Service Identity Verification for pyOpenSSL & cryptography

Use this package if:

• you want to verify that a PyCA cryptography certificate is valid for a certain hostname or IP address,
• or if you use pyOpenSSL and don’t want to be MITMed,
• or if you want to inspect certificates from either for service IDs.

service-identity aspires to give you all the tools you need for verifying whether a certificate is valid for the intended purposes. In the simplest case, this means host name verification. However, service-identity implements RFC 6125 fully.

Also check out pem that makes loading certificates from all kinds of PEM-encoded files a breeze!

Project Information

service-identity is released under the MIT license, its documentation lives at Read the Docs, the code on GitHub, and the latest release on PyPI.

Credits

service-identity is written and maintained by Hynek Schlawack.

The development is kindly supported by my employer Variomedia AG, service-identity's Tidelift subscribers, and all my amazing GitHub Sponsors.

service-identity for Enterprise

Available as part of the Tidelift Subscription.

The maintainers of service-identity and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open-source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.

Release Information

Added

• Python 3.14 and 3.15 are now officially supported. #85 #93

Changed

• service-identity now uses cryptography's Rust-based ASN.1 decoder and doesn't depend on pyasn1 and pyasn1-modules anymore. As a result, the oldest supported pyOpenSSL backend combination is now pyOpenSSL 26.1.0 with cryptography 47.0.0. #95

Fixed

• Verifying a single-label hostname (e.g. localhost) against a wildcard certificate pattern now raises VerificationError cleanly instead of crashing with an opaque ValueError. #92

Complete Changelog →