ciecplib.x509 module

ciecplib.x509.check_cert(cert, hours=1, proxy=None, rfc3820=True)

Validate an X509 certificate

Parameters:

• cert (cryptography.x509.Certificate) – the certificate object to check

• hours (float, optional) – minimum number of hours remaining before expiry

• proxy (bool, None, optional) – if True (False), validate that the certificate is (is not) an impersonation proxy, if None (default) don’t check.

• rfc3820 (bool, optional) – if True assert that, if the certificate is a proxy, that it is RFC 3820 compliant

ciecplib.x509.generate_proxy(cert, key, minhours=168, limited=False, bits=2048)

Generate a proxy certificate based on a certificate.

Parameters:

• cert (cryptography.X509.Certificate) – The certificate object.

• key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – The RSA key object used to sign the original certificate.

• minhours (float) – The minimum lifetime of the proxy certificate. This is bounded by the lifetime of the original certificate.

• limited (bool) – If True, generate a limited proxy.

• bits (int) – The number of bits (size) to use for the private key used to sign the proxy certificate.

Returns:

• proxycert (cryptography.X509.Certificate) – The proxy certificate.

• proxykey (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – The RSA private key used to sign the proxy certificate.

ciecplib.x509.load_cert(path)

Load an X.509 certificate from file containing PEM-encoded data.

Parameters:

path (str, pathlib.Path) – the file path from which to read

Returns:

cert (cryptography.x509.Certificate) – the parsed certificate

ciecplib.x509.load_pkcs12(raw, password)

Load an X.509 certificate and key from a PKCS12 blob.

ciecplib.x509.print_cert_info(x509, path=None, display=None, verbose=True, stream=<_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>)

Print info about an X.509 certificate

Parameters:

• x509 (cryptography.x509.Certificate) – the certificate to parse

• path (str, optional) – the path of the certificate file on disk

• display (list, optional) – list of certificate parameters to display; if given each is displayed in order in plaintext

• verbose (bool, optional) – if True (default) print the full text of the certificate

• stream (file, optional) – the file object to print to, defaults to sys.stdout

ciecplib.x509.time_left(cert)

Returns the number of seconds left on this certificate

If the certificate has expired, 0 is returned.

Parameters:

cert (cryptography.x509.Certificate) – The certificate to inspect.

ciecplib.x509.write_cert(path, cert, key, use_proxy=False, minhours=168)

Write a PKCS12 certificate archive to file in X509 format

Parameters:

• path (str, pathlib.Path) – the desired location of the final X509 file

• pkcs12 (OpenSSL.crypto.PKCS12) – a PKCS12 archive

• use_proxy (bool, optional) – if True, generate an impersonation proxy, otherwise generate a standard end entity credential certificate

• minhours (int, optional) – the minimum duration of the proxy certificate, only used if proxy=True is given