/python-certificate-chain-resolver

Resolve the certificate chains (leaf, intermediate, and the root) for x509 certificates using the CLI or Python API. It supports PEM, DER, and PKCS7 formats and custom root certificate stores.

Primary language: Python. License: MIT.

Python certificate chain resolver


Resolve and obtain the complete certificate chain of an x509 certificate, from the leaf through the intermediate(s) to the root, using the CLI or the Python API.

The library provides an easy-to-use API to access each property of a certificate chain and the important metadata of a certificate. The library also exposes a CLI for resolving and inspecting certificate chains from the command line.

Support

  • PKCS7, PEM and DER formats
  • LetsEncrypt certificates
  • Including the root certificate using the system CA bundle or custom bundle
  • Python2 (but not for much longer..)

Installation

PyPI package

$ pip install cert-chain-resolver

CLI Usage

For more options and examples, see the Read the Docs documentation or pass the --help flag.

The bundle gets written to stdout and the chain information to stderr.

From source:

$ python -m cert_chain_resolver.cli --include-root certificate.crt > bundle.crt
$ cat certificate.crt | python -m cert_chain_resolver.cli --include-root > bundle.crt

From pip:

 $ cert_chain_resolver --include-root certificate.crt > bundle.crt
 1. <Cert common_name="github.com" subject="CN=github.com,O=GitHub\, Inc.,L=San Francisco,ST=California,C=US" issuer="CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
 2. <Cert common_name="DigiCert SHA2 High Assurance Server CA" subject="CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US" issuer="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
 3. <Cert common_name="DigiCert High Assurance EV Root CA" subject="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US" issuer="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
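The chain listing above can be sanity-checked before the bundle is deployed. The following is an added example, not part of the project's code: it parses the `<Cert ...>` lines printed to stderr and confirms that each issuer matches the next subject and that the chain ends in a self-issued root. The function names are hypothetical, and comparing names does not verify signatures or trust.

```python
import re

# Chain listing copied from the CLI output shown above.
SAMPLE = r'''
1. <Cert common_name="github.com" subject="CN=github.com,O=GitHub\, Inc.,L=San Francisco,ST=California,C=US" issuer="CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
2. <Cert common_name="DigiCert SHA2 High Assurance Server CA" subject="CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US" issuer="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
3. <Cert common_name="DigiCert High Assurance EV Root CA" subject="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US" issuer="CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US">
'''

# One <Cert ...> entry per line; attributes are key="value" pairs whose
# values may contain backslash escapes such as "\," inside a DN.
CERT_RE = re.compile(r'<Cert\s+(.*)>\s*$', re.M)
ATTR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_chain(text):
    """Return one dict (common_name, subject, issuer) per listed certificate."""
    return [dict(ATTR_RE.findall(m.group(1))) for m in CERT_RE.finditer(text)]


def chain_problems(certs, expect_root=True):
    """Return a list of name-chaining problems; an empty list means none found."""
    if not certs:
        return ["no <Cert ...> lines found"]
    problems = []
    for i, (child, parent) in enumerate(zip(certs, certs[1:]), start=1):
        if child["subject"] == child["issuer"]:
            problems.append(f"cert {i} is self-issued but is not last in the chain")
        if child["issuer"] != parent["subject"]:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    last = certs[-1]
    if expect_root and last["subject"] != last["issuer"]:
        problems.append("chain does not end in a self-issued root")
    return problems


if __name__ == "__main__":
    for problem in chain_problems(parse_chain(SAMPLE)) or ["chain names link up"]:
        print(problem)
```

Pass `expect_root=False` when the listing was produced without `--include-root`.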

Python API

Make sure to read the documentation for more examples and options.

from cert_chain_resolver.api import resolve

# Read the certificate as bytes and resolve its chain
with open('cert.pem', 'rb') as f:
    fb = f.read()
    chain = resolve(fb)

# Print each certificate in the chain, leaf first
for cert in chain:
    print(cert)

Output:

<Cert common_name="cert-chain-resolver.remcokoopmans.com" subject="CN=cert-chain-resolver.remcokoopmans.com" issuer="CN=R3,O=Let's Encrypt,C=US">
<Cert common_name="R3" subject="CN=R3,O=Let's Encrypt,C=US" issuer="CN=DST Root CA X3,O=Digital Signature Trust Co.">
<Cert common_name="DST Root CA X3" subject="CN=DST Root CA X3,O=Digital Signature Trust Co." issuer="CN=DST Root CA X3,O=Digital Signature Trust Co.">

Dependencies

  • cryptography

After cloning the repository

Install dependencies

$ make

Development

bootstrap

$ make

Testing

Unit testing

$ make tests

Re-run tests on file changes:

$ make tests TEST_ARGS="-- -f"

Formatting

$ make format