The cert Module

Geniwrapper uses two crypto libraries: pyOpenSSL and M2Crypto to implement the necessary crypto functionality. Ideally just one of these libraries would be used, but unfortunately each of these libraries is independently lacking. The pyOpenSSL library is missing many necessary functions, and the M2Crypto library has crashed inside of some of the functions. The design decision is to use pyOpenSSL whenever possible as it seems more stable, and only use M2Crypto for those functions that are not possible in pyOpenSSL. This module exports two classes: Keypair and Certificate.

Certificate(create=False, subject=None, string=None, filename=None) (class) [#]

The certificate class implements a general purpose X509 certificate, making use of the appropriate pyOpenSSL or M2Crypto abstractions.

For more information about this class, see The Certificate Class.

Keypair(create=False, string=None, filename=None) (class) [#]

Public-private key pairs are implemented by the Keypair class.

For more information about this class, see The Keypair Class.

The Certificate Class

Certificate(create=False, subject=None, string=None, filename=None) (class) [#]

The certificate class implements a general purpose X509 certificate, making use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds several addition features, such as the ability to maintain a chain of parent certificates, and storage of application-specific data. Certificates include the ability to maintain a chain of parents. Each certificate includes a pointer to it's parent certificate. When loaded from a file or a string, the parent chain will be automatically loaded. When saving a certificate to a file or a string, the caller can choose whether to save the parent certificates as well.

__init__(create=False, subject=None, string=None, filename=None) [#]

Create a certificate object.

create

If create==True, then also create a blank X509 certificate.

subject

If subject!=None, then create a blank certificate and set it's subject name.

string

If string!=None, load the certificate from the string.

filename

If filename!=None, load the certificate from the file.

add_extension(name, critical, value) [#]

Add an X509 extension to the certificate. Add_extension can only be called once for a particular extension name, due to limitations in the underlying library.

name

string containing name of extension

value

string containing value of the extension

create() [#]

Create a blank X509 certificate and store it in this object.

get_data() [#]

Return the data string that was previously set with set_data

get_extension(name) [#]

Get an X509 extension from the certificate

get_issuer(which="CN") [#]

Get the issuer name

get_parent() [#]

Return the certificate object of the parent of this certificate.

get_pubkey() [#]

Get the public key of the certificate. It is returned in the form of a Keypair object.

get_subject(which="CN") [#]

Get the subject name of the certificate

is_pubkey(pkey) [#]

Return True if pkey is identical to the public key that is contained in the certificate.

pkey

Keypair object

is_signed_by_cert(cert) [#]

Given a certificate cert, verify that this certificate was signed by the public key contained in cert. Throw an exception otherwise.

cert

certificate object

load_from_file(filename) [#]

Load the certificate from a file

load_from_pyopenssl_x509(x509) [#]

Given a pyOpenSSL X509 object, store that object inside of this certificate object.

load_from_string(string) [#]

Load the certificate from a string

save_to_file(filename, save_parents=False) [#]

Save the certificate to a file.

save_parents

If save_parents==True, then also save the parent certificates.

save_to_string(save_parents=False) [#]

Save the certificate to a string.

save_parents

If save_parents==True, then also save the parent certificates.

set_data(str) [#]

Set_data is a wrapper around add_extension. It stores the parameter str in the X509 subject_alt_name extension. Set_data can only be called once, due to limitations in the underlying library.

set_issuer(key, subject=None, cert=None) [#]

Sets the issuer private key and name

key

Keypair object containing the private key of the issuer

subject

String containing the name of the issuer

cert

(optional) Certificate object containing the name of the issuer

set_parent(p) [#]

Set the parent certificate.

p

certificate object.

set_pubkey(key) [#]

Get the public key of the certificate.

key

Keypair object containing the public key

set_subject(name) [#]

Set the subject name of the certificate

sign() [#]

Sign the certificate using the issuer private key and issuer subject previous set with set_issuer().

verify(pkey) [#]

Verify the authenticity of a certificate.

pkey

is a Keypair object representing a public key. If Pkey did not sign the certificate, then an exception will be thrown.

verify_chain(trusted_certs=None) [#]

Verification examines a chain of certificates to ensure that each parent signs the child, and that some certificate in the chain is signed by a trusted certificate. Verification is a basic recursion:

    if this_certificate was signed by trusted_certs:
        return
    else
        return verify_chain(parent, trusted_certs)

At each recursion, the parent is tested to ensure that it did sign the child. If a parent did not sign a child, then an exception is thrown. If the bottom of the recursion is reached and the certificate does not match a trusted root, then an exception is thrown.

Trusted_certs

is a list of certificates that are trusted.

The Keypair Class

Keypair(create=False, string=None, filename=None) (class) [#]

Public-private key pairs are implemented by the Keypair class. A Keypair object may represent both a public and private key pair, or it may represent only a public key (this usage is consistent with OpenSSL).

__init__(create=False, string=None, filename=None) [#]

Creates a Keypair object

create

If create==True, creates a new public/private key and stores it in the object

string

If string!=None, load the keypair from the string (PEM)

filename

If filename!=None, load the keypair from the file

as_pem() [#]

Return the private key in PEM format.

create() [#]

Create a RSA public/private key pair and store it inside the keypair object

get_m2_pkey() [#]

Return an OpenSSL pkey object

get_openssl_pkey() [#]

Given another Keypair object, return TRUE if the two keys are the same.

load_from_file(filename) [#]

Load the private key from a file. Implicity the private key includes the public key.

load_from_string(string) [#]

Load the private key from a string. Implicitly the private key includes the public key.

load_pubkey_from_file(filename) [#]

Load the public key from a string. No private key is loaded.

load_pubkey_from_string(string) [#]

Load the public key from a string. No private key is loaded.

save_to_file(filename) [#]

Save the private key to a file

filename

name of file to store the keypair in