Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

pyhanko-certvalidator

Package Overview
Dependencies
Maintainers
1
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

pyhanko-certvalidator

Validates X.509 certificates and paths; forked from wbond/certvalidator

  • 0.26.5
  • PyPI
  • Socket score

Maintainers
1

certvalidator

This library started as a fork of wbond/certvalidator with patches for pyHanko, but has since diverged considerably from its parent repository.

Bugs and questions regarding this library should be asked in the pyHanko repository rather than here.

pyhanko-certvalidator is a Python library for validating X.509 certificates paths. It supports various options, including: validation at a specific moment in time, whitelisting and revocation checks.

Features

  • X.509 path building
  • X.509 basic path validation
    • Signatures
      • RSA (including PSS padding), DSA, ECDSA and EdDSA algorithms.
    • Name chaining
    • Validity dates
    • Basic constraints extension
      • CA flag
      • Path length constraint
    • Key usage extension
    • Extended key usage extension
    • Certificate policies
      • Policy constraints
      • Policy mapping
      • Inhibit anyPolicy
    • Failure on unknown/unsupported critical extensions
  • TLS/SSL server validation
  • Whitelisting certificates
  • Blacklisting hash algorithms
  • Revocation checks
    • CRLs
      • Indirect CRLs
      • Delta CRLs
    • OCSP checks
      • Delegated OCSP responders
    • Disable, require or allow soft failures
    • Caching of CRLs/OCSP responses
  • CRL and OCSP HTTP clients
  • Point-in-time validation
  • Name constraints
  • Attribute certificate support

Current Release

pypi - changelog

Dependencies

  • asn1crypto
  • cryptography
  • uritools
  • oscrypto
  • requests or aiohttp (use the latter for more efficient asyncio, requires resource management)
  • Python 3.7 or higher

Note on compatibility

Starting with pyhanko-certvalidator version 0.17.0, the library has been refactored to use asynchronous I/O as much as possible. Most high-level API entrypoints can still be used synchronously, but have been deprecated in favour of their asyncio equivalents. As part of this move, the OCSP and CRL clients now have two separate implementations: a requests-based one, and an aiohttp-based one. The latter is probably more performant, but requires more resource management efforts on the caller's part, which was impossible to implement without making major breaking changes to the public API that would make the migration path more complicated. Therefore, the requests-based fetcher will remain the default for the time being.

Installation

pip install pyhanko-certvalidator

License

certvalidator is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Testing

Test framework

Tests are written using pytest and require an asynchronous test case backend such as pytest-asyncio.

Test cases

The test cases for the library are comprised of:

Existing releases can be found at https://pypi.org/project/pyhanko-certvalidator.

Keywords

FAQs


Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc