Metadata-Version: 2.1
Name: tlstrust
Version: 2.5.4
Summary: Utilities that assist with trust relationship checking of X.509 Certificates for various end-user devices with disparate root trust stores.
Home-page: https://gitlab.com/trivialsec/tlstrust
Author: Christopher Langton
Author-email: chris@langton.cloud
License: UNKNOWN
Project-URL: Source, https://gitlab.com/trivialsec/tlstrust
Project-URL: Documentation, https://gitlab.com/trivialsec/tlstrust/-/blob/main/docs/0.index.md
Project-URL: Tracker, https://gitlab.com/trivialsec/tlstrust/-/issues
Platform: UNKNOWN
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE


# tlstrust

Utilities that assist with trust relationship checking of X.509 Certificates for various end-user devices with disparate root trust stores.

![tlstrust cli](https://gitlab.com/trivialsec/tlstrust/-/raw/5052faa1d1a5fbf21dec6107622cffc58359762d/docs/images/tlstrust.jpg)

## [Documentation](https://gitlab.com/trivialsec/tlstrust/-/blob/main/docs/0.index.md)

On the command-line:

```sh
tlstrust --help
```

produces:

```
usage: tlstrust [-h] [-C CLIENT_PEM] [--disable-sni] [-v] [-vv] [-vvv] [-vvvv] [--version] [targets ...]

positional arguments:
  targets               All unnamed arguments are hosts (and ports) targets to test. ~$ tlstrust apple.com:443 github.io
                        localhost:3000

options:
  -h, --help            show this help message and exit
  -C CLIENT_PEM, --client-pem CLIENT_PEM
                        path to PEM encoded client certificate, url or file path accepted
  --disable-sni         Do not negotiate SNI using INDA encoded host
  -v, --errors-only     set logging level to ERROR (default CRITICAL)
  -vv, --warning        set logging level to WARNING (default CRITICAL)
  -vvv, --info          set logging level to INFO (default CRITICAL)
  -vvvv, --debug        set logging level to DEBUG (default CRITICAL)
  --version
```

In your app you can:

```py
import os
from pathlib import Path
from OpenSSL.crypto import FILETYPE_ASN1
from tlstrust import TrustStore

der = Path(os.path.join(os.path.dirname(__file__), "cacert.der")).read_bytes()
trust_store = TrustStore(FILETYPE_ASN1, der)
print(trust_store.check_trust())
```

# Platform specific checking

```py
all_trusted = trust_store.check_trust()
assert all_trusted is True
assert trust_store.android
assert trust_store.linux
assert trust_store.ccadb # Windows, Mozilla, and Apple (from December 1st 2021)
assert trust_store.java
assert trust_store.certifi
```

## Basic usage

Using CCADB for demonstration purposes (includes Apple, Microsoft, and Mozilla)

```py
from tlstrust.context import SOURCE_CCADB

assert trust_store.exists(SOURCE_CCADB)
assert trust_store.expired_in_store(SOURCE_CCADB)
assert trust_store.get_certificate_from_store(SOURCE_CCADB)
assert trust_store.check_trust(SOURCE_CCADB)
```

## Other Platforms

```py
from tlstrust.context import PLATFORM_ANDROID
from tlstrust.context import PLATFORM_JAVA
from tlstrust.context import PLATFORM_LINUX
from tlstrust.context import PLATFORM_APPLE
```

## Apple (before CCADB)

Apple (legacy) Trust Store support exists in earlier versions of `tlstrust`, it was removed in version `2.0.0` so installing prior versions will allow you to access this functionality.

## Android versions

```py
from tlstrust.context import PLATFORM_ANDROID2_2
from tlstrust.context import PLATFORM_ANDROID2_3
from tlstrust.context import PLATFORM_ANDROID3
from tlstrust.context import PLATFORM_ANDROID4
from tlstrust.context import PLATFORM_ANDROID4_4
from tlstrust.context import PLATFORM_ANDROID7
from tlstrust.context import PLATFORM_ANDROID8
from tlstrust.context import PLATFORM_ANDROID9
from tlstrust.context import PLATFORM_ANDROID10
from tlstrust.context import PLATFORM_ANDROID11
from tlstrust.context import PLATFORM_ANDROID12
```

# Browser Trust Stores

```py
from tlstrust.context import BROWSER_AMAZON_SILK, BROWSER_SAMSUNG_INTERNET_BROWSER, BROWSER_GOOGLE_CHROME, BROWSER_CHROMIUM, BROWSER_FIREFOX, BROWSER_BRAVE, BROWSER_SAFARI, BROWSER_MICROSOFT_EDGE, BROWSER_YANDEX_BROWSER, BROWSER_OPERA, BROWSER_VIVALDI, BROWSER_TOR_BROWSER

assert trust_store.check_trust(BROWSER_AMAZON_SILK)
assert trust_store.check_trust(BROWSER_SAMSUNG_INTERNET_BROWSER)
assert trust_store.check_trust(BROWSER_GOOGLE_CHROME)
assert trust_store.check_trust(BROWSER_CHROMIUM)
assert trust_store.check_trust(BROWSER_FIREFOX)
assert trust_store.check_trust(BROWSER_BRAVE)
assert trust_store.check_trust(BROWSER_SAFARI)
assert trust_store.check_trust(BROWSER_MICROSOFT_EDGE)
assert trust_store.check_trust(BROWSER_YANDEX_BROWSER)
assert trust_store.check_trust(BROWSER_OPERA)
assert trust_store.check_trust(BROWSER_VIVALDI)
assert trust_store.check_trust(BROWSER_TOR_BROWSER)
```

# Programming Language Trust (Microservice architecture and APIs)

Python:

```py
from tlstrust.context import LANGUAGE_PYTHON_WINDOWS_SERVER, LANGUAGE_PYTHON_LINUX_SERVER, LANGUAGE_PYTHON_MACOS_SERVER, LANGUAGE_PYTHON_CERTIFI, LANGUAGE_PYTHON_URLLIB, LANGUAGE_PYTHON_REQUESTS, LANGUAGE_PYTHON_DJANGO

assert trust_store.check_trust(LANGUAGE_PYTHON_WINDOWS_SERVER)
assert trust_store.check_trust(LANGUAGE_PYTHON_LINUX_SERVER)
assert trust_store.check_trust(LANGUAGE_PYTHON_MACOS_SERVER)
assert trust_store.check_trust(LANGUAGE_PYTHON_CERTIFI)
assert trust_store.check_trust(LANGUAGE_PYTHON_URLLIB)
assert trust_store.check_trust(LANGUAGE_PYTHON_REQUESTS)
assert trust_store.check_trust(LANGUAGE_PYTHON_DJANGO)
```

## [Change Log](https://gitlab.com/trivialsec/tlstrust/-/blob/main/docs/z.change-log.md)
    

