Package API: konnect.curl.certificates

Cryptographic certificate management

The support for certificate and key storage formats is very naïve, it does no checks that keys match certificates. It exists only to allow users to use as many formats as possible with as many of libcurl’s TLS backends as possible.

The backends currently supported are:

OpenSSL
GnuTLS
MbedSSL
WolfSSL
Schannel
Secure Transport

class AsciiArmored[source]

Bases: bytes

Base 64 encoding with fences for binary cryptographic data, commonly known as PEM

This class assumes that the encoded data contains at most one certificate and one private key, the first occurrence of each being returned by the AsciiArmored.certificate() and AsciiArmored.private_key() methods respectively.

format: ClassVar = 'PEM'

classmethod new(certificate: konnect.curl.certificates.encodings.Certificate | None = None, private_key: konnect.curl.certificates.encodings.PrivateKey | None = None) → Self[source]

Return an instance with the encoded form of the given certificate and/or private key

classmethod from_bytes(source: bytes, /) → Self[source]

Return a new instance from an in-memory bytes string

to_bytes() → Self[source]

Return a bytes string representation of an instance (itself, as it subclasses bytes)

certificate() → konnect.curl.certificates.encodings.Certificate | None[source]

Return the first certificate found in the encoded data, or None

private_key() → konnect.curl.certificates.encodings.PrivateKey | None[source]

Return the first private key found in the encoded data

find_first(kind: type[konnect.curl.certificates.encodings.Certificate], /) → konnect.curl.certificates.encodings.Certificate[source]

find_first(kind: type[PrivateKeyT], /) → PrivateKeyT

Return the first item with a label matching one of the provided types

class Certificate[source]

Bases: bytes

X.509 certificates

format: ClassVar = 'DER'

label: ClassVar = 'CERTIFICATE'

classmethod from_bytes(source: bytes, /) → Self[source]

Return a new instance from an in-memory bytes string

to_bytes() → Self[source]

Return a bytes string representation of an instance (itself, as it subclasses bytes)

fingerprint() → str[source]

Return the SHA1 hash of the certificate as a hexadecimal string

certificate() → Self[source]

Return the certificate, itself

private_key() → None[source]

Return None, this is a no-op for certificates

class ECPrivateKey(source: bytes, /)[source]

Bases: konnect.curl.certificates.encodings.PrivateKey

ECDSA private key

format: ClassVar[str] = 'DER'

label: ClassVar[str] = 'EC PRIVATE KEY'

final class EncodedFile(contents: konnect.curl.certificates.files.T, path: pathlib.Path)[source]

Bases: Generic[konnect.curl.certificates.files.T]

Combines decoding data with file path information

classmethod read(path: pathlib.Path, encoding: type[konnect.curl.certificates.files.C], /, maxsize: int = 65536) → konnect.curl.certificates.files.EncodedFile[konnect.curl.certificates.files.C][source]

Read encoded data from the file path if it exists and return an EncodedFile

The value of ‘maxsize’ is a safety net to prevent arbitrarily large files being read into memory. The default should be suitable for most certificate and key files but can be overridden to allow unusually large files to be read (probably ASCII armored files containing many items).

Can raise the normal range of OSError exceptions that may occur when opening and reading a file.

static write(path: pathlib.Path, contents: konnect.curl.certificates.files.C, /, *, exists_ok: bool = False) → konnect.curl.certificates.files.EncodedFile[konnect.curl.certificates.files.C][source]

Write encoded data to the file path

If ‘exists_ok’ is false the file will be opened in create-only mode, raising FileExistsError if there is already a file at the path; otherwise the file is opened in normal write mode and truncated before writing the encoded data. Either way the data is never appended to the file.

Can raise the normal range of OSError exceptions that may occur when opening and writing to a file.

class Pkcs8EncryptedPrivateKey(source: bytes, /)[source]