Crypto_util

Crypto utilities.

class acme.crypto_util.Format(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)

File format to be used when parsing or serializing X.509 structures.

Backwards compatible with the FILETYPE_ASN1 and FILETYPE_PEM constants from pyOpenSSL.

to_cryptography_encoding() → Encoding

Converts the Format to the corresponding cryptography Encoding.

class acme.crypto_util.SSLSocket(sock: socket, certs: Mapping[bytes, Tuple[PKey, X509] | Tuple[Ed25519PrivateKey | Ed448PrivateKey | RSAPrivateKey | DSAPrivateKey | EllipticCurvePrivateKey, Certificate]] | None = None, method: int = 7, alpn_selection: Callable[[Connection, List[bytes]], bytes] | None = None, cert_selection: Callable[[Connection], Tuple[PKey, X509] | Tuple[Ed25519PrivateKey | Ed448PrivateKey | RSAPrivateKey | DSAPrivateKey | EllipticCurvePrivateKey, Certificate] | None] | None = None)

SSL wrapper for sockets.

Variables:
  • sock (socket) – Original wrapped socket.

  • certs (dict) – Mapping from domain names (bytes) to OpenSSL.crypto.X509.

  • method – See OpenSSL.SSL.Context for allowed values.

  • alpn_selection – Hook to select negotiated ALPN protocol for connection.

  • cert_selection – Hook to select the certificate for a connection. If given, the certs parameter is ignored and must therefore be empty.

class FakeConnection(connection: Connection)

Fake OpenSSL.SSL.Connection.

acme.crypto_util.probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300, method: int = 7, source_address: Tuple[str, int] = ('', 0), alpn_protocols: Sequence[bytes] | None = None) → Certificate

Probe SNI server for SSL certificate.

Parameters:
  • name (bytes) – Byte string to send as the server name in the client hello message.

  • host (bytes) – Host to connect to.

  • port (int) – Port to connect to.

  • timeout (int) – Timeout in seconds.

  • method – See OpenSSL.SSL.Context for allowed values.

  • source_address (tuple) – Enables multi-path probing (selection of the source interface). See socket.create_connection for more info. Available only in Python 2.7+.

  • alpn_protocols (Sequence of bytes) – Protocols to request using ALPN.

Raises:

acme.errors.Error – In case of any problems.

Returns:

SSL certificate presented by the server.

Return type:

cryptography.x509.Certificate

acme.crypto_util.make_csr(private_key_pem: bytes, domains: Set[str] | List[str] | None = None, must_staple: bool = False, ipaddrs: List[IPv4Address | IPv6Address] | None = None) → bytes

Generate a CSR containing domains or IPs as subjectAltNames.

Parameters are ordered this way for backwards compatibility when called using positional arguments.

Parameters:
  • private_key_pem (buffer) – Private key, in PEM PKCS#8 format.

  • domains (list) – List of DNS names to include in subjectAltNames of CSR.

  • must_staple (bool) – Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633).

  • ipaddrs (list) – List of IP addresses (of type ipaddress.IPv4Address or ipaddress.IPv6Address) to include in the subjectAltNames of the CSR.

Returns:

PEM-encoded Certificate Signing Request.

Return type:

buffer

acme.crypto_util.get_names_from_subject_and_extensions(subject: Name, exts: Extensions) → List[str]

Gets all DNS SAN names as well as the first Common Name from subject.

Parameters:
  • subject (cryptography.x509.Name) – Name of the x509 object, which may include Common Name

  • exts (cryptography.x509.Extensions) – Extensions of the x509 object, which may include SANs

Returns:

List of DNS Subject Alternative Names and first Common Name

Return type:

list of str
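The two functions above are easiest to understand by building the request one produces and reading it back the way the other describes. The block below is an added example, not code from the acme project: it uses the cryptography library directly (assumed installed) to build a CSR of the shape make_csr documents, with DNS and IP subjectAltNames and the TLS Feature (OCSP Must-Staple) extension, then extracts the first Common Name plus all DNS SANs as get_names_from_subject_and_extensions documents. De-duplicating the CN against the SANs is this example's choice.

```python
# Added example (not the acme project's code): what make_csr() builds and what
# get_names_from_subject_and_extensions() reads back, using cryptography directly.
import ipaddress
from typing import List, Optional, Sequence

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr_pem(private_key_pem: bytes, domains: Sequence[str],
                  must_staple: bool = False,
                  ipaddrs: Optional[Sequence[str]] = None) -> bytes:
    """PEM CSR with domains/IPs as SANs; the first domain becomes the subject CN."""
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sans: List[x509.GeneralName] = [x509.DNSName(d) for d in domains]
    sans += [x509.IPAddress(ipaddress.ip_address(ip)) for ip in (ipaddrs or [])]
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domains[0])]))
    builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if must_staple:
        # RFC 7633 TLS Feature extension carrying status_request (OCSP Must-Staple)
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def names_from_csr(csr_pem: bytes) -> List[str]:
    """First Common Name (if any) followed by every DNS SAN, in order, without repeats."""
    csr = x509.load_pem_x509_csr(csr_pem)
    names: List[str] = []
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cn:
        names.append(str(cn[0].value))
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names.extend(san.get_values_for_type(x509.DNSName))  # IP SANs are not names
    except x509.ExtensionNotFound:
        pass
    return list(dict.fromkeys(names))


def has_must_staple(csr_pem: bytes) -> bool:
    """True when the CSR asks for a Must-Staple certificate (RFC 7633)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    try:
        feat = csr.extensions.get_extension_for_class(x509.TLSFeature).value
    except x509.ExtensionNotFound:
        return False
    return x509.TLSFeatureType.status_request in feat


def example_csr() -> bytes:
    # Constructed sample: fresh P-256 key, serialised as PEM PKCS#8 like make_csr expects.
    key = ec.generate_private_key(ec.SECP256R1())
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return build_csr_pem(key_pem, ["example.com", "www.example.com"],
                         must_staple=True, ipaddrs=["192.0.2.10"])
```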

acme.crypto_util.make_self_signed_cert(private_key: Ed25519PrivateKey | Ed448PrivateKey | RSAPrivateKey | DSAPrivateKey | EllipticCurvePrivateKey, domains: List[str] | None = None, not_before: datetime | None = None, validity: timedelta | None = None, force_san: bool = True, extensions: List[Extension] | None = None, ips: List[IPv4Address | IPv6Address] | None = None) → Certificate

Generate a new self-signed certificate.

Parameters:
  • private_key – Private key used to sign the certificate; one of cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes.

  • domains (list of str) – Domains to include in the certificate.

  • not_before (datetime.datetime) – A datetime after which the cert is valid. If no timezone is specified, UTC is assumed.

  • validity (datetime.timedelta) – Duration for which the cert will be valid. Defaults to 1 week.

  • force_san (bool) – Include a subjectAltName extension even when only one domain is provided.

  • extensions (list of x509.Extension[x509.ExtensionType]) – List of additional extensions to include in the cert.

  • ips (list of ipaddress.IPv4Address or ipaddress.IPv6Address) – IP addresses to include in the certificate.

If more than one domain is provided, all of the domains are put into the subjectAltName X.509 extension and the first domain is set as the subject CN. If only one domain is provided, no subjectAltName extension is used unless force_san is True.

acme.crypto_util.dump_cryptography_chain(chain: List[Certificate], encoding: Literal[Encoding.PEM, Encoding.DER] = Encoding.PEM) → bytes

Dump certificate chain into a bundle.

Parameters:
  • chain (list) – List of cryptography.x509.Certificate.

  • encoding – Encoding.PEM or Encoding.DER; defaults to Encoding.PEM.

Returns:

certificate chain bundle

Return type:

bytes

Deprecated since version 3.2.1.