Subgroup: Auth

Class: QgsAuthCertUtils

class qgis.core.QgsAuthCertUtils

Bases: sip.wrapper

Utilities for working with certificates and keys

Methods

casFromFile Return list of concatenated CAs from a PEM or DER formatted file
casMerge casMerge merges two certificate bundles into a single one, removing duplicates; the certificates from bundle2 are appended to bundle1 if not already there
casRemoveSelfSigned casRemoveSelfSigned removes self-signed CA certificates from caList
certFromFile Return first cert from a PEM or DER formatted file
certIsCurrent certIsCurrent checks if cert is viable for its not before and not after dates
certIsViable certIsViable checks for viability errors of cert and whether it is NULL
certKeyBundleToPem Return list of certificate, private key and algorithm (as PEM text) from file path components
certViabilityErrors certViabilityErrors checks basic characteristics (validity dates, blacklisting, etc.) of given cert
certificateIsAuthority Get whether a certificate is an Authority
certificateIsAuthorityOrIssuer Get whether a certificate is an Authority or can at least sign other certificates
certificateIsIssuer Get whether a certificate can sign other certificates
certificateIsSslClient Get whether a certificate is probably used for a client identity
certificateIsSslServer Get whether a certificate is probably used for an SSL server
certificateUsageTypes Try to determine the certificate's usage types
certsFromFile Return list of concatenated certs from a PEM or DER formatted file
certsFromString Return list of concatenated certs from a PEM Base64 text block
certsToPemText certsToPemText dumps a list of QSslCertificates to PEM text
fileData Return data from a local file via a read-only operation
getCaSourceName Get the general name for CA source enum type
getCertTrustName Get the general name for certificate trust
getColonDelimited Get string with colon delimiters every 2 characters
getSslProtocolName SSL Protocol name strings per enum
keyFromFile Return non-encrypted key from a PEM or DER formatted file
mapDigestToCerts Map certificate sha1 to certificate as simple cache
mapDigestToSslConfigs Map SSL custom configs’ certificate sha1 to custom config as simple cache
pemIsPkcs8 Determine if the PEM-encoded text of a key is PKCS#8 format
pemTextToTempFile Write a temporary file for a PEM text of cert/key/CAs bundle component
pkcs12BundleCas Return list of CA certificates (as QSslCertificate) for a PKCS#12 bundle
pkcs12BundleToPem Return list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle
resolvedCertName Get the general name via RFC 5280 resolution
shaHexForCert Get the sha1 hash for certificate
sslErrorEnumString Get short strings describing an SSL error
validateCertChain validateCertChain validates the given certificateChain
validatePKIBundle validatePKIBundle validates the PKI bundle by checking the certificate chain and the expiration and effective dates, optionally trusting the root CA

Signals

Attributes

AnyOrUnspecifiedUsage
CRLSigningUsage
CertAuthorityUsage
CertIssuerUsage
CodeSigningUsage
Connection
DefaultTrust
EmailProtectionUsage
ExtendedKeyUsage
FromFile
InDatabase
KeyUsage
NoPolicy
SystemRoot
TimeStampingUsage
TlsClientUsage
TlsServerEvUsage
TlsServerUsage
Trusted
UndeterminedUsage
Untrusted
AnyOrUnspecifiedUsage = 1
CRLSigningUsage = 10
class CaCertSource

Bases: int

CertAuthorityUsage = 2
CertIssuerUsage = 3
class CertTrustPolicy

Bases: int

class CertUsageType

Bases: int

CodeSigningUsage = 7
Connection = 3
class ConstraintGroup

Bases: int

DefaultTrust = 0
EmailProtectionUsage = 8
ExtendedKeyUsage = 1
FromFile = 1
InDatabase = 2
KeyUsage = 0
NoPolicy = 3
SystemRoot = 0
TimeStampingUsage = 9
TlsClientUsage = 6
TlsServerEvUsage = 5
TlsServerUsage = 4
Trusted = 1
UndeterminedUsage = 0
Untrusted = 2
casFromFile(certspath: str) → List[QSslCertificate]

Return list of concatenated CAs from a PEM or DER formatted file

casMerge(bundle1: Iterable[QSslCertificate], bundle2: Iterable[QSslCertificate]) → List[QSslCertificate]

casMerge merges two certificate bundles into a single one, removing duplicates; the certificates from bundle2 are appended to bundle1 if not already there

Parameters:
  • bundle1 – first bundle
  • bundle2 – second bundle
Returns:

a list of unique certificates

casRemoveSelfSigned(caList: Iterable[QSslCertificate]) → List[QSslCertificate]

casRemoveSelfSigned removes self-signed CA certificates from caList

Parameters: caList – list of CA certificates
Returns: a list of non self-signed certificates

certFromFile(certpath: str) → QSslCertificate

Return first cert from a PEM or DER formatted file

certIsCurrent(cert: QSslCertificate) → bool

certIsCurrent checks if cert is viable for its not before and not after dates

Parameters: cert – certificate to be checked

certIsViable(cert: QSslCertificate) → bool

certIsViable checks for viability errors of cert and whether it is NULL

Parameters: cert – certificate to be checked
Returns: false if cert is NULL or has viability errors

certKeyBundleToPem(certpath: str, keypath: str, keypass: str = '', reencrypt: bool = True) → List[str]

Return list of certificate, private key and algorithm (as PEM text) from file path components

Parameters:
  • certpath – File path to certificate
  • keypath – File path to private key
  • keypass – Passphrase for private key
  • reencrypt – Whether to re-encrypt the private key with the passphrase
Returns:

certificate, private key, key’s algorithm type

certViabilityErrors(cert: QSslCertificate) → List[QSslError]

certViabilityErrors checks basic characteristics (validity dates, blacklisting, etc.) of given cert

Parameters: cert – certificate to be checked
Returns: list of QSslError (returns no errors if a null QSslCertificate is passed)

certificateIsAuthority(cert: QSslCertificate) → bool

Get whether a certificate is an Authority

certificateIsAuthorityOrIssuer(cert: QSslCertificate) → bool

Get whether a certificate is an Authority or can at least sign other certificates

certificateIsIssuer(cert: QSslCertificate) → bool

Get whether a certificate can sign other certificates

certificateIsSslClient(cert: QSslCertificate) → bool

Get whether a certificate is probably used for a client identity

certificateIsSslServer(cert: QSslCertificate) → bool

Get whether a certificate is probably used for an SSL server

certificateUsageTypes(cert: QSslCertificate) → object

Try to determine the certificate's usage types

certsFromFile(certspath: str) → List[QSslCertificate]

Return list of concatenated certs from a PEM or DER formatted file

certsFromString(pemtext: str) → List[QSslCertificate]

Return list of concatenated certs from a PEM Base64 text block

certsToPemText(certs: Iterable[QSslCertificate]) → QByteArray

certsToPemText dumps a list of QSslCertificates to PEM text

Parameters: certs – list of certs
Returns: a byte array of concatenated certificates as PEM text

fileData(path: str) → QByteArray

Return data from a local file via a read-only operation

Parameters: path – Path to file to read
Returns: All data contained in file or empty contents if file does not exist

getCaSourceName(source: QgsAuthCertUtils.CaCertSource, single: bool = False) → str

Get the general name for CA source enum type

Parameters:
  • source – The enum source type for the CA
  • single – Whether to return singular or plural description

getCertTrustName(trust: QgsAuthCertUtils.CertTrustPolicy) → str

Get the general name for certificate trust

getColonDelimited(txt: str) → str

Get string with colon delimiters every 2 characters

getSslProtocolName(protocol: QSsl.SslProtocol) → str

SSL Protocol name strings per enum

keyFromFile(keypath: str, keypass: str = '', algtype: str = '') → QSslKey

Return non-encrypted key from a PEM or DER formatted file

Parameters:
  • keypath – File path to private key
  • keypass – Passphrase for private key
  • algtype – QString to set with resolved algorithm type

mapDigestToCerts(certs: Iterable[QSslCertificate]) → object

Map certificate sha1 to certificate as simple cache

mapDigestToSslConfigs(configs: object) → object

Map SSL custom configs’ certificate sha1 to custom config as simple cache

pemIsPkcs8(keyPemTxt: str) → bool

Determine if the PEM-encoded text of a key is PKCS#8 format

Parameters: keyPemTxt – PEM-encoded text
Returns: True if PKCS#8, otherwise false

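The PKCS#8 distinction that pemIsPkcs8 reports is visible in the key's DER structure, independent of the PEM label. The following is an added example, not QGIS code and not a description of how QgsAuthCertUtils implements the check; it uses only the Python standard library, and the helper names (read_tlv, key_container, is_pkcs8, tlv, pem) and the sample structures are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def key_container(pem_text):
    """Return (pem_label, container) judged by DER shape, not by the label.
    Legacy PEM with Proc-Type/DEK-Info headers fails base64 validation and raises."""
    m = PEM_RE.search(pem_text)
    if not m or "PRIVATE KEY" not in m[1]:
        raise ValueError("no private key PEM block found")
    der = base64.b64decode("".join(m[2].split()), validate=True)
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    first, _, nxt = read_tlv(der, pos)
    if first == 0x30:  # AlgorithmIdentifier comes first: EncryptedPrivateKeyInfo
        return m[1], "pkcs8-encrypted"
    second = read_tlv(der, nxt)[0] if first == 0x02 else None
    # After the version INTEGER: SEQUENCE = PKCS#8, INTEGER = PKCS#1 RSA, OCTET STRING = SEC1 EC
    return m[1], {0x30: "pkcs8", 0x02: "pkcs1-rsa", 0x04: "sec1-ec"}.get(second, "unknown")

def is_pkcs8(pem_text):
    return key_container(pem_text)[1].startswith("pkcs8")

# Constructed sample structures with placeholder bytes, not real key material.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only (< 128 bytes)
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
PKCS8_SHAPED = tlv(0x30, tlv(0x02, b"\x00") + RSA_ALG + tlv(0x04, b"\x00" * 8))
PKCS1_SHAPED = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x01" * 8) + tlv(0x02, b"\x03"))
```

A PKCS#1-shaped body wrapped in a `PRIVATE KEY` label is reported as `pkcs1-rsa`, which is the case a label-only check would get wrong.
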
pemTextToTempFile(name: str, pemtext: Union[QByteArray, bytes, bytearray]) → str

Write a temporary file for a PEM text of cert/key/CAs bundle component

Parameters:
  • pemtext – Component content as PEM text
  • name – Name of file
Returns:

File path to temporary file

pkcs12BundleCas(bundlepath: str, bundlepass: str = '') → List[QSslCertificate]

Return list of CA certificates (as QSslCertificate) for a PKCS#12 bundle

Parameters:
  • bundlepath – File path to the PKCS bundle
  • bundlepass – Passphrase for bundle
Returns:

list of certificate

pkcs12BundleToPem(bundlepath: str, bundlepass: str = '', reencrypt: bool = True) → List[str]

Return list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle

Parameters:
  • bundlepath – File path to the PKCS bundle
  • bundlepass – Passphrase for bundle
  • reencrypt – Whether to re-encrypt the private key with the passphrase
Returns:

certificate, private key, key’s algorithm type

resolvedCertName(cert: QSslCertificate, issuer: bool = False) → str

Get the general name via RFC 5280 resolution

shaHexForCert(cert: QSslCertificate, formatted: bool = False) → str

Get the sha1 hash for certificate

Parameters:
  • cert – Qt SSL certificate to generate hash from
  • formatted – Whether to colon-delimit the hash

sslErrorEnumString(errenum: QSslError.SslError) → str

Get short strings describing an SSL error

validateCertChain(certificateChain: Iterable[QSslCertificate], hostName: str = '', trustRootCa: bool = False) → List[QSslError]

validateCertChain validates the given certificateChain

Parameters:
  • certificateChain – list of certificates to be checked, with leaf first and with optional root CA last
  • hostName – (optional) name of the host to be verified
  • trustRootCa – if true the CA will be added to the trusted CAs for this validation check
Returns:

list of QSslError, if the list is empty then the cert chain is valid

validatePKIBundle(bundle: QgsPkiBundle, useIntermediates: bool = True, trustRootCa: bool = False) → List[str]

validatePKIBundle validates the PKI bundle by checking the certificate chain and the expiration and effective dates, optionally trusting the root CA

Parameters:
  • bundle
  • useIntermediates – if true the intermediate certs are also checked
  • trustRootCa – if true the CA will be added to the trusted CAs for this validation check (if useIntermediates is false this option is ignored and set to false)
Returns:

a list of error strings, if the list is empty then the PKI bundle is valid