1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
.. _openssl-crypto:
:py:mod:`crypto` --- Generic cryptographic module
=================================================
.. py:module:: OpenSSL.crypto
:synopsis: Generic cryptographic module
Elliptic curves
---------------
.. py:function:: get_elliptic_curves
Return a set of objects representing the elliptic curves supported in the
OpenSSL build in use.
The curve objects have a :py:class:`unicode` ``name`` attribute by which
they identify themselves.
The curve objects are useful as values for the argument accepted by
:py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
used for ECDHE key exchange.
.. py:function:: get_elliptic_curve(name)
Return a single curve object selected by *name*.
See :py:func:`get_elliptic_curves` for information about curve objects.
If the named curve is not supported then :py:class:`ValueError` is raised.
Serialization and deserialization
---------------------------------
The following serialization functions take one of these constants to determine the format.
.. py:data:: FILETYPE_PEM
:data:`FILETYPE_PEM` serializes data to a Base64-encoded encoded representation of the underlying ASN.1 data structure. This representation includes delimiters that define what data structure is contained within the Base64-encoded block: for example, for a certificate, the delimiters are ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----``.
.. py:data:: FILETYPE_ASN1
:data:`FILETYPE_ASN1` serializes data to the underlying ASN.1 data structure. The format used by :data:`FILETYPE_ASN1` is also sometimes referred to as DER.
Certificates
~~~~~~~~~~~~
.. py:function:: dump_certificate(type, cert)
Dump the certificate *cert* into a buffer string encoded with the type
*type*.
.. py:function:: load_certificate(type, buffer)
Load a certificate (X509) from the string *buffer* encoded with the
type *type*.
Certificate signing requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. py:function:: dump_certificate_request(type, req)
Dump the certificate request *req* into a buffer string encoded with the
type *type*.
.. py:function:: load_certificate_request(type, buffer)
Load a certificate request (X509Req) from the string *buffer* encoded with
the type *type*.
Private keys
~~~~~~~~~~~~
.. py:function:: dump_privatekey(type, pkey[, cipher, passphrase])
Dump the private key *pkey* into a buffer string encoded with the type
*type*, optionally (if *type* is :py:const:`FILETYPE_PEM`) encrypting it
using *cipher* and *passphrase*.
*passphrase* must be either a string or a callback for providing the
pass phrase.
.. py:function:: load_privatekey(type, buffer[, passphrase])
Load a private key (PKey) from the string *buffer* encoded with the type
*type* (must be one of :py:const:`FILETYPE_PEM` and
:py:const:`FILETYPE_ASN1`).
*passphrase* must be either a string or a callback for providing the pass
phrase.
Public keys
~~~~~~~~~~~
.. autofunction:: dump_publickey
.. autofunction:: load_publickey
Certificate revocation lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. autofunction:: dump_crl
.. py:function:: load_crl(type, buffer)
Load Certificate Revocation List (CRL) data from a string *buffer*.
*buffer* encoded with the type *type*. The type *type* must either
:py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`).
.. py:function:: load_pkcs7_data(type, buffer)
Load pkcs7 data from the string *buffer* encoded with the type
*type*. The type *type* must either :py:const:`FILETYPE_PEM` or
:py:const:`FILETYPE_ASN1`).
.. py:function:: load_pkcs12(buffer[, passphrase])
Load pkcs12 data from the string *buffer*. If the pkcs12 structure is
encrypted, a *passphrase* must be included. The MAC is always
checked and thus required.
See also the man page for the C function :py:func:`PKCS12_parse`.
Signing and verifying signatures
--------------------------------
.. py:function:: sign(key, data, digest)
Sign a data string using the given key and message digest.
*key* is a :py:class:`PKey` instance. *data* is a ``str`` instance.
*digest* is a ``str`` naming a supported message digest type, for example
:py:const:`sha1`.
.. versionadded:: 0.11
.. py:function:: verify(certificate, signature, data, digest)
Verify the signature for a data string.
*certificate* is a :py:class:`X509` instance corresponding to the private
key which generated the signature. *signature* is a *str* instance giving
the signature itself. *data* is a *str* instance giving the data to which
the signature applies. *digest* is a *str* instance naming the message
digest type of the signature, for example :py:const:`sha1`.
.. versionadded:: 0.11
.. _openssl-x509:
X509 objects
------------
.. autoclass:: X509
:members:
.. _openssl-x509name:
X509Name objects
----------------
.. autoclass:: X509Name
:members:
:special-members:
:exclude-members: __repr__, __getattr__, __weakref__
.. _openssl-x509req:
X509Req objects
---------------
.. autoclass:: X509Req
:members:
:special-members:
:exclude-members: __weakref__
.. _openssl-x509store:
X509Store objects
-----------------
.. autoclass:: X509Store
:members:
.. _openssl-x509storecontexterror:
X509StoreContextError objects
-----------------------------
.. autoclass:: X509StoreContextError
:members:
.. _openssl-x509storecontext:
X509StoreContext objects
------------------------
.. autoclass:: X509StoreContext
:members:
.. _openssl-pkey:
PKey objects
------------
.. autoclass:: PKey
:members:
.. _openssl-pkcs7:
.. py:data:: TYPE_RSA
TYPE_DSA
Key type constants.
PKCS7 objects
-------------
PKCS7 objects have the following methods:
.. py:method:: PKCS7.type_is_signed()
FIXME
.. py:method:: PKCS7.type_is_enveloped()
FIXME
.. py:method:: PKCS7.type_is_signedAndEnveloped()
FIXME
.. py:method:: PKCS7.type_is_data()
FIXME
.. py:method:: PKCS7.get_type_name()
Get the type name of the PKCS7.
.. _openssl-pkcs12:
PKCS12 objects
--------------
.. autoclass:: PKCS12
:members:
.. _openssl-509ext:
X509Extension objects
---------------------
.. autoclass:: X509Extension
:members:
:special-members:
:exclude-members: __weakref__
.. _openssl-netscape-spki:
NetscapeSPKI objects
--------------------
.. autoclass:: NetscapeSPKI
:members:
:special-members:
:exclude-members: __weakref__
.. _crl:
CRL objects
-----------
.. autoclass:: CRL
:members:
:special-members:
:exclude-members: __weakref__
.. _revoked:
Revoked objects
---------------
.. autoclass:: Revoked
:members:
Exceptions
----------
.. py:exception:: Error
Generic exception used in the :py:mod:`.crypto` module.
Digest names
------------
Several of the functions and methods in this module take a digest
name. These must be strings describing a digest algorithm supported by
OpenSSL (by ``EVP_get_digestbyname``, specifically). For example,
:py:const:`b"md5"` or :py:const:`b"sha1"`.
More information and a list of these digest names can be found in the
``EVP_DigestInit(3)`` man page of your OpenSSL installation. This page
can be found online for the latest version of OpenSSL:
https://www.openssl.org/docs/crypto/EVP_DigestInit.html
Backwards compatible type names
-------------------------------
When PyOpenSSL was originally written, the most current version of
Python was 2.1. It made a distinction between classes and types. None
of the versions of Python currently supported by PyOpenSSL still
enforce that distinction: the type of an instance of an
:py:class:`X509` object is now simply :py:class:`X509`. Originally,
the type would have been :py:class:`X509Type`. These days,
:py:class:`X509Type` and :py:class:`X509` are literally the same
object. PyOpenSSL maintains these old names for backwards
compatibility.
Here's a table of these backwards-compatible names:
========================= =============================
Type name Backwards-compatible name
========================= =============================
:py:class:`X509` :py:class:`X509Type`
:py:class:`X509Name` :py:class:`X509NameType`
:py:class:`X509Req` :py:class:`X509ReqType`
:py:class:`X509Store` :py:class:`X509StoreType`
:py:class:`X509Extension` :py:class:`X509ExtensionType`
:py:class:`PKey` :py:class:`PKeyType`
:py:class:`PKCS7` :py:class:`PKCS7Type`
:py:class:`PKCS12` :py:class:`PKCS12Type`
:py:class:`NetscapeSPKI` :py:class:`NetscapeSPKIType`
:py:class:`CRL` :py:class:`CRLType`
========================= =============================
Some objects, such as :py:class`Revoked`, don't have ``Type``
equivalents, because they were added after the restriction had been
lifted.
|
