Class: QgsAuthCertUtils¶

Utilities for working with certificates and keys.

class qgis.core.QgsAuthCertUtils[source]¶

Bases: object

AnyOrUnspecifiedUsage = 1¶

CRLSigningUsage = 10¶

class CaCertSource¶: Bases: int

CertAuthorityUsage = 2¶

CertIssuerUsage = 3¶

class CertTrustPolicy¶: Bases: int

class CertUsageType¶: Bases: int

CodeSigningUsage = 7¶

Connection = 3¶

class ConstraintGroup¶: Bases: int

DefaultTrust = 0¶

EmailProtectionUsage = 8¶

ExtendedKeyUsage = 1¶

FromFile = 1¶

InDatabase = 2¶

KeyUsage = 0¶

NoPolicy = 3¶

SystemRoot = 0¶

TimeStampingUsage = 9¶

TlsClientUsage = 6¶

TlsServerEvUsage = 5¶

TlsServerUsage = 4¶

Trusted = 1¶

UndeterminedUsage = 0¶

Untrusted = 2¶

static casFromFile(certspath: str | None) → List[QSslCertificate]¶

Returns a list of concatenated CAs from a PEM or DER formatted file

Parameters:: certspath (Optional[str])
Return type:: List[QSslCertificate]

static casMerge(bundle1: Iterable[QSslCertificate], bundle2: Iterable[QSslCertificate]) → List[QSslCertificate]¶

casMerge merges two certificate bundles in a single one removing duplicates, the certificates from the bundle2 are appended to bundle1 if not already there

Parameters:

bundle1 (Iterable[QSslCertificate]) – first bundle
bundle2 (Iterable[QSslCertificate]) – second bundle

Return type:

List[QSslCertificate]

Returns:

a list of unique certificates

static casRemoveSelfSigned(caList: Iterable[QSslCertificate]) → List[QSslCertificate]¶

casRemoveSelfSigned remove self-signed CA certificates from caList

Parameters:: caList (Iterable[QSslCertificate]) – list of CA certificates
Return type:: List[QSslCertificate]
Returns:: a list of non self-signed certificates

static certFromFile(certpath: str | None) → QSslCertificate[source]¶

Returns the first cert from a PEM or DER formatted file

Parameters:: certpath (Optional[str])
Return type:: QSslCertificate

static certIsCurrent(cert: QSslCertificate) → bool[source]¶

certIsCurrent checks if cert is viable for its not before and not after dates

Parameters:: cert (QSslCertificate) – certificate to be checked
Return type:: bool

static certIsViable(cert: QSslCertificate) → bool[source]¶

certIsViable checks for viability errors of cert and whether it is NULL

Parameters:: cert (QSslCertificate) – certificate to be checked
Return type:: bool
Returns:: False if cert is NULL or has viability errors

static certKeyBundleToPem(certpath: str | None, keypath: str | None, keypass: str | None = '', reencrypt: bool = True) → List[str][source]¶

Returns list of certificate, private key and algorithm (as PEM text) from file path components

Parameters:

certpath (Optional[str]) – File path to certificate
keypath (Optional[str]) – File path to private key
keypass (Optional[str] = '') – Passphrase for private key
reencrypt (bool = True) – Whether to re-encrypt the private key with the passphrase

Return type:

List[str]

Returns:

certificate, private key, key’s algorithm type

static certViabilityErrors(cert: QSslCertificate) → List[QSslError]¶

certViabilityErrors checks basic characteristics (validity dates, blocklisting, etc.) of given cert

Parameters:: cert (QSslCertificate) – certificate to be checked
Return type:: List[QSslError]
Returns:: list of QSslError (will return NO ERRORS if a null QSslCertificate is passed)

static certificateIsAuthority(cert: QSslCertificate) → bool[source]¶

Gets whether a certificate is an Authority

Parameters:: cert (QSslCertificate)
Return type:: bool

static certificateIsAuthorityOrIssuer(cert: QSslCertificate) → bool[source]¶

Gets whether a certificate is an Authority or can at least sign other certificates

Parameters:: cert (QSslCertificate)
Return type:: bool

static certificateIsIssuer(cert: QSslCertificate) → bool[source]¶

Gets whether a certificate can sign other certificates

Parameters:: cert (QSslCertificate)
Return type:: bool

static certificateIsSslClient(cert: QSslCertificate) → bool[source]¶

Gets whether a certificate is probably used for a client identity

Parameters:: cert (QSslCertificate)
Return type:: bool

static certificateIsSslServer(cert: QSslCertificate) → bool[source]¶

Gets whether a certificate is probably used for a SSL server

Parameters:: cert (QSslCertificate)
Return type:: bool

static certificateUsageTypes(cert: QSslCertificate) → List[QgsAuthCertUtils.CertUsageType]¶

Try to determine the certificates usage types

Parameters:: cert (QSslCertificate)
Return type:: List[QgsAuthCertUtils.CertUsageType]

static certsFromFile(certspath: str | None) → List[QSslCertificate]¶

Returns a list of concatenated certs from a PEM or DER formatted file

Parameters:: certspath (Optional[str])
Return type:: List[QSslCertificate]

static certsFromString(pemtext: str | None) → List[QSslCertificate]¶

Returns a list of concatenated certs from a PEM Base64 text block

Parameters:: pemtext (Optional[str])
Return type:: List[QSslCertificate]

static certsToPemText(certs: Iterable[QSslCertificate]) → QByteArray[source]¶

certsToPemText dump a list of QSslCertificates to PEM text

Parameters:: certs (Iterable[QSslCertificate]) – list of certs
Return type:: QByteArray
Returns:: a byte array of concatenated certificates as PEM text

static fileData(path: str | None) → QByteArray[source]¶

Returns data from a local file via a read-only operation

Parameters:: path (Optional[str]) – Path to file to read
Return type:: QByteArray
Returns:: All data contained in file or empty contents if file does not exist

static getCaSourceName(source: QgsAuthCertUtils.CaCertSource, single: bool = False) → str[source]¶

Gets the general name for CA source enum type

Parameters:

source (QgsAuthCertUtils.CaCertSource) – The enum source type for the CA
single (bool = False) – Whether to return singular or plural description

Return type:

str

static getCertTrustName(trust: QgsAuthCertUtils.CertTrustPolicy) → str[source]¶

Gets the general name for certificate trust

Parameters:: trust (QgsAuthCertUtils.CertTrustPolicy)
Return type:: str

static getColonDelimited(txt: str | None) → str[source]¶

Gets string with colon delimiters every 2 characters

Parameters:: txt (Optional[str])
Return type:: str

static getSslProtocolName(protocol: QSsl.SslProtocol) → str[source]¶

SSL Protocol name strings per enum

Parameters:: protocol (QSsl.SslProtocol)
Return type:: str

static keyFromFile(keypath: str | None, keypass: str | None = '', algtype: str | None | None = '') → QSslKey[source]¶

Returns non-encrypted key from a PEM or DER formatted file

Parameters:

keypath (Optional[str]) – File path to private key
keypass (Optional[str] = '') – Passphrase for private key
algtype (Optional[Optional[str]] = '') – string to set with resolved algorithm type

Return type:

QSslKey

static mapDigestToCerts(certs: Iterable[QSslCertificate]) → Dict[str, QSslCertificate]¶

Map certificate sha1 to certificate as simple cache

Parameters:: certs (Iterable[QSslCertificate])
Return type:: Dict[str, QSslCertificate]

static mapDigestToSslConfigs(configs: Iterable[QgsAuthConfigSslServer]) → Dict[str, QgsAuthConfigSslServer]¶

Map SSL custom configs’ certificate sha1 to custom config as simple cache

Parameters:: configs (Iterable[QgsAuthConfigSslServer])
Return type:: Dict[str, QgsAuthConfigSslServer]

static pemIsPkcs8(keyPemTxt: str | None) → bool[source]¶

Determine if the PEM-encoded text of a key is PKCS#8 format

Parameters:: keyPemTxt (Optional[str]) – PEM-encoded text
Return type:: bool
Returns:: True if PKCS#8, otherwise False

static pemTextToTempFile(name: str | None, pemtext: QByteArray | bytes | bytearray) → str[source]¶

Write a temporary file for a PEM text of cert/key/CAs bundle component

Parameters:

pemtext (Union[QByteArray, bytes, bytearray]) – Component content as PEM text
name (Optional[str]) – Name of file

Return type:

str

Returns:

File path to temporary file

static pkcs12BundleCas(bundlepath: str | None, bundlepass: str | None = '') → List[QSslCertificate]¶

Returns list of CA certificates (as QSslCertificate) for a PKCS#12 bundle

Parameters:

bundlepath (Optional[str]) – File path to the PKCS bundle
bundlepass (Optional[str] = '') – Passphrase for bundle

Return type:

List[QSslCertificate]

Returns:

list of certificate

static pkcs12BundleToPem(bundlepath: str | None, bundlepass: str | None = '', reencrypt: bool = True) → List[str][source]¶

Returns list of certificate, private key and algorithm (as PEM text) for a PKCS#12 bundle

Parameters:

bundlepath (Optional[str]) – File path to the PKCS bundle
bundlepass (Optional[str] = '') – Passphrase for bundle
reencrypt (bool = True) – Whether to re-encrypt the private key with the passphrase

Return type:

List[str]

Returns:

certificate, private key, key’s algorithm type

static resolvedCertName(cert: QSslCertificate, issuer: bool = False) → str[source]¶

Gets the general name via RFC 5280 resolution

Parameters:

cert (QSslCertificate)
issuer (bool = False)

Return type:

str

static shaHexForCert(cert: QSslCertificate, formatted: bool = False) → str[source]¶

Gets the sha1 hash for certificate

Parameters:

cert (QSslCertificate) – Qt SSL certificate to generate hash from
formatted (bool = False) – Whether to colon-delimit the hash

Return type:

str

static sslErrorEnumString(errenum: QSslError.SslError) → str[source]¶

Gets short strings describing an SSL error

Parameters:: errenum (QSslError.SslError)
Return type:: str

static validateCertChain(certificateChain: Iterable[QSslCertificate], hostName: str | None = '', trustRootCa: bool = False) → List[QSslError]¶

validateCertChain validates the given certificateChain

Parameters:

certificateChain (Iterable[QSslCertificate]) – list of certificates to be checked, with leaf first and with optional root CA last
hostName (Optional[str] = '') – (optional) name of the host to be verified
trustRootCa (bool = False) – if True the CA will be added to the trusted CAs for this validation check

Return type:

List[QSslError]

Returns:

list of QSslError, if the list is empty then the cert chain is valid

static validatePKIBundle(bundle: QgsPkiBundle, useIntermediates: bool = True, trustRootCa: bool = False) → List[str][source]¶

validatePKIBundle validate the PKI bundle by checking the certificate chain, the expiration and effective dates, optionally trusts the root CA

Parameters:

bundle (QgsPkiBundle)
useIntermediates (bool = True) – if True the intermediate certs are also checked
trustRootCa (bool = False) – if True the CA will be added to the trusted CAs for this validation check (if useIntermediates is False) this option is ignored and set to False

Return type:

List[str]

Returns:

a list of error strings, if the list is empty then the PKI bundle is valid