Certificate Transparency

Certificate Transparency is a set of protocols specified in RFC 6962 which allow X.509 certificates to be sent to append-only logs, and which provide small cryptographic proofs that a certificate has been publicly logged. This allows for external auditing of the certificates that a certificate authority has issued.

class cryptography.x509.certificate_transparency.SignedCertificateTimestamp

Added in version 2.0.

SignedCertificateTimestamps (SCTs) are small cryptographically signed assertions that the specified certificate has been submitted to a Certificate Transparency Log, and that it will be part of the public log within some time period. This period is called the “maximum merge delay” (MMD), and each log specifies its own.

version
Type: Version

The SCT version as an enumeration. Currently only one version has been specified.

log_id
Type: bytes

An opaque identifier, indicating which log this SCT is from. This is the SHA256 hash of the log’s public key.

timestamp
Type: datetime.datetime

A naïve datetime representing the time in UTC at which the log asserts the certificate had been submitted to it.

entry_type
Type: LogEntryType

The type of submission to the log that this SCT is for. Log submissions can either be certificates themselves or “pre-certificates” which indicate a binding-intent to issue a certificate for the same data, with SCTs embedded in it.

signature_hash_algorithm

Added in version 38.0.0.

Type: HashAlgorithm

The hashing algorithm used by this SCT’s signature.

signature_algorithm

Added in version 38.0.0.

Type: SignatureAlgorithm

The signing algorithm used by this SCT’s signature.

signature

Added in version 38.0.0.

Type: bytes

The raw bytes of the signature embedded in the SCT.

extension_bytes

Added in version 38.0.0.

Type: bytes

Any raw extension bytes.

class cryptography.x509.certificate_transparency.Version

Added in version 2.0.

An enumeration for SignedCertificateTimestamp versions.

v1

For version 1 SignedCertificateTimestamps.

class cryptography.x509.certificate_transparency.LogEntryType

Added in version 2.0.

An enumeration for SignedCertificateTimestamp log entry types.

X509_CERTIFICATE

For SCTs corresponding to X.509 certificates.

PRE_CERTIFICATE

For SCTs corresponding to pre-certificates.

class cryptography.x509.certificate_transparency.SignatureAlgorithm

Added in version 38.0.0.

An enumeration for SignedCertificateTimestamp signature algorithms.

These are exactly the same as SignatureAlgorithm in RFC 5246 (TLS 1.2).

ANONYMOUS
RSA
DSA
ECDSA
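The attributes and enumerations documented above map one-to-one onto the RFC 6962 section 3.2 wire format, and seeing that encoding makes clear what a verifier checks and what it does not. The following is an added example, not code from the cryptography project: a standard-library-only parser for a single SCT, for the SignedCertificateTimestampList carried in the X.509 extension and TLS extension, and a builder for the “digitally-signed” input a verifier reconstructs before checking the signature against the log key it selects by log_id. The enum names mirror this page; the function names (parse_sct, parse_sct_list, sct_signature_input) and the sample bytes are my own, and the sample SCT is constructed, with placeholder signature bytes that no log key would validate.

```python
import enum
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # SCT timestamps are milliseconds since this, in UTC

class Version(enum.IntEnum):
    v1 = 0

class LogEntryType(enum.IntEnum):  # 2-byte code points on the wire
    X509_CERTIFICATE = 0
    PRE_CERTIFICATE = 1

class HashAlgorithm(enum.IntEnum):  # RFC 5246 HashAlgorithm code points
    none = 0
    md5 = 1
    sha1 = 2
    sha224 = 3
    sha256 = 4
    sha384 = 5
    sha512 = 6

class SignatureAlgorithm(enum.IntEnum):  # RFC 5246 SignatureAlgorithm code points
    ANONYMOUS = 0
    RSA = 1
    DSA = 2
    ECDSA = 3

@dataclass(frozen=True)
class SCT:
    version: Version
    log_id: bytes  # SHA-256 of the log's public key
    timestamp: datetime  # naive, UTC
    extension_bytes: bytes
    signature_hash_algorithm: HashAlgorithm
    signature_algorithm: SignatureAlgorithm
    signature: bytes

def parse_sct(data: bytes) -> SCT:
    """version(1) | log_id(32) | timestamp(8) | extensions<0..2^16-1> |
    hash_alg(1) | sig_alg(1) | signature<0..2^16-1>; rejects truncation and trailing bytes."""
    if len(data) < 43:
        raise ValueError("SCT too short")
    version = Version(data[0])  # an unknown version raises ValueError
    log_id = data[1:33]
    ts_ms, ext_len = struct.unpack_from(">QH", data, 33)
    pos = 43 + ext_len
    extension_bytes = data[43:pos]
    if len(extension_bytes) != ext_len or len(data) < pos + 4:
        raise ValueError("truncated SCT")
    hash_alg = HashAlgorithm(data[pos])
    sig_alg = SignatureAlgorithm(data[pos + 1])
    (sig_len,) = struct.unpack_from(">H", data, pos + 2)
    if pos + 4 + sig_len != len(data):
        raise ValueError("truncated signature or trailing bytes")
    return SCT(version, log_id, EPOCH + timedelta(milliseconds=ts_ms),
               extension_bytes, hash_alg, sig_alg, data[pos + 4:])

def parse_sct_list(data: bytes) -> list:
    """SignedCertificateTimestampList (the X.509 extension value and the TLS
    extension body): 2-byte total length, then each SCT as 2-byte length + bytes."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad SCT list length")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)  # struct.error if < 2 bytes remain
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def sct_signature_input(sct: SCT, entry_type: LogEntryType, entry: bytes,
                        issuer_key_hash: bytes = b"") -> bytes:
    """The 'digitally-signed' struct the log signed (RFC 6962 3.2): sct_version |
    signature_type=certificate_timestamp(0) | timestamp | entry_type | signed_entry |
    extensions. `entry` is the DER certificate (X.509 entry) or the TBSCertificate
    the log saw (precert entry, with issuer_key_hash = SHA-256 of the issuer's SPKI).
    log_id is not covered: the verifier selects the log key by log_id first."""
    precert = entry_type is LogEntryType.PRE_CERTIFICATE
    if precert and len(issuer_key_hash) != 32:
        raise ValueError("precert entry needs a 32-byte issuer_key_hash")
    signed_entry = (issuer_key_hash if precert else b"") + len(entry).to_bytes(3, "big") + entry
    ts_ms = (sct.timestamp - EPOCH) // timedelta(milliseconds=1)
    return (bytes([sct.version, 0]) + struct.pack(">QH", ts_ms, entry_type) + signed_entry
            + struct.pack(">H", len(sct.extension_bytes)) + sct.extension_bytes)

# Constructed sample (not a real log's output): fake 32-byte log id, timestamp
# 2023-11-14T22:13:20Z, no extensions, SHA-256/ECDSA, 8 placeholder signature bytes.
SAMPLE_SIGNATURE = bytes.fromhex("3006020101020102")
SAMPLE_SCT = (bytes([Version.v1]) + bytes(range(32)) + struct.pack(">QH", 1_700_000_000_000, 0)
              + bytes([HashAlgorithm.sha256, SignatureAlgorithm.ECDSA])
              + struct.pack(">H", len(SAMPLE_SIGNATURE)) + SAMPLE_SIGNATURE)
SAMPLE_LIST = struct.pack(">HH", len(SAMPLE_SCT) + 2, len(SAMPLE_SCT)) + SAMPLE_SCT

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct.version.name, sct.log_id.hex(), sct.timestamp, sct.signature_algorithm.name)
```

Two points the encoding makes visible: the timestamp is decoded into a naive UTC datetime exactly as the timestamp attribute above describes, and log_id sits outside the signed structure, so a verifier must first choose a trusted log key by log_id and only then check the signature over sct_signature_input with the algorithms named by signature_hash_algorithm and signature_algorithm. Actual signature verification needs the log's public key and a crypto library and is deliberately left out here.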