CertificateChain#
Superclasses: Object
Represents a chain of certificates, normally used to validate the trust in a certificate. An X.509 certificate chain has one endpoint certificate (the one for which trust is being verified) and then in turn the certificate that issued each previous certificate in the chain.
This functionality is for building of certificate chains not for validating them. Use your favorite crypto library to validate trust in a certificate chain once its built.
The order of certificates in the chain should be first the endpoint certificates and then the signing certificates.
Create a new certificate chain with new
and then
add the certificates with add
.
You can then use build
to build the remainder of
the chain. This will lookup missing certificates in PKCS#11 modules and
also check that each certificate in the chain is the signer of the previous
one. If a trust anchor, pinned certificate, or self-signed certificate is
found, then the chain is considered built. Any extra certificates are
removed from the chain.
Once the certificate chain has been built, you can access its status
through get_status
. The status signifies whether
the chain is anchored on a trust root, self-signed, incomplete etc. See
CertificateChainStatus
for information on the various statuses.
It’s important to understand that the building of a certificate chain is merely the first step towards verifying trust in a certificate.
Constructors#
- class CertificateChain
- classmethod new() CertificateChain #
Create a new
CertificateChain
.
Methods#
- class CertificateChain
- add(certificate: Certificate) None #
Add
certificate
to the chain. The order of certificates in the chain are important. The first certificate should be the endpoint certificate, and then come the signers (certificate authorities) each in turn. If a root certificate authority is present, it should come last.Adding a certificate an already built chain (see
build()
) resets the type of the certificate chain toUNKNOWN
- Parameters:
certificate – a
Certificate
to add to the chain
- build(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None) bool #
Complete a certificate chain. Once a certificate chain has been built its status can be examined.
This operation will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.
It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.
The
purpose
is a string likePURPOSE_CLIENT_AUTH
and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.The
peer
is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. IfNone
then no pinned certificates will be considered.If the
NO_LOOKUPS
flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11This call will block, see
build_async()
for the asynchronous version.- Parameters:
purpose – the purpose the certificate chain will be used for
peer – the peer the certificate chain will be used with, or
None
flags – chain completion flags
cancellable – a
Cancellable
orNone
- build_async(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None, callback: Callable[[...], None] | None = None, *user_data: Any) None #
Complete a certificate chain. Once a certificate chain has been built its status can be examined.
This will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.
It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.
The
purpose
is a string likePURPOSE_CLIENT_AUTH
and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.The
peer
is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. IfNone
then no pinned certificates will be considered.If the
NO_LOOKUPS
flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11When the operation is finished,
callback
will be called. You can then callbuild_finish()
to get the result of the operation.- Parameters:
purpose – the purpose the certificate chain will be used for
peer – the peer the certificate chain will be used with, or
None
flags – chain completion flags
cancellable – a
Cancellable
orNone
callback – this will be called when the operation completes.
user_data – data to pass to the callback
- build_finish(result: AsyncResult) bool #
Finishes an asynchronous operation started by
build_async()
.- Parameters:
result – the
AsyncResult
passed to the callback
- get_anchor() Certificate #
If the certificate chain has been built and is of status
ANCHORED
, then this will return the anchor certificate that was found. This is not necessarily a root certificate authority. If an intermediate certificate authority in the chain was found to be anchored, then that certificate will be returned.If an anchor is returned it does not mean that the certificate chain has been verified, but merely that an anchor has been found.
- get_certificate(index: int) Certificate #
Get a certificate in the chain. It is an error to call this function with an invalid index.
- Parameters:
index – index of the certificate to get
- get_endpoint() Certificate #
Get the endpoint certificate in the chain. This is always the first certificate in the chain. The endpoint certificate cannot be anchored.
- get_status() CertificateChainStatus #
Get the status of a certificate chain. If the certificate chain has not been built, then the status will be
UNKNOWN
.A status of
ANCHORED
does not mean that the certificate chain has been verified, but merely that an anchor has been found.