Skip to content

Python library for validating X.509 certificates and paths

License

Notifications You must be signed in to change notification settings

mzegla/certvalidator

 
 

Repository files navigation

certvalidator

A Python library for validating X.509 certificates or paths. Supports various options, including: validation at a specific moment in time, whitelisting and revocation checks.

Travis CI AppVeyor CircleCI Codecov PyPI

Features

  • X.509 path building
  • X.509 basic path validation
    • Signatures
      • RSA, DSA and EC algorithms
    • Name chaining
    • Validity dates
    • Basic constraints extension
      • CA flag
      • Path length constraint
    • Key usage extension
    • Extended key usage extension
    • Certificate policies
      • Policy constraints
      • Policy mapping
      • Inhibit anyPolicy
    • Failure on unknown/unsupported critical extensions
  • TLS/SSL server validation
  • Whitelisting certificates
  • Blacklisting hash algorithms
  • Revocation checks
    • CRLs
      • Indirect CRLs
      • Delta CRLs
    • OCSP checks
      • Delegated OCSP responders
    • Disable, require or allow soft failures
    • Caching of CRLs/OCSP responses
  • CRL and OCSP HTTP clients
  • Point-in-time validation

Unsupported features:

  • Name constraints

Related Crypto Libraries

certvalidator is part of the modularcrypto family of Python packages:

Current Release

0.11.1 - changelog

Dependencies

  • asn1crypto
  • oscrypto
  • Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6 or pypy

Installation

pip install certvalidator

License

certvalidator is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

certvalidator documentation

Continuous Integration

Testing

Tests are written using unittest and require no third-party packages:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests path

Test Cases

The test cases for the library are comprised of:

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

Support for code coverage can be installed via:

pip install --user -r requires/coverage

Coverage is measured by running:

python run.py coverage

To install the packages requires to generate the API documentation, run:

pip install --user -r requires/api_docs

The documentation can then be generated by running:

python run.py api_docs

The following will run a test that connects to all (non-adult) sites in the Alexa top 1000 that respond on port 443:

python run.py stress_test

Once the script is complete, results that differ between the OS validation and the certvalidator validation will be listed for further debugging.

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

  • Making a git tag in semver format

  • Running the command:

    python run.py release

Existing releases can be found at https://pypi.python.org/pypi/certvalidator.

CI Tasks

A task named deps exists to ensure a modern version of pip is installed, along with all necessary testing dependencies.

The ci task runs lint (if flake8 is avaiable for the version of Python) and coverage (or tests if coverage is not available for the version of Python). If the current directory is a clean git working copy, the coverage data is submitted to codecov.io.

python run.py deps
python run.py ci

About

Python library for validating X.509 certificates and paths

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 100.0%