tlslite.x509 module

Class representing an X.509 certificate.

class tlslite.x509.Credential(valid_time=0, dc_cert_verify_algorithm=None, subject_public_key_info=None, bytes=None)[source]

Bases: object

This class represents a credential.

Variables:
  • valid_time (int) – time after which the delegated credential is no longer valid.

  • dc_cert_verify_algorithm (tuple(int,int)) – the signature algorithm of the credential key pair.

  • subject_public_key_info (bytearray (ASN1_subjectPublicKeyInfo)) – the credential’s public key, DER-encoded.

__init__(valid_time=0, dc_cert_verify_algorithm=None, subject_public_key_info=None, bytes=None)[source]

Create empty credential object.

static marshal(valid_time, dc_cert_verify_algorithm, subject_public_key_info)[source]

Encode the credential raw bytes.

Variables:
  • valid_time (int) – time after which the delegated credential is no longer valid.

  • dc_cert_verify_algorithm (tuple(int,int)) – the signature algorithm of the credential key pair.

  • subject_public_key_info (bytearray (ASN1_subjectPublicKeyInfo)) – the credential’s public key, DER-encoded.

parse_pub_key()[source]

Parse a DER-encoded [X.690] SubjectPublicKeyInfo to extract the public key.

class tlslite.x509.DelegatedCredential(cred=None, algorithm=None, signature=None)[source]

Bases: object

This class represents a delegated credential.

Variables:
  • cred (Credential) – the credential structure

  • algorithm (tuple(int,int)) – The signature algorithm used to create DelegatedCredential.signature.

  • signature (bytearray) – The delegation, a signature that binds the credential to the end-entity certificate’s public key.

__init__(cred=None, algorithm=None, signature=None)[source]

Create empty credential object.

static compute_certificate_dc_sig_context(cert_bytes, cred_bytes, dc_alg)[source]

Reconstructs the certificate signature context over the delegated credential.

parse(parser)[source]

Parse a delegated credential.

verify(certificate_entry, client_hello, cert_verify)[source]

Verify that the delegated credential is valid.

Checks that the delegated credential has not expired, that the algorithms are of a type advertised by the client, and that the verify algorithm matches the scheme in the peer’s message.
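The following is an added example, not code from tlslite-ng: it shows in plain Python what marshal(), compute_certificate_dc_sig_context() and the non-cryptographic part of verify() above have to do with a delegated credential. The wire layout, the 64-byte padding, the context string and the 7-day validity cap are taken from RFC 9345 and are assumed rather than read from the library; the SignatureScheme tuples and the tiny certificate and SubjectPublicKeyInfo blobs in the test are constructed sample values.

```python
import struct

# Constants from RFC 9345 (assumed here; not copied from tlslite-ng's source)
DC_SIG_PAD = b"\x20" * 64                            # 64 bytes of 0x20
DC_SERVER_CONTEXT = b"TLS, server delegated credentials"
MAX_DC_VALIDITY = 7 * 24 * 3600                      # validity cap in seconds


def marshal_credential(valid_time, dc_cert_verify_algorithm, spki):
    """Encode a Credential: uint32 valid_time, uint16 SignatureScheme,
    opaque ASN1_subjectPublicKeyInfo<1..2^24-1> (3-byte length prefix)."""
    if not 1 <= len(spki) <= 0xFFFFFF:
        raise ValueError("SubjectPublicKeyInfo length out of range")
    hash_id, sig_id = dc_cert_verify_algorithm
    return (struct.pack(">I", valid_time) + bytes([hash_id, sig_id])
            + len(spki).to_bytes(3, "big") + bytes(spki))


def dc_sig_context(cert_bytes, cred_bytes, dc_alg):
    """Content signed by the end-entity certificate key: padding, context
    string, a zero byte, the DER certificate, the encoded Credential, then
    the SignatureScheme of the delegation signature."""
    return (DC_SIG_PAD + DC_SERVER_CONTEXT + b"\x00" + bytes(cert_bytes)
            + bytes(cred_bytes) + bytes(dc_alg))


def check_dc_policy(valid_time, cert_not_before, now, dc_alg, cred_alg,
                    client_sig_algs, cert_verify_alg, client_sig_algs_cert=None):
    """Checks a verifier runs before the signature itself. valid_time is
    seconds after the certificate's notBefore (RFC 9345). Returns None when
    every check passes, otherwise a short reason string."""
    if valid_time > MAX_DC_VALIDITY:
        return "validity exceeds 7 days"
    if now > cert_not_before + valid_time:
        return "delegated credential expired"
    # The credential key's scheme must be in the client's signature_algorithms.
    if cred_alg not in client_sig_algs:
        return "credential key scheme not offered by client"
    # The delegation signature's scheme must be in signature_algorithms_cert
    # when the client sent it, else in signature_algorithms.
    if dc_alg not in (client_sig_algs_cert or client_sig_algs):
        return "delegation signature scheme not offered by client"
    if cert_verify_alg != cred_alg:
        return "CertificateVerify scheme does not match credential"
    return None
```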

write()[source]

Serialise object to a DER-encoded string.

class tlslite.x509.X509[source]

Bases: object

This class represents an X.509 certificate.

Variables:
  • bytes (bytearray) – The DER-encoded ASN.1 certificate

  • publicKey (RSAKey) – The subject public key from the certificate.

  • subject (bytearray) – The DER-encoded ASN.1 subject distinguished name.

  • certAlg (str) – algorithm of the public key, “rsa” for RSASSA-PKCS#1 v1.5, “rsa-pss” for RSASSA-PSS, “ecdsa” for ECDSA

__init__()[source]

Create empty certificate object.

getFingerprint()[source]

Get the hex-encoded fingerprint of this certificate.

Return type:

str

Returns:

A hex-encoded fingerprint.

parse(s)[source]

Parse a PEM-encoded X.509 certificate.

Parameters:

s (str) – A PEM-encoded X.509 certificate (i.e. a base64-encoded certificate wrapped with “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” tags).

parseBinary(cert_bytes)[source]

Parse a DER-encoded X.509 certificate.

Parameters:

cert_bytes (str (in Python 2) or bytearray of unsigned bytes) – A DER-encoded X.509 certificate.

writeBytes()[source]

Serialise object to a DER-encoded string.

tlslite.x509.bytes_to_int(bytes, byteorder='big', *, signed=False)

Return the integer represented by the given array of bytes.

bytes

Holds the array of bytes to convert. The argument must either support the buffer protocol or be an iterable object producing bytes. Bytes and bytearray are examples of built-in objects that support the buffer protocol.

byteorder

The byte order used to represent the integer. If byteorder is ‘big’, the most significant byte is at the beginning of the byte array. If byteorder is ‘little’, the most significant byte is at the end of the byte array. To request the native byte order of the host system, use sys.byteorder as the byte order value. Default is to use ‘big’.

signed

Indicates whether two’s complement is used to represent the integer.

tlslite.x509.get_algorithm(alg_identifier)[source]

Retrieve the algorithm from the AlgorithmIdentifier.