pki.util.idevid¶

Classes for handling IDevID certificates according to IEEE 802.1AR.

Exceptions¶

IDevIDAuthenticationError

Exception raised for IDevID authentication failures.

Classes¶

`IDevIDExtensionPolicy`	Builder for IDevID extension policies.
`IDevIDVerifier`	Verifies IDevID certificates as used e.g. by EST with mutual TLS auth.
`IDevIDAuthenticator`	Authenticates IDevID certificates as used e.g. by EST with mutual TLS auth.

Module Contents¶

exception pki.util.idevid.IDevIDAuthenticationError[source]¶

Bases: Exception

Exception raised for IDevID authentication failures.

class pki.util.idevid.IDevIDExtensionPolicy[source]¶

Builder for IDevID extension policies.

static _idevid_base_policy()[source]¶

Create an extension policy for all certificates in a IDevID PKI.

Return type:: cryptography.x509.verification.ExtensionPolicy

static idevid_ee_policy()[source]¶

Create an extension policy for IDevID end-entity certificates.

Return type:: cryptography.x509.verification.ExtensionPolicy

static idevid_ca_policy()[source]¶

Create an extension policy for IDevID CA certificates.

Return type:: cryptography.x509.verification.ExtensionPolicy

class pki.util.idevid.IDevIDVerifier[source]¶

Bases: trustpoint.logger.LoggerMixin

Verifies IDevID certificates as used e.g. by EST with mutual TLS auth.

classmethod verify_idevid_against_truststore(idevid_cert, intermediate_cas, truststore)[source]¶

Verify the IDevID certificate against the provided truststore.

Parameters:

idevid_cert (cryptography.x509.Certificate)
intermediate_cas (list[cryptography.x509.Certificate])
truststore (pki.models.TruststoreModel)

Return type:

bool

class pki.util.idevid.IDevIDAuthenticator[source]¶

Bases: trustpoint.logger.LoggerMixin

Authenticates IDevID certificates as used e.g. by EST with mutual TLS auth.

static _get_matching_registrations(idevid_subj_sn, domain)[source]¶

Get DevIdRegistration patters matching the given domain and serial number.

Parameters:

idevid_subj_sn (str)
domain (pki.models.DomainModel | None)

Return type:

list[pki.models.DevIdRegistration]

static _auto_create_device_from_idevid(idevid_cert, idevid_subj_sn, domain, pki_protocol, onboarding_protocol)[source]¶

Auto-create a new DeviceModel from the IDevID certificate.

Parameters:

idevid_cert (cryptography.x509.Certificate)
idevid_subj_sn (str)
domain (pki.models.DomainModel)
pki_protocol (onboarding.models.OnboardingPkiProtocol)
onboarding_protocol (onboarding.models.OnboardingProtocol)

Return type:

devices.models.DeviceModel

static get_subject_serial_number(idevid_cert)[source]¶

Get the serial number from the subject of the IDevID certificate.

Parameters:: idevid_cert (cryptography.x509.Certificate)
Return type:: str

classmethod authenticate_idevid_from_x509_no_device(idevid_cert, intermediate_cas, domain=None)[source]¶

Authenticate client using an IDevID certificate.

Parameters:

idevid_cert (cryptography.x509.Certificate)
intermediate_cas (list[cryptography.x509.Certificate])
domain (pki.models.DomainModel | None)

Return type:

tuple[pki.models.DomainModel, str]

classmethod authenticate_idevid_from_x509(idevid_cert, intermediate_cas, domain=None, onboarding_protocol=OnboardingProtocol.EST_IDEVID, pki_protocol=OnboardingPkiProtocol.EST)[source]¶

Authenticate client using IDevID certificate for Domain Credential request and create a device.

Parameters:

idevid_cert (cryptography.x509.Certificate)
intermediate_cas (list[cryptography.x509.Certificate])
domain (pki.models.DomainModel | None)
onboarding_protocol (onboarding.models.OnboardingProtocol)
pki_protocol (onboarding.models.OnboardingPkiProtocol)

Return type:

devices.models.DeviceModel

classmethod authenticate_idevid(request, domain=None)[source]¶

Authenticate client using IDevID certificate for Domain Credential request.

Parameters:

request (django.http.HttpRequest)
domain (pki.models.DomainModel | None)

Return type:

devices.models.DeviceModel