ciecplib.x509 module

ciecplib.x509.check_cert(cert, hours=1, proxy=None, rfc3820=True)

Validate an X509 certificate

Parameters:
  • cert (cryptography.x509.Certificate) – the certificate object to check

  • hours (float, optional) – minimum number of hours remaining before expiry

  • proxy (bool, None, optional) – if True (False), validate that the certificate is (is not) an impersonation proxy, if None (default) don’t check.

  • rfc3820 (bool, optional) – if True and the certificate is a proxy, assert that it is RFC 3820 compliant

ciecplib.x509.generate_proxy(cert, key, minhours=168, limited=False, bits=2048)

Generate a proxy certificate based on a certificate.

Parameters:
  • cert (cryptography.x509.Certificate) – The certificate object.

  • key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – The RSA key object used to sign the original certificate.

  • minhours (float) – The minimum lifetime of the proxy certificate. This is bounded by the lifetime of the original certificate.

  • limited (bool) – If True, generate a limited proxy.

  • bits (int) – The number of bits (size) to use for the private key used to sign the proxy certificate.

Returns:

ciecplib.x509.load_cert(path)

Load an X.509 certificate from file containing PEM-encoded data.

Parameters:

path (str, pathlib.Path) – the file path from which to read

Returns:

cert (cryptography.x509.Certificate) – the parsed certificate

ciecplib.x509.load_pkcs12(raw, password)

Load an X.509 certificate and key from a PKCS12 blob.

ciecplib.x509.print_cert_info(x509, path=None, display=None, verbose=True, stream=sys.stdout)

Print info about an X.509 certificate

Parameters:
  • x509 (cryptography.x509.Certificate) – the certificate to parse

  • path (str, optional) – the path of the certificate file on disk

  • display (list, optional) – list of certificate parameters to display; if given each is displayed in order in plaintext

  • verbose (bool, optional) – if True (default) print the full text of the certificate

  • stream (file, optional) – the file object to print to, defaults to sys.stdout

ciecplib.x509.time_left(cert)

Returns the number of seconds left on this certificate

If the certificate has expired, 0 is returned.

Parameters:

cert (cryptography.x509.Certificate) – The certificate to inspect.

ciecplib.x509.write_cert(path, cert, key, use_proxy=False, minhours=168)

Write a PKCS12 certificate archive to file in X509 format

Parameters:
  • path (str, pathlib.Path) – the desired location of the final X509 file

  • pkcs12 (OpenSSL.crypto.PKCS12) – a PKCS12 archive

  • use_proxy (bool, optional) – if True, generate an impersonation proxy, otherwise generate a standard end entity credential certificate

  • minhours (int, optional) – the minimum duration of the proxy certificate, only used if use_proxy=True is given