blob: 237c7ae57bc885f8f79899ad3b549c1c0f74d8c6 [file] [log] [blame]
Jonathan Ballet6381da32011-07-20 16:43:38 +09001.. _openssl-crypto:
2
3:py:mod:`crypto` --- Generic cryptographic module
4=================================================
5
Jonathan Balletc9e066c2011-07-17 22:56:05 +09006.. py:module:: OpenSSL.crypto
Jonathan Ballet6381da32011-07-20 16:43:38 +09007 :synopsis: Generic cryptographic module
Jonathan Ballet648875f2011-07-16 14:14:58 +09008
Jonathan Balletc9e066c2011-07-17 22:56:05 +09009.. py:data:: TYPE_RSA
Jonathan Ballet6381da32011-07-20 16:43:38 +090010 TYPE_DSA
Jonathan Balletc9e066c2011-07-17 22:56:05 +090011
12 Key type constants.
13
Jonathan Balletc9e066c2011-07-17 22:56:05 +090014.. py:exception:: Error
15
16 Generic exception used in the :py:mod:`.crypto` module.
17
Laurens Van Houtven07051d32014-06-19 12:00:30 +020018Elliptic curves
19---------------
Jonathan Balletc9e066c2011-07-17 22:56:05 +090020
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040021.. py:function:: get_elliptic_curves
22
23 Return a set of objects representing the elliptic curves supported in the
24 OpenSSL build in use.
25
26 The curve objects have a :py:class:`unicode` ``name`` attribute by which
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -040027 they identify themselves.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040028
29 The curve objects are useful as values for the argument accepted by
Jean-Paul Calderone3b04e352014-04-19 09:29:10 -040030 :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
31 used for ECDHE key exchange.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040032
33
34.. py:function:: get_elliptic_curve
35
36 Return a single curve object selected by name.
37
38 See :py:func:`get_elliptic_curves` for information about curve objects.
39
40 If the named curve is not supported then :py:class:`ValueError` is raised.
41
42
Laurens Van Houtven07051d32014-06-19 12:00:30 +020043Serialization and deserialization
44---------------------------------
45
46The following serialization functions take one of these constants to
47determine the format:
48
49.. py:data:: FILETYPE_PEM
50 FILETYPE_ASN1
51
52Certificates
53~~~~~~~~~~~~
54
Jonathan Balletc9e066c2011-07-17 22:56:05 +090055.. py:function:: dump_certificate(type, cert)
56
57 Dump the certificate *cert* into a buffer string encoded with the type
58 *type*.
59
Laurens Van Houtven07051d32014-06-19 12:00:30 +020060.. py:function:: load_certificate(type, buffer)
61
62 Load a certificate (X509) from the string *buffer* encoded with the
63 type *type*.
64
65Certificate signing requests
66~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jonathan Balletc9e066c2011-07-17 22:56:05 +090067
68.. py:function:: dump_certificate_request(type, req)
69
70 Dump the certificate request *req* into a buffer string encoded with the
71 type *type*.
72
Laurens Van Houtven07051d32014-06-19 12:00:30 +020073.. py:function:: load_certificate_request(type, buffer)
74
75 Load a certificate request (X509Req) from the string *buffer* encoded with
76 the type *type*.
77
78Private keys
79~~~~~~~~~~~~
Jonathan Balletc9e066c2011-07-17 22:56:05 +090080
81.. py:function:: dump_privatekey(type, pkey[, cipher, passphrase])
82
83 Dump the private key *pkey* into a buffer string encoded with the type
84 *type*, optionally (if *type* is :py:const:`FILETYPE_PEM`) encrypting it
85 using *cipher* and *passphrase*.
86
87 *passphrase* must be either a string or a callback for providing the
88 pass phrase.
89
Jonathan Balletc9e066c2011-07-17 22:56:05 +090090.. py:function:: load_privatekey(type, buffer[, passphrase])
91
92 Load a private key (PKey) from the string *buffer* encoded with the type
93 *type* (must be one of :py:const:`FILETYPE_PEM` and
94 :py:const:`FILETYPE_ASN1`).
95
96 *passphrase* must be either a string or a callback for providing the pass
97 phrase.
98
Laurens Van Houtven07051d32014-06-19 12:00:30 +020099Certificate revocation lists
100~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900101
102.. py:function:: load_crl(type, buffer)
103
104 Load Certificate Revocation List (CRL) data from a string *buffer*.
105 *buffer* encoded with the type *type*. The type *type* must either
106 :py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`).
107
108
109.. py:function:: load_pkcs7_data(type, buffer)
110
111 Load pkcs7 data from the string *buffer* encoded with the type *type*.
112
113
114.. py:function:: load_pkcs12(buffer[, passphrase])
115
116 Load pkcs12 data from the string *buffer*. If the pkcs12 structure is
117 encrypted, a *passphrase* must be included. The MAC is always
118 checked and thus required.
119
120 See also the man page for the C function :py:func:`PKCS12_parse`.
121
Laurens Van Houtven07051d32014-06-19 12:00:30 +0200122Signing and verifying signatures
123--------------------------------
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900124
125.. py:function:: sign(key, data, digest)
126
127 Sign a data string using the given key and message digest.
128
129 *key* is a :py:class:`PKey` instance. *data* is a ``str`` instance.
130 *digest* is a ``str`` naming a supported message digest type, for example
131 :py:const:`sha1`.
132
133 .. versionadded:: 0.11
134
135
136.. py:function:: verify(certificate, signature, data, digest)
137
138 Verify the signature for a data string.
139
140 *certificate* is a :py:class:`X509` instance corresponding to the private
141 key which generated the signature. *signature* is a *str* instance giving
142 the signature itself. *data* is a *str* instance giving the data to which
143 the signature applies. *digest* is a *str* instance naming the message
144 digest type of the signature, for example :py:const:`sha1`.
145
146 .. versionadded:: 0.11
147
148
149.. _openssl-x509:
150
151X509 objects
152------------
153
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200154.. autoclass:: X509
155 :members:
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900156
157.. _openssl-x509name:
158
159X509Name objects
160----------------
161
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200162.. autoclass:: X509Name
163 :members:
164 :special-members:
165 :exclude-members: __repr__, __getattr__, __weakref__
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900166
167.. _openssl-x509req:
168
169X509Req objects
170---------------
171
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200172.. autoclass:: X509Req
173 :members:
174 :special-members:
175 :exclude-members: __weakref__
Jean-Paul Calderone26e07d62014-03-02 08:08:23 -0500176
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900177.. _openssl-x509store:
178
179X509Store objects
180-----------------
181
Laurens Van Houtven8aeafdd2014-06-17 15:33:42 +0200182.. autoclass:: X509Store
183 :members:
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900184
185.. _openssl-pkey:
186
187PKey objects
188------------
189
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200190.. autoclass:: PKey
191 :members:
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900192
193.. _openssl-pkcs7:
194
195PKCS7 objects
196-------------
197
198PKCS7 objects have the following methods:
199
Jonathan Ballet6381da32011-07-20 16:43:38 +0900200.. py:method:: PKCS7.type_is_signed()
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900201
202 FIXME
203
Jonathan Ballet6381da32011-07-20 16:43:38 +0900204.. py:method:: PKCS7.type_is_enveloped()
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900205
206 FIXME
207
Jonathan Ballet6381da32011-07-20 16:43:38 +0900208.. py:method:: PKCS7.type_is_signedAndEnveloped()
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900209
210 FIXME
211
Jonathan Ballet6381da32011-07-20 16:43:38 +0900212.. py:method:: PKCS7.type_is_data()
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900213
214 FIXME
215
Jonathan Ballet6381da32011-07-20 16:43:38 +0900216.. py:method:: PKCS7.get_type_name()
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900217
218 Get the type name of the PKCS7.
219
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900220.. _openssl-pkcs12:
221
222PKCS12 objects
223--------------
224
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200225.. autoclass:: PKCS12
226 :members:
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900227
228.. _openssl-509ext:
229
230X509Extension objects
231---------------------
232
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200233.. autoclass:: X509Extension
234 :members:
235 :special-members:
236 :exclude-members: __weakref__
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900237
238.. _openssl-netscape-spki:
239
240NetscapeSPKI objects
241--------------------
242
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200243.. autoclass:: NetscapeSPKI
244 :members:
245 :special-members:
246 :exclude-members: __weakref__
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900247
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900248.. _crl:
249
250CRL objects
251-----------
252
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200253.. autoclass:: CRL
254 :members:
255 :special-members:
256 :exclude-members: __weakref__
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900257
Jonathan Balletc9e066c2011-07-17 22:56:05 +0900258.. _revoked:
259
260Revoked objects
261---------------
262
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200263.. autoclass:: Revoked
264 :members:
Laurens Van Houtven13d56ba2014-06-17 16:00:26 +0200265
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200266Digest names
267------------
268
269Several of the functions and methods in this module take a digest
270name. These must be strings describing a digest algorithm supported by
271OpenSSL (by ``EVP_get_digestbyname``, specifically). For example,
272:py:const:`b"md5"` or :py:const:`b"sha1"`.
273
274More information and a list of these digest names can be found in the
275``EVP_DigestInit(3)`` man page of your OpenSSL installation. This page
276can be found online for the latest version of OpenSSL:
277https://www.openssl.org/docs/crypto/EVP_DigestInit.html
278
Laurens Van Houtven13d56ba2014-06-17 16:00:26 +0200279Backwards compatible type names
280-------------------------------
281
282When PyOpenSSL was originally written, the most current version of
283Python was 2.1. It made a distinction between classes and types. None
284of the versions of Python currently supported by PyOpenSSL still
285enforce that distinction: the type of an instance of an
286:py:class:`X509` object is now simply :py:class:`X509`. Originally,
287the type would have been :py:class:`X509Type`. These days,
288:py:class:`X509Type` and :py:class:`X509` are literally the same
289object. PyOpenSSL maintains these old names for backwards
290compatibility.
291
292Here's a table of these backwards-compatible names:
293
294========================= =============================
295Type name Backwards-compatible name
296========================= =============================
297:py:class:`X509` :py:class:`X509Type`
298:py:class:`X509Name` :py:class:`X509NameType`
299:py:class:`X509Req` :py:class:`X509ReqType`
300:py:class:`X509Store` :py:class:`X509StoreType`
301:py:class:`X509Extension` :py:class:`X509ExtensionType`
302:py:class:`PKey` :py:class:`PKeyType`
303:py:class:`PKCS7` :py:class:`PKCS7Type`
304:py:class:`PKCS12` :py:class:`PKCS12Type`
305:py:class:`NetscapeSPKI` :py:class:`NetscapeSPKIType`
306:py:class:`CRL` :py:class:`CRLType`
307========================= =============================
308
309Soem objects, such as py:class`Revoked`, don't have ``Type``
310equivalents, because they were added after the restriction had been
311lifted.