PKI

class dane_discovery.pki.PKI
classmethod build_public_key_object_from_der(der)

Return a Python cryptography public key object.

classmethod build_x509_object(certificate)

Return a cryptography.x509.Certificate object.

Parameters

certificate (str) – Certificate in PEM or DER format.

Returns

cryptography.x509.Certificate object.

Raises

TLSAError if unable to parse.

classmethod certificate_association_to_der(certificate_association)

Return DER bytes from a TLSA record’s certificate_association.

Parameters

certificate_association (str) – Certificate association information extracted from a TLSA record.

Returns

DER-formatted certificate.

Return type

bytes

classmethod clean_up_certificate(certificate)

This method returns a clean PEM-encoded certificate.

This is useful for removing the human-readable certificate metadata that sometimes ends up in certificates produced by OpenSSL.

classmethod der_to_pem(der_cert)

Return the PEM representation of a TLSA certificate_association.

Parameters

der_cert (str) – A certificate in DER format.

Returns

PEM-formatted certificate.

Return type

bytes

classmethod format_keyid(keyid)

Return dash-delimited string from keyid.

classmethod get_authority_key_id_from_certificate(certificate)

Extract and return the authorityKeyIdentifier from the certificate.

Parameters

certificate (str) – Certificate in PEM or DER format.

classmethod get_cert_meta(cert_der)

Return a dictionary containing certificate metadata.

classmethod get_dnsnames_from_cert(x5_obj)

Return the dnsnames from the certificate’s SAN.

Parameters

x5_obj (cryptography.x509) – Certificate object.

Returns

List of dNSName strings from the certificate SAN.

Return type

list

classmethod get_subject_key_id_from_certificate(certificate)

Return the subjectKeyIdentifier for the certificate.

Parameters

certificate (str) – Certificate in PEM or DER format.

classmethod is_a_ca_certificate(certificate)

Return True if certificate is a CA certificate.

classmethod load_private_key(private_key)

Return a private key.

Wraps cryptography.hazmat.primitives.serialization.load_pem_private_key and returns the appropriate type.

Parameters

private_key (str) – Private key in PEM format.

Returns

Private key object, or None if private_key arg is None.

Raises

ValueError if there's an error loading the key.

classmethod parse_extension(x509_ext)

Return a dictionary representation of the x509 extension.

classmethod serialize_cert(certificate, fmt)

Return certificate bytes in the selected format.

Parameters
  • certificate (cryptography.x509.Certificate) – Certificate to serialize.

  • fmt (str) – DER, PEM, or RPK_DER. RPK_DER is raw public key, DER encoding.

Returns

Serialized certificate.

Return type

bytes

Raises

ValueError if an invalid format was requested.

classmethod validate_certificate_association(certificate)

Return None if the certificate association parses as a certificate or a public key; raise TLSAError otherwise.

Parameters

certificate (str) – Certificate association data from TLSA record.

Returns

None

Raises

TLSAError if parsing fails.

classmethod validate_certificate_chain(entity_certificate, ca_certificates)

Return True if PKI trust chain is established from entity to CA.

This method attempts cryptographic validation of entity_certificate against the list of ca_certificates. It checks only public keys and signatures, independent of any x509v3 extensions (basicConstraints, keyUsage and the like are not consulted).

The validation process completes successfully if a self-signed CA certificate is encountered in ca_certificates, which terminates a cryptographically-validated chain from the entity certificate.

Parameters
  • entity_certificate (str) – Entity certificate to be verified.

  • ca_certificates (list of str) – List of CA certificates for validating entity_certificate.

Returns

(True, None) if certificate validates. (False, str) if certificate does not validate, and str will contain the reason.
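The chain walk described above, as an added example that is not the library's own code: starting from the entity certificate, find a member of ca_certificates whose public key verifies the current certificate's signature, and stop with (True, None) once that signer is self-signed. Names, validity dates and extensions are deliberately ignored, exactly as documented, so the test certificates below (constructed in-line, EC keys) carry no extensions at all; in practice pair this with is_a_ca_certificate so that a leaf key cannot act as an intermediate.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

def verify_signature(cert, issuer):
    # True if issuer's public key verifies cert's signature; names and extensions ignored
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:  # assumed EC otherwise; other key types would need their own branch
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def validate_chain(entity, ca_certificates):
    # Walk from entity toward a self-signed CA; returns (True, None) or (False, reason)
    current, seen = entity, set()
    while True:
        signer = next((ca for ca in ca_certificates if verify_signature(current, ca)), None)
        if signer is None:
            return False, "no CA certificate signed " + current.subject.rfc4514_string()
        if verify_signature(signer, signer):  # self-signed root terminates the chain
            return True, None
        fp = signer.fingerprint(hashes.SHA256())
        if fp in seen:  # cross-signed loop with no root: refuse rather than spin forever
            return False, "loop in ca_certificates"
        seen.add(fp)
        current = signer

def make_cert(cn, issuer_cn, issuer_key, key):
    # Constructed test certificate; deliberately carries no extensions
    start = datetime.datetime(2024, 1, 1)
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

ROOT_KEY, INT_KEY, LEAF_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Test Root", "Test Root", ROOT_KEY, ROOT_KEY)
INTERMEDIATE = make_cert("Test Intermediate", "Test Root", ROOT_KEY, INT_KEY)
LEAF = make_cert("example.com", "Test Intermediate", INT_KEY, LEAF_KEY)
```

Leaving the self-signed root out of ca_certificates fails the walk even though the intermediate's signature on the leaf is good, which is the documented termination rule.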

classmethod verify_certificate_signature(certificate, ca_certificate)

Return True if certificate was signed by ca_certificate.

Parameters
  • certificate (str) – Entity certificate in DER or PEM format.

  • ca_certificate (str) – CA certificate in DER or PEM format.

Returns

True if ca_certificate's public key verifies the signature on certificate.

Return type

bool

classmethod verify_dnsname(dns_name, certificate)

Return True if the first dNSName in the certificate's SAN matches dns_name.