M2Crypto Package

M2Crypto Package

ASN1 Module

class M2Crypto.ASN1.ASN1_Integer(asn1int: ASN1_Integer, _pyfree: int = 0)

Bases: object

m2_asn1_integer_free()

class M2Crypto.ASN1.ASN1_Object(asn1obj: ASN1_Object, _pyfree: int = 0)

Bases: object

m2_asn1_object_free()

class M2Crypto.ASN1.ASN1_String(asn1str: ASN1_String, _pyfree: int = 0)

Bases: object

as_text(flags: int = 0) → str

Output an ASN1_STRING structure according to the set flags.

Parameters:

flags – determine the format of the output by using predetermined constants, see ASN1_STRING_print_ex(3) manpage for their meaning.

Returns:

output an ASN1_STRING structure.

m2_asn1_string_free()

class M2Crypto.ASN1.ASN1_TIME(asn1_time: ASN1_TIME | None = None, _pyfree: int | None = 0, asn1_utctime: ASN1_TIME | None = None)

Bases: object

get_datetime() → datetime

Get time as datetime.datetime object

Returns:

always return datetime object

Raises:

ValueError if anything wrong happens

m2_asn1_time_free()

set_datetime(date: datetime) → ASN1_TIME

Set time from datetime.datetime object.

Returns:

pointer to a time structure or NULL if an error occurred

set_string(string: bytes) → int

Set time from UTC string.

Returns:

1 if the time value is successfully set and 0 otherwise

set_time(time: int) → ASN1_TIME

Set time from seconds since epoch (int).

Returns:

pointer to a time structure or NULL if an error occurred

M2Crypto.ASN1.ASN1_UTCTIME

alias of ASN1_TIME

class M2Crypto.ASN1.LocalTimezone

Bases: tzinfo

Localtimezone from datetime manual.

dst(dt: datetime) → timedelta

datetime -> DST offset as timedelta positive east of UTC.

tzname(dt: datetime) → str

datetime -> string name of time zone.

utcoffset(dt: datetime) → timedelta

datetime -> timedelta showing offset from UTC, negative values indicating West of UTC

AuthCookie Module

class M2Crypto.AuthCookie.AuthCookie(expiry: float, data: str, dough: str, mac: str)

Bases: object

data() → str

Return the data portion of the cookie.

expiry() → float

Return the cookie’s expiry time.

headerValue() → str

isExpired() → bool

Return 1 if the cookie has expired, 0 otherwise.

mac() → str

Return the cookie’s MAC.

name() → str

output(header: str | None = 'Set-Cookie:') → str

Return the cookie’s output in “Set-Cookie” format.

value() → str

Return the cookie’s output minus the “Set-Cookie: “ portion.

class M2Crypto.AuthCookie.AuthCookieJar

Bases: object

isGoodCookie(cookie: AuthCookie) → bool | int

isGoodCookieString(cookie_str: dict | bytes, _debug: bool = False) → bool | int

makeCookie(expiry: float, data: str) → AuthCookie

Make a cookie

Parameters:

• expiry – expiration time (float in seconds)

• data – cookie content

Returns:

AuthCookie object

M2Crypto.AuthCookie.mix(expiry: float, data: AnyStr, format: str = 'exp=%f&data=%s&digest=') → AnyStr

M2Crypto.AuthCookie.unmix(dough: AnyStr, regex: re = re.compile('exp=(\\d+\\.\\d+)&data=(.+)&digest=(\\S*)')) → object

M2Crypto.AuthCookie.unmix3(dough: AnyStr, regex: re = re.compile('exp=(\\d+\\.\\d+)&data=(.+)&digest=(\\S*)')) → tuple[float, AnyStr, AnyStr] | None

BIO Module

class M2Crypto.BIO.BIO(bio: BIO | None = None, _pyfree: int = 0, _close_cb: Callable | None = None)

Bases: object

Abstract object interface to the BIO API.

bio_ptr()

close() → None

fileno() → int

flush() → None

Flush the buffers.

Returns:

1 for success, and 0 or -1 for failure

m2_bio_free()

read(size: int = None) → bytes | bytearray

readable() → bool

readline(size: int = 4096) → bytes

readlines(sizehint: AnyStr | int = 'ignored') → Iterable[bytes]

reset() → int

Set the bio to its initial state.

Returns:

1 for success, and 0 or -1 for failure

seek(off)

Seek to the specified absolute offset.

should_read() → int

Should we read more data?

should_retry() → int

Can the call be attempted again, or was there an error ie do_handshake

should_write() → int

Should we write more data?

tell()

Return the current offset.

write(data: AnyStr) → int

Write data to BIO.

Returns:

either data written, or [0, -1] for nothing written, -2 not implemented

write_close() → None

writeable() → bool

exception M2Crypto.BIO.BIOError

Bases: ValueError

class M2Crypto.BIO.CipherStream(obio: BIO)

Bases: BIO

Object interface to BIO_f_cipher.

SALT_LEN = 8

close() → None

m2_bio_free()

m2_bio_pop()

set_cipher(algo: str, key: AnyStr, iv: AnyStr, op: int) → None

write_close() → None

class M2Crypto.BIO.File(pyfile: BytesIO | AnyStr, close_pyfile: int = 1, mode: AnyStr = 'rb')

Bases: BIO

Object interface to BIO_s_pyfd.

This class interfaces Python to OpenSSL functions that expect BIO. For general file manipulation in Python, use Python’s builtin file object.

close() → None

flush() → None

Flush the buffers.

Returns:

1 for success, and 0 or -1 for failure

reset() → int

Set the bio to its initial state.

Returns:

0 for success, and -1 for failure

class M2Crypto.BIO.IOBuffer(under_bio: BIO, mode: str = 'rwb', _pyfree: int = 1)

Bases: BIO

Object interface to BIO_f_buffer.

Its principal function is to be BIO_push()’ed on top of a BIO_f_ssl, so that makefile() of said underlying SSL socket works.

close() → None

m2_bio_free()

m2_bio_pop()

class M2Crypto.BIO.MemoryBuffer(data: bytes | None = None)

Bases: BIO

Object interface to BIO_s_mem.

Empirical testing suggests that this class performs less well than cStringIO, because cStringIO is implemented in C, whereas this class is implemented in Python. Thus, the recommended practice is to use cStringIO for regular work and convert said cStringIO object to a MemoryBuffer object only when necessary.

close() → None

getvalue(size: int = 0) → bytes

read(size: int = 0) → bytes

read_all(size: int = 0) → bytes

write_close() → None

class M2Crypto.BIO.SSLBio(_pyfree: int = 1)

Bases: BIO

Object interface to BIO_f_ssl.

do_handshake() → int

Do the handshake.

Return 1 if the handshake completes Return 0 or a negative number if there is a problem

set_ssl(conn: Any, close_flag: int = 0) → None

Sets the bio to the SSL pointer which is contained in the connection object.

M2Crypto.BIO.openfile(filename: AnyStr, mode: AnyStr = 'rb') → File

BN Module

M2Crypto.BN.rand(bits: int, top: int = -1, bottom: int = 0) → int | None

Generate cryptographically strong random number.

Parameters:

• bits – Length of random number in bits.

• top – If -1, the most significant bit can be 0. If 0, the most significant bit is 1, and if 1, the two most significant bits will be 1.

• bottom – If bottom is true, the number will be odd.

M2Crypto.BN.rand_range(range: int) → int

Generate a random number in a range.

Parameters:

range – Upper limit for range.

Returns:

A random number in the range [0, range)

M2Crypto.BN.randfname(length: int) → str

Return a random filename, which is simply a string where all the characters are from the set [a-zA-Z0-9].

Parameters:

length – Length of filename to return.

Returns:

random filename string

DH Module

class M2Crypto.DH.DH(dh: bytes, _pyfree: int = 0)

Bases: object

Object interface to the Diffie-Hellman key exchange protocol.

check_params() → int

compute_key(pubkey: bytes) → bytes

gen_key() → None

m2_dh_free()

print_params(bio: BIO) → int

exception M2Crypto.DH.DHError

Bases: Exception

M2Crypto.DH.gen_params(plen: int, g: int, callback: ~typing.Callable | None = <function genparam_callback>) → DH

M2Crypto.DH.load_params(file: AnyStr) → DH

M2Crypto.DH.load_params_bio(bio: BIO) → DH

M2Crypto.DH.set_params(p: bytes, g: bytes) → DH

DSA Module

class M2Crypto.DSA.DSA(dsa: bytes, _pyfree: int = 0)

Bases: object

This class is a context supporting DSA key and parameter values, signing and verifying.

Simple example:

from M2Crypto import EVP, DSA, util

message = 'Kilroy was here!'
md = EVP.MessageDigest('sha1')
md.update(message)
digest = md.final()

dsa = DSA.gen_params(1024)
dsa.gen_key()
r, s = dsa.sign(digest)
good = dsa.verify(digest, r, s)
if good:
    print('  ** success **')
else:
    print('  ** verification failed **')

check_key()

Check to be sure the DSA object has a valid private key.

Returns:

1 (true) if a valid private key

gen_key() → None

Generate a key pair.

m2_dsa_free()

save_key(filename: AnyStr, cipher: str = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the DSA key pair to a file.

Parameters:

• filename – Save the DSA key pair to this file.

• cipher – name of symmetric key algorithm and mode to encrypt the private key.

Returns:

1 (true) if successful

save_key_bio(bio: ~M2Crypto.BIO.BIO, cipher: str = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save DSA key pair to a BIO object.

Parameters:

• bio – Save DSA parameters to this object.

• cipher – name of symmetric key algorithm and mode to encrypt the private key.

Returns:

1 (true) if successful

save_params(filename: AnyStr) → int

Save the DSA parameters to a file.

Parameters:

filename – Save the DSA parameters to this file.

Returns:

1 (true) if successful

save_params_bio(bio: BIO) → int

Save DSA parameters to a BIO object.

Parameters:

bio – Save DSA parameters to this object.

Returns:

1 (true) if successful

save_pub_key(filename: AnyStr) → int

Save the DSA public key (with parameters) to a file.

Parameters:

filename – Save DSA public key (with parameters) to this file.

Returns:

1 (true) if successful

save_pub_key_bio(bio: BIO) → int

Save DSA public key (with parameters) to a BIO object.

Parameters:

bio – Save DSA public key (with parameters) to this object.

Returns:

1 (true) if successful

set_params(p: bytes, q: bytes, g: bytes) → None

Set new parameters.

Parameters:

• p – MPI binary representation … format that consists of the number’s length in bytes represented as a 4-byte big-endian number, and the number itself in big-endian format, where the most significant bit signals a negative number (the representation of numbers with the MSB set is prefixed with null byte).

• q – ditto

• g – ditto

@warning: This does not change the private key, so it may be

unsafe to use this method. It is better to use gen_params function to create a new DSA object.

sign(digest: bytes) → Tuple[bytes, bytes]

Sign the digest.

Parameters:

digest – SHA-1 hash of message (same as output from MessageDigest, a “byte string”)

Returns:

DSA signature, a tuple of two values, r and s, both “byte strings”.

sign_asn1(digest)

verify(digest: bytes, r: bytes, s: bytes) → int

Verify a newly calculated digest against the signature values r and s.

Parameters:

• digest – SHA-1 hash of message (same as output from MessageDigest, a “byte string”)

• r – r value of the signature, a “byte string”

• s – s value of the signature, a “byte string”

Returns:

1 (true) if verify succeeded, 0 if failed

verify_asn1(digest, blob)

exception M2Crypto.DSA.DSAError

Bases: Exception

class M2Crypto.DSA.DSA_pub(dsa: bytes, _pyfree: int = 0)

Bases: DSA

This class is a DSA context that only supports a public key and verification. It does NOT support a private key or signing.

check_key() → int

Returns:

does DSA_pub contain a pub key?

save_key(filename: AnyStr) → int

Save the DSA public key (with parameters) to a file.

Parameters:

filename – Save DSA public key (with parameters) to this file.

Returns:

1 (true) if successful

save_key_bio(bio: BIO) → int

Save DSA public key (with parameters) to a BIO object.

Parameters:

bio – Save DSA public key (with parameters) to this object.

Returns:

1 (true) if successful

sign(*argv: Any) → None

Sign the digest.

Parameters:

digest – SHA-1 hash of message (same as output from MessageDigest, a “byte string”)

Returns:

DSA signature, a tuple of two values, r and s, both “byte strings”.

sign_asn1(*argv: Any) → None

Sign the digest.

Parameters:

digest – SHA-1 hash of message (same as output from MessageDigest, a “byte string”)

Returns:

DSA signature, a tuple of two values, r and s, both “byte strings”.

M2Crypto.DSA.gen_params(bits: int, callback: ~typing.Callable = <function genparam_callback>) → DSA

Factory function that generates DSA parameters and instantiates a DSA object from the output.

Parameters:

• bits – The length of the prime to be generated. If ‘bits’ < 512, it is set to 512.

• callback – A Python callback object that will be invoked during parameter generation; it usual purpose is to provide visual feedback.

Returns:

instance of DSA.

M2Crypto.DSA.load_key(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → DSA

Factory function that instantiates a DSA object from a PEM encoded DSA key pair.

Parameters:

• file – Names the file (a path) that contains the PEM representation of the DSA key pair.

• callback – A Python callback object that will be invoked if the DSA key pair is passphrase-protected.

Returns:

instance of DSA.

M2Crypto.DSA.load_key_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → DSA

Factory function that instantiates a DSA object from a PEM encoded DSA key pair.

Parameters:

• bio – Contains the PEM representation of the DSA key pair.

• callback – A Python callback object that will be invoked if the DSA key pair is passphrase-protected.

Returns:

instance of DSA.

M2Crypto.DSA.load_params(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → DSA

Factory function that instantiates a DSA object with DSA parameters from a file.

Parameters:

• file – Names the file (a path) that contains the PEM representation of the DSA parameters.

• callback – A Python callback object that will be invoked if the DSA parameters file is passphrase-protected.

Returns:

instance of DSA.

M2Crypto.DSA.load_params_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → DSA

Factory function that instantiates a DSA object with DSA parameters from a M2Crypto.BIO object.

Parameters:

• bio – Contains the PEM representation of the DSA parameters.

• callback – A Python callback object that will be invoked if the DSA parameters file is passphrase-protected.

Returns:

instance of DSA.

M2Crypto.DSA.load_pub_key(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → DSA_pub

Factory function that instantiates a DSA_pub object using a DSA public key contained in PEM file. The PEM file must contain the parameters in addition to the public key.

Parameters:

• file – Names the file (a path) that contains the PEM representation of the DSA public key.

• callback – A Python callback object that will be invoked should the DSA public key be passphrase-protected.

Returns:

instance of DSA_pub.

M2Crypto.DSA.load_pub_key_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → DSA_pub

Factory function that instantiates a DSA_pub object using a DSA public key contained in PEM format. The PEM must contain the parameters in addition to the public key.

Parameters:

• bio – Contains the PEM representation of the DSA public key (with params).

• callback – A Python callback object that will be invoked should the DSA public key be passphrase-protected.

Returns:

instance of DSA_pub.

M2Crypto.DSA.pub_key_from_params(p: bytes, q: bytes, g: bytes, pub: bytes) → DSA_pub

Factory function that instantiates a DSA_pub object using the parameters and public key specified.

Parameters:

• p – value of p

• q – value of q

• g – value of g

• pub – value of the public key

Returns:

instance of DSA_pub.

M2Crypto.DSA.set_params(p: bytes, q: bytes, g: bytes) → DSA

Factory function that instantiates a DSA object with DSA parameters.

Parameters:

• p – value of p, a “byte string”

• q – value of q, a “byte string”

• g – value of g, a “byte string”

Returns:

instance of DSA.

EC Module

class M2Crypto.EC.EC(ec: EC, _pyfree: int = 0)

Bases: object

Object interface to a EC key pair.

as_pem(cipher='aes_128_cbc', callback=<function passphrase_callback>)

Returns the key(pair) as a string in PEM format. If no password is passed and the cipher is set it exits with error

check_key() → int

compute_dh_key(pub_key: EC) → bytes | None

Compute the ECDH shared key of this key pair and the given public key object. They must both use the same curve. Returns the shared key in binary as a buffer object. No Key Derivation Function is applied.

gen_key() → int

Generates the key pair from its parameters. Use:

keypair = EC.gen_params(curve)
keypair.gen_key()

to create an EC key pair.

m2_ec_key_free()

pub() → EC_pub

save_key(file: AnyStr, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to a file in PEM format.

Parameters:

• file – Name of filename to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_key_bio(bio: ~M2Crypto.BIO.BIO, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to an M2Crypto.BIO.BIO object in PEM format.

Parameters:

• bio – M2Crypto.BIO.BIO object to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_pub_key(file: AnyStr) → int

Save the public key to a filename in PEM format.

Parameters:

file – Name of filename to save key to.

save_pub_key_bio(bio: BIO) → int

Save the public key to an M2Crypto.BIO.BIO object in PEM format.

Parameters:

bio – M2Crypto.BIO.BIO object to save key to.

sign_dsa(digest: bytes) → Tuple[bytes, bytes]

Sign the given digest using ECDSA. Returns a tuple (r,s), the two ECDSA signature parameters.

sign_dsa_asn1(digest: bytes) → bytes

verify_dsa(digest: bytes, r: bytes, s: bytes) → int

Verify the given digest using ECDSA. r and s are the ECDSA signature parameters.

verify_dsa_asn1(digest, blob)

exception M2Crypto.EC.ECError

Bases: Exception

class M2Crypto.EC.EC_pub(ec: EC, _pyfree: int = 0)

Bases: EC

Object interface to an EC public key. ((don’t like this implementation inheritance))

as_pem()

Returns the key(pair) as a string in PEM format. If no password is passed and the cipher is set it exits with error

get_der() → bytes

Returns the public key in DER format as a buffer object.

get_key() → bytes

Returns the public key as a byte string.

save_key(file: AnyStr) → int

Save the public key to a filename in PEM format.

Parameters:

file – Name of filename to save key to.

save_key_bio(bio: BIO) → int

Save the public key to an M2Crypto.BIO.BIO object in PEM format.

Parameters:

bio – M2Crypto.BIO.BIO object to save key to.

M2Crypto.EC.ec_error() → ECError

M2Crypto.EC.gen_params(curve: int) → EC

Factory function that generates EC parameters and instantiates a EC object from the output.

Parameters:

curve – This is the OpenSSL nid of the curve to use.

M2Crypto.EC.get_builtin_curves() → Tuple[Dict[str, int | str]]

M2Crypto.EC.load_key(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → EC

Factory function that instantiates a EC object.

Parameters:

• file – Names the filename that contains the PEM representation of the EC key pair.

• callback – Python callback object that will be invoked if the EC key pair is passphrase-protected.

M2Crypto.EC.load_key_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → EC

Factory function that instantiates a EC object.

Parameters:

• bio – M2Crypto.BIO object that contains the PEM representation of the EC key pair.

• callback – Python callback object that will be invoked if the EC key pair is passphrase-protected.

M2Crypto.EC.load_key_string(string: str, callback: ~typing.Callable = <function passphrase_callback>) → EC

Load an EC key pair from a string.

Parameters:

• string – String containing EC key pair in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to unlock the key. The default is util.passphrase_callback.

Returns:

M2Crypto.EC.EC object.

M2Crypto.EC.load_key_string_pubkey(string: str, callback: Callable = <function passphrase_callback>) → EC.PKey

Load an M2Crypto.EC.PKey from a public key as a string.

Parameters:

• string – String containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EC.PKey object.

M2Crypto.EC.load_pub_key(file: AnyStr) → EC_pub

Load an EC public key from filename.

Parameters:

file – Name of filename containing EC public key in PEM format.

Returns:

M2Crypto.EC.EC_pub object.

M2Crypto.EC.load_pub_key_bio(bio: BIO) → EC_pub

Load an EC public key from an M2Crypto.BIO.BIO object.

Parameters:

bio – M2Crypto.BIO.BIO object containing EC public key in PEM format.

Returns:

M2Crypto.EC.EC_pub object.

M2Crypto.EC.pub_key_from_der(der: bytes) → EC_pub

Create EC_pub from DER.

M2Crypto.EC.pub_key_from_params(curve: bytes, bytes: bytes) → EC_pub

Create EC_pub from curve name and octet string.

EVP Module

class M2Crypto.EVP.Cipher(alg: str, key: bytes, iv: bytes, op: object, key_as_bytes: int = 0, d: str = 'md5', salt: bytes = b'12345678', i: int = 1, padding: int = 1)

Bases: object

final() → bytes

m2_cipher_ctx_free()

set_padding(padding: int = 1) → int

Actually always return 1

update(data: bytes) → bytes

exception M2Crypto.EVP.EVPError

Bases: ValueError

class M2Crypto.EVP.HMAC(key: bytes, algo: str = 'sha1')

Bases: object

digest() → bytes

final() → bytes

m2_hmac_ctx_free()

reset(key: bytes) → None

update(data: bytes) → None

class M2Crypto.EVP.MessageDigest(algo: str)

Bases: object

Message Digest

digest()

final()

m2_md_ctx_free()

update(data: bytes) → int

Add data to be digested.

Returns:

-1 for Python error, 1 for success, 0 for OpenSSL failure.

class M2Crypto.EVP.PKey(pkey: bytes | None = None, _pyfree: int = 0, md: str = 'sha1')

Bases: object

Object to hold diverse types of asymmetric keys (also known as “key pairs”).

as_der() → bytes

Return key in DER format in a string

as_pem(cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → bytes

Return key in PEM format in a string.

Parameters:

• cipher – Symmetric cipher to protect the key. The default cipher is 'aes_128_cbc'. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

assign_ec(ec: EC, capture: int = 1) → int

Assign the EC key pair to self.

Parameters:

• ec – M2Crypto.EC.EC object to be assigned to self.

• capture – If true (default), this PKey object will own the EC object, meaning that once the PKey object gets deleted it is no longer safe to use the EC object.

Returns:

Return 1 for success and 0 for failure.

assign_rsa(rsa: RSA, capture: int = 1) → int

Assign the RSA key pair to self.

Parameters:

• rsa – M2Crypto.RSA.RSA object to be assigned to self.

• capture – If true (default), this PKey object will own the RSA object, meaning that once the PKey object gets deleted it is no longer safe to use the RSA object.

Returns:

Return 1 for success and 0 for failure.

digest_sign(data) → bytes

Return signature.

Returns:

The signature.

digest_sign_final() → bytes

Return signature.

Returns:

The signature.

digest_sign_init() → None

Initialise digest signing operation with self.

digest_sign_update(data: bytes) → None

Feed data to digest signing operation.

Parameters:

data – Data to be signed.

digest_verify()

Return result of verification.

Parameters:

• sign – Signature to use for verification

• data – Data to be verified.

Returns:

Result of verification: 1 for success, 0 for failure, -1 on other error.

digest_verify_final(sign: bytes) → int

Feed data to digest verification operation.

Parameters:

sign – Signature to use for verification

Returns:

Result of verification: 1 for success, 0 for failure, -1 on other error.

digest_verify_init() → None

Initialise verification operation with self.

digest_verify_update(data: bytes) → int

Feed data to verification operation.

Parameters:

data – Data to be verified.

Returns:

-1 on Python error, 1 for success, 0 for OpenSSL error

final() → bytes

Return signature.

Returns:

The signature.

get_ec() → EC_pub

Return the underlying EC key if that is what the EVP instance is holding.

get_modulus() → bytes | None

Return the modulus in hex format.

get_rsa() → RSA_pub

Return the underlying RSA key if that is what the EVP instance is holding.

m2_md_ctx_free()

m2_pkey_free()

reset_context(md: str = 'sha1') → None

Reset internal message digest context.

Parameters:

md – The message digest algorithm.

save_key(file: AnyStr, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to a file in PEM format.

Parameters:

• file – Name of file to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_key_bio(bio: ~M2Crypto.BIO.BIO, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to the M2Crypto.BIO object ‘bio’ in PEM format.

Parameters:

• bio – M2Crypto.BIO object to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

sign_final() → bytes

Return signature.

Returns:

The signature.

sign_init() → None

Initialise signing operation with self.

sign_update(data: bytes) → None

Feed data to signing operation.

Parameters:

data – Data to be signed.

size() → int

Return the size of the key in bytes.

update(data: bytes) → None

Feed data to signing operation.

Parameters:

data – Data to be signed.

verify_final(sign: bytes) → int

Return result of verification.

Parameters:

sign – Signature to use for verification

Returns:

Result of verification: 1 for success, 0 for failure, -1 on other error.

verify_init() → None

Initialise signature verification operation with self.

verify_update(data: bytes) → int

Feed data to verification operation.

Parameters:

data – Data to be verified.

Returns:

-1 on Python error, 1 for success, 0 for OpenSSL error

M2Crypto.EVP.hmac(key: bytes, data: bytes, algo: str = 'sha1') → bytes

M2Crypto.EVP.load_key(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from file.

Parameters:

• file – Name of file containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.load_key_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from an M2Crypto.BIO object.

Parameters:

• bio – M2Crypto.BIO object containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.load_key_bio_pubkey(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from a public key as a M2Crypto.BIO object.

Parameters:

• bio – M2Crypto.BIO object containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.load_key_pubkey(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from a public key as a file.

Parameters:

• file – Name of file containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.load_key_string(string: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from a string.

Parameters:

• string – String containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.load_key_string_pubkey(string: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → PKey

Load an M2Crypto.EVP.PKey from a public key as a string.

Parameters:

• string – String containing the key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key.

Returns:

M2Crypto.EVP.PKey object.

M2Crypto.EVP.pbkdf2(password: bytes, salt: bytes, iter: int, keylen: int) → bytes

Derive a key from password using PBKDF2 algorithm specified in RFC 2898.

Parameters:

• password – Derive the key from this password.

• salt – Salt.

• iter – Number of iterations to perform.

• keylen – Length of key to produce.

Returns:

Key.

Engine Module

class M2Crypto.Engine.Engine(id: bytes | None = None, _ptr: bytes | None = None, _pyfree: int = 1)

Bases: object

Wrapper for ENGINE object.

ctrl_cmd_string(cmd: AnyStr, arg: AnyStr | None, optional: int = 0) → None

Call ENGINE_ctrl_cmd_string

finish() → int

Release a functional and structural reference to the engine.

get_id() → bytes

Return engine id

get_name() → bytes

Return engine name

init() → int

Obtain a functional reference to the engine.

Returns:

0 on error, non-zero on success.

load_certificate(name: bytes) → X509

Load certificate from engine (e.g from smartcard). NOTE: This function may be not implemented by engine!

load_private_key(name: bytes, pin: bytes | None = None) → X509

Load private key with engine methods (e.g from smartcard). If pin is not set it will be asked

load_public_key(name: bytes, pin: bytes | None = None) → PKey

Load public key with engine methods (e.g from smartcard).

m2_engine_free()

set_default(methods: int = 65535) → int

Use this engine as default for methods specified in argument

Parameters:

methods – Possible values are bitwise OR of m2.ENGINE_METHOD_*

exception M2Crypto.Engine.EngineError

Bases: Exception

M2Crypto.Engine.cleanup() → None

If you load any engines, you need to clean up after your application is finished with the engines.

M2Crypto.Engine.load_dynamic() → None

Load dynamic engine

M2Crypto.Engine.load_dynamic_engine(id: bytes, sopath: AnyStr) → Engine

Load and return dymanic engine from sopath and assign id to it

M2Crypto.Engine.load_openssl() → None

Load openssl engine

Err Module

exception M2Crypto.Err.M2CryptoError

Bases: Exception

exception M2Crypto.Err.SSLError(err: int, client_addr: Tuple[str, int] | str)

Bases: Exception

M2Crypto.Err.get_error() → str | None

M2Crypto.Err.get_error_code() → int

M2Crypto.Err.get_error_func(err: int | None) → str

M2Crypto.Err.get_error_lib(err: int | None) → str

M2Crypto.Err.get_error_message() → str

M2Crypto.Err.get_error_reason(err: int | None) → str

M2Crypto.Err.get_x509_verify_error(err: int | None) → str

M2Crypto.Err.peek_error_code() → int

RC4 Module

class M2Crypto.RC4.RC4(key: bytes = None)

Bases: object

Object interface to the stream cipher RC4.

final() → str

rc4_free()

set_key(key: bytes) → None

update(data: bytes) → bytes

RSA Module

class M2Crypto.RSA.RSA(rsa: bytes, _pyfree: int = 0)

Bases: object

RSA Key Pair.

as_pem(cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → bytes

Returns the key(pair) as a string in PEM format.

check_key() → int

Validate RSA keys.

It checks that p and q are in fact prime, and that n = p*q.

Returns:

returns 1 if rsa is a valid RSA key, and 0 otherwise. -1 is returned if an error occurs while checking the key. If the key is invalid or an error occurred, the reason code can be obtained using ERR_get_error(3).

m2_rsa_free()

private_decrypt(data: bytes, padding: int) → bytes

private_encrypt(data: bytes, padding: int) → bytes

pub() → Tuple[bytes, bytes]

public_decrypt(data: bytes, padding: int) → bytes

public_encrypt(data: bytes, padding: int) → bytes

save_key(file: AnyStr, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to a file in PEM format.

Parameters:

• file – Name of file to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_key_bio(bio: ~M2Crypto.BIO.BIO, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to an M2Crypto.BIO.BIO object in PEM format.

Parameters:

• bio – M2Crypto.BIO.BIO object to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_key_der(file: AnyStr) → int

Save the key pair to a file in DER format.

Parameters:

file – Filename to save key to

save_key_der_bio(bio: BIO) → int

Save the key pair to an M2Crypto.BIO.BIO object in DER format.

Parameters:

bio – M2Crypto.BIO.BIO object to save key to.

save_pem(file: AnyStr, cipher: str | None = 'aes_128_cbc', callback: ~typing.Callable = <function passphrase_callback>) → int

Save the key pair to a file in PEM format.

Parameters:

• file – Name of file to save key to.

• cipher – Symmetric cipher to protect the key. The default cipher is ‘aes_128_cbc’. If cipher is None, then the key is saved in the clear.

• callback – A Python callable object that is invoked to acquire a passphrase with which to protect the key. The default is util.passphrase_callback.

save_pub_key(file: AnyStr) → int

Save the public key to a file in PEM format.

Parameters:

file – Name of file to save key to.

save_pub_key_bio(bio: BIO) → int

Save the public key to an M2Crypto.BIO.BIO object in PEM format.

Parameters:

bio – M2Crypto.BIO.BIO object to save key to.

sign(digest: bytes, algo: str = 'sha1') → bytes

Signs a digest with the private key

Parameters:

• digest – A digest created by using the digest method

• algo – The method that created the digest. Legal values like ‘sha1’,’sha224’, ‘sha256’, ‘ripemd160’, and ‘md5’.

Returns:

a string which is the signature

sign_rsassa_pss(digest: bytes, algo: str = 'sha1', salt_length: int = 20) → bytes

Signs a digest with the private key using RSASSA-PSS

Parameters:

• digest – A digest created by using the digest method

• salt_length – The length of the salt to use

• algo – The hash algorithm to use Legal values like ‘sha1’,’sha224’, ‘sha256’, ‘ripemd160’, and ‘md5’.

Returns:

a string which is the signature

verify(data: bytes, signature: bytes, algo: str = 'sha1') → int

Verifies the signature with the public key

Parameters:

• data – Data that has been signed

• signature – The signature signed with the private key

• algo – The method use to create digest from the data before it was signed. Legal values like ‘sha1’,’sha224’, ‘sha256’, ‘ripemd160’, and ‘md5’.

Returns:

1 or 0, depending on whether the signature was verified or not.

verify_rsassa_pss(data: bytes, signature: bytes, algo: str = 'sha1', salt_length: int = 20) → int

Verifies the signature RSASSA-PSS

Parameters:

• data – Data that has been signed

• signature – The signature signed with RSASSA-PSS

• salt_length – The length of the salt that was used

• algo – The hash algorithm to use Legal values are for example ‘sha1’,’sha224’, ‘sha256’, ‘ripemd160’, and ‘md5’.

Returns:

1 or 0, depending on whether the signature was verified or not.

exception M2Crypto.RSA.RSAError

Bases: Exception

class M2Crypto.RSA.RSA_pub(rsa: bytes, _pyfree: int = 0)

Bases: RSA

Object interface to an RSA public key.

check_key() → int

Validate RSA keys.

It checks that p and q are in fact prime, and that n = p*q.

Returns:

returns 1 if rsa is a valid RSA key, and 0 otherwise. -1 is returned if an error occurs while checking the key. If the key is invalid or an error occurred, the reason code can be obtained using ERR_get_error(3).

private_decrypt(*argv: Any) → None

private_encrypt(*argv: Any) → None

save_key(file: AnyStr, *args: Any, **kw: Any) → int

Save public key to file.

save_key_bio(bio: BIO, *args: Any, **kw: Any) → int

Save public key to BIO.

M2Crypto.RSA.gen_key(bits: int, e: int, callback: ~typing.Callable = <function keygen_callback>) → RSA

Generate an RSA key pair.

Parameters:

• bits – Key length, in bits.

• e – The RSA public exponent.

• callback – A Python callable object that is invoked during key generation; its usual purpose is to provide visual feedback. The default callback is keygen_callback.

Returns:

M2Crypto.RSA.RSA object.

M2Crypto.RSA.keygen_callback(p: int, n: ~typing.Any, out: ~typing.IO[str] = <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>) → None

Default callback for gen_key().

M2Crypto.RSA.load_key(file: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → RSA

Load an RSA key pair from file.

Parameters:

• file – Name of file containing RSA public key in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to unlock the key. The default is util.passphrase_callback.

Returns:

M2Crypto.RSA.RSA object.

M2Crypto.RSA.load_key_bio(bio: ~M2Crypto.BIO.BIO, callback: ~typing.Callable = <function passphrase_callback>) → RSA

Load an RSA key pair from an M2Crypto.BIO.BIO object.

Parameters:

• bio – M2Crypto.BIO.BIO object containing RSA key pair in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to unlock the key. The default is util.passphrase_callback.

Returns:

M2Crypto.RSA.RSA object.

M2Crypto.RSA.load_key_string(string: AnyStr, callback: ~typing.Callable = <function passphrase_callback>) → RSA

Load an RSA key pair from a string.

Parameters:

• string – String containing RSA key pair in PEM format.

• callback – A Python callable object that is invoked to acquire a passphrase with which to unlock the key. The default is util.passphrase_callback.

Returns:

M2Crypto.RSA.RSA object.

M2Crypto.RSA.load_pub_key(file: AnyStr) → RSA_pub

Load an RSA public key from file.

Parameters:

file – Name of file containing RSA public key in PEM format.

Returns:

M2Crypto.RSA.RSA_pub object.

M2Crypto.RSA.load_pub_key_bio(bio: BIO) → RSA_pub

Load an RSA public key from an M2Crypto.BIO.BIO object.

Parameters:

bio – M2Crypto.BIO.BIO object containing RSA public key in PEM format.

Returns:

M2Crypto.RSA.RSA_pub object.

M2Crypto.RSA.new_pub_key(e_n: Tuple[bytes, bytes]) → RSA_pub

Instantiate an RSA_pub object from an (e, n) tuple.

Parameters:

• e – The RSA public exponent; it is a string in OpenSSL’s MPINT format - 4-byte big-endian bit-count followed by the appropriate number of bits.

• n – The RSA composite of primes; it is a string in OpenSSL’s MPINT format - 4-byte big-endian bit-count followed by the appropriate number of bits.

Returns:

M2Crypto.RSA.RSA_pub object.

M2Crypto.RSA.rsa_error() → None

Rand Module

M2Crypto wrapper for OpenSSL PRNG. Requires OpenSSL 0.9.5 and above.

Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved. Copyright (c) 2014-2017 Matej Cepl. All rights reserved.

See LICENCE for the license information.

M2Crypto.Rand.load_file(filename: AnyStr, max_bytes: int) → int

Read a number of bytes from file filename and adds them to the PRNG.

If max_bytes is non-negative, up to to max_bytes are read; starting with OpenSSL 0.9.5, if max_bytes is -1, the complete file is read.

Parameters:

• filename –

• max_bytes –

Returns:

the number of bytes read.

M2Crypto.Rand.rand_add(blob: bytes, entropy: float) → None

Mixes blob into the PRNG state.

Parameters:

• blob – added data

• entropy – (the lower bound of) an estimate of how much randomness is contained in blob, measured in bytes.

Thus, if the data at buf are unpredictable to an adversary, this increases the uncertainty about the state and makes the PRNG output less predictable. Suitable input comes from user interaction (random key presses, mouse movements) and certain hardware events.

Details about sources of randomness and how to estimate their entropy can be found in the literature, e.g. RFC 1750.

M2Crypto.Rand.rand_bytes(num: int) → bytes

Return n cryptographically strong pseudo-random bytes.

An error occurs if the PRNG has not been seeded with enough randomness to ensure an unpredictable byte sequence.

Parameters:

num – number of bytes to be returned

Returns:

random bytes

M2Crypto.Rand.rand_file_name() → str

Generate a default path for the random seed file.

Returns:

string with the filename. The seed file is $RANDFILE if that environment variable is set, $HOME/.rnd otherwise. If $HOME is not set either, an error occurs.

M2Crypto.Rand.rand_pseudo_bytes(num: int) → Tuple[bytes, int]

Return num pseudo-random bytes into buf.

Pseudo-random byte sequences generated by this method will be unique if they are of sufficient length, but are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc.

Output of the function is mixed into the entropy pool before retrieving the new pseudo-random bytes unless disabled at compile time (see FAQ).

Parameters:

num – number of bytes to be returned

Returns:

random bytes

M2Crypto.Rand.rand_seed(seed: bytes) → None

Equivalent to rand_add() when len(seed) == entropy.

Parameters:

seed – added data (see description at rand_add)

M2Crypto.Rand.rand_status() → int

Check whether there is enough entropy in PRNG.

Returns:

1 if the PRNG has been seeded with enough data, 0 otherwise.

M2Crypto.Rand.save_file(filename: AnyStr) → int

Write a number of random bytes (currently 1024) to file.

The file then can be used to initialize the PRNG by calling load_file() in a later session.

Parameters:

filename –

Returns:

returns the number of bytes written, and -1 if the bytes written were generated without appropriate seed.

SMIME Module

class M2Crypto.SMIME.Cipher(algo: str)

Bases: object

Object interface to EVP_CIPHER without all the frills of M2Crypto.EVP.Cipher.

class M2Crypto.SMIME.PKCS7(pkcs7: bytes | None = None, _pyfree: int = 0)

Bases: object

get0_signers(certs: X509_Stack, flags: int = 0) → X509_Stack

m2_pkcs7_free()

type(text_name: int = 0) → int

write(bio: BIO) → int

write_der(bio: BIO) → int

exception M2Crypto.SMIME.PKCS7_Error

Bases: Exception

class M2Crypto.SMIME.SMIME

Bases: object

decrypt(pkcs7: PKCS7, flags: int = 0) → bytes | None

encrypt(data_bio: BIO, flags: int = 0) → PKCS7

load_key(keyfile: AnyStr, certfile: AnyStr | None = None, callback: ~typing.Callable = <function passphrase_callback>) → None

load_key_bio(keybio: ~M2Crypto.BIO.BIO, certbio: ~M2Crypto.BIO.BIO | None = None, callback: ~typing.Callable = <function passphrase_callback>) → None

set_cipher(cipher: Cipher) → None

set_x509_stack(stack: X509_Stack) → None

set_x509_store(store: X509_Store) → None

sign(data_bio: BIO, flags: int = 0, algo: str | None = 'sha1') → PKCS7

unset_cipher() → None

unset_key() → None

unset_x509_stack() → None

unset_x509_store() → None

verify(pkcs7: PKCS7, data_bio: BIO = None, flags: int = 0) → bytes | None

write(out_bio: BIO, pkcs7: PKCS7, data_bio: BIO | None = None, flags: int = 0) → int

exception M2Crypto.SMIME.SMIME_Error

Bases: Exception

M2Crypto.SMIME.load_pkcs7(p7file: AnyStr) → PKCS7

M2Crypto.SMIME.load_pkcs7_bio(p7_bio: BIO) → PKCS7

M2Crypto.SMIME.load_pkcs7_bio_der(p7_bio: BIO) → PKCS7

M2Crypto.SMIME.load_pkcs7_der(p7file: AnyStr) → PKCS7

M2Crypto.SMIME.smime_load_pkcs7(p7file: AnyStr) → PKCS7

M2Crypto.SMIME.smime_load_pkcs7_bio(p7_bio: BIO) → PKCS7

M2Crypto.SMIME.text_crlf(text: bytes) → bytes

M2Crypto.SMIME.text_crlf_bio(bio_in: BIO) → BIO

X509 Module

class M2Crypto.X509.CRL(crl: bytes | None = None, _pyfree: int = 0)

Bases: object

X509 Certificate Revocation List

as_text() → str

Return CRL in PEM format in a string.

Returns:

String containing the CRL in PEM format.

m2_x509_crl_free()

class M2Crypto.X509.Request(req: int | None = None, _pyfree: int = 0)

Bases: object

X509 Certificate Request.

add_extensions(ext_stack: X509_Extension_Stack) → int

Add X509 extensions to this request.

Parameters:

ext_stack – Stack of extensions to add.

Returns:

1 for success and 0 for failure

as_der() → bytes

as_pem() → bytes

as_text() → str

get_pubkey() → PKey

Get the public key for the request.

Returns:

Public key from the request.

get_subject() → X509_Name

get_version() → int

Get version.

Returns:

Returns version.

m2_x509_req_free()

save(filename: AnyStr, format: int = 1) → int

Saves X.509 certificate request to a file. Default output format is PEM.

Parameters:

• filename – Name of the file the request will be saved to.

• format – Controls what output format is used to save the request. Either FORMAT_PEM or FORMAT_DER to save in PEM or DER format. Raises ValueError if an unknown format is used.

Returns:

1 for success, 0 for failure. The error code can be obtained by ERR_get_error.

save_pem(filename: AnyStr) → int

set_pubkey(pkey: PKey) → int

Set the public key for the request.

Parameters:

pkey – Public key

Returns:

Return 1 for success and 0 for failure.

set_subject(name: X509_Name) → int

Set subject name.

Parameters:

name – subjectName field.

Returns:

1 for success and 0 for failure

set_subject_name(name: X509_Name) → int

Set subject name.

Parameters:

name – subjectName field.

Returns:

1 for success and 0 for failure

set_version(version: int) → int

Set version.

Parameters:

version – Version number.

Returns:

Returns 0 on failure.

sign(pkey: PKey, md: str) → int

Parameters:

• pkey – PKey to be signed

• md – used algorigthm

Returns:

1 for success and 0 for failure

verify(pkey: PKey) → int

Parameters:

pkey – PKey to be verified

Returns:

1 for success and 0 for failure

class M2Crypto.X509.X509(x509: bytes | None = None, _pyfree: int = 0)

Bases: object

X.509 Certificate

add_ext(ext: X509_Extension) → int

Add X509 extension to this certificate.

Parameters:

ext – Extension

:return 1 for success and 0 for failure

as_der() → bytes

as_pem() → bytes

as_text() → str

check_ca() → int

Check if the certificate is a Certificate Authority (CA) certificate.

Returns:

0 if the certificate is not CA, nonzero otherwise.

Requires:

OpenSSL 0.9.8 or newer

check_purpose(id: int, ca: int) → int

Check if the certificate’s purpose matches the asked purpose.

Parameters:

• id – Purpose id. See X509_PURPOSE_* constants.

• ca – 1 if the certificate should be CA, 0 otherwise.

Returns:

0 if the certificate purpose does not match, nonzero otherwise.

get_ext(name: str) → X509_Extension

Get X509 extension by name.

Parameters:

name – Name of the extension

Returns:

X509_Extension

get_ext_at(index: int) → X509_Extension

Get X509 extension by index.

Parameters:

index – Name of the extension

Returns:

X509_Extension

get_ext_count() → int

Get X509 extension count.

get_fingerprint(md: str = 'md5') → str

Get the fingerprint of the certificate.

Parameters:

md – Message digest algorithm to use.

Returns:

String containing the fingerprint in hex format.

get_issuer() → X509_Name

get_not_after() → ASN1_TIME

get_not_before() → ASN1_TIME

get_pubkey() → PKey

get_serial_number() → ASN1_Integer

get_subject() → X509_Name

get_version() → int

m2_x509_free()

save(filename: AnyStr, format: int = 1) → int

Saves X.509 certificate to a file. Default output format is PEM.

Parameters:

• filename – Name of the file the cert will be saved to.

• format – Controls what output format is used to save the cert. Either FORMAT_PEM or FORMAT_DER to save in PEM or DER format. Raises a ValueError if an unknow format is used.

Returns:

1 for success or 0 for failure

save_pem(filename: AnyStr) → int

Parameters:

filename – name of the file to be loaded

Returns:

1 for success or 0 for failure

set_issuer(name: X509_Name) → int

Set issuer name.

Parameters:

name – subjectName field.

:return 1 for success and 0 for failure

set_issuer_name(name: X509_Name) → int

Returns:

1 on success, 0 on failure

set_not_after(asn1_time: ASN1_TIME) → int

Returns:

1 on success, 0 on failure

set_not_before(asn1_time: ASN1_TIME) → int

Returns:

1 on success, 0 on failure

set_pubkey(pkey: PKey) → int

Set the public key for the certificate

Parameters:

pkey – Public key

:return 1 for success and 0 for failure

set_serial_number(serial: ASN1_Integer) → int

Set serial number.

Parameters:

serial – Serial number.

:return 1 for success and 0 for failure.

set_subject(name: X509_Name) → int

Set subject name.

Parameters:

name – subjectName field.

:return 1 for success and 0 for failure

set_subject_name(name: X509_Name) → int

Returns:

1 on success, 0 on failure

set_version(version: int) → int

Set version of the certificate.

Parameters:

version – Version number.

Returns:

Returns 0 on failure.

sign(pkey: PKey, md: str) → int

Sign the certificate.

Parameters:

• pkey – Public key

• md – Message digest algorithm to use for signing, for example ‘sha1’.

:return int

verify(pkey: PKey | None = None) → int

exception M2Crypto.X509.X509Error

Bases: ValueError

class M2Crypto.X509.X509_Extension(x509_ext_ptr: bytes | None = None, _pyfree: int = 1)

Bases: object

X509 Extension

get_critical() → int

Return whether or not this is a critical extension.

Returns:

Nonzero if this is a critical extension.

get_name() → str

Get the extension name, for example ‘subjectAltName’.

get_value(flag: int = 0, indent: int = 0) → str

Get the extension value, for example ‘DNS:www.example.com’.

Parameters:

• flag – Flag to control what and how to print.

• indent – How many spaces to print before actual value.

m2_x509_extension_free()

set_critical(critical: int = 1) → int

Mark this extension critical or noncritical. By default an extension is not critical.

Parameters:

critical – Nonzero sets this extension as critical. Calling this method without arguments will set this extension to critical.

Returns:

1 for success, 0 for failure

class M2Crypto.X509.X509_Extension_Stack(stack: bytes | None = None, _pyfree: int = 0)

Bases: object

X509 Extension Stack

Warning:

Do not modify the underlying OpenSSL stack except through this interface, or use any OpenSSL functions that do so indirectly. Doing so will get the OpenSSL stack and the internal pystack of this class out of sync, leading to python memory leaks, exceptions or even python crashes!

m2_sk_x509_extension_free()

pop() → X509_Extension

Pop X509_Extension object from the stack.

Returns:

X509_Extension popped

push(x509_ext: X509_Extension) → int

Push X509_Extension object onto the stack.

Parameters:

x509_ext – X509_Extension object to be pushed onto the stack.

Returns:

The number of extensions on the stack.

class M2Crypto.X509.X509_Name(x509_name: bytes = None, _pyfree: int = 0)

Bases: object

X509 Name

add_entry_by_txt(field, type, entry, len, loc, set)

Add X509_Name field whose name is identified by its name.

Parameters:

• field – name of the entry

• type – use MBSTRING_ASC or MBSTRING_UTF8 (or standard ASN1 type like V_ASN1_IA5STRING)

• entry – value

• len – buf_len of the entry (-1 and the length is computed automagically)

The loc and set parameters determine where a new entry should be added. For almost all applications loc can be set to -1 and set to 0. This adds a new entry to the end of name as a single valued RelativeDistinguishedName (RDN).

Parameters:

• loc – determines the index where the new entry is inserted: if it is -1 it is appended.

• set – determines how the new type is added. If it is zero a new RDN is created. If set is -1 or 1 it is added to the previous or next RDN structure respectively. This will then be a multivalued RDN: since multivalues RDNs are very seldom used set is almost always set to zero.

Returns:

1 for success of 0 if an error occurred.

as_der() → bytes

as_hash() → int

as_text(indent: int = 0, flags: int = 0) → str

as_text returns the name as a string.

Parameters:

• indent – Each line in multiline format is indented by this many spaces.

• flags – Flags that control how the output should be formatted.

entry_count() → int

get_entries_by_nid(nid: int) → List[X509_Name_Entry]

Retrieve the next index matching nid.

Parameters:

nid – name of the entry (as m2.NID* constants)

Returns:

list of X509_Name_Entry items

m2_x509_name_free()

nid = {'C': 14, 'CN': 13, 'Email': 48, 'GN': 99, 'L': 15, 'O': 17, 'OU': 18, 'SN': 100, 'SP': 16, 'ST': 16, 'commonName': 13, 'emailAddress': 48, 'givenName': 99, 'localityName': 15, 'organizationName': 17, 'organizationUnitName': 18, 'serialNumber': 105, 'stateOrProvinceName': 16, 'surname': 100}

class M2Crypto.X509.X509_Name_Entry(x509_name_entry: bytes, _pyfree: int = 0)

Bases: object

X509 Name Entry

create_by_txt(field, type, entry, len)

get_data() → ASN1_String

get_object() → ASN1_Object

m2_x509_name_entry_free()

set_data(data: bytes, type: int = 4097) → int

Sets the field name to asn1obj

Parameters:

data – data in a binary form to be set

Returns:

0 on failure, 1 on success

set_object(asn1obj: ASN1_Object) → int

Sets the field name to asn1obj

Parameters:

asn1obj –

Returns:

0 on failure, 1 on success

class M2Crypto.X509.X509_Stack(stack: bytes = None, _pyfree: int = 0, _pyfree_x509: int = 0)

Bases: object

X509 Stack

Warning:

Do not modify the underlying OpenSSL stack except through this interface, or use any OpenSSL functions that do so indirectly. Doing so will get the OpenSSL stack and the internal pystack of this class out of sync, leading to python memory leaks, exceptions or even python crashes!

as_der() → bytes

Return the stack as a DER encoded string

m2_sk_x509_free()

pop() → X509

pop a certificate from the stack.

Returns:

X509 object that was popped, or None if there is nothing to pop.

push(x509: X509) → int

push an X509 certificate onto the stack.

Parameters:

x509 – X509 object.

Returns:

The number of X509 objects currently on the stack.

class M2Crypto.X509.X509_Store(store: bytes | None = None, _pyfree: int = 0)

Bases: object

X509 Store

add_cert(x509: X509) → int

add_x509(x509: X509) → int

load_info(file: AnyStr) → int

Parameters:

file – filename

Returns:

1 on success, 0 on failure

load_locations(file: AnyStr) → int

Parameters:

file – filename

Returns:

1 on success, 0 on failure

m2_x509_store_free()

set_flags(flags: int) → int

Set the verification flags for the X509Store Wrapper over OpenSSL X509_STORE_set_flags()

Parameters:

flags – VERIFICATION FLAGS section of the X509_VERIFY_PARAM_set_flags man page has a complete description of values the flags parameter can take. Their M2Crypto equivalent is transformed following the pattern: “X509_V_FLAG_XYZ” -> lowercase(“VERIFY_XYZ”)

set_verify_cb(callback: callable | None = None) → None

Set callback which will be called when the store is verified. Wrapper over OpenSSL X509_STORE_set_verify_cb().

Parameters:

callback – Callable to specify verification options. Type of the callable must be: (int, X509_Store_Context) -> int. If None: set the standard options.

Note:

compile-time or run-time errors in the callback would result in mysterious errors during verification, which could be hard to trace.

Note:

Python exceptions raised in callbacks do not propagate to verify() call.

Returns:

None

class M2Crypto.X509.X509_Store_Context(x509_store_ctx: bytes, _pyfree: int = 0)

Bases: object

X509 Store Context

get1_chain() → X509_Stack

Get certificate chain.

Returns:

Reference counted (i.e. safe to use even after the store context goes away) stack of certificates in the chain.

get_current_cert() → X509

Get current X.509 certificate.

Warning:

The returned certificate is NOT refcounted, so you can not rely on it being valid once the store context goes away or is modified.

get_error() → int

Get error code.

get_error_depth() → int

Get error depth.

m2_x509_store_ctx_free()

M2Crypto.X509.load_cert(file: AnyStr, format: int = 1) → X509

Load certificate from file.

Parameters:

• file – Name of file containing certificate in either DER or PEM format.

• format – Describes the format of the file to be loaded, either PEM or DER.

Returns:

M2Crypto.X509.X509 object.

M2Crypto.X509.load_cert_bio(bio: BIO, format: int = 1) → X509

Load certificate from a bio.

Parameters:

• bio – BIO pointing at a certificate in either DER or PEM format.

• format – Describes the format of the cert to be loaded, either PEM or DER (via constants FORMAT_PEM and FORMAT_FORMAT_DER)

Returns:

M2Crypto.X509.X509 object.

M2Crypto.X509.load_cert_der_string(cert_str: AnyStr) → X509

Load certificate from a cert_str.

Parameters:

cert_str – String containing a certificate in DER format.

Returns:

M2Crypto.X509.X509 object.

M2Crypto.X509.load_cert_string(cert_str: AnyStr, format: int = 1) → X509

Load certificate from a cert_str.

Parameters:

• cert_str – String containing a certificate in either DER or PEM format.

• format – Describes the format of the cert to be loaded, either PEM or DER (via constants FORMAT_PEM and FORMAT_FORMAT_DER)

Returns:

M2Crypto.X509.X509 object.

M2Crypto.X509.load_crl(file: AnyStr) → CRL

Load CRL from file.

Parameters:

file – Name of file containing CRL in PEM format.

Returns:

M2Crypto.X509.CRL object.

M2Crypto.X509.load_request(file: AnyStr, format: int = 1) → Request

Load certificate request from file.

Parameters:

• file – Name of file containing certificate request in either PEM or DER format.

• format – Describes the format of the file to be loaded, either PEM or DER. (using constants FORMAT_PEM and FORMAT_DER)

Returns:

Request object.

M2Crypto.X509.load_request_bio(bio: BIO, format: int = 1) → Request

Load certificate request from a bio.

Parameters:

• bio – BIO pointing at a certificate request in either DER or PEM format.

• format – Describes the format of the request to be loaded, either PEM or DER. (using constants FORMAT_PEM and FORMAT_DER)

Returns:

M2Crypto.X509.Request object.

M2Crypto.X509.load_request_der_string(cert_str: AnyStr) → Request

Load certificate request from a cert_str.

Parameters:

cert_str – String containing a certificate request in DER format.

Returns:

M2Crypto.X509.Request object.

M2Crypto.X509.load_request_string(cert_str: AnyStr, format: int = 1) → Request

Load certificate request from a cert_str.

Parameters:

• cert_str – String containing a certificate request in either DER or PEM format.

• format – Describes the format of the request to be loaded, either PEM or DER. (using constants FORMAT_PEM and FORMAT_DER)

Returns:

M2Crypto.X509.Request object.

M2Crypto.X509.new_extension(name: str, value: bytes, critical: int = 0, _pyfree: int = 1) → X509_Extension

Create new X509_Extension instance.

M2Crypto.X509.new_stack_from_der(der_string: bytes) → X509_Stack

Create a new X509_Stack from DER string.

Returns:

X509_Stack

M2Crypto.X509.x509_store_default_cb(ok: int, ctx: X509_Store_Context) → int

callback Module

ftpslib Module

class M2Crypto.ftpslib.FTP_TLS(host=None, ssl_ctx=None)

Bases: FTP

Python OO interface to client-side FTP/TLS.

auth_ssl()

Secure the control connection per AUTH SSL, aka AUTH TLS-P.

auth_tls()

Secure the control connection per AUTH TLS, aka AUTH TLS-C.

ntransfercmd(cmd, rest=None)

Initiate a data transfer.

prot_c()

Set up data connection in the clear.

prot_p()

Set up secure data connection.

httpslib Module

class M2Crypto.httpslib.HTTPSConnection(host: str, port: int | None = None, strict: bool | None = None, **ssl: Any)

Bases: HTTPConnection

This class allows communication via SSL using M2Crypto.

close() → None

Close the connection to the HTTP server.

connect() → None

Connect to the host and port specified in __init__.

default_port = 443

get_session() → Session

set_session(session: Session) → None

class M2Crypto.httpslib.ProxyHTTPSConnection(host: str, port: int | None = None, strict: bool | None = None, username: AnyStr | None = None, password: AnyStr | None = None, **ssl: Any)

Bases: HTTPSConnection

An HTTPS Connection that uses a proxy and the CONNECT request.

When the connection is initiated, CONNECT is first sent to the proxy (along with authorization headers, if supplied). If successful, an SSL connection will be established over the socket through the proxy and to the target host.

Finally, the actual request is sent over the SSL connection tunneling through the proxy.

connect() → None

Connect to the host and port specified in __init__.

endheaders(*args: Any, **kwargs: Any) → None

Indicate that the last header line has been sent to the server.

This method sends the request to the server. The optional message_body argument can be used to pass a message body associated with the request.

putheader(header: AnyStr, value: AnyStr) → None

Send a request header line to the server.

For example: h.putheader(‘Accept’, ‘text/html’)

putrequest(method: AnyStr, url: AnyStr, skip_host: int = 0, skip_accept_encoding: int = 0) → None

putrequest is called before connect, so can interpret url and get real host/port to be used to make CONNECT request to proxy

m2 Module

m2crypto Module

m2urllib Module

M2Crypto.m2urllib.open_https(self: URLOpener, url: AnyStr, data: bytes | None = None, ssl_context: SSL.Context | None = None) → addinfourl

Open URL over the SSL connection.

Parameters:

• url – URL to be opened

• data – data for the POST request

• ssl_context – SSL.Context to be used

Returns:

m2urllib2 Module

class M2Crypto.m2urllib2.HTTPSHandler(ssl_context: Context = None)

Bases: AbstractHTTPHandler

https_open(req: Request) → addinfourl

Return an addinfourl object for the request, using http_class.

http_class must implement the HTTPConnection API from httplib. The addinfourl return value is a file-like object. It also has methods and attributes including:

• info(): return a mimetools.Message object for the headers

• geturl(): return the original request URL

• code: HTTP status code

https_request(request)

M2Crypto.m2urllib2.build_opener(ssl_context: Context | None = None, *handlers: object) → OpenerDirector

Create an opener object from a list of handlers.

The opener will use several default handlers, including support for HTTP and FTP.

If any of the handlers passed as arguments are subclasses of the default handlers, the default handlers will not be used.

m2xmlrpclib Module

class M2Crypto.m2xmlrpclib.SSL_Transport(ssl_context: Context | None = None, *args: Any, **kw: Any)

Bases: Transport

request(host: AnyStr, handler: Callable, request_body: bytes, verbose: int = 0) → object

user_agent = 'M2Crypto_XMLRPC/0.40.1 - Python-xmlrpc/3.12'

threading Module

M2Crypto.threading.cleanup() → None

End and cleanup threading support.

M2Crypto.threading.init() → None

Initialize threading support.

util Module

exception M2Crypto.util.UtilError

Bases: Exception

M2Crypto.util.bin_to_hex(b: bytes) → str

M2Crypto.util.expectedFailureIf(condition)

The test is marked as an expectedFailure if the condition is satisfied.

M2Crypto.util.genparam_callback(p: int, n: ~typing.Any, out: ~typing.TextIO = <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>) → None

M2Crypto.util.is_32bit() → bool

M2Crypto.util.no_passphrase_callback(*args: Any) → str

M2Crypto.util.octx_to_num(x: bytes) → int

M2Crypto.util.passphrase_callback(v: bool, prompt1: str = 'Enter passphrase:', prompt2: str = 'Verify passphrase:') → str | None

M2Crypto.util.pkcs5_pad(data: str, blklen: int = 8) → str

M2Crypto.util.pkcs7_pad(data: str, blklen: int) → str

M2Crypto.util.quiet_genparam_callback(p: Any, n: Any, out: Any) → None

Subpackages

• SSL Package
  • SSL Package
    • SSLError
    • SSLTimeoutError
  • Checker Module
    • Checker
      • Checker.numericIpMatch
    • NoCertificate
    • SSLVerificationError
    • WrongCertificate
    • WrongHost
  • Cipher Module
    • Cipher
      • Cipher.name()
      • Cipher.version()
    • Cipher_Stack
  • Connection Module
    • Connection
      • Connection.accept()
      • Connection.accept_ssl()
      • Connection.bind()
      • Connection.clear()
      • Connection.close()
      • Connection.connect()
      • Connection.connect_ssl()
      • Connection.fileno()
      • Connection.get_cipher()
      • Connection.get_cipher_list()
      • Connection.get_ciphers()
      • Connection.get_context()
      • Connection.get_default_session_timeout()
      • Connection.get_peer_cert()
      • Connection.get_peer_cert_chain()
      • Connection.get_session()
      • Connection.get_shutdown()
      • Connection.get_socket_read_timeout()
      • Connection.get_socket_write_timeout()
      • Connection.get_state()
      • Connection.get_verify_depth()
      • Connection.get_verify_mode()
      • Connection.get_verify_result()
      • Connection.get_version()
      • Connection.getpeername()
      • Connection.getsockname()
      • Connection.getsockopt()
      • Connection.listen()
      • Connection.m2_bio_free()
      • Connection.m2_bio_noclose
      • Connection.m2_ssl_free()
      • Connection.makefile()
      • Connection.pending()
      • Connection.read()
      • Connection.recv()
      • Connection.recv_into()
      • Connection.renegotiate()
      • Connection.send()
      • Connection.sendall()
      • Connection.serverPostConnectionCheck()
      • Connection.set1_host()
      • Connection.set_accept_state()
      • Connection.set_bio()
      • Connection.set_cipher_list()
      • Connection.set_client_CA_list_from_context()
      • Connection.set_client_CA_list_from_file()
      • Connection.set_connect_state()
      • Connection.set_post_connection_check_callback()
      • Connection.set_session()
      • Connection.set_session_id_ctx()
      • Connection.set_shutdown()
      • Connection.set_socket_read_timeout()
      • Connection.set_socket_write_timeout()
      • Connection.set_ssl_close_flag()
      • Connection.set_tlsext_host_name()
      • Connection.setblocking()
      • Connection.setsockopt()
      • Connection.settimeout()
      • Connection.setup_addr()
      • Connection.setup_ssl()
      • Connection.shutdown()
      • Connection.ssl_get_error()
      • Connection.verify_ok()
      • Connection.write()
  • Context Module
    • Context
      • Context.add_session()
      • Context.close()
      • Context.get_allow_unknown_ca()
      • Context.get_cert_store()
      • Context.get_session_cache_mode()
      • Context.get_session_timeout()
      • Context.get_verify_depth()
      • Context.get_verify_mode()
      • Context.load_cert()
      • Context.load_cert_chain()
      • Context.load_client_CA()
      • Context.load_client_ca()
      • Context.load_verify_info()
      • Context.load_verify_locations()
      • Context.m2_ssl_ctx_free()
      • Context.remove_session()
      • Context.set_allow_unknown_ca()
      • Context.set_cipher_list()
      • Context.set_client_CA_list_from_file()
      • Context.set_default_verify_paths()
      • Context.set_info_callback()
      • Context.set_options()
      • Context.set_session_cache_mode()
      • Context.set_session_id_ctx()
      • Context.set_session_timeout()
      • Context.set_tmp_dh()
      • Context.set_tmp_dh_callback()
      • Context.set_tmp_rsa()
      • Context.set_tmp_rsa_callback()
      • Context.set_verify()
    • ctxmap()
    • map()
  • SSLServer Module
    • ForkingSSLServer
    • SSLServer
      • SSLServer.handle_error()
      • SSLServer.handle_request()
    • ThreadingSSLServer
  • Session Module
    • Session
      • Session.as_der()
      • Session.as_text()
      • Session.get_time()
      • Session.get_timeout()
      • Session.m2_ssl_session_free()
      • Session.set_time()
      • Session.set_timeout()
      • Session.write_bio()
    • load_session()
  • TwistedProtocolWrapper Module
    • TLSProtocolWrapper
      • TLSProtocolWrapper.clear()
      • TLSProtocolWrapper.connectionLost()
      • TLSProtocolWrapper.connectionMade()
      • TLSProtocolWrapper.dataReceived()
      • TLSProtocolWrapper.loseConnection()
      • TLSProtocolWrapper.startTLS()
      • TLSProtocolWrapper.write()
      • TLSProtocolWrapper.writeSequence()
    • connectSSL()
    • connectTCP()
    • listenSSL()
    • listenTCP()
  • cb Module
    • ssl_info_callback()
    • ssl_verify_callback()
    • ssl_verify_callback_allow_unknown_ca()
    • ssl_verify_callback_stub()
  • timeout Module
    • struct_size()
    • struct_to_timeout()
    • timeout
      • timeout.pack()