Utilities for working with OpenSSL x509 certificates and their keypairs.
OpenSSLInvalidFormat
Bases: exceptions.Exception
Raised if the specified file format is unsupported by OpenSSL.
attachKey(key, cert, selfsign=True, digest='sha1', pem=False)
Attach a key to a cert and optionally self-sign the cert.
Warning: Enabling the pem parameter when passing in a key which has only the public RSA modulus (as described above) will result in nasty OpenSSL errors. Trust me, you do not want to try to parse OpenSSL’s errors.
Raises: An infinite, labyrinthine mire of non-Euclidean OpenSSL errors with non-deterministic messages and self-referential errorcodes, tangled upon itself in contempt of sanity, hope, and decent software engineering practices.
Returns: If pem is True, then the values described there are returned. Otherwise, returns the cert with the key attached to it.
createTLSCert(lifetime=None)
Create a TLS certificate.
Parameters: lifetime (int) – The time, in seconds, that the certificate should remain valid for.
Return type: OpenSSL.crypto.X509
Returns: A certificate, unsigned, and without a key attached to it.
createTLSLinkCert(lifetime=7200)
Create a certificate for the TLS link layer.
The TLS certificate used for the link layer between Tor relays, and between clients and their bridges/guards, has a shorter lifetime than the other certificates. Currently, in Tor, these certificates expire after two hours.
Parameters: lifetime (int) – The time, in seconds, that the certificate should remain valid for.
Return type: OpenSSL.crypto.X509
Returns: A certificate, unsigned, and without a key attached to it.
getPublicKey(cert, fileformat='PEM')
Retrieve the PEM public key, with Tor headers, from a certificate.
Returns: The public key in the specified fileformat.
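The two-hour link-certificate lifetime and the attach-key-then-self-sign flow described above, as an added example written against pyOpenSSL (the library these utilities wrap). The function bodies are a reconstruction for illustration, not the project's own source; the digest defaults to sha256 here rather than the sha1 listed above, and the validity window is set deterministically from notBefore so it can be checked exactly.

```python
# Added example, not the module's source: build a Tor-style link-layer
# certificate with pyOpenSSL, attach a fresh RSA key, self-sign it, and
# measure the validity window. Names mirror the page's API; bodies are mine.
from datetime import datetime, timedelta
from OpenSSL import crypto

LINK_CERT_LIFETIME = 7200  # Tor link certificates expire after two hours
ASN1_GENERALIZEDTIME = "%Y%m%d%H%M%SZ"  # format pyOpenSSL uses for validity


def _asn1_to_datetime(stamp):
    """Parse the bytes pyOpenSSL returns from get_notBefore/get_notAfter."""
    return datetime.strptime(stamp.decode("ascii"), ASN1_GENERALIZEDTIME)


def createTLSLinkCert(lifetime=LINK_CERT_LIFETIME):
    """Return an unsigned X509v3 cert valid from now for `lifetime` seconds."""
    cert = crypto.X509()
    cert.set_version(2)          # X509v3
    cert.set_serial_number(1)    # constructed placeholder serial
    cert.gmtime_adj_notBefore(0)
    # Derive notAfter from the stored notBefore so the window is exact even
    # if the wall clock ticks over a second between the two calls.
    not_after = _asn1_to_datetime(cert.get_notBefore()) + timedelta(seconds=lifetime)
    cert.set_notAfter(not_after.strftime(ASN1_GENERALIZEDTIME).encode("ascii"))
    return cert


def attachKey(key, cert, selfsign=True, digest="sha256"):
    """Attach `key` to `cert`; when `selfsign` is set, sign it with `digest`."""
    cert.set_pubkey(key)
    cert.set_issuer(cert.get_subject())  # self-signed: issuer == subject
    if selfsign:
        cert.sign(key, digest)
    return cert


def getPublicKey(cert):
    """Return the certificate's public key as PEM bytes (no Tor headers here)."""
    return crypto.dump_publickey(crypto.FILETYPE_PEM, cert.get_pubkey())


def validitySeconds(cert):
    """Seconds between notBefore and notAfter, for checking the lifetime."""
    delta = _asn1_to_datetime(cert.get_notAfter()) - _asn1_to_datetime(cert.get_notBefore())
    return int(delta.total_seconds())


def buildLinkCert(bits=2048):
    """Generate an RSA key, create a link cert, attach and self-sign."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    return key, attachKey(key, createTLSLinkCert())
```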