certvalidator
A Python library for validating X.509 certificates or paths. Supports various options, including: validation at a specific moment in time, whitelisting and revocation checks.
- Features
- Related Crypto Libraries
- Current Release
- Dependencies
- Installation
- License
- Documentation
- Continuous Integration
- Testing
- Development
- CI Tasks
Features
- X.509 path building
- X.509 basic path validation
- Signatures
- RSA, DSA and EC algorithms
- Name chaining
- Validity dates
- Basic constraints extension
- CA flag
- Path length constraint
- Key usage extension
- Extended key usage extension
- Certificate policies
- Policy constraints
- Policy mapping
- Inhibit anyPolicy
- Failure on unknown/unsupported critical extensions
- Signatures
- TLS/SSL server validation
- Whitelisting certificates
- Blacklisting hash algorithms
- Revocation checks
- CRLs
- Indirect CRLs
- Delta CRLs
- OCSP checks
- Delegated OCSP responders
- Disable, require or allow soft failures
- Caching of CRLs/OCSP responses
- CRLs
- CRL and OCSP HTTP clients
- Point-in-time validation
Unsupported features:
- Name constraints
Related Crypto Libraries
certvalidator is part of the modularcrypto family of Python packages:
Current Release
0.11.1 - changelog
Dependencies
- asn1crypto
- oscrypto
- Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9 or pypy
Installation
pip install certvalidator
License
certvalidator is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.
Documentation
Continuous Integration
Various combinations of platforms and versions of Python are tested via:
- macOS, Linux, Windows via GitHub Actions
- arm64 via CircleCI
Testing
Tests are written using unittest
and require no third-party packages.
Depending on what type of source is available for the package, the following commands can be used to run the test suite.
Git Repository
When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:
python run.py tests
To run only some tests, pass a regular expression as a parameter to tests
.
python run.py tests path
PyPi Source Distribution
When working within an extracted source distribution (aka .tar.gz
) from
PyPi, the full test suite is run via:
python setup.py test
Test Cases
The test cases for the library are comprised of:
- Public Key Interoperability Test Suite from NIST
- OCSP tests from OpenSSL
- Various certificates generated for TLS certificate validation
Development
To install the package used for linting, execute:
pip install --user -r requires/lint
The following command will run the linter:
python run.py lint
Support for code coverage can be installed via:
pip install --user -r requires/coverage
Coverage is measured by running:
python run.py coverage
To install the packages requires to generate the API documentation, run:
pip install --user -r requires/api_docs
The documentation can then be generated by running:
python run.py api_docs
The following will run a test that connects to all (non-adult) sites in the Alexa top 1000 that respond on port 443:
python run.py stress_test
Once the script is complete, results that differ between the OS validation and the certvalidator validation will be listed for further debugging.
To change the version number of the package, run:
python run.py version {pep440_version}
To install the necessary packages for releasing a new version on PyPI, run:
pip install --user -r requires/release
Releases are created by:
-
Making a git tag in PEP 440 format
-
Running the command:
python run.py release
Existing releases can be found at https://pypi.org/project/certvalidator.
CI Tasks
A task named deps
exists to ensure a modern version of pip
is installed,
along with all necessary testing dependencies.
The ci
task runs lint
(if flake8 is avaiable for the version of Python) and
coverage
(or tests
if coverage is not available for the version of Python).
If the current directory is a clean git working copy, the coverage data is
submitted to codecov.io.
python run.py deps
python run.py ci