letsencrypt.crypto_util

Let’s Encrypt client crypto utility functions.

Todo

Make the transition to use PSS rather than PKCS1_v1_5 when the server is capable of handling the signatures.

letsencrypt.crypto_util.init_save_key(key_size, key_dir, keyname='key-letsencrypt.pem')[source]

Initializes and saves a privkey.

Inits key and saves it in PEM format on the filesystem.

Note

keyname is the attempted filename, it may be different if a file already exists at the path.

Parameters:
  • key_size (int) – RSA key size in bits
  • key_dir (str) – Key save directory.
  • keyname (str) – Filename of key
Returns:

Key
Return type:

letsencrypt.le_util.Key
Raises ValueError:
 

If unable to generate the key given key_size.
letsencrypt.crypto_util.init_save_csr(privkey, names, path, csrname='csr-letsencrypt.pem')[source]

Initialize a CSR with the given private key.

Parameters:
Returns:

CSR
Return type:

letsencrypt.le_util.CSR
letsencrypt.crypto_util.make_csr(key_str, domains)[source]

Generate a CSR.

Parameters:
  • key_str (str) – PEM-encoded RSA key.
  • domains (list) – Domains included in the certificate.

Todo

Detect duplicates in domains? Using a set doesn’t preserve order...

Returns:new CSR in PEM and DER form containing all domains
Return type:tuple
letsencrypt.crypto_util.valid_csr(csr)[source]

Validate CSR.

Check if csr is a valid CSR for the given domains.

Parameters:csr (str) – CSR in PEM.
Returns:Validity of CSR.
Return type:bool
letsencrypt.crypto_util.csr_matches_pubkey(csr, privkey)[source]

Does private key correspond to the subject public key in the CSR?

Parameters:
  • csr (str) – CSR in PEM.
  • privkey (str) – Private key file contents (PEM)
Returns:

Correspondence of private key to CSR subject public key.
Return type:

bool
letsencrypt.crypto_util.make_key(bits)[source]

Generate PEM encoded RSA key.

Parameters:bits (int) – Number of bits, at least 1024.
Returns:new RSA key in PEM form with specified number of bits
Return type:str
letsencrypt.crypto_util.valid_privkey(privkey)[source]

Is valid RSA private key?

Parameters:privkey (str) – Private key file contents in PEM
Returns:Validity of private key.
Return type:bool
letsencrypt.crypto_util.pyopenssl_load_certificate(data)[source]

Load PEM/DER certificate.

Raises errors.Error:
 
letsencrypt.crypto_util.get_sans_from_cert(cert, typ=1)[source]

Get a list of Subject Alternative Names from a certificate.

Parameters:
  • cert (str) – Certificate (encoded).
  • typOpenSSL.crypto.FILETYPE_PEM or OpenSSL.crypto.FILETYPE_ASN1
Returns:

A list of Subject Alternative Names.
Return type:

list
letsencrypt.crypto_util.get_sans_from_csr(csr, typ=1)[source]

Get a list of Subject Alternative Names from a CSR.

Parameters:
  • csr (str) – CSR (encoded).
  • typOpenSSL.crypto.FILETYPE_PEM or OpenSSL.crypto.FILETYPE_ASN1
Returns:

A list of Subject Alternative Names.
Return type:

list
letsencrypt.crypto_util.dump_pyopenssl_chain(chain, filetype=1)[source]

Dump certificate chain into a bundle.

Parameters:chain (list) – List of OpenSSL.crypto.X509 (or wrapped in acme.jose.ComparableX509).
letsencrypt.crypto_util.notBefore(cert_path)[source]

When does the cert at cert_path start being valid?

Parameters:cert_path (str) – path to a cert in PEM format
Returns:the notBefore value from the cert at cert_path
Return type:datetime.datetime
letsencrypt.crypto_util.notAfter(cert_path)[source]

When does the cert at cert_path stop being valid?

Parameters:cert_path (str) – path to a cert in PEM format
Returns:the notAfter value from the cert at cert_path
Return type:datetime.datetime
letsencrypt.crypto_util._notAfterBefore(cert_path, method)[source]

Internal helper function for finding notbefore/notafter.

Parameters:
  • cert_path (str) – path to a cert in PEM format
  • method (function) – one of OpenSSL.crypto.X509.get_notBefore or OpenSSL.crypto.X509.get_notAfter
Returns:

the notBefore or notAfter value from the cert at cert_path
Return type:

datetime.datetime