
Certificate
***********

Parsing for Tor Ed25519 certificates, which are used to validate the
key used to sign server descriptors.

New in version 1.6.0.

**Module Overview:**

   Ed25519Certificate - Ed25519 signing key certificate
     | +- Ed25519CertificateV1 - version 1 Ed25519 certificate
     |      |- is_expired - checks if certificate is presently expired
     |      +- validate - validates signature of a server descriptor
     |
     +- parse - reads base64 encoded certificate data

   Ed25519Extension - extension included within an Ed25519Certificate

stem.descriptor.certificate.CertType(enum)

   Purpose of Ed25519 certificate. As new certificate versions are
   added this enumeration will expand.

   +----------------+------------------------------------------------------+
   | CertType       | Description                                          |
   +================+======================================================+
   | **SIGNING**    | signing a signing key with an identity key           |
   +----------------+------------------------------------------------------+
   | **LINK_CERT**  | TLS link certificate signed with ed25519 signing key |
   +----------------+------------------------------------------------------+
   | **AUTH**       | authentication key signed with ed25519 signing key   |
   +----------------+------------------------------------------------------+

stem.descriptor.certificate.ExtensionType(enum)

   Recognized extension types.

   +----------------------+-------------------------------------------+
   | ExtensionType        | Description                               |
   +======================+===========================================+
   | **HAS_SIGNING_KEY**  | includes key used to sign the certificate |
   +----------------------+-------------------------------------------+

stem.descriptor.certificate.ExtensionFlag(enum)

   Flags that can be assigned to Ed25519 certificate extensions.

   +------------------------+-----------------------------------------------------+
   | ExtensionFlag          | Description                                         |
   +========================+=====================================================+
   | **AFFECTS_VALIDATION** | extension affects whether the certificate is valid  |
   +------------------------+-----------------------------------------------------+
   | **UNKNOWN**            | extension includes flags not yet recognized by stem |
   +------------------------+-----------------------------------------------------+

class stem.descriptor.certificate.Ed25519Extension

   Bases: "stem.descriptor.certificate.Ed25519Extension"

   Extension within an Ed25519 certificate.

   Variables:
      * **type** (*int*) -- extension type

      * **flags** (*list*) -- extension attribute flags

      * **flag_int** (*int*) -- integer encoding of the extension
        attribute flags

      * **data** (*bytes*) -- data the extension concerns

class stem.descriptor.certificate.Ed25519Certificate(version, encoded)

   Bases: "object"

   Base class for an Ed25519 certificate.

   Variables:
      * **version** (*int*) -- certificate format version

      * **encoded** (*str*) -- base64 encoded ed25519 certificate

   static parse(content)

      Parses the given base64 encoded data as an Ed25519 certificate.

      Parameters:
         **content** (*str*) -- base64 encoded certificate

      Returns:
         "Ed25519Certificate" subclass for the given certificate

      Raises:
         **ValueError** if content is malformed

class stem.descriptor.certificate.Ed25519CertificateV1(version, encoded, decoded)

   Bases: "stem.descriptor.certificate.Ed25519Certificate"

   Version 1 Ed25519 certificate, which is used for signing tor
   server descriptors.

   Variables:
      * **type** (*CertType*) -- certificate purpose

      * **expiration** (*datetime*) -- expiration of the certificate

      * **key_type** (*int*) -- format of the key

      * **key** (*bytes*) -- key content

      * **extensions** (*list*) -- "Ed25519Extension" in this
        certificate

      * **signature** (*bytes*) -- certificate signature

   is_expired()

      Checks if this certificate is presently expired or not.

      Returns:
         **True** if the certificate has expired, **False** otherwise

   validate(server_descriptor)

      Validates our signing key and that the given descriptor content
      matches its Ed25519 signature.

      Parameters:
         **server_descriptor**
         (*stem.descriptor.server_descriptor.Ed25519*) -- relay server
         descriptor to validate

      Raises:
         * **ValueError** if signing key or descriptor are invalid

         * **ImportError** if pynacl module is unavailable
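
The byte layout behind parse() and the Ed25519CertificateV1 attributes, as an added example that is not stem's own code: a standard-library parser following the version 1 layout in Tor's cert-spec.txt, which rejects truncated or overrunning extensions and unknown extensions flagged AFFECTS_VALIDATION. It does not verify the signature. The names parse_v1, is_expired and build_sample are chosen here, the input is assumed to be bare base64 without PEM armour, and the sample certificate is constructed with zeroed keys.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Layout per Tor's cert-spec.txt: 40-byte header (1+1+4+1+32+1), extensions, 64-byte signature
HEADER_LEN, SIG_LEN = 40, 64
CERT_TYPES = {4: 'SIGNING', 5: 'LINK_CERT', 6: 'AUTH'}  # only the CertType table's purposes
HAS_SIGNING_KEY = 4        # extension type carrying the signing key
AFFECTS_VALIDATION = 0x01  # extension flag bit
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_v1(content):
    """Parse bare base64 (no PEM armour) into a dict; ValueError if malformed."""
    raw = base64.b64decode(content, validate=True)  # binascii.Error is a ValueError
    if len(raw) < HEADER_LEN + SIG_LEN:
        raise ValueError('certificate is too short (%d bytes)' % len(raw))
    version, cert_type, hours, key_type = struct.unpack('>BBIB', raw[:7])
    if version != 1:
        raise ValueError('unsupported certificate version %d' % version)
    if cert_type not in CERT_TYPES:
        raise ValueError('unrecognized certificate type %d' % cert_type)
    body, extensions = raw[HEADER_LEN:-SIG_LEN], []
    for _ in range(raw[39]):  # N_EXTENSIONS count byte
        if len(body) < 4:
            raise ValueError('truncated extension header')
        length, ext_type, flags = struct.unpack('>HBB', body[:4])
        if len(body) < 4 + length:
            raise ValueError('extension overruns the certificate')
        if ext_type != HAS_SIGNING_KEY and flags & AFFECTS_VALIDATION:
            raise ValueError('unknown extension %d affects validation' % ext_type)
        extensions.append((ext_type, flags, body[4:4 + length]))
        body = body[4 + length:]
    if body:
        raise ValueError('unexpected data after the extensions')
    return {'type': CERT_TYPES[cert_type], 'expiration': EPOCH + timedelta(hours=hours),
            'key_type': key_type, 'key': raw[7:39],
            'extensions': extensions, 'signature': raw[-SIG_LEN:]}


def is_expired(cert, now=None):
    return (now or datetime.now(timezone.utc)) > cert['expiration']


def build_sample(hours, n_ext=1, ext_len=32, ext_type=HAS_SIGNING_KEY, flags=0):
    """Constructed sample with zeroed keys and signature, not a real relay certificate."""
    ext = struct.pack('>HBB', ext_len, ext_type, flags) + bytes(32)
    raw = struct.pack('>BBIB', 1, 4, hours, 1) + bytes(32) + bytes([n_ext]) + ext + bytes(SIG_LEN)
    return base64.b64encode(raw).decode()
```

The expiration field is stored as hours since the Unix epoch, so the sample built with build_sample(500000) expires at 2027-01-15 08:00 UTC.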
