Skip to content

Certificate Verification

aia_chaser.verify

VerifyCertificatesConfig dataclass

Configuration to verify certificates.

ATTRIBUTE DESCRIPTION
fingerprint_hash_alg

Hash algorithm used to verify that the root certificate from the chain is the same as the one found in the trusted certificates. Defaults to hashes.SHA256.

TYPE: HashAlgorithm

crl_enabled

Whether or not perform CRL validation.

TYPE: bool

ocsp_enabled

Whether or not perform OCSP validation. Defaults to True.

TYPE: bool

ocsp_hash_alg

Hash algorithm used to construct OCSP requests. Defaults to hashes.SHA1.

TYPE: HashAlgorithm

ocsp_ignore_unknown

Whether to ignore OCSP’s status UNKNOWN or consider it a verification error. Defaults to True.

TYPE: bool

ocsp_verify_responder

Whether to verify responder certificate. See VerifyOcspConfig for more details.

TYPE: bool

verification_time

Timestamp used to verify certificate validity period. Defaults to datetime.datetime.now(datetime.timezone.utc).

TYPE: datetime

retry_config

Configuration for HTTP retry behavior when downloading CRLs or making OCSP requests. Defaults to 3 attempts with exponential backoff.

TYPE: RetryConfig

VerifyOcspConfig dataclass

Configuration to verify certificates.

ATTRIBUTE DESCRIPTION
hash_alg

Hash algorithm used to construct OCSP requests. Defaults to hashes.SHA1.

TYPE: HashAlgorithm

nonce_size

Size in bytes of the OCSP nonce.

TYPE: int

ignore_unknown

Whether to ignore OCSP’s status UNKNOWN or consider it a verification error. Defaults to True.

TYPE: bool

verify_responder

Whether to verify responder certificate. If enabled there are 3 possibilities:

1 - Responder and Issuer are the same: Issuer is *trusted*
    (verifying it should be done by the user using
    `verify_certificate_chain`) and the response signature
    is verified with the Issuer certificate.
2 - Responder certificate is different but is signed by
    Issuer: The same criteria applies, Issuer is *trusted*
    and used to verify the responder certificate, which
    in turn is used to verify the response.
3 - Responder certificate is different and signed by another
    certificate: Then a trusted set of certificates is
    required to verify the certificate.

TYPE: bool

trusted

Trusted certificates mapping from subject (name) to certificate. If not provided a responder certificate verification may fail.

TYPE: Mapping[Name, Certificate]

retry_config

Configuration for HTTP retry behavior when making OCSP requests. Defaults to 3 attempts with exponential backoff.

TYPE: RetryConfig

verify_certificate_chain(certificates, trusted=None, config=None)

Verifies the integrity of the certificates chain.

The verification checks that each certificate in the sequence is signed by the next one and that all are valid certificates.

PARAMETER DESCRIPTION
certificates

Chain of certificates starting with the leaf and ending in the root CA certificate.

TYPE: Iterable[Certificate]

trusted

Trusted certificates mapping from subject, formatted as rfc4514, to certificate. If not provided root certificate verification will be skipped.

TYPE: Mapping[Name, Certificate] | None DEFAULT: None

config

Configuration of the verification process.

TYPE: VerifyCertificatesConfig | None DEFAULT: None

RAISES DESCRIPTION
CertificateChainError

If a verification error is detected on any of the certificates from the chain. It will also be raised if trusted is given certificate[-1] is not contained in it or the fingerprint does not match.

verify_certificate_validity_period(certificate, verification_time=None)

Verifies certificate validity period (not valid before/after).

PARAMETER DESCRIPTION
certificate

Certificate to verify.

TYPE: Certificate

verification_time

datetime value to use as reference when verifying the validity period. If not given uses UTC time.

TYPE: datetime | None DEFAULT: None

RAISES DESCRIPTION
CertificateExpiredError

If the certificate is outside its validity period.
CertificateTimeZoneError

If verification_time is offset-naive.

verify_crl_status(certificate, verification_time, retry_config=None)

Verifies the status of a certificate using revocation lists.

PARAMETER DESCRIPTION
certificate

The certificate whose revocation status needs to be verified.

TYPE: Certificate

verification_time

time at which the verification is being conducted. Defaults to datetime.datetime.now(datetime.timezone.utc).

TYPE: datetime | None

retry_config

Configuration for HTTP retry behavior.

TYPE: RetryConfig | None DEFAULT: None

verify_directly_issued_by(certificate, issuer)

Verifies that a certificate was issued by the provided issuer.

This function delegates to x509.Certificate.verify_directly_issued_by to check if the given certificate’s issuer matches the provided issuer certificate and to validate the issuer’s signature. If the check fails, specific exceptions are raised to indicate the type of failure.

PARAMETER DESCRIPTION
certificate

The certificate to validate.

TYPE: Certificate

issuer

The certificate of the issuer expected to have issued the given certificate.

TYPE: Certificate

RAISES DESCRIPTION
CertificateIssuerNameError

If the issuer’s subject name does not match the certificate’s issuer name.
CertificateSignatureError

If the issuer’s signature on the certificate is invalid.

verify_ocsp_status(certificate, issuer, config=None)

Verifies the status of a certificate using Online Certificate Status Protocol.

PARAMETER DESCRIPTION
certificate

The certificate whose revocation status needs to be verified.

TYPE: Certificate

issuer

The issuer certificate that signed the target certificate.

TYPE: Certificate

config

Configuration of the OCSP verification process.

TYPE: VerifyOcspConfig | None DEFAULT: None

RAISES DESCRIPTION
OcspRevokedStatusError

The certificate status is REVOKED in the OCSP response.
OcspUnknownStatusError

The certificate status is UNKNOWN in the OCSP response and ignore_unknown is False.
OcspHttpError

An HTTP error happened while requesting the OCSP status.
OcspResponseStatusError

The OCSP response status is not SUCCESSFUL.
OcspResponseUnsignedError

The OCSP response is not signed.
OcspResponseSignatureError

The OCSP response is not signed by the responder certificate.
CertificateKeyTypeError

The responder certificate key is not supported.
WARNS DESCRIPTION
UserWarning

A warning is issued if a hash algorithm other than SHA-1 is used, as some OCSP servers may not support other hash algorithms and may fail with UNAUTHORIZED or MALFORMED responses.

verify_root_certificate(root_cert, trusted, verification_time=None, hash_alg=None)

Verifies the validity of the provided root certificate.

PARAMETER DESCRIPTION
root_cert

Certificate to verify.

TYPE: Certificate

verification_time

datetime value to validate the certificates validity period. Defaults to datetime.datetime.now(datetime.timezone.utc).

TYPE: datetime | None DEFAULT: None

trusted

Trusted certificates mapping from subject (name) to certificate.

TYPE: Mapping[Name, Certificate]

hash_alg

Hashing algorithm used for operations like fingerprint comparison, etc. Defaults to SHA-256.

TYPE: HashAlgorithm | None DEFAULT: None

RAISES DESCRIPTION
RootCertificateNotFoundError

If the root certificate cannot be found in trusted.
CertificateFingerprintError

If the root certificate fingerprint does not match the trusted certificate fingerprint.