crypto — Generic cryptographic module

Elliptic curves

OpenSSL.crypto.get_elliptic_curves()

Return a set of objects representing the elliptic curves supported in the OpenSSL build in use.

The curve objects have a unicode name attribute by which they identify themselves.

The curve objects are useful as values for the argument accepted by Context.set_tmp_ecdh() to specify which elliptical curve should be used for ECDHE key exchange.

OpenSSL.crypto.get_elliptic_curve(name)

Return a single curve object selected by name.

See get_elliptic_curves() for information about curve objects.

If the named curve is not supported then ValueError is raised.

Serialization and deserialization

The following serialization functions take one of these constants to determine the format.

OpenSSL.crypto.FILETYPE_PEM

FILETYPE_PEM serializes data to a Base64-encoded encoded representation of the underlying ASN.1 data structure. This representation includes delimiters that define what data structure is contained within the Base64-encoded block: for example, for a certificate, the delimiters are -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

OpenSSL.crypto.FILETYPE_ASN1

FILETYPE_ASN1 serializes data to the underlying ASN.1 data structure. The format used by FILETYPE_ASN1 is also sometimes referred to as DER.

Certificates

OpenSSL.crypto.dump_certificate(type, cert)

Dump the certificate cert into a buffer string encoded with the type type.

OpenSSL.crypto.load_certificate(type, buffer)

Load a certificate (X509) from the string buffer encoded with the type type.

Certificate signing requests

OpenSSL.crypto.dump_certificate_request(type, req)

Dump the certificate request req into a buffer string encoded with the type type.

OpenSSL.crypto.load_certificate_request(type, buffer)

Load a certificate request (X509Req) from the string buffer encoded with the type type.

Private keys

OpenSSL.crypto.dump_privatekey(type, pkey, cipher=None, passphrase=None)

Dump the private key pkey into a buffer string encoded with the type type. Optionally (if type is FILETYPE_PEM) encrypting it using cipher and passphrase.

Parameters:
  • type – The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT)
  • pkey (PKey) – The PKey to dump
  • cipher – (optional) if encrypted PEM format, the cipher to use
  • passphrase – (optional) if encrypted PEM format, this can be either the passphrase to use, or a callback for providing the passphrase.
Returns:

The buffer with the dumped key in

Return type:

bytes

OpenSSL.crypto.load_privatekey(type, buffer[, passphrase])

Load a private key (PKey) from the string buffer encoded with the type type (must be one of FILETYPE_PEM and FILETYPE_ASN1).

passphrase must be either a string or a callback for providing the pass phrase.

Public keys

OpenSSL.crypto.dump_publickey(type, pkey)

Dump a public key to a buffer.

Parameters:
Returns:

The buffer with the dumped key in it.

Return type:

bytes

OpenSSL.crypto.load_publickey(type, buffer)

Load a public key from a buffer.

Parameters:
  • type – The file type (one of FILETYPE_PEM, FILETYPE_ASN1).
  • buffer (A Python string object, either unicode or bytestring.) – The buffer the key is stored in.
Returns:

The PKey object.

Return type:

PKey

Certificate revocation lists

OpenSSL.crypto.dump_crl(type, crl)

Dump a certificate revocation list to a buffer.

Parameters:
  • type – The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT).
  • crl (CRL) – The CRL to dump.
Returns:

The buffer with the CRL.

Return type:

bytes

OpenSSL.crypto.load_crl(type, buffer)

Load Certificate Revocation List (CRL) data from a string buffer. buffer encoded with the type type. The type type must either FILETYPE_PEM or FILETYPE_ASN1).

OpenSSL.crypto.load_pkcs7_data(type, buffer)

Load pkcs7 data from the string buffer encoded with the type type. The type type must either FILETYPE_PEM or FILETYPE_ASN1).

OpenSSL.crypto.load_pkcs12(buffer[, passphrase])

Load pkcs12 data from the string buffer. If the pkcs12 structure is encrypted, a passphrase must be included. The MAC is always checked and thus required.

See also the man page for the C function PKCS12_parse().

Signing and verifying signatures

OpenSSL.crypto.sign(key, data, digest)

Sign a data string using the given key and message digest.

key is a PKey instance. data is a str instance. digest is a str naming a supported message digest type, for example b"sha256".

New in version 0.11.

OpenSSL.crypto.verify(certificate, signature, data, digest)

Verify the signature for a data string.

certificate is a X509 instance corresponding to the private key which generated the signature. signature is a str instance giving the signature itself. data is a str instance giving the data to which the signature applies. digest is a str instance naming the message digest type of the signature, for example b"sha256".

New in version 0.11.

X509 objects

class OpenSSL.crypto.X509

An X.509 certificate.

add_extensions(extensions)

Add extensions to the certificate.

Parameters:extensions (An iterable of X509Extension objects.) – The extensions to add.
Returns:None
digest(digest_name)

Return the digest of the X509 object.

Parameters:digest_name (bytes) – The name of the digest algorithm to use.
Returns:The digest of the object, formatted as b":"-delimited hex pairs.
Return type:bytes
get_extension(index)

Get a specific extension of the certificate by index.

Extensions on a certificate are kept in order. The index parameter selects which extension will be returned.

Parameters:index (int) – The index of the extension to retrieve.
Returns:The extension at the specified index.
Return type:X509Extension
Raises:IndexError – If the extension index was out of bounds.

New in version 0.12.

get_extension_count()

Get the number of extensions on this certificate.

Returns:The number of extensions.
Return type:int

New in version 0.12.

get_issuer()

Return the issuer of this certificate.

This creates a new X509Name that wraps the underlying issuer name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other X509Name that refers to this issuer.

Returns:The issuer of this certificate.
Return type:X509Name
get_notAfter()

Get the timestamp at which the certificate stops being valid.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
Returns:A timestamp string, or None if there is none.
Return type:bytes or NoneType
get_notBefore()

Get the timestamp at which the certificate starts being valid.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
Returns:A timestamp string, or None if there is none.
Return type:bytes or NoneType
get_pubkey()

Get the public key of the certificate.

Returns:The public key.
Return type:PKey
get_serial_number()

Return the serial number of this certificate.

Returns:The serial number.
Return type:int
get_signature_algorithm()

Return the signature algorithm used in the certificate.

Returns:The name of the algorithm.
Return type:bytes
Raises:ValueError – If the signature algorithm is undefined.

New in version 0.13.

get_subject()

Return the subject of this certificate.

This creates a new X509Name that wraps the underlying subject name field on the certificate. Modifying it will modify the underlying certificate, and will have the effect of modifying any other X509Name that refers to this subject.

Returns:The subject of this certificate.
Return type:X509Name
get_version()

Return the version number of the certificate.

Returns:The version number of the certificate.
Return type:int
gmtime_adj_notAfter(amount)

Adjust the time stamp on which the certificate stops being valid.

Parameters:amount (int) – The number of seconds by which to adjust the timestamp.
Returns:None
gmtime_adj_notBefore(amount)

Adjust the timestamp on which the certificate starts being valid.

Parameters:amount – The number of seconds by which to adjust the timestamp.
Returns:None
has_expired()

Check whether the certificate has expired.

Returns:True if the certificate has expired, False otherwise.
Return type:bool
set_issuer(issuer)

Set the issuer of this certificate.

Parameters:issuer (X509Name) – The issuer.
Returns:None
set_notAfter(when)

Set the timestamp at which the certificate stops being valid.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
Parameters:when (bytes) – A timestamp string.
Returns:None
set_notBefore(when)

Set the timestamp at which the certificate starts being valid.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm
Parameters:when (bytes) – A timestamp string.
Returns:None
set_pubkey(pkey)

Set the public key of the certificate.

Parameters:pkey (PKey) – The public key.
Returns:None
set_serial_number(serial)

Set the serial number of the certificate.

Parameters:serial (int) – The new serial number.
Returns::py:data`None`
set_subject(subject)

Set the subject of this certificate.

Parameters:subject (X509Name) – The subject.
Returns:None
set_version(version)

Set the version number of the certificate.

Parameters:version (int) – The version number of the certificate.
Returns:None
sign(pkey, digest)

Sign the certificate with this key and digest type.

Parameters:
  • pkey (PKey) – The key to sign with.
  • digest (bytes) – The name of the message digest to use.
Returns:

None

subject_name_hash()

Return the hash of the X509 subject.

Returns:The hash of the subject.
Return type:bytes

X509Name objects

class OpenSSL.crypto.X509Name(name)

An X.509 Distinguished Name.

Variables:
  • countryName – The country of the entity.
  • C – Alias for countryName.
  • stateOrProvinceName – The state or province of the entity.
  • ST – Alias for stateOrProvinceName.
  • localityName – The locality of the entity.
  • L – Alias for localityName.
  • organizationName – The organization name of the entity.
  • O – Alias for organizationName.
  • organizationalUnitName – The organizational unit of the entity.
  • OU – Alias for organizationalUnitName
  • commonName – The common name of the entity.
  • CN – Alias for commonName.
  • emailAddress – The e-mail address of the entity.
__init__(name)

Create a new X509Name, copying the given X509Name instance.

Parameters:name (X509Name) – The name to copy.
der()

Return the DER encoding of this name.

Returns:The DER encoded form of this name.
Return type:bytes
get_components()

Returns the components of this name, as a sequence of 2-tuples.

Returns:The components of this name.
Return type:list of name, value tuples.
hash()

Return an integer representation of the first four bytes of the MD5 digest of the DER representation of the name.

This is the Python equivalent of OpenSSL’s X509_NAME_hash.

Returns:The (integer) hash of this name.
Return type:int

X509Req objects

class OpenSSL.crypto.X509Req

An X.509 certificate signing requests.

add_extensions(extensions)

Add extensions to the certificate signing request.

Parameters:extensions (iterable of X509Extension) – The X.509 extensions to add.
Returns:None
get_extensions()

Get X.509 extensions in the certificate signing request.

Returns:The X.509 extensions in this request.
Return type:list of X509Extension objects.

New in version 0.15.

get_pubkey()

Get the public key of the certificate signing request.

Returns:The public key.
Return type:PKey
get_subject()

Return the subject of this certificate signing request.

This creates a new X509Name that wraps the underlying subject name field on the certificate signing request. Modifying it will modify the underlying signing request, and will have the effect of modifying any other X509Name that refers to this subject.

Returns:The subject of this certificate signing request.
Return type:X509Name
get_version()

Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate request.

Returns:The value of the version subfield.
Return type:int
set_pubkey(pkey)

Set the public key of the certificate signing request.

Parameters:pkey (PKey) – The public key to use.
Returns:None
set_version(version)

Set the version subfield (RFC 2459, section 4.1.2.1) of the certificate request.

Parameters:version (int) – The version number.
Returns:None
sign(pkey, digest)

Sign the certificate signing request with this key and digest type.

Parameters:
  • pkey (PKey) – The key pair to sign with.
  • digest (bytes) – The name of the message digest to use for the signature, e.g. b"sha256".
Returns:

None

verify(pkey)

Verifies the signature on this certificate signing request.

Parameters:key (PKey) – A public key.
Returns:True if the signature is correct.
Return type:bool
Raises:OpenSSL.crypto.Error – If the signature is invalid or there is a problem verifying the signature.

X509Store objects

class OpenSSL.crypto.X509Store

An X.509 store.

An X.509 store is used to describe a context in which to verify a certificate. A description of a context may include a set of certificates to trust, a set of certificate revocation lists, verification flags and more.

An X.509 store, being only a description, cannot be used by itself to verify a certificate. To carry out the actual verification process, see X509StoreContext.

add_cert(cert)

Adds a trusted certificate to this store.

Adding a certificate with this method adds this certificate as a trusted certificate.

Parameters:

cert (X509) – The certificate to add to this store.

Raises:
Returns:

None if the certificate was added successfully.

add_crl(crl)

Add a certificate revocation list to this store.

The certificate revocation lists added to a store will only be used if the associated flags are configured to check certificate revocation lists.

New in version 16.1.0.

Parameters:crl (CRL) – The certificate revocation list to add to this store.
Returns:None if the certificate revocation list was added successfully.
set_flags(flags)

Set verification flags to this store.

Verification flags can be combined by oring them together.

Note

Setting a verification flag sometimes requires clients to add additional information to the store, otherwise a suitable error will be raised.

For example, in setting flags to enable CRL checking a suitable CRL must be added to the store otherwise an error will be raised.

New in version 16.1.0.

Parameters:flags (int) – The verification flags to set on this store. See X509StoreFlags for available constants.
Returns:None if the verification flags were successfully set.
set_time(vfy_time)

Set the time against which the certificates are verified.

Normally the current time is used.

Note

For example, you can determine if a certificate was valid at a given time.

New in version 16.3.0.

Parameters:vfy_time (datetime) – The verification time to set on this store.
Returns:None if the verification time was successfully set.

X509StoreContextError objects

class OpenSSL.crypto.X509StoreContextError(message, certificate)

An exception raised when an error occurred while verifying a certificate using OpenSSL.X509StoreContext.verify_certificate.

Variables:certificate – The certificate which caused verificate failure.

X509StoreContext objects

class OpenSSL.crypto.X509StoreContext(store, certificate)

An X.509 store context.

An X.509 store context is used to carry out the actual verification process of a certificate in a described context. For describing such a context, see X509Store.

Variables:
  • _store_ctx – The underlying X509_STORE_CTX structure used by this instance. It is dynamically allocated and automatically garbage collected.
  • _store – See the store __init__ parameter.
  • _cert – See the certificate __init__ parameter.
Parameters:
  • store (X509Store) – The certificates which will be trusted for the purposes of any verifications.
  • certificate (X509) – The certificate to be verified.
set_store(store)

Set the context’s X.509 store.

New in version 0.15.

Parameters:store (X509Store) – The store description which will be used for the purposes of any future verifications.
verify_certificate()

Verify a certificate in a context.

New in version 0.15.

Raises:X509StoreContextError – If an error occurred when validating a certificate in the context. Sets certificate attribute to indicate which certificate caused the error.

X509StoreFlags constants

class OpenSSL.crypto.X509StoreFlags

Flags for X509 verification, used to change the behavior of X509Store.

See OpenSSL Verification Flags for details.

CRL_CHECK
CRL_CHECK_ALL
IGNORE_CRITICAL
X509_STRICT
ALLOW_PROXY_CERTS
POLICY_CHECK
EXPLICIT_POLICY
INHIBIT_MAP
NOTIFY_POLICY
CHECK_SS_SIGNATURE
CB_ISSUER_CHECK

PKey objects

class OpenSSL.crypto.PKey

A class representing an DSA or RSA public key or key pair.

bits()

Returns the number of bits of the key

Returns:The number of bits of the key.
check()

Check the consistency of an RSA private key.

This is the Python equivalent of OpenSSL’s RSA_check_key.

Returns:

True if key is consistent.

Raises:
  • OpenSSL.crypto.Error – if the key is inconsistent.
  • TypeError – if the key is of a type which cannot be checked. Only RSA keys can currently be checked.
classmethod from_cryptography_key(crypto_key)

Construct based on a cryptography crypto_key.

Parameters:crypto_key (One of cryptography‘s key interfaces.) – A cryptography key.
Return type:PKey

New in version 16.1.0.

generate_key(type, bits)

Generate a key pair of the given type, with the given number of bits.

This generates a key “into” the this object.

Parameters:
  • type (TYPE_RSA or TYPE_DSA) – The key type.
  • bits (int >= 0) – The number of bits.
Raises:
  • TypeError – If type or bits isn’t of the appropriate type.
  • ValueError – If the number of bits isn’t an integer of the appropriate size.
Returns:

None

to_cryptography_key()

Export as a cryptography key.

Return type:One of cryptography‘s key interfaces.

New in version 16.1.0.

type()

Returns the type of the key

Returns:The type of the key.
OpenSSL.crypto.TYPE_RSA
OpenSSL.crypto.TYPE_DSA

Key type constants.

PKCS7 objects

PKCS7 objects have the following methods:

PKCS7.type_is_signed()

FIXME

PKCS7.type_is_enveloped()

FIXME

PKCS7.type_is_signedAndEnveloped()

FIXME

PKCS7.type_is_data()

FIXME

PKCS7.get_type_name()

Get the type name of the PKCS7.

PKCS12 objects

class OpenSSL.crypto.PKCS12

A PKCS #12 archive.

export(passphrase=None, iter=2048, maciter=1)

Dump a PKCS12 object as a string.

For more information, see the PKCS12_create() man page.

Parameters:
  • passphrase (bytes) – The passphrase used to encrypt the structure. Unlike some other passphrase arguments, this must be a string, not a callback.
  • iter (int) – Number of times to repeat the encryption step.
  • maciter (int) – Number of times to repeat the MAC step.
Returns:

The string representation of the PKCS #12 structure.

Return type:

get_ca_certificates()

Get the CA certificates in the PKCS #12 structure.

Returns:A tuple with the CA certificates in the chain, or None if there are none.
Return type:tuple of X509 or None
get_certificate()

Get the certificate in the PKCS #12 structure.

Returns:The certificate, or None if there is none.
Return type:X509 or None
get_friendlyname()

Get the friendly name in the PKCS# 12 structure.

Returns:The friendly name, or None if there is none.
Return type:bytes or None
get_privatekey()

Get the private key in the PKCS #12 structure.

Returns:The private key, or None if there is none.
Return type:PKey
set_ca_certificates(cacerts)

Replace or set the CA certificates within the PKCS12 object.

Parameters:cacerts (An iterable of X509 or None) – The new CA certificates, or None to unset them.
Returns:None
set_certificate(cert)

Set the certificate in the PKCS #12 structure.

Parameters:cert (X509 or None) – The new certificate, or None to unset it.
Returns:None
set_friendlyname(name)

Set the friendly name in the PKCS #12 structure.

Parameters:name (bytes or None) – The new friendly name, or None to unset.
Returns:None
set_privatekey(pkey)

Set the certificate portion of the PKCS #12 structure.

Parameters:pkey (PKey or None) – The new private key, or None to unset it.
Returns:None

X509Extension objects

class OpenSSL.crypto.X509Extension(type_name, critical, value, subject=None, issuer=None)

An X.509 v3 certificate extension.

__init__(type_name, critical, value, subject=None, issuer=None)

Initializes an X509 extension.

Parameters:
  • type_name (bytes) – The name of the type of extension to create.
  • critical (bool) – A flag indicating whether this is a critical extension.
  • value (bytes) – The value of the extension.
  • subject (X509) – Optional X509 certificate to use as subject.
  • issuer (X509) – Optional X509 certificate to use as issuer.
__str__()
Returns:a nice text representation of the extension
get_critical()

Returns the critical field of this X.509 extension.

Returns:The critical field.
get_data()

Returns the data of the X509 extension, encoded as ASN.1.

Returns:The ASN.1 encoded data of this X509 extension.
Return type:bytes

New in version 0.12.

get_short_name()

Returns the short type name of this X.509 extension.

The result is a byte string such as b"basicConstraints".

Returns:The short type name.
Return type:bytes

New in version 0.12.

NetscapeSPKI objects

class OpenSSL.crypto.NetscapeSPKI

A Netscape SPKI object.

b64_encode()

Generate a base64 encoded representation of this SPKI object.

Returns:The base64 encoded string.
Return type:bytes
get_pubkey()

Get the public key of this certificate.

Returns:The public key.
Return type:PKey
set_pubkey(pkey)

Set the public key of the certificate

Parameters:pkey – The public key
Returns:None
sign(pkey, digest)

Sign the certificate request with this key and digest type.

Parameters:
  • pkey (PKey) – The private key to sign with.
  • digest (bytes) – The message digest to use.
Returns:

None

verify(key)

Verifies a signature on a certificate request.

Parameters:key (PKey) – The public key that signature is supposedly from.
Returns:True if the signature is correct.
Return type:bool
Raises:OpenSSL.crypto.Error – If the signature is invalid, or there was a problem verifying the signature.

CRL objects

class OpenSSL.crypto.CRL

A certificate revocation list.

add_revoked(revoked)

Add a revoked (by value not reference) to the CRL structure

This revocation will be added by value, not by reference. That means it’s okay to mutate it after adding: it won’t affect this CRL.

Parameters:revoked (Revoked) – The new revocation.
Returns:None
export(cert, key, type=1, days=100, digest=<object object>)

Export the CRL as a string.

Parameters:
  • cert (X509) – The certificate used to sign the CRL.
  • key (PKey) – The key used to sign the CRL.
  • type (int) – The export format, either FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT.
  • days (int) – The number of days until the next update of this CRL.
  • digest (bytes) – The name of the message digest to use (eg b"sha2566").
Return type:

bytes

get_issuer()

Get the CRL’s issuer.

New in version 16.1.0.

Return type:X509Name
get_revoked()

Return the revocations in this certificate revocation list.

These revocations will be provided by value, not by reference. That means it’s okay to mutate them: it won’t affect this CRL.

Returns:The revocations in this CRL.
Return type:tuple of Revocation
set_lastUpdate(when)

Set when the CRL was last updated.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm

New in version 16.1.0.

Parameters:when (bytes) – A timestamp string.
Returns:None
set_nextUpdate(when)

Set when the CRL will next be udpated.

The timestamp is formatted as an ASN.1 GENERALIZEDTIME:

YYYYMMDDhhmmssZ
YYYYMMDDhhmmss+hhmm
YYYYMMDDhhmmss-hhmm

New in version 16.1.0.

Parameters:when (bytes) – A timestamp string.
Returns:None
set_version(version)

Set the CRL version.

New in version 16.1.0.

Parameters:version (int) – The version of the CRL.
Returns:None
sign(issuer_cert, issuer_key, digest)

Sign the CRL.

Signing a CRL enables clients to associate the CRL itself with an issuer. Before a CRL is meaningful to other OpenSSL functions, it must be signed by an issuer.

This method implicitly sets the issuer’s name based on the issuer certificate and private key used to sign the CRL.

New in version 16.1.0.

Parameters:
  • issuer_cert (X509) – The issuer’s certificate.
  • issuer_key (PKey) – The issuer’s private key.
  • digest (bytes) – The digest method to sign the CRL with.

Revoked objects

class OpenSSL.crypto.Revoked

A certificate revocation.

all_reasons()

Return a list of all the supported reason strings.

This list is a copy; modifying it does not change the supported reason strings.

Returns:A list of reason strings.
Return type:list of bytes
get_reason()

Get the reason of this revocation.

Returns:The reason, or None if there is none.
Return type:bytes or NoneType

See also

all_reasons(), which gives you a list of all supported reasons this method might return.

get_rev_date()

Get the revocation timestamp.

Returns:The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
Return type:bytes
get_serial()

Get the serial number.

The serial number is formatted as a hexadecimal number encoded in ASCII.

Returns:The serial number.
Return type:bytes
set_reason(reason)

Set the reason of this revocation.

If reason is None, delete the reason instead.

Parameters:reason (bytes or NoneType) – The reason string.
Returns:None

See also

all_reasons(), which gives you a list of all supported reasons which you might pass to this method.

set_rev_date(when)

Set the revocation timestamp.

Parameters:when (bytes) – The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
Returns:None
set_serial(hex_str)

Set the serial number.

The serial number is formatted as a hexadecimal number encoded in ASCII.

Parameters:hex_str (bytes) – The new serial number.
Returns:None

Exceptions

exception OpenSSL.crypto.Error

Generic exception used in the crypto module.

Digest names

Several of the functions and methods in this module take a digest name. These must be strings describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, b"sha256" or b"sha384".

More information and a list of these digest names can be found in the EVP_DigestInit(3) man page of your OpenSSL installation. This page can be found online for the latest version of OpenSSL: https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html

Backwards compatible type names

When pyOpenSSL was originally written, the most current version of Python was 2.1. It made a distinction between classes and types. None of the versions of Python currently supported by pyOpenSSL still enforce that distinction: the type of an instance of an X509 object is now simply X509. Originally, the type would have been X509Type. These days, X509Type and X509 are literally the same object. pyOpenSSL maintains these old names for backwards compatibility.

Here’s a table of these backwards-compatible names:

Type name Backwards-compatible name
X509 X509Type
X509Name X509NameType
X509Req X509ReqType
X509Store X509StoreType
X509Extension X509ExtensionType
PKey PKeyType
PKCS7 PKCS7Type
PKCS12 PKCS12Type
NetscapeSPKI NetscapeSPKIType
CRL CRLType

Some objects, such as Revoked, don’t have Type equivalents, because they were added after the restriction had been lifted.