pki.util.cert_profile¶

JSON Certificate Profile implementation.

This module provides functionality to verify certificate requests against JSON-based profiles.

Profiles define allowed fields, prohibited fields, and other constraints for certificate requests. They can also specify default values for fields and validate the request against these rules.

Attributes¶

`logger`
`ALIASES`
`CERT_PROFILE_KEYWORDS`
`alias_map`
`alias_map`

Exceptions¶

ProfileValidationError

Raised when the request is well-formed but does not match the profile constraints.

Classes¶

`ProfileValuePropertyModel`	Model for a profile value property.
`SubjectModel`	Model for the subject DN of a certificate profile.
`BaseExtensionModel`	Base model for certificate extensions.
`BasicConstraintsExtensionModel`	Model for the Basic Constraints extension of a certificate profile.
`SanExtensionModel`	Model for the SAN extension of a certificate profile.
`CRLDistributionPointsExtensionModel`	Model for the CRL Distribution Points extension of a certificate profile.
`KeyUsageExtensionModel`	Model for the Key Usage extension of a certificate profile.
`ExtendedKeyUsageExtensionModel`	Model for the Extended Key Usage extension of a certificate profile.
`ExtensionsModel`	Model for the extensions of a certificate request.
`ValidityModel`	Model for the validity period of a certificate profile.
`CertProfileBaseModel`	Base model for each nesting level of certificate profiles.
`ProfileSubjectModel`	Model for the subject DN of a certificate profile, with profile constraints.
`ProfileSanExtensionModel`	Model for the SAN extension of a certificate profile, with profile constraints.
`ProfileCrlDistributionPointsExtensionModel`	Model for the CRL Distribution Points extension of a certificate profile, with profile constraints.
`ProfileExtensionsModel`	Model for the extensions of a certificate profile, with profile constraints.
`CertProfileModel`	Model for a certificate profile.
`CertRequestModel`	Model for a certificate request.
`InheritedProfileConfig`	Constraints set in the profile that are inherited by deeper nesting levels.
`JSONProfileVerifier`	Class to verify certificate requests against JSON-based profiles.

Functions¶

build_alias_map_name_oids(alias_map, enum_cls)

Build a mapping of all known OID strings from trustpoint_core to their canonical field names.

Module Contents¶

pki.util.cert_profile.logger[source]¶

exception pki.util.cert_profile.ProfileValidationError[source]¶

Bases: Exception

Raised when the request is well-formed but does not match the profile constraints.

pki.util.cert_profile.ALIASES: dict[str, pydantic.AliasChoices][source]¶

pki.util.cert_profile.CERT_PROFILE_KEYWORDS[source]¶

pki.util.cert_profile.build_alias_map_name_oids(alias_map, enum_cls)[source]¶

Build a mapping of all known OID strings from trustpoint_core to their canonical field names.

Parameters:

alias_map (dict[str, str])
enum_cls (type[enum.Enum])

Return type:

dict[str, str]

pki.util.cert_profile.alias_map[source]¶

pki.util.cert_profile.alias_map[source]¶

class pki.util.cert_profile.ProfileValuePropertyModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Model for a profile value property.

Parameters:: data (Any)

value: Any | None = None[source]¶

default: Any | None = None[source]¶

required: bool = False[source]¶

mutable: bool = True[source]¶

class pki.util.cert_profile.SubjectModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Model for the subject DN of a certificate profile.

Parameters:: data (Any)

common_name: str | ProfileValuePropertyModel | None = None[source]¶

surname: str | ProfileValuePropertyModel | None = None[source]¶

serial_number: str | ProfileValuePropertyModel | None = None[source]¶

country_name: str | ProfileValuePropertyModel | None = None[source]¶

locality_name: str | ProfileValuePropertyModel | None = None[source]¶

state_or_province_name: str | ProfileValuePropertyModel | None = None[source]¶

street_address: str | ProfileValuePropertyModel | None = None[source]¶

organization_name: str | ProfileValuePropertyModel | None = None[source]¶

organizational_unit_name: str | ProfileValuePropertyModel | None = None[source]¶

title: str | ProfileValuePropertyModel | None = None[source]¶

description: str | ProfileValuePropertyModel | None = None[source]¶

postal_code: str | ProfileValuePropertyModel | None = None[source]¶

email_address: str | ProfileValuePropertyModel | None = None[source]¶

name: str | ProfileValuePropertyModel | None = None[source]¶

given_name: str | ProfileValuePropertyModel | None = None[source]¶

initials: str | ProfileValuePropertyModel | None = None[source]¶

pseudonym: str | ProfileValuePropertyModel | None = None[source]¶

uid: str | ProfileValuePropertyModel | None = None[source]¶

domain_component: str | ProfileValuePropertyModel | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.BaseExtensionModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Base model for certificate extensions.

Parameters:: data (Any)

critical: bool | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.BasicConstraintsExtensionModel(/, **data)[source]¶

Bases: BaseExtensionModel

Model for the Basic Constraints extension of a certificate profile.

Parameters:: data (Any)

ca: bool | None = None[source]¶

path_length: int | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.SanExtensionModel(/, **data)[source]¶

Bases: BaseExtensionModel, ProfileValuePropertyModel

Model for the SAN extension of a certificate profile.

Parameters:: data (Any)

dns_names: list[str] | ProfileValuePropertyModel | None = None[source]¶

ip_addresses: list[str] | ProfileValuePropertyModel | None = None[source]¶

rfc822_names: list[str] | ProfileValuePropertyModel | None = None[source]¶

uris: list[str] | ProfileValuePropertyModel | None = None[source]¶

other_names: list[str] | ProfileValuePropertyModel | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.CRLDistributionPointsExtensionModel(/, **data)[source]¶

Bases: BaseExtensionModel, ProfileValuePropertyModel

Model for the CRL Distribution Points extension of a certificate profile.

Note: Only URIs in full_name are supported.

Parameters:: data (Any)

uris: list[str] | ProfileValuePropertyModel | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.KeyUsageExtensionModel(/, **data)[source]¶

Bases: BaseExtensionModel

Model for the Key Usage extension of a certificate profile.

Parameters:: data (Any)

digital_signature: bool | None = None[source]¶

content_commitment: bool | None = None[source]¶

key_encipherment: bool | None = None[source]¶

data_encipherment: bool | None = None[source]¶

key_agreement: bool | None = None[source]¶

key_cert_sign: bool | None = None[source]¶

crl_sign: bool | None = None[source]¶

encipher_only: bool | None = None[source]¶

decipher_only: bool | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.ExtendedKeyUsageExtensionModel(/, **data)[source]¶

Bases: BaseExtensionModel

Model for the Extended Key Usage extension of a certificate profile.

Parameters:: data (Any)

usages: list[str] | ProfileValuePropertyModel | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.ExtensionsModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Model for the extensions of a certificate request.

Parameters:: data (Any)

basic_constraints: BasicConstraintsExtensionModel | None = None[source]¶

key_usage: KeyUsageExtensionModel | None = None[source]¶

extended_key_usage: ExtendedKeyUsageExtensionModel | None = None[source]¶

subject_alternative_name: SanExtensionModel | None = None[source]¶

crl_distribution_points: CRLDistributionPointsExtensionModel | None = None[source]¶

class pki.util.cert_profile.ValidityModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Model for the validity period of a certificate profile.

Parameters:: data (Any)

not_before: pydantic.AwareDatetime | None = None[source]¶

not_after: pydantic.AwareDatetime | None = None[source]¶

days: float | None = None[source]¶

hours: float | None = None[source]¶

minutes: float | None = None[source]¶

seconds: int | None = None[source]¶

duration: datetime.timedelta | None = None[source]¶

offset_s: int | None = None[source]¶

validity_max: datetime.timedelta | None = None[source]¶

validity_min: datetime.timedelta | None = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.CertProfileBaseModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Base model for each nesting level of certificate profiles.

This allows for granular control over allowed fields and constraints at each level.

Parameters:: data (Any)

allow: list[str] | Literal['*'] | None = None[source]¶

reject_mods: bool = None[source]¶

classmethod normalize_allow(value)[source]¶

Normalize the allow list by replacing aliases with their canonical names.

Parameters:: value (list[str] | Literal['*'] | None)
Return type:: list[str] | Literal[‘*’] | None

class pki.util.cert_profile.ProfileSubjectModel(/, **data)[source]¶

Bases: SubjectModel, CertProfileBaseModel

Model for the subject DN of a certificate profile, with profile constraints.

Parameters:: data (Any)

class pki.util.cert_profile.ProfileSanExtensionModel(/, **data)[source]¶

Bases: SanExtensionModel, CertProfileBaseModel

Model for the SAN extension of a certificate profile, with profile constraints.

Parameters:: data (Any)

class pki.util.cert_profile.ProfileCrlDistributionPointsExtensionModel(/, **data)[source]¶

Bases: CRLDistributionPointsExtensionModel, CertProfileBaseModel

Model for the CRL Distribution Points extension of a certificate profile, with profile constraints.

Parameters:: data (Any)

class pki.util.cert_profile.ProfileExtensionsModel(/, **data)[source]¶

Bases: CertProfileBaseModel

Model for the extensions of a certificate profile, with profile constraints.

Parameters:: data (Any)

basic_constraints: BasicConstraintsExtensionModel | ProfileValuePropertyModel | None = None[source]¶

key_usage: KeyUsageExtensionModel | ProfileValuePropertyModel | None = None[source]¶

extended_key_usage: ExtendedKeyUsageExtensionModel | ProfileValuePropertyModel | None = None[source]¶

subject_alternative_name: ProfileSanExtensionModel | ProfileValuePropertyModel | None = None[source]¶

crl_distribution_points: ProfileCrlDistributionPointsExtensionModel | ProfileValuePropertyModel | None = None[source]¶

class pki.util.cert_profile.CertProfileModel(/, **data)[source]¶

Bases: CertProfileBaseModel

Model for a certificate profile.

Parameters:: data (Any)

type: Literal['cert_profile'][source]¶

display_name: str | None = None[source]¶

subject: ProfileSubjectModel = None[source]¶

extensions: ProfileExtensionsModel = None[source]¶

validity: ValidityModel = None[source]¶

class pki.util.cert_profile.CertRequestModel(/, **data)[source]¶

Bases: pydantic.BaseModel

Model for a certificate request.

Parameters:: data (Any)

type: Literal['cert_request'] | None = 'cert_request'[source]¶

subject: SubjectModel = None[source]¶

extensions: ExtensionsModel = None[source]¶

validity: ValidityModel = None[source]¶

model_config[source]¶: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class pki.util.cert_profile.InheritedProfileConfig(*, allow_implicit=False, reject_mods=False, mutable=False)[source]¶

Constraints set in the profile that are inherited by deeper nesting levels.

Parameters:

allow_implicit (bool)
reject_mods (bool)
mutable (bool)

allow_implicit: bool = False[source]¶

reject_mods: bool = False[source]¶

mutable: bool = False[source]¶

class pki.util.cert_profile.JSONProfileVerifier(profile)[source]¶

Class to verify certificate requests against JSON-based profiles.

Parameters:: profile (dict[str, Any])

profile[source]¶

profile_dict[source]¶

static validate_request(request)[source]¶

Validates and normalizes a certificate request.

This just checks its structure, it does not validate against a profile.

Parameters:: request (dict[str, Any])
Return type:: dict[str, Any]

static _is_simple_type(value)[source]¶

Check if the value is a simple type (not a dict, class).

Excludes None, since we check it separately.

List is considered a simple type here (e.g. for SAN dns_names).

Parameters:: value (Any)
Return type:: bool

_handle_request_only_fields(request, profile, profile_config, allow_list=None)[source]¶

Consider the fields that are only in the request, but not in the profile.

Don’t need to do any nested stuff here, since if the key is not in the profile, it will also not constrain sub-keys.

Request fields are deleted in-place if they are not allowed by the profile.

Parameters:

request (dict[str, Any])
profile (dict[str, Any])
profile_config (InheritedProfileConfig)
allow_list (list[str] | None)

Return type:

None

_handle_profile_only_field(profile_value, field, request, profile_config)[source]¶

Parameters:

profile_value (Any)
field (str)
request (dict[str, Any])
profile_config (InheritedProfileConfig)

Return type:

None

_handle_profile_and_req_field(profile_value, field, request, profile_config)[source]¶

Parameters:

profile_value (Any)
field (str)
request (dict[str, Any])
profile_config (InheritedProfileConfig)

Return type:

None

_apply_profile_rules(request, profile, parent_profile_config=None)[source]¶

Apply the actual profile rules to one level of the request dict.

It needs them both request and profile to be in the same structure and hierarchy, e.g. both in the “subject” sub-dict.

Parameters:

request (dict[str, Any])
profile (dict[str, Any])
parent_profile_config (InheritedProfileConfig | None)

Return type:

dict[str, Any]

apply_profile_to_request(request)[source]¶

Apply the profile to a certificate request and return the modified request.

Parameters:: request (dict[str, Any])
Return type:: dict[str, Any]

_apply_profile_rules_sample(request, profile, parent_profile_config=None)[source]¶

Apply the actual profile rules to one level of the request dict.

It needs them both request and profile to be in the same structure and hierarchy, e.g. both in the “subject” sub-dict.

Parameters:

request (dict[str, Any])
profile (dict[str, Any])
parent_profile_config (InheritedProfileConfig | None)

Return type:

dict[str, Any]

get_sample_request()[source]¶

Generate a sample certificate request that conforms to the profile.

Return type:: dict[str, Any]