certbot.crypto_util module
Certbot client crypto utility functions.
- certbot.crypto_util.generate_key(key_size: int, key_dir: str | None, key_type: str = 'rsa', elliptic_curve: str = 'secp256r1', keyname: str = 'key-certbot.pem', strict_permissions: bool = True) → Key
Initializes and saves a private key.
Generates the key and saves it in PEM format on the filesystem.
Note
keyname is the attempted filename; the actual filename may differ if a file already exists at that path.
- Parameters:
key_size (int) – key size in bits if key_type is rsa.
key_dir (str) – Optional key save directory.
key_type (str) – Key type [rsa, ecdsa]
elliptic_curve (str) – Name of the elliptic curve if key_type is ecdsa.
keyname (str) – Filename of the key
strict_permissions (bool) – If true and key_dir exists, an exception is raised if the directory doesn't have 0700 permissions or isn't owned by the current user.
- Returns:
Key
- Return type:
Key
- Raises:
ValueError – If unable to generate the key given key_size.
- certbot.crypto_util.generate_csr(privkey: Key, names: List[str] | Set[str], path: str | None, must_staple: bool = False, strict_permissions: bool = True) → CSR
Initialize a CSR with the given private key.
- Parameters:
privkey (certbot.util.Key) – Key to include in the CSR
path (str) – Optional certificate save directory.
must_staple (bool) – If true, include the TLS Feature extension "OCSP Must-Staple"
strict_permissions (bool) – If true and path exists, an exception is raised if the directory doesn't have 0755 permissions or isn't owned by the current user.
- Returns:
CSR
- Return type:
CSR
- certbot.crypto_util.valid_csr(csr: bytes) → bool
Validate CSR.
Check if csr is a valid CSR for the given domains.
- certbot.crypto_util.csr_matches_pubkey(csr: bytes, privkey: bytes) → bool
Does the private key correspond to the subject public key in the CSR?
- certbot.crypto_util.import_csr_file(csrfile: str, data: bytes) → Tuple[int, CSR, List[str]]
Import a CSR file, which can be either PEM or DER.
- certbot.crypto_util.make_key(bits: int = 2048, key_type: str = 'rsa', elliptic_curve: str | None = None) → bytes
Generate a PEM-encoded RSA or EC key.
- Returns:
new RSA or ECDSA key in PEM form, with the specified number of bits for rsa, or on the curve named by elliptic_curve when key_type is ecdsa.
- Return type:
bytes
- certbot.crypto_util.valid_privkey(privkey: str | bytes) → bool
Is this a valid RSA private key?
- Parameters:
privkey – Private key file contents in PEM
- Returns:
Validity of the private key.
- Return type:
bool
- certbot.crypto_util.verify_renewable_cert(renewable_cert: RenewableCert) → None
For checking that your certs were not corrupted on disk.
Several things are checked:
- Signature verification for the cert.
- That fullchain matches cert and chain when concatenated.
- That the private key matches the certificate.
- Parameters:
renewable_cert (certbot.interfaces.RenewableCert) – cert to verify
- Raises:
errors.Error – If verification fails.
- certbot.crypto_util.verify_renewable_cert_sig(renewable_cert: RenewableCert) → None
Verifies the signature of a RenewableCert object.
- Parameters:
renewable_cert (certbot.interfaces.RenewableCert) – cert to verify
- Raises:
errors.Error – If signature verification fails.
- certbot.crypto_util.verify_signed_payload(public_key: DSAPublicKey | Ed25519PublicKey | Ed448PublicKey | EllipticCurvePublicKey | RSAPublicKey | X25519PublicKey | X448PublicKey, signature: bytes, payload: bytes, signature_hash_algorithm: HashAlgorithm) → None
Check the signature of a payload.
- Raises:
InvalidSignature – If signature verification fails.
errors.Error – If the public key type is not supported
- certbot.crypto_util.verify_cert_matches_priv_key(cert_path: str, key_path: str) → None
Verifies that the private key and cert match.
- Raises:
errors.Error – If they don't match.
- certbot.crypto_util.verify_fullchain(renewable_cert: RenewableCert) → None
Verifies that fullchain is indeed cert concatenated with chain.
- Parameters:
renewable_cert (certbot.interfaces.RenewableCert) – cert to verify
- Raises:
errors.Error – If cert and chain do not combine to fullchain.
- certbot.crypto_util.pyopenssl_load_certificate(data: bytes) → Tuple[X509, int]
Load a PEM/DER certificate.
- certbot.crypto_util.get_sans_from_cert(cert: bytes, typ: int = 1) → List[str]
Get a list of Subject Alternative Names from a certificate.
- certbot.crypto_util.get_names_from_cert(cert: bytes, typ: int = 1) → List[str]
Get a list of domains from a cert, including the CN if it is set.
- certbot.crypto_util.get_names_from_req(csr: bytes, typ: int = 1) → List[str]
Get a list of domains from a CSR, including the CN if it is set.
- certbot.crypto_util.dump_pyopenssl_chain(chain: List[X509] | List[ComparableX509], filetype: int = 1) → bytes
Dump a certificate chain into a bundle.
- Parameters:
chain (list) – List of crypto.X509 (or wrapped in josepy.util.ComparableX509).
- certbot.crypto_util.notBefore(cert_path: str) → datetime
When does the cert at cert_path start being valid?
- Parameters:
cert_path (str) – path to a cert in PEM format
- Returns:
the notBefore value from the cert at cert_path
- Return type:
datetime
- certbot.crypto_util.notAfter(cert_path: str) → datetime
When does the cert at cert_path stop being valid?
- Parameters:
cert_path (str) – path to a cert in PEM format
- Returns:
the notAfter value from the cert at cert_path
- Return type:
datetime
- certbot.crypto_util.sha256sum(filename: str) → str
Compute the sha256sum of a file.
NB: platform-specific newline characters in the given file are converted to their '\n' equivalents (universal newlines) before the hash is computed, so the result is a hash of the normalized text rather than of the raw bytes on disk.
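The newline caveat matters whenever a hash produced on one platform is compared with one produced on another. The following added example (written for this page, not certbot's own code; its sha256sum is a stand-in that reproduces the documented normalization with the standard library) writes the same PEM-like text, a constructed placeholder rather than a real certificate, with LF and with CRLF line endings and shows that the normalized hashes agree while the raw-byte hashes differ.

```python
# Added example (not certbot's code): reproduces the newline caveat of
# certbot.crypto_util.sha256sum using only the standard library.
# Reading in text mode with newline=None (universal newlines) converts
# '\r\n' and '\r' to '\n' before hashing, so the same logical text hashes
# identically regardless of the platform that wrote the file.
import hashlib
import os
import tempfile


def sha256sum(filename: str) -> str:
    """Hex SHA-256 of a file after universal-newline normalization."""
    sha256 = hashlib.sha256()
    with open(filename, "r", encoding="utf-8", newline=None) as fh:
        sha256.update(fh.read().encode("utf-8"))
    return sha256.hexdigest()


def sha256sum_raw(filename: str) -> str:
    """Hex SHA-256 of the file's exact bytes, for comparison."""
    sha256 = hashlib.sha256()
    with open(filename, "rb") as fh:
        sha256.update(fh.read())
    return sha256.hexdigest()


def compare_newline_variants() -> dict:
    """Write the same text with LF and CRLF endings and hash both ways.

    The content is a constructed placeholder, not a real certificate.
    Returns {"normalized_equal": bool, "raw_equal": bool}.
    """
    lines = [
        "-----BEGIN CERTIFICATE-----",
        "PLACEHOLDERBASE64",
        "-----END CERTIFICATE-----",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, eol in (("lf", "\n"), ("crlf", "\r\n")):
            path = os.path.join(tmp, f"cert-{name}.pem")
            # Binary mode so the chosen line ending is written verbatim.
            with open(path, "wb") as fh:
                fh.write((eol.join(lines) + eol).encode("ascii"))
            paths[name] = path
        results["normalized_equal"] = sha256sum(paths["lf"]) == sha256sum(paths["crlf"])
        results["raw_equal"] = sha256sum_raw(paths["lf"]) == sha256sum_raw(paths["crlf"])
    return results


if __name__ == "__main__":
    print(compare_newline_variants())
```

The practical consequence: a hash from this function is only comparable with another hash computed the same way; comparing it against a plain `sha256sum` of the file bytes will disagree whenever the file carries CRLF endings.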
- certbot.crypto_util.cert_and_chain_from_fullchain(fullchain_pem: str) → Tuple[str, str]
Split fullchain_pem into cert_pem and chain_pem.
- Parameters:
fullchain_pem (str) – concatenated cert + chain
- Returns:
tuple of string cert_pem and chain_pem
- Return type:
Tuple[str, str]
- Raises:
errors.Error – If there are fewer than 2 certificates in the chain.
- certbot.crypto_util.get_serial_from_cert(cert_path: str) → int
Retrieve the serial number of the certificate at cert_path.
- certbot.crypto_util.find_chain_with_issuer(fullchains: List[str], issuer_cn: str, warn_on_no_match: bool = False) → str
Chooses the first certificate chain from fullchains whose topmost intermediate has an Issuer Common Name matching issuer_cn (in other words, the first chain that chains to a root whose name matches issuer_cn).