Utilities that assist with trust relationship checking of X.509 Certificates for various end-user devices with disparate root trust stores.
tlstrust
Documentation
On the command-line:

```
tlstrust --help
```

produces:

```
usage: tlstrust [-h] [-C CLIENT_PEM] [--disable-sni] [-O JSON_FILE] [-v] [-vv] [-vvv] [-vvvv] [--version] [targets ...]

positional arguments:
  targets               All unnamed arguments are hosts (and ports) targets to test. ~$ tlstrust apple.com:443 github.io
                        localhost:3000

options:
  -h, --help            show this help message and exit
  -C CLIENT_PEM, --client-pem CLIENT_PEM
                        path to PEM encoded client certificate, url or file path accepted
  --disable-sni         Do not negotiate SNI using INDA encoded host
  -O JSON_FILE, --json-file JSON_FILE
                        Store to file as JSON
  -v, --errors-only     set logging level to ERROR (default CRITICAL)
  -vv, --warning        set logging level to WARNING (default CRITICAL)
  -vvv, --info          set logging level to INFO (default CRITICAL)
  -vvvv, --debug        set logging level to DEBUG (default CRITICAL)
  --version
```

Trust Stores
Only the following are distinct Root CA Certificate bundles, also referred to as Trust Stores:
- Common Certificate Authority Database (CCADB)
- Java(TM) SE Runtime Environment
- Google Trust Services
- Rustls (curated CCADB)
- libcurl (curated CCADB)
- Dart Native (curated CCADB)
- Certifi (curated CCADB)
- MinTsifry Rossii
Others may exist so please inform us of any we don't already track.
Many contexts rely on one of the above; Microsoft, Apple, Linux, and Mozilla all rely on CCADB directly.
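
The consequence of having several distinct bundles is that one root can be present for some clients and absent for others. The sketch below is an added example, not tlstrust's own code: it matches a root by SHA-256 fingerprint against each bundle and reports per client context. The bundle contents, the context names and the "certificates" are constructed placeholders, and it checks presence only, not expiry.

```python
from __future__ import annotations

import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_bundle: str) -> set[str]:
    """SHA-256 fingerprint of each certificate's DER bytes in a PEM bundle."""
    return {
        hashlib.sha256(base64.b64decode(body)).hexdigest()
        for body in PEM_BLOCK.findall(pem_bundle)
    }


def trust_matrix(root_der, bundles, contexts):
    """Map each client context to True if its backing bundle holds root_der."""
    fp = hashlib.sha256(root_der).hexdigest()
    present = {name: fp in fingerprints(pem) for name, pem in bundles.items()}
    return {ctx: present[store] for ctx, store in contexts.items()}


def untrusted_contexts(root_der, bundles, contexts):
    """Contexts whose clients would not find this root in their store."""
    matrix = trust_matrix(root_der, bundles, contexts)
    return sorted(ctx for ctx, ok in matrix.items() if not ok)


def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for DER-encoded roots; not real certificates.
ROOT_A, ROOT_B = b"constructed root A", b"constructed root B"
# Hypothetical bundle contents, named after stores listed above.
BUNDLES = {
    "ccadb": _pem(ROOT_A) + _pem(ROOT_B),
    "certifi": _pem(ROOT_A) + _pem(ROOT_B),
    "java": _pem(ROOT_A),
}
# Hypothetical context -> bundle mapping.
CONTEXTS = {"mozilla": "ccadb", "python-requests": "certifi", "java-service": "java"}
```

A non-empty result from `untrusted_contexts` is the signal to act on before deploying a chain that terminates at that root.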
Python module usage
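In your app you can:

```py
import os
from pathlib import Path
from OpenSSL.crypto import FILETYPE_ASN1
from tlstrust import TrustStore

# Load a DER-encoded (ASN.1) root CA certificate stored next to this script
der = Path(os.path.join(os.path.dirname(__file__), "cacert.der")).read_bytes()
trust_store = TrustStore(FILETYPE_ASN1, der)
# No context argument: report on all trust stores at once
print(trust_store.check_trust())
```
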
Platform specific checking

```py
all_trusted = trust_store.check_trust()
assert all_trusted is True
assert trust_store.android
assert trust_store.linux
assert trust_store.ccadb  # Windows, Mozilla, and Apple (from December 1st 2021)
assert trust_store.java
assert trust_store.certifi
```

Basic usage
Using CCADB for demonstration purposes (includes Apple, Microsoft, and Mozilla):

```py
from tlstrust.context import SOURCE_CCADB

assert trust_store.exists(SOURCE_CCADB)
# A root that is still trusted must not be expired in the store
assert not trust_store.expired_in_store(SOURCE_CCADB)
assert trust_store.get_certificate_from_store(SOURCE_CCADB)
assert trust_store.check_trust(SOURCE_CCADB)
```

Other Platforms

```py
from tlstrust.context import PLATFORM_ANDROID
from tlstrust.context import PLATFORM_JAVA
from tlstrust.context import PLATFORM_LINUX
from tlstrust.context import PLATFORM_APPLE
```

Apple (before CCADB)
Apple (legacy) Trust Store support exists in earlier versions of tlstrust; it was removed in version 2.0.0, so installing a prior version will allow you to access this functionality.
Android versions

```py
from tlstrust.context import PLATFORM_ANDROID2_2
from tlstrust.context import PLATFORM_ANDROID2_3
from tlstrust.context import PLATFORM_ANDROID3
from tlstrust.context import PLATFORM_ANDROID4
from tlstrust.context import PLATFORM_ANDROID4_4
from tlstrust.context import PLATFORM_ANDROID7
from tlstrust.context import PLATFORM_ANDROID8
from tlstrust.context import PLATFORM_ANDROID9
from tlstrust.context import PLATFORM_ANDROID10
from tlstrust.context import PLATFORM_ANDROID11
from tlstrust.context import PLATFORM_ANDROID12
```

Browser Trust Stores

```py
from tlstrust import context

assert trust_store.check_trust(context.BROWSER_AMAZON_SILK)
assert trust_store.check_trust(context.BROWSER_SAMSUNG_INTERNET_BROWSER)
assert trust_store.check_trust(context.BROWSER_GOOGLE_CHROME)
assert trust_store.check_trust(context.BROWSER_CHROMIUM)
assert trust_store.check_trust(context.BROWSER_FIREFOX)
assert trust_store.check_trust(context.BROWSER_BRAVE)
assert trust_store.check_trust(context.BROWSER_SAFARI)
assert trust_store.check_trust(context.BROWSER_MICROSOFT_EDGE)
assert trust_store.check_trust(context.BROWSER_YANDEX_BROWSER)
assert trust_store.check_trust(context.BROWSER_OPERA)
assert trust_store.check_trust(context.BROWSER_VIVALDI)
assert trust_store.check_trust(context.BROWSER_TOR_BROWSER)
```

Programming Language Trust (Microservice architecture and APIs)
Python:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_PYTHON_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_CERTIFI)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_URLLIB)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_REQUESTS)
assert trust_store.check_trust(context.LANGUAGE_PYTHON_DJANGO)
```

Go:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_GO_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_GO_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_GO_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_GO_CERTIFI)
```

Node.js:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_NODE_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_NODE_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_NODE_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_NODE_CERTIFI)
```

Ruby:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_RUBY_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUBY_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUBY_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUBY_CERTIFI)
```

Erlang:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_ERLANG_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_ERLANG_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_ERLANG_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_ERLANG_CERTIFI)
```

Rust:

```py
from tlstrust import context

assert trust_store.check_trust(context.LANGUAGE_RUST_WINDOWS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUST_LINUX_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUST_MACOS_SERVER)
assert trust_store.check_trust(context.LANGUAGE_RUST_RUSTLS)
assert trust_store.check_trust(context.LANGUAGE_RUST_WEBPKI)
```

Hashes for tlstrust-2.6.5-py2.py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 6c160d96bc695ddf9a986d3eca44fe088b9a43dd5b54891956f8e1f4315ea476
MD5 | 9edd40e0b06fa17b4cacce997c4aa8fa
BLAKE2b-256 | df9eb0171527e6f2d1ac19b6b66951b76155f99316c474003cdbc7f62f3b400e