.. _openssl-crypto:

:py:mod:`crypto` --- Generic cryptographic module
=================================================

.. py:module:: OpenSSL.crypto
   :synopsis: Generic cryptographic module

Elliptic curves
---------------

.. py:function:: get_elliptic_curves

   Return a set of objects representing the elliptic curves supported in the
   OpenSSL build in use.

   The curve objects have a :py:class:`unicode` ``name`` attribute by which
   they identify themselves.

   The curve objects are useful as values for the argument accepted by
   :py:meth:`Context.set_tmp_ecdh` to specify which elliptic curve should be
   used for ECDHE key exchange.


.. py:function:: get_elliptic_curve(name)

   Return a single curve object selected by name.

   See :py:func:`get_elliptic_curves` for information about curve objects.

   If the named curve is not supported then :py:class:`ValueError` is raised.


Serialization and deserialization
---------------------------------

The following serialization functions take one of these constants to
determine the format:

.. py:data:: FILETYPE_PEM
             FILETYPE_ASN1

Certificates
~~~~~~~~~~~~

.. py:function:: dump_certificate(type, cert)

   Dump the certificate *cert* into a buffer string encoded with the type
   *type*.

.. py:function:: load_certificate(type, buffer)

   Load a certificate (X509) from the string *buffer* encoded with the
   type *type*.

Certificate signing requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. py:function:: dump_certificate_request(type, req)

   Dump the certificate request *req* into a buffer string encoded with the
   type *type*.

.. py:function:: load_certificate_request(type, buffer)

   Load a certificate request (X509Req) from the string *buffer* encoded with
   the type *type*.

Private keys
~~~~~~~~~~~~

.. py:function:: dump_privatekey(type, pkey[, cipher, passphrase])

   Dump the private key *pkey* into a buffer string encoded with the type
   *type*, optionally (if *type* is :py:const:`FILETYPE_PEM`) encrypting it
   using *cipher* and *passphrase*.

   *passphrase* must be either a string or a callback for providing the
   pass phrase.

.. py:function:: load_privatekey(type, buffer[, passphrase])

   Load a private key (PKey) from the string *buffer* encoded with the type
   *type* (must be one of :py:const:`FILETYPE_PEM` and
   :py:const:`FILETYPE_ASN1`).

   *passphrase* must be either a string or a callback for providing the pass
   phrase.

Certificate revocation lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. py:function:: load_crl(type, buffer)

   Load Certificate Revocation List (CRL) data from the string *buffer*
   encoded with the type *type*. The type *type* must be either
   :py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`.


.. py:function:: load_pkcs7_data(type, buffer)

   Load pkcs7 data from the string *buffer* encoded with the type
   *type*. The type *type* must be either :py:const:`FILETYPE_PEM` or
   :py:const:`FILETYPE_ASN1`.


.. py:function:: load_pkcs12(buffer[, passphrase])

   Load pkcs12 data from the string *buffer*. If the pkcs12 structure is
   encrypted, a *passphrase* must be included. The MAC is always
   checked and thus required.

   See also the man page for the C function :py:func:`PKCS12_parse`.

Signing and verifying signatures
--------------------------------

.. py:function:: sign(key, data, digest)

   Sign a data string using the given key and message digest.

   *key* is a :py:class:`PKey` instance. *data* is a ``str`` instance.
   *digest* is a ``str`` naming a supported message digest type, for example
   :py:const:`sha1`.

   .. versionadded:: 0.11


.. py:function:: verify(certificate, signature, data, digest)

   Verify the signature for a data string.

   *certificate* is a :py:class:`X509` instance corresponding to the private
   key which generated the signature. *signature* is a *str* instance giving
   the signature itself. *data* is a *str* instance giving the data to which
   the signature applies. *digest* is a *str* instance naming the message
   digest type of the signature, for example :py:const:`sha1`.

   .. versionadded:: 0.11


.. _openssl-x509:

X509 objects
------------

.. autoclass:: X509
   :members:

.. _openssl-x509name:

X509Name objects
----------------

.. autoclass:: X509Name
   :members:
   :special-members:
   :exclude-members: __repr__, __getattr__, __weakref__

.. _openssl-x509req:

X509Req objects
---------------

.. autoclass:: X509Req
   :members:
   :special-members:
   :exclude-members: __weakref__

.. _openssl-x509store:

X509Store objects
-----------------

.. autoclass:: X509Store
   :members:

.. _openssl-x509storecontexterror:

X509StoreContextError objects
-----------------------------

.. autoclass:: X509StoreContextError
   :members:

.. _openssl-x509storecontext:

X509StoreContext objects
------------------------

.. autoclass:: X509StoreContext
   :members:
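
Putting the serialization functions above and the X509Store/X509StoreContext classes together, as an added example that is not part of the pyOpenSSL documentation or code base: it generates a self-signed certificate, round-trips its key through a passphrase-encrypted PEM (a wrong passphrase surfaces as the module's ``Error``), round-trips the certificate through DER, and checks it against a trust store. The common name, the cipher name and the passphrase are assumed sample values.

```python
from OpenSSL import crypto


def make_self_signed(common_name, days=365):
    """Generate a 2048-bit RSA PKey and a self-signed X.509 v3 certificate for it."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_version(2)                      # X.509 v3 is encoded as version 2
    cert.set_serial_number(1)                # sample serial; real CAs use random serials
    cert.get_subject().CN = common_name      # X509Name fields are settable attributes
    cert.set_issuer(cert.get_subject())      # self-signed: issuer == subject
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")                 # digest name, see "Digest names" below
    return key, cert


def roundtrip_key(key, passphrase):
    """Encrypt the key to PEM (only FILETYPE_PEM accepts a cipher) and load it back."""
    pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key, "aes-256-cbc", passphrase)
    return pem, crypto.load_privatekey(crypto.FILETYPE_PEM, pem, passphrase)


def wrong_passphrase_rejected(pem, passphrase):
    """True if loading the encrypted PEM with this passphrase fails with crypto.Error."""
    try:
        crypto.load_privatekey(crypto.FILETYPE_PEM, pem, passphrase)
    except crypto.Error:
        return True
    return False


def roundtrip_cert(cert):
    """Serialize to DER (FILETYPE_ASN1) and parse it back into a fresh X509 object."""
    der = crypto.dump_certificate(crypto.FILETYPE_ASN1, cert)
    return crypto.load_certificate(crypto.FILETYPE_ASN1, der)


def is_trusted(cert, trust_anchors):
    """Verify *cert* against an X509Store built from *trust_anchors*."""
    store = crypto.X509Store()
    for anchor in trust_anchors:
        store.add_cert(anchor)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
    except crypto.X509StoreContextError:
        return False                         # e.g. a self-signed cert that is not in the store
    return True
```

Note that ``dump_certificate``/``load_certificate`` only prove that the bytes parse; it is ``X509StoreContext.verify_certificate`` that checks the signature, validity period and chain, so the trust-store step is the one not to skip.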

.. _openssl-pkey:

PKey objects
------------

.. autoclass:: PKey
   :members:

.. py:data:: TYPE_RSA
             TYPE_DSA

   Key type constants.

.. _openssl-pkcs7:

PKCS7 objects
-------------

PKCS7 objects have the following methods:

.. py:method:: PKCS7.type_is_signed()

   FIXME

.. py:method:: PKCS7.type_is_enveloped()

   FIXME

.. py:method:: PKCS7.type_is_signedAndEnveloped()

   FIXME

.. py:method:: PKCS7.type_is_data()

   FIXME

.. py:method:: PKCS7.get_type_name()

   Get the type name of the PKCS7.

.. _openssl-pkcs12:

PKCS12 objects
--------------

.. autoclass:: PKCS12
   :members:

.. _openssl-509ext:

X509Extension objects
---------------------

.. autoclass:: X509Extension
   :members:
   :special-members:
   :exclude-members: __weakref__

.. _openssl-netscape-spki:

NetscapeSPKI objects
--------------------

.. autoclass:: NetscapeSPKI
   :members:
   :special-members:
   :exclude-members: __weakref__

.. _crl:

CRL objects
-----------

.. autoclass:: CRL
   :members:
   :special-members:
   :exclude-members: __weakref__

.. _revoked:

Revoked objects
---------------

.. autoclass:: Revoked
   :members:

Exceptions
----------

.. py:exception:: Error

   Generic exception used in the :py:mod:`.crypto` module.

Digest names
------------

Several of the functions and methods in this module take a digest
name. These must be strings describing a digest algorithm supported by
OpenSSL (by ``EVP_get_digestbyname``, specifically). For example,
:py:const:`b"md5"` or :py:const:`b"sha1"`.

More information and a list of these digest names can be found in the
``EVP_DigestInit(3)`` man page of your OpenSSL installation. This page
can be found online for the latest version of OpenSSL:
https://www.openssl.org/docs/crypto/EVP_DigestInit.html

Backwards compatible type names
-------------------------------

When PyOpenSSL was originally written, the most current version of
Python was 2.1. It made a distinction between classes and types. None
of the versions of Python currently supported by PyOpenSSL still
enforce that distinction: the type of an instance of an
:py:class:`X509` object is now simply :py:class:`X509`. Originally,
the type would have been :py:class:`X509Type`. These days,
:py:class:`X509Type` and :py:class:`X509` are literally the same
object. PyOpenSSL maintains these old names for backwards
compatibility.

Here's a table of these backwards-compatible names:

========================= =============================
Type name                 Backwards-compatible name
========================= =============================
:py:class:`X509`          :py:class:`X509Type`
:py:class:`X509Name`      :py:class:`X509NameType`
:py:class:`X509Req`       :py:class:`X509ReqType`
:py:class:`X509Store`     :py:class:`X509StoreType`
:py:class:`X509Extension` :py:class:`X509ExtensionType`
:py:class:`PKey`          :py:class:`PKeyType`
:py:class:`PKCS7`         :py:class:`PKCS7Type`
:py:class:`PKCS12`        :py:class:`PKCS12Type`
:py:class:`NetscapeSPKI`  :py:class:`NetscapeSPKIType`
:py:class:`CRL`           :py:class:`CRLType`
========================= =============================

Some objects, such as :py:class:`Revoked`, don't have ``Type``
equivalents, because they were added after the restriction had been
lifted.