 174 | Return an X509Name object representing the issuer of the certificate. |
| 175 | |
| 176 | |
| 177 | .. py:method:: X509.get_pubkey() |
| 178 | |
| 179 | Return a :py:class:`PKey` object representing the public key of the certificate. |
| 180 | |
| 181 | |
| 182 | .. py:method:: X509.get_serial_number() |
| 183 | |
| 184 | Return the certificate serial number. |
| 185 | |
| 186 | |
| 187 | .. py:method:: X509.get_signature_algorithm() |
| 188 | |
| 189 | Return the signature algorithm used in the certificate. If the algorithm is |
| 190 | undefined, raise :py:data:`ValueError`. |
| 191 | |
Jean-Paul Calderone | 54cc390 | 2012-09-12 10:49:07 -0400 | [diff] [blame] | 192 | ..versionadded:: 0.13 |
| 193 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 194 | |
| 195 | .. py:method:: X509.get_subject() |
| 196 | |
| 197 | Return an :py:class:`X509Name` object representing the subject of the certificate. |
| 198 | |
| 199 | |
| 200 | .. py:method:: X509.get_version() |
| 201 | |
| 202 | Return the certificate version. |
| 203 | |
| 204 | |
| 205 | .. py:method:: X509.get_notBefore() |
| 206 | |
| 207 | Return a string giving the time before which the certificate is not valid. The |
| 208 | string is formatted as an ASN1 GENERALIZEDTIME:: |
| 209 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 210 | YYYYMMDDhhmmssZ |
| 211 | YYYYMMDDhhmmss+hhmm |
| 212 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 213 | |
| 214 | If no value exists for this field, :py:data:`None` is returned. |
| 215 | |
| 216 | |
| 217 | .. py:method:: X509.get_notAfter() |
| 218 | |
| 219 | Return a string giving the time after which the certificate is not valid. The |
| 220 | string is formatted as an ASN1 GENERALIZEDTIME:: |
| 221 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 222 | YYYYMMDDhhmmssZ |
| 223 | YYYYMMDDhhmmss+hhmm |
| 224 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 225 | |
| 226 | If no value exists for this field, :py:data:`None` is returned. |
| 227 | |
| 228 | |
| 229 | .. py:method:: X509.set_notBefore(when) |
| 230 | |
| 231 | Change the time before which the certificate is not valid. *when* is a |
| 232 | string formatted as an ASN1 GENERALIZEDTIME:: |
| 233 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 234 | YYYYMMDDhhmmssZ |
| 235 | YYYYMMDDhhmmss+hhmm |
| 236 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 237 | |
| 238 | |
| 239 | .. py:method:: X509.set_notAfter(when) |
| 240 | |
| 241 | Change the time after which the certificate is not valid. *when* is a |
| 242 | string formatted as an ASN1 GENERALIZEDTIME:: |
| 243 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 244 | YYYYMMDDhhmmssZ |
| 245 | YYYYMMDDhhmmss+hhmm |
| 246 | YYYYMMDDhhmmss-hhmm |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 247 | |
| 248 | |
| 249 | |
| 250 | .. py:method:: X509.gmtime_adj_notBefore(time) |
| 251 | |
| 252 | Adjust the timestamp (in GMT) when the certificate starts being valid. |
| 253 | |
| 254 | |
| 255 | .. py:method:: X509.gmtime_adj_notAfter(time) |
| 256 | |
| 257 | Adjust the timestamp (in GMT) when the certificate stops being valid. |
| 258 | |
| 259 | |
| 260 | .. py:method:: X509.has_expired() |
| 261 | |
| 262 | Checks the certificate's time stamp against current time. Returns true if the |
| 263 | certificate has expired and false otherwise. |
| 264 | |
| 265 | |
| 266 | .. py:method:: X509.set_issuer(issuer) |
| 267 | |
| 268 | Set the issuer of the certificate to *issuer*. |
| 269 | |
| 270 | |
| 271 | .. py:method:: X509.set_pubkey(pkey) |
| 272 | |
| 273 | Set the public key of the certificate to *pkey*. |
| 274 | |
| 275 | |
| 276 | .. py:method:: X509.set_serial_number(serialno) |
| 277 | |
| 278 | Set the serial number of the certificate to *serialno*. |
| 279 | |
| 280 | |
| 281 | .. py:method:: X509.set_subject(subject) |
| 282 | |
| 283 | Set the subject of the certificate to *subject*. |
| 284 | |
| 285 | |
| 286 | .. py:method:: X509.set_version(version) |
| 287 | |
| 288 | Set the certificate version to *version*. |
| 289 | |
| 290 | |
| 291 | .. py:method:: X509.sign(pkey, digest) |
| 292 | |
| 293 | Sign the certificate, using the key *pkey* and the message digest algorithm |
| 294 | identified by the string *digest*. |
| 295 | |
| 296 | |
| 297 | .. py:method:: X509.subject_name_hash() |
| 298 | |
| 299 | Return the hash of the certificate subject. |
| 300 | |
| 301 | .. py:method:: X509.digest(digest_name) |
| 302 | |
| 303 | Return a digest of the certificate, using the *digest_name* method. |
| 304 | *digest_name* must be a string describing a digest algorithm supported |
| 305 | by OpenSSL (by EVP_get_digestbyname, specifically). For example, |
| 306 | :py:const:`"md5"` or :py:const:`"sha1"`. |
| 307 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 308 | .. py:method:: X509.add_extensions(extensions) |
| 309 | |
| 310 | Add the extensions in the sequence *extensions* to the certificate. |
| 311 | |
| 312 | |
| 313 | .. py:method:: X509.get_extension_count() |
| 314 | |
| 315 | Return the number of extensions on this certificate. |
| 316 | |
| 317 | .. versionadded:: 0.12 |
| 318 | |
| 319 | |
| 320 | .. py:method:: X509.get_extension(index) |
| 321 | |
| 322 | Retrieve the extension on this certificate at the given index. |
| 323 | |
| 324 | Extensions on a certificate are kept in order. The index parameter selects |
| 325 | which extension will be returned. The returned object will be an |
| 326 | :py:class:`X509Extension` instance. |
| 327 | |
| 328 | .. versionadded:: 0.12 |
| 329 | |
| 330 | |
| 331 | .. _openssl-x509name: |
| 332 | |
| 333 | X509Name objects |
| 334 | ---------------- |
| 335 | |
Laurens Van Houtven | 196195b | 2014-06-17 17:06:34 +0200 | [diff] [blame] | 336 | .. autoclass:: X509Name |
| 337 | :members: |
| 338 | :special-members: |
| 339 | :exclude-members: __repr__, __getattr__, __weakref__ |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 340 | |
| 341 | .. _openssl-x509req: |
| 342 | |
| 343 | X509Req objects |
| 344 | --------------- |
| 345 | |
| 346 | X509Req objects have the following methods: |
| 347 | |
| 348 | .. py:method:: X509Req.get_pubkey() |
| 349 | |
| 350 | Return a :py:class:`PKey` object representing the public key of the certificate request. |
| 351 | |
| 352 | |
| 353 | .. py:method:: X509Req.get_subject() |
| 354 | |
| 355 | Return an :py:class:`X509Name` object representing the subject of the certificate. |
| 356 | |
| 357 | |
| 358 | .. py:method:: X509Req.set_pubkey(pkey) |
| 359 | |
| 360 | Set the public key of the certificate request to *pkey*. |
| 361 | |
| 362 | |
| 363 | .. py:method:: X509Req.sign(pkey, digest) |
| 364 | |
| 365 | Sign the certificate request, using the key *pkey* and the message digest |
| 366 | algorithm identified by the string *digest*. |
| 367 | |
| 368 | |
| 369 | .. py:method:: X509Req.verify(pkey) |
| 370 | |
| 371 | Verify a certificate request using the public key *pkey*. |
| 372 | |
| 373 | |
| 374 | .. py:method:: X509Req.set_version(version) |
| 375 | |
| 376 | Set the version (RFC 2459, 4.1.2.1) of the certificate request to |
| 377 | *version*. |
| 378 | |
| 379 | |
| 380 | .. py:method:: X509Req.get_version() |
| 381 | |
| 382 | Get the version (RFC 2459, 4.1.2.1) of the certificate request. |
| 383 | |
| 384 | |
Jean-Paul Calderone | 26e07d6 | 2014-03-02 08:08:23 -0500 | [diff] [blame] | 385 | .. py:method:: X509Req.get_extensions() |
| 386 | |
| 387 | Get extensions to the request. |
| 388 | |
| 389 | .. versionadded:: 0.15 |
| 390 | |
| 391 | |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 392 | .. _openssl-x509store: |
| 393 | |
| 394 | X509Store objects |
| 395 | ----------------- |
| 396 | |
Laurens Van Houtven | 8aeafdd | 2014-06-17 15:33:42 +0200 | [diff] [blame] | 397 | .. autoclass:: X509Store |
| 398 | :members: |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 399 | |
| 400 | .. _openssl-pkey: |
| 401 | |
| 402 | PKey objects |
| 403 | ------------ |
| 404 | |
Laurens Van Houtven | 6e7dd43 | 2014-06-17 16:10:57 +0200 | [diff] [blame] | 405 | .. autoclass:: PKey |
| 406 | :members: |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 407 | |
| 408 | .. _openssl-pkcs7: |
| 409 | |
| 410 | PKCS7 objects |
| 411 | ------------- |
| 412 | |
| 413 | PKCS7 objects have the following methods: |
| 414 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 415 | .. py:method:: PKCS7.type_is_signed() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 416 | |
| 417 | FIXME |
| 418 | |
| 419 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 420 | .. py:method:: PKCS7.type_is_enveloped() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 421 | |
| 422 | FIXME |
| 423 | |
| 424 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 425 | .. py:method:: PKCS7.type_is_signedAndEnveloped() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 426 | |
| 427 | FIXME |
| 428 | |
| 429 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 430 | .. py:method:: PKCS7.type_is_data() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 431 | |
| 432 | FIXME |
| 433 | |
| 434 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 435 | .. py:method:: PKCS7.get_type_name() |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 436 | |
| 437 | Get the type name of the PKCS7. |
| 438 | |
| 439 | |
| 440 | .. _openssl-pkcs12: |
| 441 | |
| 442 | PKCS12 objects |
| 443 | -------------- |
| 444 | |
| 445 | PKCS12 objects have the following methods: |
| 446 | |
Jonathan Ballet | 6381da3 | 2011-07-20 16:43:38 +0900 | [diff] [blame] | 447 | .. py:method:: PKCS12.export([passphrase=None][, iter=2048][, maciter=1]) |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 448 | |
| 449 | Returns a PKCS12 object as a string. |
| 450 | |
| 451 | The optional *passphrase* must be a string not a callback. |
| 452 | |
| 453 | See also the man page for the C function :py:func:`PKCS12_create`. |
| 454 | |
| 455 | |
| 456 | .. py:method:: PKCS12.get_ca_certificates() |
| 457 | |
| 458 | Return CA certificates within the PKCS12 object as a tuple. Returns |
| 459 | :py:const:`None` if no CA certificates are present. |
| 460 | |
| 461 | |
| 462 | .. py:method:: PKCS12.get_certificate() |
| 463 | |
| 464 | Return certificate portion of the PKCS12 structure. |
| 465 | |
| 466 | |
| 467 | .. py:method:: PKCS12.get_friendlyname() |
| 468 | |
| 469 | Return friendlyName portion of the PKCS12 structure. |
| 470 | |
| 471 | |
| 472 | .. py:method:: PKCS12.get_privatekey() |
| 473 | |
| 474 | Return private key portion of the PKCS12 structure |
| 475 | |
| 476 | |
| 477 | .. py:method:: PKCS12.set_ca_certificates(cacerts) |
| 478 | |
| 479 | Replace or set the CA certificates within the PKCS12 object with the sequence *cacerts*. |
| 480 | |
| 481 | Set *cacerts* to :py:const:`None` to remove all CA certificates. |
| 482 | |
| 483 | |
| 484 | .. py:method:: PKCS12.set_certificate(cert) |
| 485 | |
| 486 | Replace or set the certificate portion of the PKCS12 structure. |
| 487 | |
| 488 | |
| 489 | .. py:method:: PKCS12.set_friendlyname(name) |
| 490 | |
| 491 | Replace or set the friendlyName portion of the PKCS12 structure. |
| 492 | |
| 493 | |
| 494 | .. py:method:: PKCS12.set_privatekey(pkey) |
| 495 | |
| 496 | Replace or set private key portion of the PKCS12 structure |
| 497 | |
| 498 | |
| 499 | .. _openssl-509ext: |
| 500 | |
| 501 | X509Extension objects |
| 502 | --------------------- |
| 503 | |
Laurens Van Houtven | 2650de5 | 2014-06-18 13:47:47 +0200 | [diff] [blame^] | 504 | .. autoclass:: X509Extension |
| 505 | :members: |
| 506 | :special-members: |
| 507 | :exclude-members: __weakref__ |
Jonathan Ballet | c9e066c | 2011-07-17 22:56:05 +0900 | [diff] [blame] | 508 | |
| 509 | .. _openssl-netscape-spki: |
| 510 | |
| 511 | NetscapeSPKI objects |
| 512 | -------------------- |
| 513 | |
| 514 | NetscapeSPKI objects have the following methods: |
| 515 | |
| 516 | .. py:method:: NetscapeSPKI.b64_encode() |
| 517 | |
| 518 | Return a base64-encoded string representation of the object. |
| 519 | |
| 520 | |
| 521 | .. py:method:: NetscapeSPKI.get_pubkey() |
| 522 | |
| 523 | Return the public key of object. |
| 524 | |
| 525 | |
| 526 | .. py:method:: NetscapeSPKI.set_pubkey(key) |
| 527 | |
| 528 | Set the public key of the object to *key*. |
| 529 | |
| 530 | |
| 531 | .. py:method:: NetscapeSPKI.sign(key, digest_name) |
| 532 | |
| 533 | Sign the NetscapeSPKI object using the given *key* and *digest_name*. |
| 534 | *digest_name* must be a string describing a digest algorithm supported by |
| 535 | OpenSSL (by EVP_get_digestbyname, specifically). For example, |
| 536 | :py:const:`"md5"` or :py:const:`"sha1"`. |
| 537 | |
| 538 | |
| 539 | .. py:method:: NetscapeSPKI.verify(key) |
| 540 | |
| 541 | Verify the NetscapeSPKI object using the given *key*. |
| 542 | |
| 543 | |
| 544 | .. _crl: |
| 545 | |
| 546 | CRL objects |
| 547 | ----------- |
| 548 | |
| 549 | CRL objects have the following methods: |
| 550 | |
| 551 | .. py:method:: CRL.add_revoked(revoked) |
| 552 | |
| 553 | Add a Revoked object to the CRL, by value not reference. |
| 554 | |
| 555 | |
| 556 | .. py:method:: CRL.export(cert, key[, type=FILETYPE_PEM][, days=100]) |
| 557 | |
| 558 | Use *cert* and *key* to sign the CRL and return the CRL as a string. |
| 559 | *days* is the number of days before the next CRL is due. |
| 560 | |
| 561 | |
| 562 | .. py:method:: CRL.get_revoked() |
| 563 | |
| 564 | Return a tuple of Revoked objects, by value not reference. |
| 565 | |
| 566 | |
| 567 | .. _revoked: |
| 568 | |
| 569 | Revoked objects |
| 570 | --------------- |
| 571 | |
| 572 | Revoked objects have the following methods: |
| 573 | |
| 574 | .. py:method:: Revoked.all_reasons() |
| 575 | |
| 576 | Return a list of all supported reasons. |
| 577 | |
| 578 | |
| 579 | .. py:method:: Revoked.get_reason() |
| 580 | |
| 581 | Return the revocation reason as a str. Can be |
| 582 | None, which differs from "Unspecified". |
| 583 | |
| 584 | |
| 585 | .. py:method:: Revoked.get_rev_date() |
| 586 | |
| 587 | Return the revocation date as a str. |
| 588 | The string is formatted as an ASN1 GENERALIZEDTIME. |
| 589 | |
| 590 | |
| 591 | .. py:method:: Revoked.get_serial() |
| 592 | |
| 593 | Return a str containing a hex number of the serial of the revoked certificate. |
| 594 | |
| 595 | |
| 596 | .. py:method:: Revoked.set_reason(reason) |
| 597 | |
| 598 | Set the revocation reason. *reason* must be None or a string, but the |
| 599 | values are limited. Spaces and case are ignored. See |
| 600 | :py:meth:`all_reasons`. |
| 601 | |
| 602 | |
| 603 | .. py:method:: Revoked.set_rev_date(date) |
| 604 | |
| 605 | Set the revocation date. |
| 606 | The string is formatted as an ASN1 GENERALIZEDTIME. |
| 607 | |
| 608 | |
| 609 | .. py:method:: Revoked.set_serial(serial) |
| 610 | |
| 611 | *serial* is a string containing a hex number of the serial of the revoked certificate. |
Laurens Van Houtven | 13d56ba | 2014-06-17 16:00:26 +0200 | [diff] [blame] | 612 | |
| 613 | Backwards compatible type names |
| 614 | ------------------------------- |
| 615 | |
| 616 | When PyOpenSSL was originally written, the most current version of |
| 617 | Python was 2.1. It made a distinction between classes and types. None |
| 618 | of the versions of Python currently supported by PyOpenSSL still |
| 619 | enforce that distinction: the type of an instance of an |
| 620 | :py:class:`X509` object is now simply :py:class:`X509`. Originally, |
| 621 | the type would have been :py:class:`X509Type`. These days, |
| 622 | :py:class:`X509Type` and :py:class:`X509` are literally the same |
| 623 | object. PyOpenSSL maintains these old names for backwards |
| 624 | compatibility. |
| 625 | |
| 626 | Here's a table of these backwards-compatible names: |
| 627 | |
| 628 | ========================= ============================= |
| 629 | Type name Backwards-compatible name |
| 630 | ========================= ============================= |
| 631 | :py:class:`X509` :py:class:`X509Type` |
| 632 | :py:class:`X509Name` :py:class:`X509NameType` |
| 633 | :py:class:`X509Req` :py:class:`X509ReqType` |
| 634 | :py:class:`X509Store` :py:class:`X509StoreType` |
| 635 | :py:class:`X509Extension` :py:class:`X509ExtensionType` |
| 636 | :py:class:`PKey` :py:class:`PKeyType` |
| 637 | :py:class:`PKCS7` :py:class:`PKCS7Type` |
| 638 | :py:class:`PKCS12` :py:class:`PKCS12Type` |
| 639 | :py:class:`NetscapeSPKI` :py:class:`NetscapeSPKIType` |
| 640 | :py:class:`CRL` :py:class:`CRLType` |
| 641 | ========================= ============================= |
| 642 | |
| 643 | Soem objects, such as py:class`Revoked`, don't have ``Type`` |
| 644 | equivalents, because they were added after the restriction had been |
| 645 | lifted. |