1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
X.509 Verification
==================
.. currentmodule:: cryptography.x509.verification
.. module:: cryptography.x509.verification
Support for X.509 certificate verification, also known as path validation
or chain building.
.. note::
While usable, these APIs should be considered unstable and not yet
subject to our backwards compatibility policy.
Example usage, with `certifi <https://pypi.org/project/certifi/>`_ providing
the root of trust:
.. testsetup::
from cryptography.x509 import load_pem_x509_certificate, load_pem_x509_certificates
from datetime import datetime
peer = load_pem_x509_certificate(b"""
-----BEGIN CERTIFICATE-----
MIIDgTCCAwegAwIBAgISBJUzlK20QGqPf5xI0aoE8OIBMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
MTAeFw0yMzExMjIyMDUyNDBaFw0yNDAyMjAyMDUyMzlaMBoxGDAWBgNVBAMTD2Ny
eXB0b2dyYXBoeS5pbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAh2A0yuOByJ
lxK3ps5vbSOT6ZmvAlflGLn8kEseeodIAockm0ISTb/NGSpu/SY4ITefAOSaulKn
BzDgmqjGRKujggITMIICDzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJu7f03HjjwJ
MU6rfwDBzxySTrs5MB8GA1UdIwQYMBaAFFrz7Sv8NsI3eblSMOpUb89Vyy6sMFUG
CCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2UxLm8ubGVuY3Iub3Jn
MCIGCCsGAQUFBzAChhZodHRwOi8vZTEuaS5sZW5jci5vcmcvMBoGA1UdEQQTMBGC
D2NyeXB0b2dyYXBoeS5pbzATBgNVHSAEDDAKMAgGBmeBDAECATCCAQYGCisGAQQB
1nkCBAIEgfcEgfQA8gB3AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRz
AAABi/kFXv4AAAQDAEgwRgIhAI9uF526YzU/DEfpmWRA28fn9gryrWMUCXQnEejQ
K/trAiEA12ePSql3sGJ/QgXc6ceQB/XAdwzwDB+2CHr6T14vvvUAdwDuzdBk1dsa
zsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYv5BV8kAAAEAwBIMEYCIQD1mqTn
b1hOpZWAUlwVM4EJLYA9HtlOvF70bfrGHpAX4gIhAI8pktDxrUwfTXPuA+eMFPbC
QraG6dMkB+HOmTz+hgKyMAoGCCqGSM49BAMDA2gAMGUCMQC+PwiHciKMaJyRJkGa
KFjT/1ICAUsCm8o5h4Xxm0LoOCJVggaXeamDEYnPWbxGETgCME5TJzLIDuF3z6vX
1SLZDdvHEHLKfOL8/h8KctkjLQ8OJycxwIc+zK+xexVoIuxRhA==
-----END CERTIFICATE-----
"""
)
untrusted_intermediates = load_pem_x509_certificates(b"""
-----BEGIN CERTIFICATE-----
MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL
MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN
MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j
cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c
S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj
+240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB
BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V
yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E
IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG
Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+
Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q
YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/
-----END CERTIFICATE-----
""")
verification_time = datetime.fromisoformat("2024-01-12T00:00:00Z")
.. doctest::
>>> from cryptography.x509 import Certificate, DNSName, load_pem_x509_certificates
>>> from cryptography.x509.verification import PolicyBuilder, Store
>>> import certifi
>>> from datetime import datetime
>>> with open(certifi.where(), "rb") as pems:
... store = Store(load_pem_x509_certificates(pems.read()))
>>> builder = PolicyBuilder().store(store)
>>> builder = builder.time(verification_time)
>>> verifier = builder.build_server_verifier(DNSName("cryptography.io"))
>>> # NOTE: peer and untrusted_intermediates are Certificate and
>>> # list[Certificate] respectively, and should be loaded from the
>>> # application context that needs them verified, such as a
>>> # TLS socket.
>>> chain = verifier.verify(peer, untrusted_intermediates)
.. class:: Store(certs)
.. versionadded:: 42.0.0
A Store is an opaque set of public keys and subject identifiers that are
considered trusted *a priori*. Stores are typically created from the host
OS's root of trust, from a well-known source such as a browser CA bundle,
or from a small set of manually pre-trusted entities.
:param certs: A list of one or more :class:`cryptography.x509.Certificate`
instances.
.. class:: Subject
.. versionadded:: 42.0.0
Type alias: A union of all subject types supported:
:class:`cryptography.x509.general_name.DNSName`,
:class:`cryptography.x509.general_name.IPAddress`.
.. class:: VerifiedClient
.. versionadded:: 43.0.0
.. attribute:: subjects
:type: list of :class:`~cryptography.x509.GeneralName`
The subjects presented in the verified client's Subject Alternative Name
extension.
.. attribute:: chain
:type: A list of :class:`~cryptography.x509.Certificate`, in leaf-first order
The chain of certificates that forms the valid chain to the client
certificate.
.. class:: ClientVerifier
.. versionadded:: 43.0.0
A ClientVerifier verifies client certificates.
It contains and describes various pieces of configurable path
validation logic, such as how deep prospective validation chains may go,
which signature algorithms are allowed, and so forth.
ClientVerifier instances cannot be constructed directly;
:class:`PolicyBuilder` must be used.
.. attribute:: validation_time
:type: :class:`datetime.datetime`
The verifier's validation time.
.. attribute:: max_chain_depth
:type: :class:`int`
The verifier's maximum intermediate CA chain depth.
.. attribute:: store
:type: :class:`Store`
The verifier's trust store.
.. method:: verify(leaf, intermediates)
Performs path validation on ``leaf``, returning a valid path
if one exists. The path is returned in leaf-first order:
the first member is ``leaf``, followed by the intermediates used
(if any), followed by a member of the ``store``.
:param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate
:param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use
:returns:
A new instance of :class:`VerifiedClient`
:raises VerificationError: If a valid chain cannot be constructed
:raises UnsupportedGeneralNameType: If a valid chain exists, but contains an unsupported general name type
.. class:: ServerVerifier
.. versionadded:: 42.0.0
A ServerVerifier verifies server certificates.
It contains and describes various pieces of configurable path
validation logic, such as which subject to expect, how deep prospective
validation chains may go, which signature algorithms are allowed, and
so forth.
ServerVerifier instances cannot be constructed directly;
:class:`PolicyBuilder` must be used.
.. attribute:: subject
:type: :class:`Subject`
The verifier's subject.
.. attribute:: validation_time
:type: :class:`datetime.datetime`
The verifier's validation time.
.. attribute:: max_chain_depth
:type: :class:`int`
The verifier's maximum intermediate CA chain depth.
.. attribute:: store
:type: :class:`Store`
The verifier's trust store.
.. method:: verify(leaf, intermediates)
Performs path validation on ``leaf``, returning a valid path
if one exists. The path is returned in leaf-first order:
the first member is ``leaf``, followed by the intermediates used
(if any), followed by a member of the ``store``.
:param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate
:param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use
:returns: A list containing a valid chain from ``leaf`` to a member of :class:`ServerVerifier.store`.
:raises VerificationError: If a valid chain cannot be constructed
.. class:: VerificationError
.. versionadded:: 42.0.0
The error raised when path validation fails.
.. class:: PolicyBuilder
.. versionadded:: 42.0.0
A PolicyBuilder provides a builder-style interface for constructing a
Verifier.
.. method:: time(new_time)
Sets the verifier's verification time.
If not called explicitly, this is set to :meth:`datetime.datetime.now`
when :meth:`build_server_verifier` or :meth:`build_client_verifier`
is called.
:param new_time: The :class:`datetime.datetime` to use in the verifier
:returns: A new instance of :class:`PolicyBuilder`
.. method:: store(new_store)
Sets the verifier's trust store.
:param new_store: The :class:`Store` to use in the verifier
:returns: A new instance of :class:`PolicyBuilder`
.. method:: max_chain_depth(new_max_chain_depth)
Sets the verifier's maximum chain building depth.
This depth behaves tracks the length of the intermediate CA
chain: a maximum depth of zero means that the leaf must be directly
issued by a member of the store, a depth of one means no more than
one intermediate CA, and so forth. Note that self-issued intermediates
don't count against the chain depth, per RFC 5280.
:param new_max_chain_depth: The maximum depth to allow in the verifier
:returns: A new instance of :class:`PolicyBuilder`
.. method:: build_server_verifier(subject)
Builds a verifier for verifying server certificates.
:param subject: A :class:`Subject` to use in the verifier
:returns: An instance of :class:`ServerVerifier`
.. method:: build_client_verifier()
.. versionadded:: 43.0.0
Builds a verifier for verifying client certificates.
.. warning::
This API is not suitable for website (i.e. server) certificate
verification. You **must** use :meth:`build_server_verifier`
for server verification.
:returns: An instance of :class:`ClientVerifier`
|
