Class: QgsAuthCertUtils

class qgis.core.QgsAuthCertUtils

Bases: sip.wrapper

Utilities for working with certificates and keys

Methods

casFromFile

Returns a list of concatenated CAs from a PEM or DER formatted file

casMerge

casMerge merges two certificate bundles in a single one removing duplicates, the certificates from the bundle2 are appended to bundle1 if not already there

casRemoveSelfSigned

casRemoveSelfSigned remove self-signed CA certificates from caList

certFromFile

Returns the first cert from a PEM or DER formatted file

certIsCurrent

certIsCurrent checks if cert is viable for its not before and not after dates

certIsViable

certIsViable checks for viability errors of cert and whether it is NULL

certKeyBundleToPem

Returns list of certificate, private key and algorithm (as PEM text) from file path components

certViabilityErrors

certViabilityErrors checks basic characteristics (validity dates, blocklisting, etc.) of given cert

certificateIsAuthority

Gets whether a certificate is an Authority

certificateIsAuthorityOrIssuer

Gets whether a certificate is an Authority or can at least sign other certificates

certificateIsIssuer

Gets whether a certificate can sign other certificates

certificateIsSslClient

Gets whether a certificate is probably used for a client identity

certificateIsSslServer

Gets whether a certificate is probably used for a SSL server

certificateUsageTypes

Try to determine the certificates usage types

certsFromFile

Returns a list of concatenated certs from a PEM or DER formatted file

certsFromString

Returns a list of concatenated certs from a PEM Base64 text block

certsToPemText

certsToPemText dump a list of QSslCertificates to PEM text

fileData

Returns data from a local file via a read-only operation

getCaSourceName

Gets the general name for CA source enum type

getCertTrustName

Gets the general name for certificate trust

getColonDelimited

Gets string with colon delimiters every 2 characters

getSslProtocolName

SSL Protocol name strings per enum

keyFromFile

Returns non-encrypted key from a PEM or DER formatted file

mapDigestToCerts

Map certificate sha1 to certificate as simple cache

mapDigestToSslConfigs

Map SSL custom configs’ certificate sha1 to custom config as simple cache

pemIsPkcs8

Determine if the PEM-encoded text of a key is PKCS#8 format

pemTextToTempFile

Write a temporary file for a PEM text of cert/key/CAs bundle component

pkcs12BundleCas

Returns list of CA certificates (as QSslCertificate) for a PKCS#12 bundle

pkcs12BundleToPem

Returns list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle

resolvedCertName

Gets the general name via RFC 5280 resolution

shaHexForCert

Gets the sha1 hash for certificate

sslErrorEnumString

Gets short strings describing an SSL error

validateCertChain

validateCertChain validates the given certificateChain

validatePKIBundle

validatePKIBundle validate the PKI bundle by checking the certificate chain, the expiration and effective dates, optionally trusts the root CA

Attributes

AnyOrUnspecifiedUsage

CRLSigningUsage

CertAuthorityUsage

CertIssuerUsage

CodeSigningUsage

Connection

DefaultTrust

EmailProtectionUsage

ExtendedKeyUsage

FromFile

InDatabase

KeyUsage

NoPolicy

SystemRoot

TimeStampingUsage

TlsClientUsage

TlsServerEvUsage

TlsServerUsage

Trusted

UndeterminedUsage

Untrusted

AnyOrUnspecifiedUsage = 1
CRLSigningUsage = 10
class CaCertSource

Bases: int

CertAuthorityUsage = 2
CertIssuerUsage = 3
class CertTrustPolicy

Bases: int

class CertUsageType

Bases: int

CodeSigningUsage = 7
Connection = 3
class ConstraintGroup

Bases: int

DefaultTrust = 0
EmailProtectionUsage = 8
ExtendedKeyUsage = 1
FromFile = 1
InDatabase = 2
KeyUsage = 0
NoPolicy = 3
SystemRoot = 0
TimeStampingUsage = 9
TlsClientUsage = 6
TlsServerEvUsage = 5
TlsServerUsage = 4
Trusted = 1
UndeterminedUsage = 0
Untrusted = 2
casFromFile(certspath: str) List[QSslCertificate]

Returns a list of concatenated CAs from a PEM or DER formatted file

Parameters

certspath (str) –

Return type

List[QSslCertificate]

casMerge(bundle1: Iterable[QSslCertificate], bundle2: Iterable[QSslCertificate]) List[QSslCertificate]

casMerge merges two certificate bundles in a single one removing duplicates, the certificates from the bundle2 are appended to bundle1 if not already there

Parameters
  • bundle1 (Iterable[QSslCertificate]) – first bundle

  • bundle2 (Iterable[QSslCertificate]) – second bundle

Return type

List[QSslCertificate]

Returns

a list of unique certificates

casRemoveSelfSigned(caList: Iterable[QSslCertificate]) List[QSslCertificate]

casRemoveSelfSigned remove self-signed CA certificates from caList

Parameters

caList (Iterable[QSslCertificate]) – list of CA certificates

Return type

List[QSslCertificate]

Returns

a list of non self-signed certificates

certFromFile(certpath: str) QSslCertificate

Returns the first cert from a PEM or DER formatted file

Parameters

certpath (str) –

Return type

QSslCertificate

certIsCurrent(cert: QSslCertificate) bool

certIsCurrent checks if cert is viable for its not before and not after dates

Parameters

cert (QSslCertificate) – certificate to be checked

Return type

bool

certIsViable(cert: QSslCertificate) bool

certIsViable checks for viability errors of cert and whether it is NULL

Parameters

cert (QSslCertificate) – certificate to be checked

Return type

bool

Returns

False if cert is NULL or has viability errors

certKeyBundleToPem(certpath: str, keypath: str, keypass: str = '', reencrypt: bool = True) List[str]

Returns list of certificate, private key and algorithm (as PEM text) from file path components

Parameters
  • certpath (str) – File path to certificate

  • keypath (str) – File path to private key

  • keypass (str = '') – Passphrase for private key

  • reencrypt (bool = True) – Whether to re-encrypt the private key with the passphrase

Return type

List[str]

Returns

certificate, private key, key’s algorithm type

certViabilityErrors(cert: QSslCertificate) List[QSslError]

certViabilityErrors checks basic characteristics (validity dates, blocklisting, etc.) of given cert

Parameters

cert (QSslCertificate) – certificate to be checked

Return type

List[QSslError]

Returns

list of QSslError (will return NO ERRORS if a null QSslCertificate is passed)

certificateIsAuthority(cert: QSslCertificate) bool

Gets whether a certificate is an Authority

Parameters

cert (QSslCertificate) –

Return type

bool

certificateIsAuthorityOrIssuer(cert: QSslCertificate) bool

Gets whether a certificate is an Authority or can at least sign other certificates

Parameters

cert (QSslCertificate) –

Return type

bool

certificateIsIssuer(cert: QSslCertificate) bool

Gets whether a certificate can sign other certificates

Parameters

cert (QSslCertificate) –

Return type

bool

certificateIsSslClient(cert: QSslCertificate) bool

Gets whether a certificate is probably used for a client identity

Parameters

cert (QSslCertificate) –

Return type

bool

certificateIsSslServer(cert: QSslCertificate) bool

Gets whether a certificate is probably used for a SSL server

Parameters

cert (QSslCertificate) –

Return type

bool

certificateUsageTypes(cert: QSslCertificate) List[QgsAuthCertUtils.CertUsageType]

Try to determine the certificates usage types

Parameters

cert (QSslCertificate) –

Return type

List[QgsAuthCertUtils.CertUsageType]

certsFromFile(certspath: str) List[QSslCertificate]

Returns a list of concatenated certs from a PEM or DER formatted file

Parameters

certspath (str) –

Return type

List[QSslCertificate]

certsFromString(pemtext: str) List[QSslCertificate]

Returns a list of concatenated certs from a PEM Base64 text block

Parameters

pemtext (str) –

Return type

List[QSslCertificate]

certsToPemText(certs: Iterable[QSslCertificate]) QByteArray

certsToPemText dump a list of QSslCertificates to PEM text

Parameters

certs (Iterable[QSslCertificate]) – list of certs

Return type

QByteArray

Returns

a byte array of concatenated certificates as PEM text

fileData(path: str) QByteArray

Returns data from a local file via a read-only operation

Parameters

path (str) – Path to file to read

Return type

QByteArray

Returns

All data contained in file or empty contents if file does not exist

getCaSourceName(source: QgsAuthCertUtils.CaCertSource, single: bool = False) str

Gets the general name for CA source enum type

Parameters
  • source (QgsAuthCertUtils.CaCertSource) – The enum source type for the CA

  • single (bool = False) – Whether to return singular or plural description

Return type

str

getCertTrustName(trust: QgsAuthCertUtils.CertTrustPolicy) str

Gets the general name for certificate trust

Parameters

trust (QgsAuthCertUtils.CertTrustPolicy) –

Return type

str

getColonDelimited(txt: str) str

Gets string with colon delimiters every 2 characters

Parameters

txt (str) –

Return type

str

getSslProtocolName(protocol: QSsl.SslProtocol) str

SSL Protocol name strings per enum

Parameters

protocol (QSsl.SslProtocol) –

Return type

str

keyFromFile(keypath: str, keypass: str = '', algtype: str = '') QSslKey

Returns non-encrypted key from a PEM or DER formatted file

Parameters
  • keypath (str) – File path to private key

  • keypass (str = '') – Passphrase for private key

  • algtype (str = '') – QString to set with resolved algorithm type

Return type

QSslKey

mapDigestToCerts(certs: Iterable[QSslCertificate]) Dict[str, QSslCertificate]

Map certificate sha1 to certificate as simple cache

Parameters

certs (Iterable[QSslCertificate]) –

Return type

Dict[str, QSslCertificate]

mapDigestToSslConfigs(configs: Iterable[QgsAuthConfigSslServer]) Dict[str, QgsAuthConfigSslServer]

Map SSL custom configs’ certificate sha1 to custom config as simple cache

Parameters

configs (Iterable[QgsAuthConfigSslServer]) –

Return type

Dict[str, QgsAuthConfigSslServer]

pemIsPkcs8(keyPemTxt: str) bool

Determine if the PEM-encoded text of a key is PKCS#8 format

Parameters

keyPemTxt (str) – PEM-encoded text

Return type

bool

Returns

True if PKCS#8, otherwise False

pemTextToTempFile(name: str, pemtext: Union[QByteArray, bytes, bytearray]) str

Write a temporary file for a PEM text of cert/key/CAs bundle component

Parameters
  • pemtext (Union[QByteArray) – Component content as PEM text

  • name (str) – Name of file

Return type

str

Returns

File path to temporary file

pkcs12BundleCas(bundlepath: str, bundlepass: str = '') List[QSslCertificate]

Returns list of CA certificates (as QSslCertificate) for a PKCS#12 bundle

Parameters
  • bundlepath (str) – File path to the PKCS bundle

  • bundlepass (str = '') – Passphrase for bundle

Return type

List[QSslCertificate]

Returns

list of certificate

pkcs12BundleToPem(bundlepath: str, bundlepass: str = '', reencrypt: bool = True) List[str]

Returns list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle

Parameters
  • bundlepath (str) – File path to the PKCS bundle

  • bundlepass (str = '') – Passphrase for bundle

  • reencrypt (bool = True) – Whether to re-encrypt the private key with the passphrase

Return type

List[str]

Returns

certificate, private key, key’s algorithm type

resolvedCertName(cert: QSslCertificate, issuer: bool = False) str

Gets the general name via RFC 5280 resolution

Parameters
  • cert (QSslCertificate) –

  • issuer (bool = False) –

Return type

str

shaHexForCert(cert: QSslCertificate, formatted: bool = False) str

Gets the sha1 hash for certificate

Parameters
  • cert (QSslCertificate) – Qt SSL certificate to generate hash from

  • formatted (bool = False) – Whether to colon-delimit the hash

Return type

str

sslErrorEnumString(errenum: QSslError.SslError) str

Gets short strings describing an SSL error

Parameters

errenum (QSslError.SslError) –

Return type

str

validateCertChain(certificateChain: Iterable[QSslCertificate], hostName: str = '', trustRootCa: bool = False) List[QSslError]

validateCertChain validates the given certificateChain

Parameters
  • certificateChain (Iterable[QSslCertificate]) – list of certificates to be checked, with leaf first and with optional root CA last

  • hostName (str = '') – (optional) name of the host to be verified

  • trustRootCa (bool = False) – if True the CA will be added to the trusted CAs for this validation check

Return type

List[QSslError]

Returns

list of QSslError, if the list is empty then the cert chain is valid

validatePKIBundle(bundle: QgsPkiBundle, useIntermediates: bool = True, trustRootCa: bool = False) List[str]

validatePKIBundle validate the PKI bundle by checking the certificate chain, the expiration and effective dates, optionally trusts the root CA

Parameters
  • bundle (QgsPkiBundle) –

  • useIntermediates (bool = True) – if True the intermediate certs are also checked

  • trustRootCa (bool = False) – if True the CA will be added to the trusted CAs for this validation check (if useIntermediates is False) this option is ignored and set to False

Return type

List[str]

Returns

a list of error strings, if the list is empty then the PKI bundle is valid