CertificateChain#

class CertificateChain(**properties: Any)#

Superclasses: Object

Represents a chain of certificates, normally used to validate the trust in a certificate. An X.509 certificate chain has one endpoint certificate (the one for which trust is being verified) and then in turn the certificate that issued each previous certificate in the chain.

This functionality is for building of certificate chains not for validating them. Use your favorite crypto library to validate trust in a certificate chain once its built.

The order of certificates in the chain should be first the endpoint certificates and then the signing certificates.

Create a new certificate chain with new and then add the certificates with add.

You can then use build to build the remainder of the chain. This will lookup missing certificates in PKCS#11 modules and also check that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

Once the certificate chain has been built, you can access its status through get_status. The status signifies whether the chain is anchored on a trust root, self-signed, incomplete etc. See CertificateChainStatus for information on the various statuses.

It’s important to understand that the building of a certificate chain is merely the first step towards verifying trust in a certificate.

Constructors#

class CertificateChain
classmethod new() CertificateChain#

Create a new CertificateChain.

Methods#

class CertificateChain
add(certificate: Certificate) None#

Add certificate to the chain. The order of certificates in the chain are important. The first certificate should be the endpoint certificate, and then come the signers (certificate authorities) each in turn. If a root certificate authority is present, it should come last.

Adding a certificate an already built chain (see build()) resets the type of the certificate chain to UNKNOWN

Parameters:

certificate – a Certificate to add to the chain

build(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None) bool#

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

This operation will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.

The purpose is a string like PURPOSE_CLIENT_AUTH and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.

The peer is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. If None then no pinned certificates will be considered.

If the NO_LOOKUPS flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11

This call will block, see build_async() for the asynchronous version.

Parameters:
  • purpose – the purpose the certificate chain will be used for

  • peer – the peer the certificate chain will be used with, or None

  • flags – chain completion flags

  • cancellable – a Cancellable or None

build_async(purpose: str, peer: str | None, flags: CertificateChainFlags, cancellable: Cancellable | None = None, callback: Callable[[...], None] | None = None, *user_data: Any) None#

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

This will lookup missing certificates in PKCS#11 modules and also that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

It’s important to understand that building of a certificate chain does not constitute verifying that chain. This is merely the first step towards trust verification.

The purpose is a string like PURPOSE_CLIENT_AUTH and is the purpose for which the certificate chain will be used. Trust anchors are looked up for this purpose. This argument is required.

The peer is usually the host name of the peer whith which this certificate chain is being used. It is used to look up pinned certificates that have been stored for this peer. If None then no pinned certificates will be considered.

If the NO_LOOKUPS flag is specified then no lookups for anchors or pinned certificates are done, and the resulting chain will be neither anchored or pinned. Additionally no missing certificate authorities are looked up in PKCS#11

When the operation is finished, callback will be called. You can then call build_finish() to get the result of the operation.

Parameters:
  • purpose – the purpose the certificate chain will be used for

  • peer – the peer the certificate chain will be used with, or None

  • flags – chain completion flags

  • cancellable – a Cancellable or None

  • callback – this will be called when the operation completes.

  • user_data – data to pass to the callback

build_finish(result: AsyncResult) bool#

Finishes an asynchronous operation started by build_async().

Parameters:

result – the AsyncResult passed to the callback

get_anchor() Certificate#

If the certificate chain has been built and is of status ANCHORED, then this will return the anchor certificate that was found. This is not necessarily a root certificate authority. If an intermediate certificate authority in the chain was found to be anchored, then that certificate will be returned.

If an anchor is returned it does not mean that the certificate chain has been verified, but merely that an anchor has been found.

get_certificate(index: int) Certificate#

Get a certificate in the chain. It is an error to call this function with an invalid index.

Parameters:

index – index of the certificate to get

get_endpoint() Certificate#

Get the endpoint certificate in the chain. This is always the first certificate in the chain. The endpoint certificate cannot be anchored.

get_length() int#

Get the length of the certificate chain.

get_status() CertificateChainStatus#

Get the status of a certificate chain. If the certificate chain has not been built, then the status will be UNKNOWN.

A status of ANCHORED does not mean that the certificate chain has been verified, but merely that an anchor has been found.

Properties#

class CertificateChain
props.length: int#

The type of the None singleton.

Fields#

class CertificateChain
parent#
pv#