CertificateChain

class CertificateChain(**properties: Any)

Superclasses: Object

Represents a chain of certificates, normally used to validate the trust in a certificate. An X.509 certificate chain has one endpoint certificate (the one for which trust is being verified) and then in turn the certificate that issued each previous certificate in the chain.

This functionality is for building of certificate chains not for validating them. Use your favorite crypto library to validate trust in a certificate chain once its built.

The order of certificates in the chain should be first the endpoint certificates and then the signing certificates.

Create a new certificate chain with new and then add the certificates with add.

You can then use build to build the remainder of the chain. This will lookup missing certificates in PKCS#11 modules and also check that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

Once the certificate chain has been built, you can access its status through get_status. The status signifies whether the chain is anchored on a trust root, self-signed, incomplete etc. See CertificateChainStatus for information on the various statuses.

It’s important to understand that the building of a certificate chain is merely the first step towards verifying trust in a certificate.

Constructors

class CertificateChain

classmethod new() → CertificateChain

Create a new CertificateChain.

Methods

class CertificateChain

add(certificate: Certificate) → None

Add certificate to the chain. The order of certificates in the chain are important. The first certificate should be the endpoint certificate, and then come the signers (certificate authorities) each in turn. If a root certificate authority is present, it should come last.

Adding a certificate an already built chain (see build()) resets the type of the certificate chain to UNKNOWN

Parameters:

certificate – a Certificate to add to the chain

build(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None) → bool

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

This operation will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.

The purpose is a string like PURPOSE_CLIENT_AUTH and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.

The peer is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. If None then no pinned certificates will be considered.

If the NO_LOOKUPS flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11

This call will block, see build_async() for the asynchronous version.

Parameters:

• purpose – the purpose the certificate chain will be used for

• peer – the peer the certificate chain will be used with, or None

• flags – chain completion flags

• cancellable – a Cancellable or None

build_async(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None, callback: Callable[[...], None] | None = None, *user_data: Any) → None

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

This will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.

The purpose is a string like PURPOSE_CLIENT_AUTH and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.

The peer is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. If None then no pinned certificates will be considered.

If the NO_LOOKUPS flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11

When the operation is finished, callback will be called. You can then call build_finish() to get the result of the operation.

Parameters:

• purpose – the purpose the certificate chain will be used for

• peer – the peer the certificate chain will be used with, or None

• flags – chain completion flags

• cancellable – a Cancellable or None

• callback – this will be called when the operation completes.

• user_data – data to pass to the callback

build_finish(result: AsyncResult) → bool

Finishes an asynchronous operation started by build_async().

Parameters:

result – the AsyncResult passed to the callback

get_anchor() → Certificate

If the certificate chain has been built and is of status ANCHORED, then this will return the anchor certificate that was found. This is not necessarily a root certificate authority. If an intermediate certificate authority in the chain was found to be anchored, then that certificate will be returned.

If an anchor is returned it does not mean that the certificate chain has been verified, but merely that an anchor has been found.

get_certificate(index: int) → Certificate

Get a certificate in the chain. It is an error to call this function with an invalid index.

Parameters:

index – index of the certificate to get

get_endpoint() → Certificate

Get the endpoint certificate in the chain. This is always the first certificate in the chain. The endpoint certificate cannot be anchored.

get_length() → int

Get the length of the certificate chain.

get_status() → CertificateChainStatus

Get the status of a certificate chain. If the certificate chain has not been built, then the status will be UNKNOWN.

A status of ANCHORED does not mean that the certificate chain has been verified, but merely that an anchor has been found.

Properties

class CertificateChain

props.length: int

The length of the certificate chain.

Fields

class CertificateChain

parent

pv