Crypto_util

Crypto utilities.

class acme.crypto_util.Format(*values)

File format to be used when parsing or serializing X.509 structures.

Backwards compatible with the FILETYPE_ASN1 and FILETYPE_PEM constants from pyOpenSSL.

to_cryptography_encoding() Encoding

Converts the Format to the corresponding cryptography Encoding.

acme.crypto_util.make_csr(private_key_pem: bytes, domains: set[str] | list[str] | None = None, must_staple: bool = False, ipaddrs: list[IPv4Address | IPv6Address] | None = None) bytes

Generate a CSR containing domains or IPs as subjectAltNames.

Parameters are ordered this way for backwards compatibility when called using positional arguments.

Parameters:
  • private_key_pem (buffer) – Private key, in PEM PKCS#8 format.

  • domains (list) – List of DNS names to include in subjectAltNames of CSR.

  • must_staple (bool) – Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633).

  • ipaddrs (list) – List of IP addresses (type ipaddress.IPv4Address or ipaddress.IPv6Address) to include in subjectAltNames of CSR.

Returns:

buffer PEM-encoded Certificate Signing Request.

acme.crypto_util.get_names_from_subject_and_extensions(subject: Name, exts: Extensions) list[str]

Gets all DNS SANs as well as the first Common Name from subject.

Parameters:
  • subject (cryptography.x509.Name) – Name of the x509 object, which may include Common Name

  • exts (cryptography.x509.Extensions) – Extensions of the x509 object, which may include SANs

Returns:

List of DNS Subject Alternative Names and first Common Name

Return type:

list of str

acme.crypto_util.get_identifiers_from_x509(subject: Name, exts: Extensions) tuple[list[str], list[str]]

Gets all DNS and/or IP address SANs as well as the first Common Name from subject.

The CN will be first in the list of DNS names, if present.

Parameters:
  • subject (cryptography.x509.Name) – Name of the x509 object, which may include Common Name

  • exts (cryptography.x509.Extensions) – Extensions of the x509 object, which may include SANs

Returns:

Tuple containing DNS names and IP addresses.
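Worked example, added for this page and not acme.crypto_util's own code, of what make_csr and get_identifiers_from_x509 describe: a CSR is built from a PEM PKCS#8 key with DNS and IP subjectAltNames plus the RFC 7633 TLS Feature extension, then parsed and its identifiers recovered with the first Common Name placed in front. It uses the cryptography library directly. The names new_key_pem, build_csr, identifiers_from_x509, has_must_staple and demo are chosen here, the domains and addresses are constructed sample data, and leaving the CSR subject empty is this example's choice rather than something the page states.

```python
"""Added example (not acme.crypto_util's own code): build an ACME-style CSR
with DNS and IP subjectAltNames and OCSP Must-Staple, then recover the
identifiers from the parsed CSR the way get_identifiers_from_x509 describes."""
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def new_key_pem() -> bytes:
    """Fresh P-256 key as unencrypted PEM PKCS#8, the input form make_csr documents."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def build_csr(private_key_pem: bytes, domains=(), ipaddrs=(), must_staple=False) -> bytes:
    """Return a PEM CSR whose subjectAltName lists every domain and IP address.

    The subject is left empty (this example's choice): ACME CAs take the
    requested identifiers from the SAN, so a CN adds nothing.
    """
    sans = [x509.DNSName(d) for d in domains]
    sans += [x509.IPAddress(ip) for ip in ipaddrs]
    if not sans:
        raise ValueError("a CSR needs at least one DNS name or IP address")
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([]))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
    )
    if must_staple:
        # RFC 7633 TLS Feature extension asserting status_request: a server using
        # the resulting cert must staple an OCSP response and clients fail closed
        # without one, so revocation checking cannot be bypassed by blocking OCSP.
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False
        )
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def identifiers_from_x509(subject: x509.Name, exts: x509.Extensions):
    """(dns_names, ip_addresses): the first CN, if any, leads dns_names; IPs as str.

    Reimplementation of the behaviour documented for get_identifiers_from_x509,
    not the library's code.
    """
    cns = subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    dns_names = [cns[0].value] if cns else []
    try:
        san = exts.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return dns_names, []  # no SAN: only the CN (if any) identifies the object
    for name in san.get_values_for_type(x509.DNSName):
        if name not in dns_names:  # a CN repeated in the SAN is listed once
            dns_names.append(name)
    return dns_names, [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]


def has_must_staple(exts: x509.Extensions) -> bool:
    """True when a TLS Feature extension asserts status_request."""
    try:
        features = exts.get_extension_for_class(x509.TLSFeature).value
    except x509.ExtensionNotFound:
        return False
    return x509.TLSFeatureType.status_request in features


def demo() -> dict:
    """Round trip on constructed sample identifiers, plus the CN-first rule."""
    pem = build_csr(
        new_key_pem(),
        domains=["example.com", "www.example.com"],
        ipaddrs=[ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("2001:db8::1")],
        must_staple=True,
    )
    csr = x509.load_pem_x509_csr(pem)
    dns_names, ips = identifiers_from_x509(csr.subject, csr.extensions)
    # Constructed subject whose CN also appears in the SAN: it moves to the front.
    cn_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    return {
        "signature_valid": csr.is_signature_valid,
        "dns_names": dns_names,
        "ips": ips,
        "must_staple": has_must_staple(csr.extensions),
        "cn_first": identifiers_from_x509(cn_subject, csr.extensions)[0],
        "cn_only": identifiers_from_x509(cn_subject, x509.Extensions([])),
    }


if __name__ == "__main__":
    print(demo())
```

The SAN is added non-critical, as acme's own make_csr documentation implies for a normal CSR; a CA validating the request still has to treat every SAN entry, IP addresses included, as an identifier to authorize, which is why the extraction helper returns the IPs separately rather than folding them into the DNS list.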

acme.crypto_util.make_self_signed_cert(private_key: Ed25519PrivateKey | Ed448PrivateKey | RSAPrivateKey | DSAPrivateKey | EllipticCurvePrivateKey, domains: list[str] | None = None, not_before: datetime | None = None, validity: timedelta | None = None, force_san: bool = True, extensions: list[Extension] | None = None, ips: list[IPv4Address | IPv6Address] | None = None) Certificate

Generate a new self-signed certificate.

If more than one domain is provided, all of the domains are put into the subjectAltName X.509 extension and the first domain is set as the subject CN. If only one domain is provided, no subjectAltName extension is used unless force_san is True.

Parameters:
  • private_key – The signing key, one of cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes (an Ed25519, Ed448, RSA, DSA or EC private key object, not PEM bytes).

  • domains (list of str) – DNS names to include in the certificate.

  • not_before (datetime.datetime) – A datetime after which the cert is valid. If no timezone is specified, UTC is assumed.

  • validity (datetime.timedelta) – Duration for which the cert will be valid. Defaults to 1 week.

  • force_san (bool) – Whether to include a subjectAltName extension even when only a single domain is given.

  • extensions (list of x509.Extension[x509.ExtensionType]) – List of additional extensions to include in the cert.

  • ips (list of ipaddress.IPv4Address or ipaddress.IPv6Address) – IP addresses to include in subjectAltName.

Returns:

cryptography.x509.Certificate
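As an added example that is not acme's implementation, the rules described above reproduced with the cryptography library: the first domain becomes the CN, a subjectAltName is emitted only when there is more than one identifier or force_san is set, a naive not_before is read as UTC, validity defaults to one week, and Ed25519/Ed448 keys are signed with algorithm=None because they carry their own hash. make_self_signed, summarize and demo are names chosen here; the example additionally requires at least one domain so the subject (and therefore the self-signed issuer) is never empty, and the keys, names and dates are constructed sample data.

```python
"""Added example (not acme.crypto_util's own code): a self-signed certificate
built with the CN/subjectAltName rules the page states for
make_self_signed_cert, and a summary of what a verifier will see."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_self_signed(key, domains, ips=(), not_before=None, validity=None,
                     force_san=True, extensions=()):
    """Self-signed cert: first domain is the CN; the SAN carries every domain
    and IP when there is more than one identifier or force_san is set.
    At least one domain is required (this example's restriction) so the
    subject, and hence the issuer, is never empty."""
    domains, ips = list(domains), list(ips)
    if not domains:
        raise ValueError("at least one domain is required for the subject CN")
    if not_before is None:
        not_before = datetime.datetime.now(UTC)
    elif not_before.tzinfo is None:
        not_before = not_before.replace(tzinfo=UTC)  # naive input is read as UTC
    if validity is None:
        validity = datetime.timedelta(days=7)
    if validity <= datetime.timedelta(0):
        raise ValueError("validity must be positive")
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domains[0])])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)  # self-signed: the issuer is the subject itself
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + validity)
    )
    sans = [x509.DNSName(d) for d in domains] + [x509.IPAddress(ip) for ip in ips]
    if force_san or len(sans) > 1:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    for ext in extensions:
        builder = builder.add_extension(ext.value, ext.critical)
    # Ed25519/Ed448 have a fixed internal hash and must be signed with algorithm=None.
    edwards = (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)
    return builder.sign(key, None if isinstance(key, edwards) else hashes.SHA256())


def summarize(cert: x509.Certificate) -> dict:
    """CN, SAN contents, self-issued flag and lifetime in seconds."""
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        has_san, san_dns = True, list(san.get_values_for_type(x509.DNSName))
        san_ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    except x509.ExtensionNotFound:
        has_san, san_dns, san_ips = False, [], []
    # cryptography 42+ has tz-aware *_utc properties; older releases only the naive ones.
    if hasattr(cert, "not_valid_before_utc"):
        lifetime = cert.not_valid_after_utc - cert.not_valid_before_utc
    else:
        lifetime = cert.not_valid_after - cert.not_valid_before
    return {
        "cn": cns[0].value if cns else None,
        "has_san": has_san,
        "san_dns": san_dns,
        "san_ips": san_ips,
        "self_issued": cert.issuer == cert.subject,
        "lifetime_seconds": lifetime.total_seconds(),
    }


def demo() -> dict:
    """Constructed inputs: a multi-name EC cert and a single-name Ed25519 cert."""
    start = datetime.datetime(2024, 1, 1)  # naive, so treated as UTC
    multi = make_self_signed(
        ec.generate_private_key(ec.SECP256R1()),
        ["a.example", "b.example"],
        ips=[ipaddress.ip_address("2001:db8::1")],
        not_before=start,
    )
    single = make_self_signed(
        ed25519.Ed25519PrivateKey.generate(),
        ["a.example"],
        not_before=start,
        validity=datetime.timedelta(days=1),
        force_san=False,  # one domain, no force_san: CN only, no SAN extension
    )
    return {"multi": summarize(multi), "single": summarize(single)}


if __name__ == "__main__":
    print(demo())
```

Note that modern TLS clients ignore the CN and match hostnames against the SAN only, so a certificate produced with a single domain and force_san=False will be rejected by browsers; the CN-only form is useful for tests of legacy name handling, not for serving traffic.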

acme.crypto_util.dump_cryptography_chain(chain: list[Certificate], encoding: Literal[Encoding.PEM, Encoding.DER] = Encoding.PEM) bytes

Dump certificate chain into a bundle.

Parameters:

  • chain (list) – List of cryptography.x509.Certificate.

  • encoding (Encoding) – Serialization encoding applied to every certificate in the bundle, Encoding.PEM (default) or Encoding.DER.

Returns:

certificate chain bundle

Return type:

bytes

Deprecated since version 3.2.1.