ciecplib.x509 module
- ciecplib.x509.check_cert(cert, hours=1, proxy=None, rfc3820=True)
  Validate an X.509 certificate.
  - Parameters:
    - cert (cryptography.x509.Certificate) – the certificate object to check
    - hours (float, optional) – minimum number of hours remaining before expiry
    - proxy (bool, None, optional) – if True (False), validate that the certificate is (is not) an impersonation proxy; if None (default) don't check
    - rfc3820 (bool, optional) – if True, assert that, if the certificate is a proxy, it is RFC 3820 compliant
- ciecplib.x509.generate_proxy(cert, key, minhours=168, limited=False, bits=2048)
  Generate a proxy certificate based on a certificate.
  - Parameters:
    - cert (cryptography.x509.Certificate) – the certificate object
    - key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – the RSA key object used to sign the original certificate
    - minhours (float) – the minimum lifetime of the proxy certificate; this is bounded by the lifetime of the original certificate
    - bits (int) – the number of bits (size) to use for the private key used to sign the proxy certificate
  - Returns:
    - proxycert (cryptography.x509.Certificate) – the proxy certificate
    - proxykey (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – the RSA private key used to sign the proxy certificate
- ciecplib.x509.load_cert(path)
  Load an X.509 certificate from a file containing PEM-encoded data.
  - Parameters:
    - path (str, pathlib.Path) – the file path from which to read
  - Returns:
    - cert (cryptography.x509.Certificate) – the parsed certificate
- ciecplib.x509.load_pkcs12(raw, password)
  Load an X.509 certificate and key from a PKCS12 blob.
- ciecplib.x509.print_cert_info(x509, path=None, display=None, verbose=True, stream=sys.stdout)
  Print info about an X.509 certificate.
  - Parameters:
    - x509 (cryptography.x509.Certificate) – the certificate to parse
    - path (str, optional) – the path of the certificate file on disk
    - display (list, optional) – list of certificate parameters to display; if given, each is displayed in order in plaintext
    - verbose (bool, optional) – if True (default) print the full text of the certificate
    - stream (file, optional) – the file object to print to, defaults to sys.stdout
- ciecplib.x509.time_left(cert)
  Returns the number of seconds left on this certificate. If the certificate has expired, 0 is returned.
  - Parameters:
    - cert (cryptography.x509.Certificate) – the certificate to inspect
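An added example (not ciecplib's own code) showing what the time_left and check_cert contracts documented above amount to when implemented directly on cryptography.x509.Certificate objects, together with a constructed self-signed certificate to exercise them. Assumptions of this example: a certificate counts as a proxy when it carries the RFC 3820 proxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14), a failed check raises ValueError, and the rfc3820 argument is not reproduced.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# RFC 3820 proxyCertInfo extension; its presence marks an RFC 3820 proxy certificate
PROXY_CERT_INFO_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")

def _not_after(cert):
    # cryptography >= 42 exposes a tz-aware attribute; older versions only the naive one
    utc = getattr(cert, "not_valid_after_utc", None)
    return utc if utc is not None else cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)

def time_left(cert):
    """Seconds of validity remaining; 0 once the certificate has expired."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return max((_not_after(cert) - now).total_seconds(), 0)

def is_proxy(cert):
    """True if the certificate carries the RFC 3820 proxyCertInfo extension (assumed rule)."""
    try:
        cert.extensions.get_extension_for_oid(PROXY_CERT_INFO_OID)
    except x509.ExtensionNotFound:
        return False
    return True

def check_cert(cert, hours=1, proxy=None):
    """Raise ValueError unless >= hours remain and the proxy expectation (if any) holds."""
    if time_left(cert) < hours * 3600:
        raise ValueError("certificate expires in less than %g hours" % hours)
    if proxy is not None and is_proxy(cert) != proxy:
        raise ValueError("certificate %s a proxy" % ("is" if is_proxy(cert) else "is not"))
    return True

def make_self_signed(hours_valid):
    """Constructed fixture: a self-signed end-entity certificate valid for hours_valid hours."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(hours=hours_valid))
        .sign(key, hashes.SHA256())
    )
```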
- ciecplib.x509.write_cert(path, cert, key, use_proxy=False, minhours=168)
  Write a PKCS12 certificate archive to file in X.509 format.
  - Parameters:
    - path (str, pathlib.Path) – the desired location of the final X.509 file
    - pkcs12 (OpenSSL.crypto.PKCS12) – a PKCS12 archive
    - use_proxy (bool, optional) – if True, generate an impersonation proxy, otherwise generate a standard end entity credential certificate
    - minhours (int, optional) – the minimum duration of the proxy certificate, only used if proxy=True is given