Trust

class siotls.trust.TrustStore

Abstract class that the trust backends implement.

abstractmethod verify_chain(conn, entry_chain)

Verify that entry_chain is composed of valid certificates that can be re-ordered to form a chain of trust anchored at a trusted certificate.

For a server certificate, also verify that the first certificate in the chain is an end-entity (subject) certificate whose CN or SAN matches conn.server_hostname (when it is set).

Raises:

alerts.BadCertificate – When verification fails and it would therefore be unsafe to continue using the connection.

Parameters:

conn – The connection being established; conn.server_hostname, when set, is the name the leaf certificate must match.

entry_chain – The certificates presented by the peer, leaf first.

Return type:

None
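The two structural checks that verify_chain is documented to perform, the re-ordering of the peer's certificates into a chain ending at a trust anchor and the hostname match against CN or SAN, as an added example over a minimal certificate model. This is not siotls code: Cert, BadCertificate, order_chain, hostname_matches and the verify_chain signature are assumptions for this example, and signature verification, validity periods and revocation (the backend's job) are deliberately not shown.

```python
"""Added example, not siotls code. Cert, BadCertificate and the function
names below are assumptions; signatures, validity and revocation are left
to the backend and are not checked here."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


class BadCertificate(Exception):
    """Stand-in for siotls' alerts.BadCertificate (assumed name)."""


@dataclass(frozen=True)
class Cert:
    subject: str                    # constructed name string, not a DER name
    issuer: str
    san_dns: tuple[str, ...] = ()   # dNSName entries of the SAN extension
    san_ip: tuple[str, ...] = ()    # iPAddress entries of the SAN extension
    cn: str | None = None           # subject CN, legacy fallback only


def order_chain(entry_chain: list[Cert], trusted: list[Cert]) -> list[Cert]:
    """Re-order entry_chain leaf-first so each certificate is issued by the
    next one, stopping at a certificate issued by a trust anchor. Raises
    BadCertificate on a missing intermediate, a cycle, or no anchor.
    Matching on names only establishes the order; the backend must still
    verify each signature with the next certificate's key."""
    if not entry_chain:
        raise BadCertificate("empty certificate chain")
    anchors = {c.subject for c in trusted}
    by_subject = {c.subject: c for c in entry_chain}
    ordered = [entry_chain[0]]           # the leaf is, by convention, first
    seen = {entry_chain[0].subject}
    while ordered[-1].issuer not in anchors:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None:
            raise BadCertificate(f"no issuer found for {ordered[-1].subject!r}")
        if nxt.subject in seen:          # A -> B -> A would loop forever
            raise BadCertificate("certificate chain contains a cycle")
        seen.add(nxt.subject)
        ordered.append(nxt)
    return ordered                       # anchor itself comes from the store, not the peer


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: a wildcard is only accepted as the entire left-most
    label and matches exactly one label; no partial labels ("f*o.com"),
    no bare "*.com", and comparison is case-insensitive."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, server_hostname: str) -> bool:
    """SAN takes precedence; the CN is consulted only when the certificate
    carries no dNSName SAN at all. An IP literal must match an iPAddress
    SAN and never a dNSName or the CN."""
    try:
        ip = ipaddress.ip_address(server_hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        return any(_dns_match(p, server_hostname) for p in cert.san_dns)
    return cert.cn is not None and _dns_match(cert.cn, server_hostname)


def verify_chain(server_hostname: str | None, entry_chain: list[Cert],
                 trusted: list[Cert]) -> list[Cert]:
    """Ordering plus hostname check, as verify_chain() is documented to do."""
    ordered = order_chain(entry_chain, trusted)
    if server_hostname is not None and not hostname_matches(ordered[0], server_hostname):
        raise BadCertificate(f"leaf certificate does not match {server_hostname!r}")
    return ordered
```

The cycle guard and the "anchor comes from the store" rule are the two details most often missed: a peer may send its root along with the chain, but the copy that is trusted must be the one in the local store, and a chain that references itself must terminate in an error rather than an infinite loop.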

siotls.trust.get_ca_certificates()

Load, and cache, the list of trusted root CA certificates.

The loaders are tried in the following order, and the first one that succeeds wins:

  1. load_system_ca_certificates()

  2. load_certifi_ca_certificates()

If every loader fails, the error raised by the last one is re-raised.

Return type:

list[DerCertificate]

siotls.trust.get_truststore()

Instantiate, and cache, a concrete truststore.

The backends are tried in the following order, and the first one that succeeds wins:

  1. OpensslTrustStore

If every backend fails, the error raised by the last one is re-raised.

Return type:

TrustStore

siotls.trust.load_certifi_ca_certificates()

Load the same set of root CA certificates as the Mozilla Firefox browser, via the certifi bundle of CA certificates (Mozilla's root store repackaged as a Python package).

Return type:

list[DerCertificate]

siotls.trust.load_system_ca_certificates()

Load the operating system's chain of trust.

On Linux, it relies on the ca-certificates package (the package name differs between distributions). It looks up the well-known location where the distribution installs the certificate bundle and loads it if found. It uses platform.freedesktop_os_release() and the ID and ID_LIKE fields to determine the distribution.

On Windows, it uses ssl.enum_certificates() from the Python standard library to load all three stores: ROOT, CA and MY (ROOT and CA hold the system's trust anchors and intermediates; MY is the personal certificate store).

If the operating system is unknown, or loading the trust store for that operating system failed, it falls back on ssl.get_default_verify_paths() from the Python standard library to find a trust store of last resort. An error is raised if that last resort fails too.

Raises:

RuntimeError – When no chain of trust was found.

Return type:

list[DerCertificate]
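The loader cascade described for get_ca_certificates() and load_system_ca_certificates() (try each source in order, fall back, and re-raise the last error when everything fails; the same first_successful() pattern applies to get_truststore()), as an added stand-alone example. This is not siotls code: the PEM parser, the distribution-to-bundle-path table, the helper names and the constructed SAMPLE_BUNDLE are this example's assumptions; platform.freedesktop_os_release(), ssl.enum_certificates() and ssl.get_default_verify_paths() are the standard-library calls the page names.

```python
"""Added example, not siotls code. The distribution table, paths, helper
names and the constructed sample bundle are assumptions of this example."""
from __future__ import annotations

import base64
import functools
import os
import platform
import ssl
import sys
from collections.abc import Callable, Iterable

DerCertificate = bytes   # stand-in for siotls' DerCertificate

_BEGIN, _END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_bundle_to_der(text: str) -> list[DerCertificate]:
    """Split a PEM bundle into DER blobs, ignoring the comment and blank
    lines between entries; truncated entries and corrupt base64 are errors."""
    certs: list[DerCertificate] = []
    body: list[str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == _BEGIN:
            if body is not None:
                raise ValueError("nested BEGIN marker")
            body = []
        elif line == _END:
            if body is None:
                raise ValueError("END marker without BEGIN")
            certs.append(base64.b64decode("".join(body), validate=True))
            body = None
        elif body is not None:
            body.append(line)
    if body is not None:
        raise ValueError("truncated PEM bundle: missing END marker")
    return certs


def _load_bundle(path: str) -> list[DerCertificate]:
    with open(path, encoding="ascii") as fh:
        certs = pem_bundle_to_der(fh.read())
    if not certs:   # an empty store would reject every peer without a fallback
        raise RuntimeError(f"{path}: bundle contains no certificates")
    return certs


# Where the ca-certificates package installs its bundle, keyed by the
# os-release ID / ID_LIKE family (assumed, illustrative table).
_BUNDLE_BY_FAMILY = {
    "debian": "/etc/ssl/certs/ca-certificates.crt",
    "arch": "/etc/ssl/certs/ca-certificates.crt",
    "alpine": "/etc/ssl/certs/ca-certificates.crt",
    "fedora": "/etc/pki/tls/certs/ca-bundle.crt",
    "rhel": "/etc/pki/tls/certs/ca-bundle.crt",
    "suse": "/etc/ssl/ca-bundle.pem",
}


def linux_bundle_path(os_release: dict[str, str]) -> str:
    """Resolve via ID first, then each ID_LIKE entry (e.g. ubuntu -> debian)."""
    families = [os_release.get("ID", "")] + os_release.get("ID_LIKE", "").split()
    for family in families:
        if family in _BUNDLE_BY_FAMILY:
            return _BUNDLE_BY_FAMILY[family]
    raise RuntimeError(f"unknown Linux distribution: {families}")


def load_system_ca_certificates() -> list[DerCertificate]:
    last_error: Exception | None = None
    try:
        if sys.platform.startswith("linux"):
            return _load_bundle(linux_bundle_path(platform.freedesktop_os_release()))
        if sys.platform == "win32":
            # ssl.enum_certificates() yields (cert_bytes, encoding_type, trust) triples
            return [der for store in ("ROOT", "CA", "MY")
                    for der, encoding, _trust in ssl.enum_certificates(store)
                    if encoding == "x509_asn"]
    except Exception as exc:   # no os-release, unknown distro, missing bundle ...
        last_error = exc
    # Last resort: the file OpenSSL itself is configured to use.
    paths = ssl.get_default_verify_paths()
    for candidate in (paths.cafile, paths.openssl_cafile):
        if candidate and os.path.isfile(candidate):
            return _load_bundle(candidate)
    raise RuntimeError("no chain of trust found") from last_error


def load_certifi_ca_certificates() -> list[DerCertificate]:
    import certifi   # optional dependency; ImportError counts as a loader failure
    return _load_bundle(certifi.where())


def first_successful(loaders: Iterable[Callable[[], list[DerCertificate]]]) -> list[DerCertificate]:
    """Return the first loader's result; if all fail, re-raise the last error."""
    last_error: Exception | None = None
    for loader in loaders:
        try:
            return loader()
        except Exception as exc:
            last_error = exc
    if last_error is None:
        raise RuntimeError("no loaders configured")
    raise last_error


@functools.cache
def get_ca_certificates() -> list[DerCertificate]:
    return first_successful([load_system_ca_certificates, load_certifi_ca_certificates])


# Constructed sample bundle: two placeholder DER blobs (a SEQUENCE holding one
# INTEGER), not real certificates, with the comment lines real bundles carry.
_PLACEHOLDER_1 = b"\x30\x03\x02\x01\x01"
_PLACEHOLDER_2 = b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = "\n".join([
    "# Issuer: constructed placeholder 1",
    _BEGIN, base64.b64encode(_PLACEHOLDER_1).decode(), _END,
    "",
    "# Issuer: constructed placeholder 2",
    _BEGIN, base64.b64encode(_PLACEHOLDER_2).decode(), _END,
])
```

Two details worth keeping when reproducing this cascade: a bundle that parses to zero certificates is treated as a failure so the fallback actually triggers (otherwise every peer would be rejected with no diagnostic), and exceptions are not cached, so a transient failure on first use does not pin an empty result for the life of the process.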

Backends