PKI
- class dane_discovery.pki.PKI
- classmethod build_public_key_object_from_der(der)
Return a Python cryptography public key object.
- classmethod build_x509_object(certificate)
Return a cryptography.x509.Certificate object.
- Parameters
certificate (str) – Certificate in PEM or DER format.
- Returns
cryptography.x509.Certificate object.
- Raises
TLSAError if unable to parse.
- classmethod certificate_association_to_der(certificate_association)
Return DER bytes from a TLSA record's certificate_association.
- Parameters
certificate_association (str) – Certificate association information extracted from a TLSA record.
- Returns
DER-formatted certificate.
- Return type
bytes
- classmethod clean_up_certificate(certificate)
Return a clean PEM-encoded certificate.
This is useful for removing the human-readable certificate metadata that sometimes ends up in certificates produced by OpenSSL.
- classmethod der_to_pem(der_cert)
Return the PEM representation of a TLSA certificate_association.
- Parameters
der_cert (str) – A certificate in DER format.
- Returns
PEM-formatted certificate.
- Return type
bytes
- classmethod format_keyid(keyid)
Return a dash-delimited string from keyid.
- classmethod get_authority_key_id_from_certificate(certificate)
Extract and return the authorityKeyIdentifier from the certificate.
- Parameters
certificate (str) – Certificate in PEM or DER format.
- classmethod get_cert_meta(cert_der)
Return a dictionary containing certificate metadata.
- classmethod get_dnsnames_from_cert(x5_obj)
Return the dNSNames from the certificate's SAN.
- Parameters
x5_obj (cryptography.x509.Certificate) – Certificate object.
- Returns
dNSNames from the certificate's SAN, one str per entry.
- Return type
list
- classmethod get_subject_key_id_from_certificate(certificate)
Return the subjectKeyIdentifier for the certificate.
- Parameters
certificate (str) – Certificate in PEM or DER format.
- classmethod is_a_ca_certificate(certificate)
Return True if certificate is a CA certificate.
- classmethod load_private_key(private_key)
Return a private key.
Wraps cryptography.hazmat.primitives.serialization.load_pem_private_key and returns the appropriate type.
- Parameters
private_key (str) – Private key in PEM format.
- Returns
Private key object, or None if the private_key arg is None.
- Raises
ValueError if there's an error loading the key.
- classmethod parse_extension(x509_ext)
Return a dictionary representation of the x509 extension.
- classmethod serialize_cert(certificate, fmt)
Return certificate bytes in the selected format.
- Parameters
certificate (cryptography.x509.Certificate) – Certificate to serialize.
fmt (str) – DER, PEM, or RPK_DER. RPK_DER is the raw public key in DER encoding.
- Returns
Serialized certificate.
- Return type
bytes
- Raises
ValueError if an invalid format was requested.
- classmethod validate_certificate_association(certificate)
Raise TLSAError if the certificate association is not a certificate or public key; otherwise return None.
- Parameters
certificate (str) – Certificate association data from a TLSA record.
- Returns
None
- Raises
TLSAError if parsing fails.
- classmethod validate_certificate_chain(entity_certificate, ca_certificates)
Return True if a PKI trust chain is established from the entity certificate to a CA.
This method attempts cryptographic validation of entity_certificate against the list of ca_certificates. It only checks public keys and signatures, independent of any x509v3 extensions. The validation process completes successfully if a self-signed CA certificate is encountered in ca_certificates, which terminates a cryptographically validated chain from the entity certificate.
- Parameters
entity_certificate (str) – Entity certificate to be verified.
ca_certificates (list of str) – List of CA certificates for validating entity_certificate.
- Returns
(True, None) if the certificate validates. (False, str) if the certificate does not validate, where str contains the reason.
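As an added example that is not part of dane_discovery, the signature-only chain walk described above, written against the cryptography library on certificates constructed inline. The chain-walking and certificate-building helpers, their names and the choice of ECDSA P-256 keys are this example's own assumptions, not the project's API.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _signed_by(cert, issuer):
    """True if issuer's public key verifies cert's signature (ECDSA keys assumed)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def validate_certificate_chain(entity_certificate, ca_certificates):
    """Walk from the entity certificate to a self-signed CA using signatures only.
    Returns (True, None) on success or (False, reason); like the documented method
    it ignores x509v3 extensions, and it also ignores validity dates."""
    current, seen = entity_certificate, set()
    while True:
        seen.add(current.fingerprint(hashes.SHA256()))
        issuers = [ca for ca in ca_certificates if _signed_by(current, ca)]
        if not issuers:
            return (False, "no CA certificate signed " + current.subject.rfc4514_string())
        issuer = issuers[0]
        if _signed_by(issuer, issuer):  # a self-signed CA terminates the chain
            return (True, None)
        if issuer.fingerprint(hashes.SHA256()) in seen:
            return (False, "issuer loop without a self-signed CA")
        current = issuer


def _make_cert(common_name, key, issuer_cert=None, issuer_key=None):
    """Constructed sample certificate (self-signed when no issuer is given)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2024, 1, 1)  # already expired: shows dates are not checked
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer_cert.subject if issuer_cert else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=1))
            .sign(issuer_key if issuer_key else key, hashes.SHA256()))


root_key, inter_key, leaf_key, other_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
ROOT = _make_cert("Example Root CA", root_key)
INTERMEDIATE = _make_cert("Example Intermediate CA", inter_key, ROOT, root_key)
LEAF = _make_cert("server.example", leaf_key, INTERMEDIATE, inter_key)
OTHER_ROOT = _make_cert("Unrelated Root CA", other_key)
```

Because only signatures are checked, the deliberately expired sample leaf still validates against [INTERMEDIATE, ROOT] while failing against [INTERMEDIATE] alone (no self-signed terminator) and against [OTHER_ROOT]; validity periods and basicConstraints need a separate check.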
- classmethod verify_certificate_signature(certificate, ca_certificate)
Return True if certificate was signed by ca_certificate.
- Parameters
entity_certificate (str) – Entity certificate in DER or PEM format.
ca_certificate (str) – CA certificate in DER or PEM format.
- Returns
True if the ca_certificate validates the entity_certificate.
- Return type
bool
- classmethod verify_dnsname(dns_name, certificate)
Return True if the first dNSName in the SAN matches.