X509Certificate is a class for managing X509 certificates

Proxy RFC: https://tools.ietf.org/html/rfc38200

X509RFC: https://tools.ietf.org/html/rfc5280

class DIRAC.Core.Security.m2crypto.X509Certificate.X509Certificate(x509Obj=None, certString=None)

Bases: object

The X509Certificate object represents … a X509Certificate.

It is a wrapper around a lower level implementation (M2Crypto in this case) of a certificate. In theory, it can be a host or user certificate. Also, a proxy certificate is a X509Certificate, however it is useless without the whole chain of issuers. That’s why one has the X509Chain.

In practice, X509Certificate is just used for checking if the host certificate has expired. This class will most probably disappear once we get rid of pyGSI. After all, a X509Certificate is nothing but a X509Chain of length 1.

Note that the SSL connection itself does not use this class, it gives directly the certificate to the library

__init__(x509Obj=None, certString=None)

Constructor. You can give either nothing, or the x509Obj or the certString

  • x509Obj (M2Crypto.X509.X509) – (optional) certificate instance
  • certString (String) – text representation of certificate

Return certificate as PEM string

Returns:pem string

classmethod generateProxyCertFromIssuer(x509Issuer, x509ExtensionStack, proxyKey, lifetime=3600)

This class method is meant to generate a new X509Certificate out of an existing one. Basically, it generates a proxy… However, you can’t have a proxy certificate working on its own, you need all the chain of certificates. This method is meant to be called only by the X509Chain class.

Inspired from https://github.com/eventbrite/m2crypto/blob/master/demo/x509/ca.py#L45

  • x509Issuer – X509Certificate instance from which we generate the next one
  • x509ExtensionStack – M2Crypto.X509.X509_Extension_Stack object to add to the new certificate. It contains all the X509 extensions needed for the proxy (e.g. DIRAC group). See ~X509Chain.__getProxyExtensionList
  • proxyKey – a M2Crypto.EVP.PKey instance with private and public key
  • lifetime – duration of the proxy in seconds. Default 3600

Returns:a new X509Certificate


Generate a proxy request. See DIRAC.Core.Security.m2crypto.X509Request.X509Request

In principle, there is no reason to have this here, since the X509Request is independent of the X509Certificate when generating it. The only reason is to check whether the current certificate is limited or not.

  • bitStrength – strength of the key
  • limited – if True or if the current certificate is limited (see proxy RFC), creates a request for a limited proxy

Returns:S_OK( DIRAC.Core.Security.m2crypto.X509Request.X509Request ) / S_ERROR


Get the dirac group if present

If no group is found in the certificate, we query the CS to get the default group for the given user. This can be disabled using the ignoreDefault parameter

Note that the lookup in the CS can only work for a proxy of first generation, since we search based on the issuer DN

Parameters:ignoreDefault – if True, do not lookup the CS
Returns:S_OK(group name/bool)

Return X509 Extension with given name

Parameters:name – name of the extension
Returns:S_OK with M2Crypto.X509.X509_Extension object, or S_ERROR

Get a decoded list of extensions

Returns:S_OK( list of tuple (extensionName, extensionValue))

Get issuer DN

Returns:S_OK( string )/S_ERROR

Get not after date of a certificate

Returns:S_OK( datetime )/S_ERROR

Get not before date of a certificate

Returns:S_OK( datetime )/S_ERROR

Get the public key of the certificate


Get remaining lifetime in secs

Returns:S_OK(remaining seconds)

Get certificate serial number

Returns:S_OK( serial )/S_ERROR

Get subject DN

Returns:S_OK( string )/S_ERROR

Get subject name object

Returns:S_OK( X509Name )/S_ERROR

Get voms extensions data

Returns:S_ERROR/S_OK(dict). For the content of the dict, see decodeVOMSExtension()

Check if the loaded certificate is still valid

Returns:S_OK( True/False )/S_ERROR

Has voms extensions

Returns:S_OK(bool) if voms extensions are found

Load an x509 certificate either from a file or from a string

Parameters:certificate – path to the file or PEM encoded string
Returns:S_OK on success, otherwise S_ERROR

Load a x509 cert from a pem file

Parameters:certLocation – path to the certificate file
Returns:S_OK / S_ERROR.

Load a x509 cert from a string containing the pem data

Parameters:pemData – pem encoded string
Returns:S_OK / S_ERROR

Sign the certificate using provided key and algorithm.

  • key – M2Crypto.EVP.PKey object with private and public key
  • algo – algorithm to sign the certificate



Verify the signature of the certificate using the public key provided

Parameters:pkey – ~M2Crypto.EVP.PKey object
Returns:S_OK(bool) where the boolean shows the success of the verification
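
Signature verification returns S_OK(bool) and the remaining lifetime returns S_OK(remaining seconds), so the returned wrapper is truthy even when the wrapped value is False or 0. The following is an added example, not DIRAC code, showing a caller that fails closed on both. Assumptions: S_OK and S_ERROR here are local stand-ins that mirror DIRAC's usual return-dict layout ("OK", "Value", "Message"), and unwrap_bool, unwrap_secs, accept_certificate and min_secs are hypothetical names.

```python
# Added example. S_OK / S_ERROR are local stand-ins (assumed layout) so the
# snippet runs without DIRAC or M2Crypto installed.
def S_OK(value=None):
    return {"OK": True, "Value": value}


def S_ERROR(message=""):
    return {"OK": False, "Message": message}


def unwrap_bool(result):
    """Return the wrapped boolean; False on S_ERROR or any non-True value."""
    if not isinstance(result, dict) or not result.get("OK"):
        return False
    return result.get("Value") is True


def unwrap_secs(result):
    """Return the wrapped lifetime in seconds; 0 when the call failed."""
    if not isinstance(result, dict) or not result.get("OK"):
        return 0
    value = result.get("Value")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return 0
    return max(0, int(value))


def accept_certificate(verify_result, remaining_result, min_secs=300):
    """Accept only a verified signature with at least min_secs left.

    min_secs is a hypothetical policy threshold, not a DIRAC setting.
    """
    return (unwrap_bool(verify_result)
            and unwrap_secs(remaining_result) >= min_secs)


# Constructed results, standing in for what the methods above would return.
FAILED_VERIFY = S_OK(False)      # call succeeded, signature did NOT verify
ONE_HOUR_LEFT = S_OK(3600)

# Pitfall: testing the wrapper itself accepts a failed verification,
# because a non-empty dict is always truthy.
naive_decision = bool(FAILED_VERIFY)

# Unwrapping first gives the intended answer.
safe_decision = accept_certificate(FAILED_VERIFY, ONE_HOUR_LEFT)

if __name__ == "__main__":
    print("naive:", naive_decision, "safe:", safe_decision)
```
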