object --+
         |
        Certificate

Certificate(data, certdb=get_default_certdb(), perm=False, nickname=None)
An X509 Certificate object.
The Certificate is initialized from the supplied DER data. The Certificate is added to the NSS temporary database. If perm is True then the Certificate is also permanently written into certdb.
cert_type: integer bitmask of NS_CERT_TYPE_* flags, see nss.cert_type_flags()
der_data: raw certificate DER data as data buffer
email_trust_flags: certificate email trust flags as integer bitmask, or None if not defined
email_trust_str: certificate email trust flags as array of strings, or None if trust is not defined
extensions: certificate extensions as a tuple of CertificateExtension objects
issuer: certificate issuer as a DN object
serial_number: certificate serial number
signature_algorithm: certificate signature algorithm
signed_data: certificate signature as SignedData object
signing_trust_flags: certificate object signing trust flags as integer bitmask, or None if not defined
signing_trust_str: certificate object signing trust flags as array of strings, or None if trust is not defined
ssl_trust_flags: certificate SSL trust flags as integer bitmask, or None if not defined
ssl_trust_str: certificate SSL trust flags as array of strings, or None if trust is not defined
subject: certificate subject as a DN object
subject_common_name: certificate subject
subject_public_key_info: certificate public info as SubjectPublicKeyInfo object
valid_not_after: certificate not valid after this time (floating point value expressed as microseconds since the epoch, midnight January 1st 1970, UTC)
valid_not_after_str: certificate not valid after this time (string value expressed, UTC)
valid_not_before: certificate not valid before this time (floating point value expressed as microseconds since the epoch, midnight January 1st 1970 UTC)
valid_not_before_str: certificate not valid before this time (string value expressed, UTC)
version: certificate version

check_ocsp_status(certdb, time, [user_data1, ...]) -> boolean

Checks the status of a certificate via OCSP. Will only check status for a certificate that has an AIA (Authority Information Access) extension for OCSP or when a "default responder" is specified and enabled. (If there is no AIA extension for OCSP and no default responder in place, the cert is considered to have a good status.) Returns True if an approved OCSP responder knows the cert and returns a non-revoked status for it. Otherwise an error.NSPRError is raised and its error_code property may be one of the following:

Other errors are possible failures in cert verification (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when verifying the signer's cert, or other low-level problems.

check_valid_times(time=now, allow_override=False) --> validity

Checks whether a specified time is within a certificate's validity period. Returns one of:

Returns key exchange type of the keys in an SSL server certificate.

Formats the object into a sequence of lines with indent level information. The return value is a list where each list item is a tuple. The first item in the tuple is an integer representing the indentation level for that line. Any remaining items in the tuple are strings to be output on that line. The output of this function can be formatted into a single string by calling nss.nss.indented_format(), e.g.:

    print(indented_format(obj.format_lines()))

The reason this function returns a tuple as opposed to a single indented string is to support other text formatting systems such as GUIs with indentation controls. See nss.nss.indented_format() for a complete explanation.

Given an oid identifying the extension, try to locate it in the certificate and return it as a generic CertificateExtension object. If the extension is not present, a KeyError is raised. The generic CertificateExtension object is not terribly useful on its own; however, its value property can be used to initialize instances of a class representing the extension, or it may be passed to functions that convert the value into some other usable format. Although one might believe this function should do these conversions for you automatically, there are too many possible variations. Plus, one might simply be interested to know if an extension is present or not. So why perform conversion work that might not be needed or might not be in the format needed? Therefore this function is just one simple element in a larger toolbox. Below are some suggestions on how to convert the generic CertificateExtension object (this list may not be complete).

is_ca_cert(True) -> boolean, cert_type

Returns True if the cert is a CA cert, False otherwise. The function optionally can return a bitmask of NS_CERT_TYPE_* flags if return_cert_type is True. This is the updated cert type after applying logic in the context of deciding if the cert is a CA cert or not.

Hint: the cert_type value can be converted to text with nss.cert_type_flags().

Hint: the unmodified cert type flags can be obtained with the Certificate.cert_type property.

Returns a nickname for the certificate guaranteed to be unique within the current NSS database. The nickname is composed thusly:

Given an integer with trust flags encoded as a bitmask, return a sorted list of their values as specified in the repr_kind. This is a class method.

verify(certdb, check_sig, required_usages, time, [user_data1, ...]) -> valid_usages

Verify a certificate by checking if it's valid and that we trust the issuer.

Returns valid_usages, a bitfield of certificate usages. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages.

Hint: You can obtain a printable representation of the usage flags via cert_usage_flags.

Note: Any time an NSPR or NSS function returns an error in python-nss it raises a NSPRError exception. When an exception is raised the normal return values are discarded because the flow of control continues at the first except block prepared to catch the exception. Normally this is what is desired because the return values would be invalid due to the error. However the certificate verification functions are an exception (no pun intended). An error might be returned indicating the cert failed verification but you may still need access to the returned usage bitmask and the log (if using the log variant). To handle this a special error exception CertVerifyError (derived from NSPRError) is defined which in addition to the normal NSPRError fields will also contain the returned usages and optionally the CertVerifyLog object. If no exception is raised these are returned as normal return values.

A restricted regular expression syntax is used to test if the common name specified in the subject DN of the certificate is a match, returning True if so, False otherwise.

verify_now(certdb, check_sig, required_usages, [user_data1, ...]) -> valid_usages

Verify a certificate by checking if it's valid and that we trust the issuer.

Returns valid_usages, a bitfield of certificate usages. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages.

Hint: You can obtain a printable representation of the usage flags via cert_usage_flags.

Note: See the Certificate.verify documentation for details on how the Certificate verification functions handle errors.

verify_with_log(certdb, check_sig, required_usages, time, [user_data1, ...]) -> valid_usages, log

Verify a certificate by checking if it's valid and that we trust the issuer.

Returns valid_usages, a bitfield of certificate usages and a nss.CertVerifyLog object with diagnostic information detailing the reasons for a validation failure. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages.

Hint: You can obtain a printable representation of the usage flags via cert_usage_flags.

Note: See the Certificate.verify documentation for details on how the Certificate verification functions handle errors.
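
The notes on verify, verify_now and verify_with_log above say that a failed verification raises CertVerifyError while still carrying the computed usages. The following is an added example, not python-nss code, of a fail-closed wrapper around verify_now. The attribute names usages and log, the stand-in exception class and FakeCert are assumptions made so that it runs without python-nss installed.

```python
try:
    from nss.error import CertVerifyError   # real class when python-nss is installed
except ImportError:
    class CertVerifyError(Exception):
        """Stand-in so the example runs without python-nss (constructed)."""
        def __init__(self, error_code, usages=0, log=None):
            super().__init__(error_code)
            self.error_code = error_code     # property named on this page
            self.usages = usages             # assumed attribute name
            self.log = log                   # assumed attribute name


def check_cert(cert, certdb, required_usages, check_sig=True):
    """Return (ok, usages, reason); an error is never treated as success."""
    try:
        valid_usages = cert.verify_now(certdb, check_sig, required_usages)
    except CertVerifyError as e:
        # The usages NSS computed before failing travel on the exception.
        partial = getattr(e, "usages", 0) or 0
        return False, partial, "verify failed, error_code=%s" % e.error_code
    # Defensive check: every required usage bit must be present in the result.
    missing = required_usages & ~valid_usages
    if missing:
        return False, valid_usages, "missing usage bits 0x%x" % missing
    return True, valid_usages, "ok"


class FakeCert:
    """Constructed stand-in for nss.Certificate, for offline runs only."""
    def __init__(self, result=0, exc=None):
        self.result, self.exc = result, exc

    def verify_now(self, certdb, check_sig, required_usages, *user_data):
        if self.exc is not None:
            raise self.exc
        return self.result


if __name__ == "__main__":
    # Constructed usage bitmasks and error code, not real NSS values.
    print(check_cert(FakeCert(result=0x3), None, 0x1))
    print(check_cert(FakeCert(exc=CertVerifyError(-1, usages=0x2)), None, 0x2))
```

With python-nss installed, pass a real Certificate and the database from get_default_certdb() in place of FakeCert and None.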