Skip to main content

Validates X.509 certificates and paths; forked from wbond/certvalidator

Project description

certvalidator

Forked from wbond/certvalidator, with patches for pyHanko.

A Python library for validating X.509 certificates or paths. Supports various options, including: validation at a specific moment in time, whitelisting and revocation checks.

Features

  • X.509 path building
  • X.509 basic path validation
    • Signatures
      • RSA (including PSS padding), DSA and EC algorithms
    • Name chaining
    • Validity dates
    • Basic constraints extension
      • CA flag
      • Path length constraint
    • Key usage extension
    • Extended key usage extension
    • Certificate policies
      • Policy constraints
      • Policy mapping
      • Inhibit anyPolicy
    • Failure on unknown/unsupported critical extensions
  • TLS/SSL server validation
  • Whitelisting certificates
  • Blacklisting hash algorithms
  • Revocation checks
    • CRLs
      • Indirect CRLs
      • Delta CRLs
    • OCSP checks
      • Delegated OCSP responders
    • Disable, require or allow soft failures
    • Caching of CRLs/OCSP responses
  • CRL and OCSP HTTP clients
  • Point-in-time validation
  • Name constraints

Current Release

pypi - changelog

Dependencies

  • asn1crypto
  • cryptography
  • uritools
  • oscrypto
  • requests or aiohttp (use the latter for more efficient asyncio, requires resource management)
  • Python 3.7, 3.8 or 3.9

Note on compatibility

Starting with pyhanko-certvalidator version 0.17.0, the library has been refactored to use asynchronous I/O as much as possible. Most high-level API entrypoints can still be used synchronously, but have been deprecated in favour of their asyncio equivalents. As part of this move, the OCSP and CRL clients now have two separate implementations: a requests-based one, and an aiohttp-based one. The latter is probably more performant, but requires more resource management efforts on the caller's part, which was impossible to implement without making major breaking changes to the public API that would make the migration path more complicated. Therefore, the requests-based fetcher will remain the default for the time being.

NOTE: version 0.17.0 has not been released yet, details will be in the change log.

Installation

pip install pyhanko-certvalidator

License

certvalidator is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

certvalidator documentation

Continuous Integration

Various combinations of platforms and versions of Python are tested via:

Testing

Tests are written using unittest and require no third-party packages.

Depending on what type of source is available for the package, the following commands can be used to run the test suite.

Git Repository

When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests path

PyPi Source Distribution

When working within an extracted source distribution (aka .tar.gz) from PyPi, the full test suite is run via:

python setup.py test

Test Cases

The test cases for the library are comprised of:

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

To install the packages requires to generate the API documentation, run:

pip install --user -r requires/api_docs

The documentation can then be generated by running:

python run.py api_docs

The following will run a test that connects to all (non-adult) sites in the Alexa top 1000 that respond on port 443:

python run.py stress_test

Once the script is complete, results that differ between the OS validation and the certvalidator validation will be listed for further debugging.

To change the version number of the package, run:

python run.py version {pep440_version}

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

  • Making a git tag in PEP 440 format

  • Running the command:

    python run.py release
    

Existing releases can be found at https://pypi.org/project/pyhanko-certvalidator.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyhanko-certvalidator-0.17.2.tar.gz (54.4 kB view hashes)

Uploaded Source

Built Distribution

pyhanko_certvalidator-0.17.2-py3-none-any.whl (65.1 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page