Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (pypi.python.org).
Help us improve Python packaging - Donate today!

Python library to convert X.509 certificates to and from W3C XML Signature KeyInfo structures

Project Description

Python library to convert X.509 certificates to and from W3C XML Signature KeyInfo structures

Description

This library provides functionlity to convert X.509 certificates to and from W3C XML Signature KeyInfo structures.

For X.509, the module is based on the python “cryptography” module (which in turn is based on OpenSSL). The keyinfo library converts to and from cryptography.x509.certificate objects. For XML, the module is based on the lxml library. (Future versions may also use the simpler ElementTree library).

If you want to generate KeyInfo structures, your code needs to use existing functionality in that library to create certificates, or to load certificates in common file formats like PEM. The keyinfo module then allows you to convert these certificate objects to KeyInfo XML trees. Then, using the lxml library, you can save those trees to file or otherwise process them. There first two export functions are the following:

  • to_keyinfo_sig1 export to XML Signature version 1.0. In this case the issuer and serial number are provided.
  • to_keyinfo_sig11 exports to XML Signature version 1.1. In this case SHA256 and SHA512 X509 digests are provided.

These functions take either a certificate or a list of certificate objects representing a certificate chain as parameters.

From version 0.4, ff the SHA3 library is availble, additionally SHA3-256 and SHA3-515 digests are provided.

The following code show how to load a certificate from a PEM format and save it as a KeyInfo XML file.

from keyinfo import keyinfo
from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend
from lxml import etree

# set infile, outfile
with open(infile, 'r') as f:
    data = f.read()
    cert = load_pem_x509_certificate(data, default_backend())
    cert_xml = keyinfo.to_keyinfo_sig1(cert)
    fd = open(outfile,'w')
    fd.write(etree.tostring(cert_xml, pretty_print=True))
    fd.close()

It turns out the load_pem_x509_certificate actually only loads the first certificate. To load a chain from a PEM file, you can use load_pem_x509_certificate_chain from keyinfo.

from keyinfo import keyinfo
from lxml import etree

# set infile, outfile
with open(infile, 'r') as f:
    data = f.read()
    cert_list = keyinfo.load_pem_x509_certificate_chain(data)
    cert_xml = keyinfo.to_keyinfo_sig1(cert_list)
    fd = open(outfile,'w')
    fd.write(etree.tostring(cert_xml, pretty_print=True))
    fd.close()

If you want to parse KeyInfo structures, your code needs to parse the XML data using lxml. You can then use the from_keyinfo(keyinfo) function to create a cryptography.x509.certificate object. For backwards compatibility reasons, these functions return the first certificate only.

To load the full chain, you can an optional chain parameter, i.e. from_keyinfo(keyinfo, chain=True). The result then is a list of certificate objects.

Validation

When loading certificates from KeyInfo, some consistency checks are done between the X509Digest and X509Issuerserial element and the X509Certificate objects. If you want additional certificate validation, including path validation, you can use pyopenssl or wait for a future release of cryptography that will provide this functionality.

Tests and Examples

The tests subdirectory has a complete test suite and tests/data has sample KeyInfo and PEM files used by the tests.

Version History

0.9, 2017.01.12 Support for DSA keys

0.8, 2017.01.08 Experimental support for elliptic curve keys; some open questions asked at cryptography-dev

0.7, 2017.01.04 Bug fix, chain parameter not passed.

0.6, 2016.12.30 Added support for Whirlpool, https://tools.ietf.org/html/rfc6931#section-2.1.4

0.5, 2016.12.08 Added support for SHA1 for verification. (For generation, only SHA2 or SHA3 are used)

0.4, 2016.12.07 SHA3 feature added

0.3.*, 2016.10.09 Fixed README

0.3, 2016.10.08. Support for certificate chains added.

0.2, 2016.04.01. Provided readme, tests, examples, validation.

0.1.3, 2016.03.27. First public Release.

Release History

Release History

This version
History Node

0.9.1

History Node

0.8

History Node

0.7.1

History Node

0.6

History Node

0.5

History Node

0.4.2

History Node

0.3.6

History Node

0.3.5

History Node

0.3.3

History Node

0.3

History Node

0.2

History Node

0.1.3

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
keyinfo-0.9.1.tar.gz (30.0 kB) Copy SHA256 Checksum SHA256 Source Jan 12, 2017

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting