Subgroup: Auth

Class: QgsAuthCertUtils

class qgis.core.QgsAuthCertUtils

Bases: sip.wrapper

Utilities for working with certificates and keys

Methods

casFromFile – Returns a list of concatenated CAs from a PEM or DER formatted file
casMerge – Merges two certificate bundles into a single one, removing duplicates; certificates from bundle2 are appended to bundle1 if not already there
casRemoveSelfSigned – Removes self-signed CA certificates from caList
certFromFile – Returns the first cert from a PEM or DER formatted file
certIsCurrent – Checks whether cert is viable with respect to its not-before and not-after dates
certIsViable – Checks for viability errors of cert and whether it is NULL
certKeyBundleToPem – Returns list of certificate, private key and algorithm (as PEM text) from file path components
certViabilityErrors – Checks basic characteristics (validity dates, blacklisting, etc.) of the given cert
certificateIsAuthority – Gets whether a certificate is an Authority
certificateIsAuthorityOrIssuer – Gets whether a certificate is an Authority or can at least sign other certificates
certificateIsIssuer – Gets whether a certificate can sign other certificates
certificateIsSslClient – Gets whether a certificate is probably used for a client identity
certificateIsSslServer – Gets whether a certificate is probably used for an SSL server
certificateUsageTypes – Tries to determine the certificate's usage types
certsFromFile – Returns a list of concatenated certs from a PEM or DER formatted file
certsFromString – Returns a list of concatenated certs from a PEM Base64 text block
certsToPemText – Dumps a list of QSslCertificates to PEM text
fileData – Returns data from a local file via a read-only operation
getCaSourceName – Gets the general name for CA source enum type
getCertTrustName – Gets the general name for certificate trust
getColonDelimited – Gets string with colon delimiters every 2 characters
getSslProtocolName – SSL protocol name strings per enum
keyFromFile – Returns non-encrypted key from a PEM or DER formatted file
mapDigestToCerts – Maps certificate SHA-1 to certificate as a simple cache
mapDigestToSslConfigs – Maps SSL custom configs' certificate SHA-1 to custom config as a simple cache
pemIsPkcs8 – Determines if the PEM-encoded text of a key is PKCS#8 format
pemTextToTempFile – Writes a temporary file for a PEM text of cert/key/CAs bundle component
pkcs12BundleCas – Returns list of CA certificates (as QSslCertificate) for a PKCS#12 bundle
pkcs12BundleToPem – Returns list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle
resolvedCertName – Gets the general name via RFC 5280 resolution
shaHexForCert – Gets the SHA-1 hash for a certificate
sslErrorEnumString – Gets short strings describing an SSL error
validateCertChain – Validates the given certificateChain
validatePKIBundle – Validates the PKI bundle by checking the certificate chain and the expiration and effective dates; optionally trusts the root CA

Signals

Attributes

AnyOrUnspecifiedUsage
CRLSigningUsage
CertAuthorityUsage
CertIssuerUsage
CodeSigningUsage
Connection
DefaultTrust
EmailProtectionUsage
ExtendedKeyUsage
FromFile
InDatabase
KeyUsage
NoPolicy
SystemRoot
TimeStampingUsage
TlsClientUsage
TlsServerEvUsage
TlsServerUsage
Trusted
UndeterminedUsage
Untrusted
AnyOrUnspecifiedUsage = 1
CRLSigningUsage = 10
class CaCertSource

Bases: int

CertAuthorityUsage = 2
CertIssuerUsage = 3
class CertTrustPolicy

Bases: int

class CertUsageType

Bases: int

CodeSigningUsage = 7
Connection = 3
class ConstraintGroup

Bases: int

DefaultTrust = 0
EmailProtectionUsage = 8
ExtendedKeyUsage = 1
FromFile = 1
InDatabase = 2
KeyUsage = 0
NoPolicy = 3
SystemRoot = 0
TimeStampingUsage = 9
TlsClientUsage = 6
TlsServerEvUsage = 5
TlsServerUsage = 4
Trusted = 1
UndeterminedUsage = 0
Untrusted = 2
casFromFile(certspath: str) → List[QSslCertificate]

Returns a list of concatenated CAs from a PEM or DER formatted file

casMerge(bundle1: Iterable[QSslCertificate], bundle2: Iterable[QSslCertificate]) → List[QSslCertificate]

Merges two certificate bundles into a single one, removing duplicates; certificates from bundle2 are appended to bundle1 if not already there

Parameters:
  • bundle1 – first bundle
  • bundle2 – second bundle
Returns:

a list of unique certificates

casRemoveSelfSigned(caList: Iterable[QSslCertificate]) → List[QSslCertificate]

Removes self-signed CA certificates from caList

Parameters:
  • caList – list of CA certificates
Returns:

a list of non self-signed certificates

certFromFile(certpath: str) → QSslCertificate

Returns the first cert from a PEM or DER formatted file

certIsCurrent(cert: QSslCertificate) → bool

Checks whether cert is viable with respect to its not-before and not-after dates

Parameters:
  • cert – certificate to be checked

certIsViable(cert: QSslCertificate) → bool

Checks for viability errors of cert and whether it is NULL

Parameters:
  • cert – certificate to be checked
Returns:

false if cert is NULL or has viability errors

certKeyBundleToPem(certpath: str, keypath: str, keypass: str = '', reencrypt: bool = True) → List[str]

Returns list of certificate, private key and algorithm (as PEM text) from file path components

Parameters:
  • certpath – File path to certificate
  • keypath – File path to private key
  • keypass – Passphrase for private key
  • reencrypt – Whether to re-encrypt the private key with the passphrase
Returns:

certificate, private key, key’s algorithm type

certViabilityErrors(cert: QSslCertificate) → List[QSslError]

Checks basic characteristics (validity dates, blacklisting, etc.) of the given cert

Parameters:
  • cert – certificate to be checked
Returns:

list of QSslError. No errors are returned if a null QSslCertificate is passed, so the absence of errors does not by itself show that a certificate was present; certIsViable also checks for NULL

certificateIsAuthority(cert: QSslCertificate) → bool

Gets whether a certificate is an Authority

certificateIsAuthorityOrIssuer(cert: QSslCertificate) → bool

Gets whether a certificate is an Authority or can at least sign other certificates

certificateIsIssuer(cert: QSslCertificate) → bool

Gets whether a certificate can sign other certificates

certificateIsSslClient(cert: QSslCertificate) → bool

Gets whether a certificate is probably used for a client identity

certificateIsSslServer(cert: QSslCertificate) → bool

Gets whether a certificate is probably used for an SSL server

certificateUsageTypes(cert: QSslCertificate) → object

Tries to determine the certificate's usage types

certsFromFile(certspath: str) → List[QSslCertificate]

Returns a list of concatenated certs from a PEM or DER formatted file

certsFromString(pemtext: str) → List[QSslCertificate]

Returns a list of concatenated certs from a PEM Base64 text block

certsToPemText(certs: Iterable[QSslCertificate]) → QByteArray

Dumps a list of QSslCertificates to PEM text

Parameters:
  • certs – list of certs
Returns:

a byte array of concatenated certificates as PEM text

fileData(path: str) → QByteArray

Returns data from a local file via a read-only operation

Parameters:
  • path – Path to file to read
Returns:

All data contained in file or empty contents if file does not exist

getCaSourceName(source: QgsAuthCertUtils.CaCertSource, single: bool = False) → str

Gets the general name for CA source enum type

Parameters:
  • source – The enum source type for the CA
  • single – Whether to return singular or plural description

getCertTrustName(trust: QgsAuthCertUtils.CertTrustPolicy) → str

Gets the general name for certificate trust

getColonDelimited(txt: str) → str

Gets string with colon delimiters every 2 characters

getSslProtocolName(protocol: QSsl.SslProtocol) → str

SSL Protocol name strings per enum

keyFromFile(keypath: str, keypass: str = '', algtype: str = '') → QSslKey

Returns non-encrypted key from a PEM or DER formatted file

Parameters:
  • keypath – File path to private key
  • keypass – Passphrase for private key
  • algtype – QString to set with resolved algorithm type

mapDigestToCerts(certs: Iterable[QSslCertificate]) → object

Maps certificate SHA-1 to certificate as a simple cache

mapDigestToSslConfigs(configs: object) → object

Maps SSL custom configs' certificate SHA-1 to custom config as a simple cache

pemIsPkcs8(keyPemTxt: str) → bool

Determines if the PEM-encoded text of a key is PKCS#8 format

Parameters:
  • keyPemTxt – PEM-encoded text
Returns:

True if PKCS#8, otherwise false

pemTextToTempFile(name: str, pemtext: Union[QByteArray, bytes, bytearray]) → str

Writes a temporary file for a PEM text of cert/key/CAs bundle component

Parameters:
  • pemtext – Component content as PEM text
  • name – Name of file
Returns:

File path to temporary file

pkcs12BundleCas(bundlepath: str, bundlepass: str = '') → List[QSslCertificate]

Returns list of CA certificates (as QSslCertificate) for a PKCS#12 bundle

Parameters:
  • bundlepath – File path to the PKCS bundle
  • bundlepass – Passphrase for bundle
Returns:

list of certificate

pkcs12BundleToPem(bundlepath: str, bundlepass: str = '', reencrypt: bool = True) → List[str]

Returns list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle

Parameters:
  • bundlepath – File path to the PKCS bundle
  • bundlepass – Passphrase for bundle
  • reencrypt – Whether to re-encrypt the private key with the passphrase
Returns:

certificate, private key, key’s algorithm type

resolvedCertName(cert: QSslCertificate, issuer: bool = False) → str

Gets the general name via RFC 5280 resolution

shaHexForCert(cert: QSslCertificate, formatted: bool = False) → str

Gets the SHA-1 hash for a certificate

Parameters:
  • cert – Qt SSL certificate to generate hash from
  • formatted – Whether to colon-delimit the hash
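
The digest-keyed handling described for casMerge, mapDigestToCerts, shaHexForCert and getColonDelimited, as an added stand-alone Python sketch; it is not QGIS code and does not call qgis.core. The function names are hypothetical, keying on the SHA-1 of the DER bytes is an assumption about equivalent behaviour, and the sample "certificates" are constructed placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def ders_from_pem(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]

def sha1_hex(der, formatted=False):
    """SHA-1 of the DER encoding; optionally colon-delimited every 2 chars."""
    digest = hashlib.sha1(der).hexdigest()
    if formatted:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest

def map_digest_to_certs(ders):
    """Digest -> DER lookup table, usable as a simple cache."""
    return {sha1_hex(der): der for der in ders}

def merge_bundles(bundle1, bundle2):
    """Keep bundle1 order, then append bundle2 entries not already present."""
    seen, merged = set(), []
    for der in list(bundle1) + list(bundle2):
        fingerprint = sha1_hex(der)
        if fingerprint not in seen:
            seen.add(fingerprint)
            merged.append(der)
    return merged

def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder byte strings, not real certificates.
ROOT, INTERMEDIATE, OTHER = b"constructed-root", b"constructed-inter", b"constructed-other"
BUNDLE1 = to_pem(ROOT) + to_pem(INTERMEDIATE)
BUNDLE2 = to_pem(INTERMEDIATE) + to_pem(OTHER)

if __name__ == "__main__":
    for der in merge_bundles(ders_from_pem(BUNDLE1), ders_from_pem(BUNDLE2)):
        print(sha1_hex(der, formatted=True))
```

A matching digest only identifies a certificate for lookup and de-duplication; whether it is acceptable is still decided by the chain and validity checks (validateCertChain, certViabilityErrors).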

sslErrorEnumString(errenum: QSslError.SslError) → str

Gets short strings describing an SSL error

validateCertChain(certificateChain: Iterable[QSslCertificate], hostName: str = '', trustRootCa: bool = False) → List[QSslError]

Validates the given certificateChain

Parameters:
  • certificateChain – list of certificates to be checked, with leaf first and with optional root CA last
  • hostName – (optional) name of the host to be verified
  • trustRootCa – if true the CA will be added to the trusted CAs for this validation check
Returns:

list of QSslError, if the list is empty then the cert chain is valid

validatePKIBundle(bundle: QgsPkiBundle, useIntermediates: bool = True, trustRootCa: bool = False) → List[str]

Validates the PKI bundle by checking the certificate chain and the expiration and effective dates; optionally trusts the root CA

Parameters:
  • bundle
  • useIntermediates – if true the intermediate certs are also checked
  • trustRootCa – if true the CA will be added to the trusted CAs for this validation check; if useIntermediates is false this option is ignored and set to false
Returns:

a list of error strings, if the list is empty then the PKI bundle is valid