pki.util.x509¶
Handles certificate creation for Issuing CA certificates.
Attributes¶
Exceptions¶
Exception raised for general client certificate authentication failures. |
Classes¶
Methods for generating X.509 certificates. |
|
Extracts the TLS client certificate from the request. |
|
Methods for verifying client and server certificates. |
Module Contents¶
- class pki.util.x509.CertificateGenerator[source]¶
Methods for generating X.509 certificates.
- static create_root_ca(cn, validity_days=7300, private_key=None, hash_algorithm=None, path_length=None)[source]¶
Creates a root CA certificate for testing and AutoGenPKI.
- Parameters:
cn (str) – Common name for the root CA.
validity_days (int) – Validity period in days.
private_key (None | trustpoint_core.crypto_types.PrivateKey) – Private key to use. If None, generates new RSA-2048 key.
hash_algorithm (None | cryptography.hazmat.primitives.hashes.HashAlgorithm) – Hash algorithm to use for signing.
path_length (int | None) – Maximum number of CA certificates that may follow this certificate. If None, defaults to 1.
- Returns:
Tuple of (certificate, private_key).
- Return type:
tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]
- static create_issuing_ca(issuer_private_key, issuer_cn, subject_cn, private_key=None, validity_days=3650, hash_algorithm=None, path_length=None)[source]¶
Creates an issuing CA certificate + key pair.
- Parameters:
issuer_private_key (None | trustpoint_core.crypto_types.PrivateKey) – Private key of the issuing CA. None for root CA.
issuer_cn (str) – Common name of the issuer.
subject_cn (str) – Common name of the subject.
private_key (None | trustpoint_core.crypto_types.PrivateKey) – Private key to use. If None, generates new RSA-2048 key.
validity_days (int) – Validity period in days.
hash_algorithm (None | cryptography.hazmat.primitives.hashes.HashAlgorithm) – Hash algorithm to use for signing.
path_length (int | None) – Maximum number of CA certificates that may follow this certificate in a valid certification path. If None, defaults to 1 for root CAs and 0 for intermediate CAs.
- Returns:
Tuple of (certificate, private_key).
- Return type:
tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]
- static create_ee(issuer_private_key, issuer_name, subject_name, private_key=None, extensions=None, validity_days=365)[source]¶
Creates a generic end entity certificate + key pair.
- Parameters:
issuer_private_key (trustpoint_core.crypto_types.PrivateKey) – The private key of the issuer.
issuer_name (cryptography.x509.Name) – The full issuer Name (must be x509.Name to ensure proper certificate chain matching).
subject_name (str | cryptography.x509.Name) – The subject common name (str) or full subject Name.
private_key (None | trustpoint_core.crypto_types.PrivateKey) – The private key for the EE. If None, generates new RSA-2048 key.
extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – List of (extension, critical) tuples to add.
validity_days (int) – Validity period in days.
- Returns:
Tuple of (certificate, private_key).
- Return type:
tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]
- static create_test_pki(chain_depth=0)[source]¶
Get a test PKI chain with a specified depth (excluding root CA). depth=0 is a self-signed EE.
- Parameters:
chain_depth (int)
- Return type:
tuple[list[cryptography.x509.Certificate], list[trustpoint_core.crypto_types.PrivateKey]]
- static save_issuing_ca(issuing_ca_cert, chain, private_key, unique_name='issuing_ca', ca_type=CaModel.CaTypeChoice.LOCAL_UNPROTECTED, parent_ca=None)[source]¶
Saves an Issuing CA certificate to the database and returns the CaModel.
- Parameters:
issuing_ca_cert (cryptography.x509.Certificate) – The issuing CA certificate.
chain (list[cryptography.x509.Certificate]) – List of intermediate certificates in the chain.
private_key (trustpoint_core.crypto_types.PrivateKey) – The private key for the issuing CA.
unique_name (str) – Unique name for this CA.
ca_type (pki.models.CaModel.CaTypeChoice) – The type of issuing CA.
parent_ca (pki.models.CaModel | None) – Optional parent CA in the hierarchy (the CA that issued this certificate).
- Returns:
The created CA model.
- Return type:
- exception pki.util.x509.ClientCertificateAuthenticationError[source]¶
Bases:
ExceptionException raised for general client certificate authentication failures.
- class pki.util.x509.NginxTLSClientCertExtractor[source]¶
Extracts the TLS client certificate from the request.
- static get_client_cert_as_x509(request)[source]¶
Retrieve the client certificate from the request and convert it to an x509.Certificate object.
- Parameters:
request (django.http.HttpRequest) – Django HttpRequest containing the headers.
- Returns:
x509.Certificate object.
- Raises:
ClientCertificateAuthenticationError – if no client certificate found or it is not a valid PEM-encoded cert.
- Return type:
tuple[cryptography.x509.Certificate, list[cryptography.x509.Certificate]]
- class pki.util.x509.CertificateVerifier[source]¶
Methods for verifying client and server certificates.
- static verify_server_cert(cert, subject, untrusted_intermediates=None, verification_time=None)[source]¶
Verifies a server’s TLS certificate against a trusted certificate store.
- Parameters:
cert (x509.Certificate) – The DER- or PEM-encoded leaf server certificate to verify.
subject (str) – The expected DNS name or hostname to match against the certificate’s Subject Alternative Name (SAN).
untrusted_intermediates (list[x509.Certificate]) – DER- or PEM-encoded intermediate certificates that are not trusted by default but provided to assist chain building.
verification_time (datetime) – Certificate verification time
- Returns:
A validated certificate chain from the leaf certificate up to a trusted root.
- Return type:
list[x509.Certificate]
- Raises:
VerificationError – If a valid chain cannot be constructed.
UnsupportedGeneralNameType – If a valid chain exists, but contains an unsupported general name type.