devices.issuer

Module for issuing and managing TLS and OPC UA credentials.

Classes

SaveCredentialToDbMixin

Mixin to handle saving credentials to the database.

CredentialSaver

A basic class for saving credentials to the database.

BaseTlsCredentialIssuer

Base class for issuing TLS credentials.

LocalTlsClientCredentialIssuer

Handles issuing TLS client credentials.

LocalTlsServerCredentialIssuer

Handles issuing TLS server credentials.

LocalDomainCredentialIssuer

Handles issuing domain credentials.

OpcUaServerCredentialIssuer

Issues OPC UA server credentials.

OpcUaClientCredentialIssuer

Issues OPC UA client credentials.

Module Contents

class devices.issuer.SaveCredentialToDbMixin[source]

Bases: trustpoint.logger.LoggerMixin

Mixin to handle saving credentials to the database.

property device: devices.models.DeviceModel[source]

Return type:

devices.models.DeviceModel

Abstract property that has to be implemented by the derived class.

property domain: pki.models.domain.DomainModel[source]

Return type:

pki.models.domain.DomainModel

Abstract property that has to be implemented by the derived class.

_save(credential, common_name, issued_credential_type, issued_using_cert_profile)[source]

Saves the issued credential in the database.

Parameters:
  • credential (trustpoint_core.serializer.CredentialSerializer) – The credential serializer instance.

  • common_name (str) – The common name for the credential.

  • issued_credential_type (devices.models.IssuedCredentialModel.IssuedCredentialType) – The type of issued credential.

  • issued_using_cert_profile (str) – The profile used for issuing the credential.

Returns:

The saved issued credential model.

Return type:

devices.models.IssuedCredentialModel

_save_keyless_credential(certificate, certificate_chain, common_name, issued_credential_type, issued_using_cert_profile)[source]

Return type:

devices.models.IssuedCredentialModel

class devices.issuer.CredentialSaver(device, domain)[source]

Bases: SaveCredentialToDbMixin

A basic class for saving credentials to the database.

_device[source]

_domain[source]

property device: devices.models.DeviceModel[source]

Gets the device associated with this credential saver.

Returns:

The device linked to the issued credential.

Return type:

DeviceModel

property domain: pki.models.domain.DomainModel[source]

Gets the domain associated with this credential saver.

Returns:

The domain linked to the issued credential.

Return type:

DomainModel

save_keyless_credential(certificate, certificate_chain, common_name, issued_credential_type, cert_profile_disp_name)[source]

Saves a keyless credential (the private key stays on the requesting device) to the database.


Return type:

devices.models.IssuedCredentialModel

class devices.issuer.BaseTlsCredentialIssuer(device, domain)[source]

Bases: SaveCredentialToDbMixin

Base class for issuing TLS credentials.

This class provides common functionality for creating and saving TLS certificates and key pairs for different use cases, including TLS client, server, domain, and OPC UA credentials.

_pseudonym: str[source]

_device: devices.models.DeviceModel[source]

_domain: pki.models.domain.DomainModel[source]

_credential: None | trustpoint_core.serializer.CredentialSerializer = None[source]

_credential_model: None | pki.models.credential.CredentialModel = None[source]

_issued_application_credential_model: None | devices.models.IssuedCredentialModel = None[source]

property device: devices.models.DeviceModel[source]

Gets the device associated with this credential issuer.

Returns:

The device linked to the issued credential.

Return type:

DeviceModel

property domain: pki.models.domain.DomainModel[source]

Gets the domain associated with this credential issuer.

Returns:

The domain linked to the issued credential.

Return type:

DomainModel

property serial_number: str[source]

Gets the serial number of the associated device.

Returns:

The serial number of the device.

Return type:

str

property domain_component: str[source]

Gets the unique name of the domain component.

Returns:

The unique name of the domain.

Return type:

str

property pseudonym: str[source]

Gets the pseudonym associated with this issuer.

Returns:

The predefined pseudonym for the credential issuer.

Return type:

str

classmethod get_fixed_values(device, domain)[source]

Retrieves a dictionary of fixed values related to the device and domain.

Returns:

A dictionary containing the pseudonym, domain component, and serial number of the device.

Return type:

dict[str, str]

_raise_value_error(message)[source]

Raises a ValueError with the given message.

Parameters:

message (str) – The error message to include in the exception.

Raises:

ValueError – Always raised with the provided message.

Return type:

None

_raise_type_error(message)[source]

Raises a TypeError with the given message.

Parameters:

message (str) – The error message to include in the exception.

Raises:

TypeError – Always raised with the provided message.

Return type:

None

_build_certificate(common_name, public_key, validity_days, extra_extensions=None)[source]

Builds an X.509 certificate with the specified parameters.

Parameters:
  • common_name (str) – The common name (CN) for the certificate subject.

  • public_key (trustpoint_core.crypto_types.PublicKey) – The public key associated with the certificate.

  • validity_days (int) – The number of days the certificate should be valid.

  • extra_extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – Additional extensions to be added.

Returns:

The generated X.509 certificate.

Return type:

cryptography.x509.Certificate

class devices.issuer.LocalTlsClientCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing TLS client credentials.

_pseudonym = 'Trustpoint Application Credential - TLS Client'[source]

issue_tls_client_credential(common_name, validity_days)[source]

Issues a TLS client credential.

Parameters:
  • common_name (str) – The common name for the certificate.

  • validity_days (int) – The validity period in days.

The key pair is generated by the issuer; no public key is passed in (compare issue_tls_client_certificate).
Returns:

The issued credential model.

Return type:

devices.models.IssuedCredentialModel

issue_tls_client_certificate(common_name, validity_days, public_key)[source]

Issues a TLS client certificate without a private key.

Parameters:
  • common_name (str) – Certificate common name.

  • validity_days (int) – Certificate validity period.

  • public_key (trustpoint_core.crypto_types.PublicKey) – Public key for the certificate.

Returns:

The issued TLS client certificate.

Return type:

devices.models.IssuedCredentialModel

class devices.issuer.LocalTlsServerCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing TLS server credentials.

_pseudonym = 'Trustpoint Application Credential - TLS Server'[source]

_build_san_extension(ipv4_addresses, ipv6_addresses, domain_names)[source]

Builds the Subject Alternative Name (SAN) extension.

Parameters:
  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

Return type:

cryptography.x509.SubjectAlternativeName

issue_tls_server_credential(common_name, ipv4_addresses, ipv6_addresses, domain_names, validity_days, *, san_critical=False)[source]

Issues a TLS server credential with a private key.

Generates a TLS server certificate and private key, including SAN extensions, and saves the credential in the database.

Parameters:
  • common_name (str) – Certificate common name.

  • ipv4_addresses (list[ipaddress.IPv4Address]) – IPv4 addresses for SAN.

  • ipv6_addresses (list[ipaddress.IPv6Address]) – IPv6 addresses for SAN.

  • domain_names (list[str]) – Domain names for SAN.

  • validity_days (int) – Certificate validity period.

  • san_critical (bool) – Whether SAN is critical. Defaults to False.

Returns:

The issued TLS server credential.

Return type:

devices.models.IssuedCredentialModel

issue_tls_server_certificate(common_name, ipv4_addresses, ipv6_addresses, domain_names, validity_days, public_key, *, san_critical=False)[source]

Issues a TLS server certificate without a private key.

Parameters:
  • common_name (str) – Certificate common name.

  • ipv4_addresses (list[ipaddress.IPv4Address]) – IPv4 addresses for SAN.

  • ipv6_addresses (list[ipaddress.IPv6Address]) – IPv6 addresses for SAN.

  • domain_names (list[str]) – Domain names for SAN.

  • validity_days (int) – Certificate validity period.

  • public_key (trustpoint_core.crypto_types.PublicKey) – Public key for the certificate.

  • san_critical (bool) – Whether SAN is critical. Defaults to False.

Returns:

The issued TLS server certificate.

Return type:

devices.models.IssuedCredentialModel

class devices.issuer.LocalDomainCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing domain credentials.

DOMAIN_CREDENTIAL_CN = 'Trustpoint Domain Credential'[source]

_pseudonym = 'Trustpoint Domain Credential'[source]

issue_domain_credential(application_uri=None, extra_extensions=None)[source]

Issues a domain credential for a device.

Parameters:
  • application_uri (str | None) – Optional application URI to include in the certificate.

  • extra_extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – Optional list of additional certificate extensions to include. If provided, these will override the default extensions (except BasicConstraints).

Returns:

The issued domain credential model.

Return type:

devices.models.IssuedCredentialModel

issue_domain_credential_certificate(public_key, extra_extensions=None)[source]

Issues a domain credential certificate.

Parameters:
  • public_key (trustpoint_core.crypto_types.PublicKey) – The public key associated with the issued certificate.

  • extra_extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – Optional list of additional certificate extensions to include. If provided, these will override the default extensions (except BasicConstraints).

Returns:

The issued domain credential certificate model.

Return type:

devices.models.IssuedCredentialModel

class devices.issuer.OpcUaServerCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Issues OPC UA server credentials.

_pseudonym = 'Trustpoint OPC UA Server Credential'[source]

_build_san_extension(application_uri, ipv4_addresses, ipv6_addresses, domain_names)[source]

Builds the Subject Alternative Name (SAN) extension for OPC UA server certificates.

Parameters:
  • application_uri (str)

  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

Return type:

cryptography.x509.SubjectAlternativeName

_get_key_usage(public_key)[source]

Determines Key Usage based on RSA vs ECC.

Parameters:

public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

cryptography.x509.KeyUsage

_validate_application_uri(application_uri)[source]

Validates the application URI (Uniform Resource Identifier) according to the OPC UA specification.

Parameters:

application_uri (str | list[str])

Return type:

None

issue_opc_ua_server_credential(common_name, application_uri, ipv4_addresses, ipv6_addresses, domain_names, validity_days=365)[source]

Issues an OPC UA server credential (certificate + private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str)

  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

  • validity_days (int)

Return type:

devices.models.IssuedCredentialModel

issue_opc_ua_server_certificate(common_name, application_uri, ipv4_addresses, ipv6_addresses, domain_names, validity_days, public_key)[source]

Issues an OPC UA server certificate (no private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

  • validity_days (int)

  • public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

devices.models.IssuedCredentialModel
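The three helpers above (_validate_application_uri, _build_san_extension and _get_key_usage) are shown here as an added, stand-alone illustration using the cryptography library the return types reference; it is not the project's own code. The URI rule set and the RSA-versus-EC key usage split are assumptions, and the sample input is constructed.

```python
import ipaddress
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import ec, rsa


def validate_application_uri(application_uri: str) -> None:
    # Assumed rule set: non-empty, no whitespace, absolute (has a scheme). A bad
    # ApplicationUri fails the peer's SAN-vs-ApplicationDescription check later,
    # so reject it before a certificate is issued.
    if not application_uri or any(ch.isspace() for ch in application_uri):
        raise ValueError('application URI must be non-empty and contain no whitespace')
    if not urlparse(application_uri).scheme:
        raise ValueError(f'application URI has no scheme: {application_uri!r}')

def build_opc_ua_server_san(application_uri, ipv4_addresses, ipv6_addresses, domain_names):
    # ApplicationUri goes in as a URI entry, followed by the IP and DNS entries.
    validate_application_uri(application_uri)
    names = [x509.UniformResourceIdentifier(application_uri)]
    names += [x509.IPAddress(ip) for ip in [*ipv4_addresses, *ipv6_addresses]]
    names += [x509.DNSName(name) for name in domain_names]
    return x509.SubjectAlternativeName(names)

def get_key_usage(public_key) -> x509.KeyUsage:
    # Assumed split: RSA keys get keyEncipherment/dataEncipherment (RSA key
    # transport), EC keys get keyAgreement (ECDH); both sign. CA bits stay off.
    if isinstance(public_key, rsa.RSAPublicKey):
        encipher, agree = True, False
    elif isinstance(public_key, ec.EllipticCurvePublicKey):
        encipher, agree = False, True
    else:
        raise TypeError(f'unsupported key type: {type(public_key).__name__}')
    return x509.KeyUsage(
        digital_signature=True, content_commitment=True, key_encipherment=encipher,
        data_encipherment=encipher, key_agreement=agree, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)

def demo() -> tuple[list[str], bool, bool]:
    # Constructed sample input, not taken from the page; returns the SAN entries as
    # 'Type:value' strings plus the two key-type-dependent usage bits.
    san = build_opc_ua_server_san('urn:example.net:opcua:plc-01',
                                  [ipaddress.IPv4Address('192.0.2.10')],
                                  [ipaddress.IPv6Address('2001:db8::10')],
                                  ['plc-01.example.net'])
    rsa_ku = get_key_usage(rsa.generate_private_key(65537, 2048).public_key())
    ec_ku = get_key_usage(ec.generate_private_key(ec.SECP256R1()).public_key())
    return ([f'{type(n).__name__}:{n.value}' for n in san],
            rsa_ku.key_encipherment, ec_ku.key_agreement)
```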

class devices.issuer.OpcUaClientCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Issues OPC UA client credentials.

_pseudonym = 'Trustpoint OPC UA Client Credential'[source]

_build_san_extension(application_uri)[source]

Builds the Subject Alternative Name (SAN) extension for OPC UA client certificates.

Parameters:

application_uri (str)

Return type:

cryptography.x509.SubjectAlternativeName

_get_key_usage(public_key)[source]

Determines Key Usage based on RSA vs ECC.

Parameters:

public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

cryptography.x509.KeyUsage

_validate_application_uri(application_uri)[source]

Validates the application URI (Uniform Resource Identifier) according to the OPC UA specification.

Parameters:

application_uri (str | list[str])

Return type:

None

issue_opc_ua_client_credential(common_name, application_uri, validity_days=365)[source]

Issues an OPC UA client credential (certificate + private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • validity_days (int)

Return type:

devices.models.IssuedCredentialModel

issue_opc_ua_client_certificate(common_name, application_uri, validity_days, public_key)[source]

Issues an OPC UA client certificate (no private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • validity_days (int)

  • public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

devices.models.IssuedCredentialModel