request.authentication.cmp¶

Provides the ‘CmpAuthentication’ class using the Composite pattern for modular CMP authentication.

Classes¶

`CmpAuthenticationBase`	Base class for CMP authentication components with common functionality.
`CmpSharedSecretAuthentication`	Handles CMP authentication using shared secrets with HMAC-based protection.
`CmpSignatureBasedInitializationAuthentication`	Handles CMP signature-based authentication for initialization requests using IDevID certificates.
`CmpSignatureBasedCertificationAuthentication`	Handles CMP signature-based authentication for certification requests using domain credentials.
`CmpAuthentication`	Composite authenticator specifically for CMP requests, combining various authentication methods.

Module Contents¶

class request.authentication.cmp.CmpAuthenticationBase[source]¶

Bases: request.authentication.base.AuthenticationComponent, trustpoint.logger.LoggerMixin

Base class for CMP authentication components with common functionality.

_is_aoki_request(context)[source]¶

Determine if this is an AOKI request based on domain name and URL path.

Parameters:: context (request.request_context.CmpBaseRequestContext)
Return type:: bool

class request.authentication.cmp.CmpSharedSecretAuthentication[source]¶

Bases: CmpAuthenticationBase

Handles CMP authentication using shared secrets with HMAC-based protection.

authenticate(context)[source]¶

Authenticate using CMP shared secret HMAC protection.

Parameters:: context (request.request_context.BaseRequestContext)
Return type:: None

_validate_context(context)[source]¶

Validate the context for CMP shared secret authentication.

Parameters:: context (request.request_context.CmpBaseRequestContext)
Return type:: bool

_raise_value_error(message)[source]¶

Raise a ValueError with the given message.

Parameters:: message (str)
Return type:: Never

_extract_sender_kid(context)[source]¶

Extract sender KID from CMP message header.

Parameters:: context (request.request_context.CmpBaseRequestContext)
Return type:: int

_get_device(sender_kid)[source]¶

Get device by sender KID.

Parameters:: sender_kid (int)
Return type:: devices.models.DeviceModel

_validate_device_configuration(device, sender_kid)[source]¶

Validate device has required shared secret configuration.

Parameters:

device (devices.models.DeviceModel)
sender_kid (int)

Return type:

onboarding.models.OnboardingConfigModel | onboarding.models.NoOnboardingConfigModel

_verify_hmac_protection(context, shared_secret)[source]¶

Verify HMAC-based protection and store shared secret for response.

Parameters:

context (request.request_context.CmpBaseRequestContext)
shared_secret (str)

Return type:

None

_finalize_authentication(context, device, sender_kid)[source]¶

Finalize authentication by setting device in context and logging success.

Parameters:

context (request.request_context.CmpBaseRequestContext)
device (devices.models.DeviceModel)
sender_kid (int)

Return type:

None

_handle_authentication_error(error)[source]¶

Handle known authentication errors.

Parameters:: error (Exception)
Return type:: None

_handle_unexpected_error(error)[source]¶

Handle unexpected errors during authentication.

Parameters:: error (Exception)
Return type:: None

_raise_cmp_error(message)[source]¶

Raise CMP authentication error.

Parameters:: message (str)
Return type:: Never

static _verify_protection_shared_secret(parsed_message, shared_secret)[source]¶

Verifies the HMAC-based protection of a CMP message using a shared secret.

Returns a new HMAC object that can be used to sign the response message.

Parameters:

parsed_message (pyasn1_modules.rfc4210.PKIMessage)
shared_secret (str)

Return type:

cryptography.hazmat.primitives.hmac.HMAC

class request.authentication.cmp.CmpSignatureBasedInitializationAuthentication[source]¶

Bases: CmpAuthenticationBase

Handles CMP signature-based authentication for initialization requests using IDevID certificates.

authenticate(context)[source]¶

Authenticate using CMP signature-based protection for initialization requests.

Parameters:: context (request.request_context.BaseRequestContext)
Return type:: None

_authenticate_and_verify_device(context, cmp_signer_cert, intermediate_certs)[source]¶

Authenticate and verify the device.

Parameters:

context (request.request_context.CmpCertificateRequestContext)
cmp_signer_cert (cryptography.x509.Certificate)
intermediate_certs (list[cryptography.x509.Certificate])

Return type:

devices.models.DeviceModel

_process_device_authentication(context, cmp_signer_cert, intermediate_certs)[source]¶

Process device authentication using certificates.

Parameters:

context (request.request_context.CmpCertificateRequestContext)
cmp_signer_cert (cryptography.x509.Certificate)
intermediate_certs (list[cryptography.x509.Certificate])

Return type:

devices.models.DeviceModel

_handle_authentication_error(error)[source]¶

Handle authentication errors by logging and raising a ValueError.

Parameters:: error (Exception)
Return type:: Never

_validate_context(context)[source]¶

Validate the context for CMP authentication.

Parameters:: context (request.request_context.CmpCertificateRequestContext)
Return type:: bool

_extract_certificates(context)[source]¶

Extract and validate certificates from the CMP message.

Parameters:: context (request.request_context.CmpCertificateRequestContext)
Return type:: tuple[cryptography.x509.Certificate, list[cryptography.x509.Certificate]]

_authenticate_device(context, cmp_signer_cert, intermediate_certs)[source]¶

Authenticate the device using IDevID.

Parameters:

context (request.request_context.CmpCertificateRequestContext)
cmp_signer_cert (cryptography.x509.Certificate)
intermediate_certs (list[cryptography.x509.Certificate])

Return type:

devices.models.DeviceModel

_verify_device_configuration(device)[source]¶

Verify the device’s configuration and protocols.

Parameters:: device (devices.models.DeviceModel)
Return type:: None

_raise_value_error(message)[source]¶

Helper method to log and raise a ValueError.

Parameters:: message (str)
Return type:: Never

_verify_protection_signature(parsed_message, cmp_signer_cert)[source]¶

Verifies the message signature of a CMP message using signature-based protection.

Parameters:

parsed_message (pyasn1_modules.rfc4210.PKIMessage)
cmp_signer_cert (cryptography.x509.Certificate)

Return type:

None

class request.authentication.cmp.CmpSignatureBasedCertificationAuthentication[source]¶

Bases: request.authentication.base.AuthenticationComponent, trustpoint.logger.LoggerMixin

Handles CMP signature-based authentication for certification requests using domain credentials.

authenticate(context)[source]¶

Authenticate using CMP signature-based protection for certification requests.

Parameters:: context (request.request_context.BaseRequestContext)
Return type:: None

_should_authenticate(context)[source]¶

Check if this authentication method should be applied.

Parameters:: context (request.request_context.CmpCertificateRequestContext)
Return type:: bool

_extract_and_validate_certificate(context)[source]¶

Extract and validate the CMP signer certificate from the message.

Parameters:: context (request.request_context.CmpCertificateRequestContext)
Return type:: cryptography.x509.Certificate

_authenticate_device(context)[source]¶

Authenticate the device using the CMP signer certificate.

Parameters:: context (request.request_context.CmpCertificateRequestContext)
Return type:: devices.models.DeviceModel

_extract_device_info(cmp_signer_cert)[source]¶

Extract device information from certificate subject.

Parameters:: cmp_signer_cert (cryptography.x509.Certificate)
Return type:: dict[str, str | int | None]

_lookup_device(device_info)[source]¶

Look up the device by ID.

Parameters:: device_info (dict[str, str | int | None])
Return type:: devices.models.DeviceModel

_validate_device(device, device_info, cmp_signer_cert)[source]¶

Validate device properties and certificate.

Parameters:

device (devices.models.DeviceModel)
device_info (dict[str, str | int | None])
cmp_signer_cert (cryptography.x509.Certificate)

Return type:

None

_verify_protection_and_finalize(context, cmp_signer_cert, device)[source]¶

Verify protection signature and finalize authentication.

Parameters:

context (request.request_context.CmpCertificateRequestContext)
cmp_signer_cert (cryptography.x509.Certificate)
device (devices.models.DeviceModel)

Return type:

None

_raise_value_error(message)[source]¶

Helper method to log and raise a ValueError.

Parameters:: message (str)
Return type:: Never

_raise_type_error(message)[source]¶

Helper method to log and raise a TypeError.

Parameters:: message (str)
Return type:: Never

_verify_protection_signature(parsed_message, cmp_signer_cert)[source]¶

Verifies the message signature of a CMP message using signature-based protection.

Parameters:

parsed_message (pyasn1_modules.rfc4210.PKIMessage)
cmp_signer_cert (cryptography.x509.Certificate)

Return type:

None

class request.authentication.cmp.CmpAuthentication[source]¶

Bases: request.authentication.base.CompositeAuthentication

Composite authenticator specifically for CMP requests, combining various authentication methods.