pyeudiw.x509 package

Submodules

pyeudiw.x509.chain_builder module

class pyeudiw.x509.chain_builder.ChainBuilder[source]

Bases: object

gen_certificate(cn: str, organization_name: str, country_name: str, email_address: str, dns: str, uri: str, ca: bool, path_length: int | None, serial_number: int | None = None, private_key: EllipticCurvePrivateKey | RSAPrivateKey | None = None, crl_distr_point: str | None = None, not_valid_before: datetime = datetime.datetime(2026, 2, 10, 14, 7, 27, 361657), not_valid_after: datetime = datetime.datetime(2027, 2, 11, 14, 7, 27, 361662), excluded_subtrees: list[DNSName | UniformResourceIdentifier] | None = None, permitted_subtrees: list[DNSName | UniformResourceIdentifier] | None = None, key_usage: KeyUsage | None = None, organization_identifier: str | None = None) None[source]

Generate a certificate and append it to the chain. Note that the not_valid_before and not_valid_after defaults are evaluated once, when the module is imported (the instants shown in the signature are those of the documentation build), so a long-running process should pass explicit validity dates rather than rely on them.

Parameters:
  • cn (str) – Common Name

  • organization_name (str) – Organization name for the certificate

  • country_name (str) – Country Name

  • email_address (str) – Email address

  • dns (str) – DNS Name

  • uri (str) – URI

  • ca (bool) – Whether the certificate is a CA certificate

  • path_length (int | None) – Path length constraint for a CA certificate, None if not a CA

  • serial_number (int | None) – Serial number of the certificate, random if None

  • private_key (ec.EllipticCurvePrivateKey | rsa.RSAPrivateKey | None) – Private key to use for signing the certificate

  • crl_distr_point (str | None) – CRL Distribution Point URI, None if not set

  • not_valid_before (datetime) – Start of the certificate validity period

  • not_valid_after (datetime) – End of the certificate validity period

  • excluded_subtrees (list[x509.DNSName | x509.UniformResourceIdentifier] | None) – DNS names or URIs to exclude via the Name Constraints extension

  • permitted_subtrees (list[x509.DNSName | x509.UniformResourceIdentifier] | None) – DNS names or URIs to permit via the Name Constraints extension

  • key_usage (x509.KeyUsage | None) – Key usage extension for the certificate

  • organization_identifier (str | None) – Organization identifier for the certificate

Returns:

None

get_ca(encoding: Literal['DER', 'PEM'] = 'DER') bytes | str[source]

Get the CA certificate in the requested encoding.

Parameters:

encoding (Literal['DER', 'PEM']) – Output encoding; 'DER' returns bytes, 'PEM' returns str

Returns:

The CA certificate

Return type:

bytes | str

get_chain(encoding: Literal['DER', 'PEM'] = 'DER') list[bytes] | list[str][source]

Get the certificate chain in the requested encoding.

Parameters:

encoding (Literal['DER', 'PEM']) – Output encoding; 'DER' returns a list of bytes, 'PEM' a list of str

Returns:

The certificate chain

Return type:

list[bytes] | list[str]

pyeudiw.x509.crl_builder module

class pyeudiw.x509.crl_builder.CRLBuilder(issuer: str, private_key: RSAPrivateKey | EllipticCurvePrivateKey, next_update: int = 30)[source]

Bases: object

Class to build a Certificate Revocation List (CRL).

add_revoked_certificate(serial_number: int, revocation_date: datetime)[source]

Add a revoked certificate to the CRL.

Parameters:
  • serial_number (int) – The serial number of the revoked certificate.

  • revocation_date (datetime) – The date when the certificate was revoked.

sign() CertificateRevocationList[source]

Sign the CRL with the issuer’s private key.

Returns:

The signed CRL.

Return type:

x509.CertificateRevocationList

to_der() bytes[source]

Convert the CRL to DER format.

Returns:

The CRL in DER format.

Return type:

bytes

to_pem() bytes[source]

Convert the CRL to PEM format.

Returns:

The CRL in PEM format.

Return type:

bytes

pyeudiw.x509.crl_helper module

class pyeudiw.x509.crl_helper.CRLHelper(crl: CertificateRevocationList, uri: str)[source]

Bases: object

Helper class to handle CRL (Certificate Revocation List) operations.

static from_certificate(cert: str | bytes) list[CRLHelper][source]

Load CRL distribution points from a given certificate. This method extracts the CRL distribution points from the certificate and loads them into CRLHelper instances.

Parameters:

cert (str | bytes) – The certificate in PEM or DER format.

Raises:

CRLReadError – If the certificate does not contain CRL distribution points or if loading fails.

Returns:

A list of CRLHelper instances containing the loaded CRLs.

Return type:

list[CRLHelper]

static from_crl(crl: str | bytes, uri: str) CRLHelper[source]

Load a CRL from a given PEM or DER formatted string or bytes.

Parameters:

crl (str | bytes) – The CRL in PEM or DER format.

Raises:

CRLParseError – If the CRL file is not in the expected format.

Returns:

An instance of CRLHelper containing the loaded CRL.

Return type:

CRLHelper

static from_url(crl_url: str, httpc_params: dict = {'connection': {'ssl': True}, 'session': {'timeout': 4}}) CRLHelper[source]

Load a CRL from a given URL. This method fetches the CRL file from the specified URL and loads it into a CRL object.

Parameters:
  • crl_url (str) – URL of the CRL file.

  • httpc_params (dict | None) – Optional HTTP client parameters.

Raises:
  • CRLHTTPError – If the HTTP request fails or the response is not valid.

  • CRLParseError – If the CRL file is not in the expected format.

Returns:

An instance of CRLHelper containing the loaded CRL.

Return type:

CRLHelper

get_revocation_date(serial_number: str | int) datetime | None[source]

Get the revocation date of a certificate with the given serial number.

Parameters:

serial_number (str | int) – The serial number of the certificate to check. Can be in hex format (string) or integer.

Raises:

CRLReadError – If the serial number is invalid or if the revocation list is not loaded.

Returns:

The revocation date if revoked, None otherwise.

Return type:

datetime | None

is_crl_expired() bool[source]

Check whether the CRL has expired, i.e. its next update time has passed. An expired CRL gives no current revocation information and must not be relied on.

Raises:

CRLReadError – If the CRL is not loaded or if the expiration date cannot be determined.

Returns:

True if the CRL has expired, False otherwise.

Return type:

bool

is_revoked(serial_number: str | int) bool[source]

Check if a certificate with the given serial number is revoked.

Parameters:

serial_number (str | int) – The serial number of the certificate to check. Can be in hex format (string) or integer.

Raises:

CRLReadError – If the serial number is invalid or if the revocation list is not loaded.

Returns:

True if the certificate is revoked, False otherwise.

Return type:

bool

serialize() dict[str, str][source]

Serialize the CRL together with the URI it was loaded from.

Returns:

The serialized CRL with the uri.

Return type:

dict[str, str]

update(httpc_params: dict = {'connection': {'ssl': True}, 'session': {'timeout': 4}}) None[source]

Update the CRL by fetching it from the URI. This method fetches the CRL file from the specified URI and loads it into the CRL object.

Parameters:

httpc_params (dict | None) – Optional HTTP client parameters.

Raises:
  • CRLHTTPError – If the HTTP request fails or the response is not valid.

  • CRLParseError – If the CRL file is not in the expected format.

pyeudiw.x509.exceptions module

exception pyeudiw.x509.exceptions.CRLHTTPError[source]

Bases: Exception

Exception raised for errors in the CRL HTTP request.

exception pyeudiw.x509.exceptions.CRLParseError[source]

Bases: Exception

Exception raised for errors in parsing the CRL.

exception pyeudiw.x509.exceptions.CRLReadError[source]

Bases: Exception

Exception raised for errors in reading the CRL.

pyeudiw.x509.verify module

pyeudiw.x509.verify.B64DER_cert_to_DER_cert(cert: str) bytes[source]

Takes a Base64-encoded DER certificate and returns the certificate in DER format.

pyeudiw.x509.verify.B64DER_cert_to_PEM_cert(cert: str) str[source]

Takes a Base64-encoded DER certificate and returns the certificate in ASCII PEM format.

pyeudiw.x509.verify.DER_cert_to_B64DER_cert(cert: bytes) str[source]

Encode a DER certificate in Base64.

pyeudiw.x509.verify.PEM_cert_to_B64DER_cert(cert: str) str[source]

Takes a certificate in ASCII PEM format and returns the Base64 encoding of the corresponding DER certificate.

pyeudiw.x509.verify.get_certificate_type(cert: str | bytes) str[source]

pyeudiw.x509.verify.get_expiry_date_from_x5c(x5c: list[bytes] | list[str]) datetime[source]

Get the expiry date from the x509 certificate chain.

Parameters:

x5c (list[bytes]) – The x509 certificate chain

Returns:

The expiry date

Return type:

datetime

pyeudiw.x509.verify.get_get_subject_name(der: bytes) str | None[source]

Get the subject name from the x509 certificate.

Parameters:

der (bytes) – The x509 certificate

Returns:

The subject name, or None if it cannot be extracted

Return type:

str | None

pyeudiw.x509.verify.get_issuer_from_x5c(x5c: list[bytes] | list[str]) str | None[source]

Get the issuer from the x509 certificate chain.

Parameters:

x5c (list[bytes]) – The x509 certificate chain

Returns:

The issuer, or None if it cannot be extracted

Return type:

str | None

pyeudiw.x509.verify.get_public_key_from_x509_chain(x5c: list[bytes]) ECKey | RSAKey | dict[source]

pyeudiw.x509.verify.get_trust_anchor_from_x5c(x5c: list[bytes] | list[str]) str | None[source]

Get the trust anchor from the x509 certificate chain.

Parameters:

x5c (list[bytes]) – The x509 certificate chain

Returns:

The trust anchor, or None if it cannot be extracted

Return type:

str | None

pyeudiw.x509.verify.get_x509_info(cert: bytes | str, san_dns: bool = True) str[source]

Get the x509 certificate information.

Parameters:
  • cert (bytes | str) – The x509 certificate

  • san_dns (bool) – Whether to take the information from the Subject Alternative Name DNS entry (defaults to True)

Returns:

The certificate information

Return type:

str

pyeudiw.x509.verify.is_der_format(cert: bytes) bool[source]

Check if the certificate is in DER format.

Parameters:

cert (bytes) – The certificate

Returns:

True if the certificate is in DER format else False

Return type:

bool

pyeudiw.x509.verify.is_pem_format(cert: str | bytes) bool[source]

Check if the certificate is in PEM format.

Parameters:

cert (str | bytes) – The certificate

Returns:

True if the certificate is in PEM format else False

Return type:

bool

pyeudiw.x509.verify.pem_to_pems_list(cert: str) list[str][source]

Split a string containing one or more PEM blocks (e.g. certificates) into a list of PEM strings. Uses stdlib/re only; no pyOpenSSL or pem dependency.

Parameters:

cert (str) – The x509 certificate chain in PEM format (one or more concatenated PEM blocks)

Returns:

The x509 certificate chain as a list of PEM strings

Return type:

list[str]

pyeudiw.x509.verify.to_DER_cert(cert: str | bytes) bytes[source]

This function takes a certificate of unknown representation (allegedly PEM, DER or Base64-encoded DER) and applies heuristics to convert it to a DER certificate.

This function should be treated as UNSAFE and inefficient: it guesses the encoding of untrusted input. Do NOT use it unless you have no prior way to know the actual representation format of the certificate.

pyeudiw.x509.verify.to_PEM_cert(cert: str | bytes) str[source]

This function takes a certificate of unknown representation (allegedly PEM, DER or Base64-encoded DER) and applies heuristics to convert it to a PEM certificate.

This function should be treated as UNSAFE and inefficient: it guesses the encoding of untrusted input. Do NOT use it unless you have no prior way to know the actual representation format of the certificate.

pyeudiw.x509.verify.to_der_list(pem_list: list[str] | list[bytes]) list[bytes][source]

If the input is a list of PEM certificates, it will be converted to a list of DER certificates. If the input is a list of DER certificates, it will be returned as is.

Parameters:

pem_list (list[str]) – The x509 certificate chain in PEM format

Returns:

The x509 certificate chain in DER format

Return type:

list[bytes]

pyeudiw.x509.verify.to_pem_list(der_list: list[bytes] | list[str]) list[str][source]

If the input is a list of DER certificates, it will be converted to a list of PEM certificates. If the input is a list of PEM certificates, it will be returned as is.

Parameters:

der_list (list[bytes] | list[str]) – The x509 certificate chain in DER format (or already in PEM format)

Returns:

The x509 certificate chain in PEM format

Return type:

list[str]
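The detection and conversion helpers above (is_der_format, is_pem_format, pem_to_pems_list, the B64DER/PEM/DER converters and the heuristic to_DER_cert) can be reproduced with the standard library alone. The following is an added example, not pyeudiw's own code: it accepts bytes as DER only if they form exactly one well-formed SEQUENCE with minimal length encoding and nothing trailing, splits and re-canonicalises PEM bundles, and shows the guessing that makes to_DER_cert "UNSAFE" (text is accepted as a certificate merely because it Base64-decodes into something SEQUENCE-shaped, before any signature is checked). SAMPLE_DER is a constructed DER SEQUENCE, not a real certificate.

```python
from __future__ import annotations
import base64
import binascii
import re

# One PEM block: group 1 is the label, group 2 the Base64 body (may span lines).
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*([A-Za-z0-9+/=\s]*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample: a DER SEQUENCE holding one 128-byte OCTET STRING. It is not a
# certificate; it only exercises the long-form length (0x81 0x83 = 131 content bytes)
# that every real certificate uses.
SAMPLE_DER = b"\x30\x81\x83" + b"\x04\x81\x80" + b"\x00" * 128


def der_sequence_length(buf: bytes) -> int | None:
    """Total length of the outermost DER SEQUENCE, or None if the header is invalid."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                  # short form: the byte itself is the length
        return 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or buf[2] == 0:  # DER demands the shortest possible encoding
        return None
    return 2 + n + length


def is_der_format(cert: bytes) -> bool:
    """DER certificate: one SEQUENCE that covers the whole buffer, nothing trailing."""
    return isinstance(cert, bytes) and der_sequence_length(cert) == len(cert)


def is_pem_format(cert: str | bytes) -> bool:
    if isinstance(cert, bytes):
        try:
            cert = cert.decode("ascii")
        except UnicodeDecodeError:
            return False
    return any(label == "CERTIFICATE" for label, _ in _PEM_RE.findall(cert))


def der_to_pem(der: bytes) -> str:
    if not is_der_format(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_to_b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


def pem_to_pems_list(cert: str) -> list[str]:
    """Split concatenated PEM blocks. Each CERTIFICATE block is decoded and re-emitted
    in canonical form, so a corrupt block raises instead of being passed along;
    blocks with other labels (e.g. a stray PRIVATE KEY) are dropped."""
    out = []
    for label, body in _PEM_RE.findall(cert):
        if label == "CERTIFICATE":
            out.append(der_to_pem(base64.b64decode("".join(body.split()), validate=True)))
    return out


def pem_to_der(pem: str) -> bytes:
    pems = pem_to_pems_list(pem)
    if len(pems) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(pems)}")
    return base64.b64decode("".join(_PEM_RE.search(pems[0]).group(2).split()))


def to_der_cert(cert: str | bytes) -> bytes:
    """Guess the representation: raw DER, then PEM, then bare Base64 DER.
    This is the unsafe part: text is accepted as a certificate merely because it
    Base64-decodes into something SEQUENCE-shaped, before any signature is checked.
    Prefer the explicit converters whenever the caller knows the format."""
    if isinstance(cert, bytes):
        if is_der_format(cert):
            return cert
        try:
            cert = cert.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("binary input is not DER") from None
    if is_pem_format(cert):
        return pem_to_der(cert)
    try:
        der = base64.b64decode("".join(cert.split()), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("input is neither DER, PEM nor Base64 DER") from None
    if not is_der_format(der):
        raise ValueError("Base64 payload is not a DER SEQUENCE")
    return der
```

The DER check deliberately rejects a truncated buffer and a buffer with trailing bytes: both are signs of a corrupted or spliced input, and a lenient parser that only looks at the first byte would pass them on to the signature verifier.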

pyeudiw.x509.verify.verify_x509_anchor(pem_str: str) bool[source]

Verify the x509 anchor certificate.

Parameters:

pem_str (str) – The x509 anchor certificate

Returns:

True if the x509 anchor certificate is valid else False

Return type:

bool

pyeudiw.x509.verify.verify_x509_attestation_chain(x5c: list[bytes], crls: list[CRLHelper] = []) bool[source]

Verify the x509 attestation certificate chain.

Parameters:
  • x5c (list[bytes]) – The x509 attestation certificate chain

  • crls (list[CRLHelper]) – CRLs to consult for revocation of the chain's certificates (defaults to an empty list)

Returns:

True if the x509 attestation certificate chain is valid else False

Return type:

bool

Module contents