cmp.views¶

This module contains the CMP endpoints (views).

Attributes¶

`UTC_TIME_THRESHOLD`
`UTC_TIME_CORRECTION`
`CERT_TEMPLATE_VERSION`
`DEFAULT_VALIDITY_DAYS`
`CMP_MESSAGE_VERSION`
`SENDER_NONCE_LENGTH`
`TRANSACTION_ID_LENGTH`
`IMPLICIT_CONFIRM_OID`
`IMPLICIT_CONFIRM_STR_VALUE`

Classes¶

`ApplicationCertificateTemplateNames`	Application Certificate Template.
`Dispatchable`	Dispatchable Protocol.
`CmpHttpMixin`	CMP Http Validations.
`CmpRequestedDomainExtractorMixin`	Domain name extractor.
`CmpPkiMessageSerializerMixin`	CMP message serialization.
`CmpRequestTemplateExtractorMixin`	CMP template extractor.
`CmpResponseBuilderMixin`	Mixin for CMP response message building shared between request types.
`CmpInitializationRequestView`	Handles CMP Initialization Request Messages.
`CmpCertificationRequestView`	Handles CMP Certification Request Messages.

Functions¶

`is_supported_public_key`(public_key)	TypeGuard function that narrows down the public key type.
`load_supported_public_key_type`(der_bytes)	Tries to load the public key from bytes and checks if it is a supported key.
`get_encoded_protected_part`(cmp_message)	Encode the protected part of the CMP message.
`convert_rfc2459_time`(time_obj)	Convert a pyasn1_modules.rfc2459.Time object to a timezone-aware datetime (UTC).

Module Contents¶

cmp.views.UTC_TIME_THRESHOLD = 2050[source]¶

cmp.views.UTC_TIME_CORRECTION = 100[source]¶

cmp.views.CERT_TEMPLATE_VERSION = 2[source]¶

cmp.views.DEFAULT_VALIDITY_DAYS = 10[source]¶

cmp.views.CMP_MESSAGE_VERSION = 2[source]¶

cmp.views.SENDER_NONCE_LENGTH = 16[source]¶

cmp.views.TRANSACTION_ID_LENGTH = 16[source]¶

cmp.views.is_supported_public_key(public_key)[source]¶

TypeGuard function that narrows down the public key type.

Parameters:: public_key (cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes) – The loaded public key to check if it is supported.
Returns:: True if it is supported, False otherwise.
Return type:: TypeGuard[trustpoint_core.crypto_types.PublicKey]

cmp.views.load_supported_public_key_type(der_bytes)[source]¶

Tries to load the public key from bytes and checks if it is a supported key.

Parameters:

der_bytes (bytes) – The bytes containing the key.

Raises:

ValueError – If loading of the public key failed.
TypeError – If the loaded public key is of an unsupported type.

Returns:

The loaded public key.

Return type:

trustpoint_core.crypto_types.PublicKey

class cmp.views.ApplicationCertificateTemplateNames(*args, **kwds)[source]¶

Bases: enum.Enum

Application Certificate Template.

TLS_CLIENT = 'tls-client'[source]¶

TLS_SERVER = 'tls-server'[source]¶

OPCUA_SERVER = 'opc-ua-server'[source]¶

OPCUA_CLIENT = 'opc-ua-client'[source]¶

cmp.views.IMPLICIT_CONFIRM_OID = '1.3.6.1.5.5.7.4.13'[source]¶

cmp.views.IMPLICIT_CONFIRM_STR_VALUE = '0x0500'[source]¶

class cmp.views.Dispatchable[source]¶

Bases: Protocol

Dispatchable Protocol.

dispatch(request, *args, **kwargs)[source]¶

Dispatch method.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

class cmp.views.CmpHttpMixin[source]¶

CMP Http Validations.

expected_content_type = 'application/pkixcmp'[source]¶

max_payload_size = 131072[source]¶

raw_message: bytes[source]¶

dispatch(request, *args, **kwargs)[source]¶

Dispatch method.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

class cmp.views.CmpRequestedDomainExtractorMixin[source]¶

Domain name extractor.

requested_domain: pki.models.domain.DomainModel[source]¶

is_aoki: bool = False[source]¶

dispatch(request, *args, **kwargs)[source]¶

Dispatch method.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

class cmp.views.CmpPkiMessageSerializerMixin[source]¶

CMP message serialization.

raw_message: bytes[source]¶

serialized_pyasn1_message: None | pyasn1_modules.rfc4210.PKIMessage[source]¶

dispatch(request, *args, **kwargs)[source]¶

Dispatch method.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

class cmp.views.CmpRequestTemplateExtractorMixin[source]¶

CMP template extractor.

application_certificate_template: ApplicationCertificateTemplateNames | None = None[source]¶

dispatch(request, *args, **kwargs)[source]¶

Dispatch method.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

static _check_header(serialized_pyasn1_message)[source]¶

Checks some parts of the header.

Parameters:: serialized_pyasn1_message (pyasn1_modules.rfc4210.PKIMessage)
Return type:: None

_extract_cert_req_template(pki_body)[source]¶

Extracts the certificate request template from the PKI (IR/CR) message body.

Parameters:: pki_body (pyasn1_modules.rfc4210.PKIBody)
Return type:: pyasn1_modules.rfc2511.CertTemplate

static get_subject_common_name(cert_req_template)[source]¶

Extracts the common name from the subject in the certificate request template.

Parameters:: cert_req_template (pyasn1_modules.rfc2511.CertTemplate)
Return type:: str

_load_cert_req_public_key(cert_req_template)[source]¶

Parameters:: cert_req_template (pyasn1_modules.rfc2511.CertTemplate)
Return type:: trustpoint_core.crypto_types.PublicKey

static _verify_protection_shared_secret(serialized_pyasn1_message, shared_secret)[source]¶

Verifies the HMAC-based protection of a CMP message using a shared secret.

Returns a new HMAC object that can be used to sign the response message.

Parameters:

serialized_pyasn1_message (pyasn1_modules.rfc4210.PKIMessage)
shared_secret (str)

Return type:

cryptography.hazmat.primitives.hmac.HMAC

static _verify_protection_signature(serialized_pyasn1_message, cmp_signer_cert)[source]¶

Verifies the message signature of a CMP message using signature-based protection.

Parameters:

serialized_pyasn1_message (pyasn1_modules.rfc4210.PKIMessage)
cmp_signer_cert (cryptography.x509.Certificate)

Return type:

None

class cmp.views.CmpResponseBuilderMixin[source]¶

Mixin for CMP response message building shared between request types.

static _parse_san_extension(cert_req_template)[source]¶

Parses the (mandatory) SAN extension from the certificate request template.

Returns a dictionary with the following keys:

‘dns_names’: List of DNS/domain names.
‘ipv4_addresses’: List of IPv4 addresses.
‘ipv6_addresses’: List of IPv6 addresses.
‘uris’: List of URIs.
‘san_critical’: Boolean indicating if the SAN extension is critical.

Parameters:: cert_req_template (pyasn1_modules.rfc2511.CertTemplate)
Return type:: dict[str, Any]

static _issue_application_credential(cert_req_template, public_key, device, application_certificate_template)[source]¶

Issues an application certificate for CMP CR.

Parameters:

cert_req_template (pyasn1_modules.rfc2511.CertReq)
public_key (trustpoint_core.crypto_types.PublicKey)
device (devices.models.DeviceModel)
application_certificate_template (ApplicationCertificateTemplateNames)

Return type:

devices.models.IssuedCredentialModel

static _build_response_message_header(serialized_pyasn1_message, sender_kid, issuer_credential)[source]¶

Builds the PKI response message header for the IP and CP response messages.

Parameters:

serialized_pyasn1_message (pyasn1_modules.rfc4210.PKIMessage)
sender_kid (pyasn1_modules.rfc2459.KeyIdentifier)
issuer_credential (pki.models.credential.CredentialModel)

Return type:

pyasn1_modules.rfc4210.PKIHeader

static _add_protection_shared_secret(pki_message, hmac_gen)[source]¶

Adds HMAC-based shared-secret protection to the base PKI message.

Parameters:

pki_message (pyasn1_modules.rfc4210.PKIMessage)
hmac_gen (cryptography.hazmat.primitives.hmac.HMAC)

Return type:

pyasn1_modules.rfc4210.PKIMessage

_sign_pki_message(pki_message, signer_credential)[source]¶

Applies signature-based protection to the base PKI message.

Parameters:

pki_message (pyasn1_modules.rfc4210.PKIMessage)
signer_credential (pki.models.credential.CredentialModel)

Return type:

pyasn1_modules.rfc4210.PKIMessage

cmp.views.get_encoded_protected_part(cmp_message)[source]¶

Encode the protected part of the CMP message.

Parameters:: cmp_message (pyasn1_modules.rfc4210.PKIMessage)
Return type:: Any

class cmp.views.CmpInitializationRequestView(**kwargs)[source]¶

Bases: CmpHttpMixin, CmpRequestedDomainExtractorMixin, CmpPkiMessageSerializerMixin, CmpRequestTemplateExtractorMixin, CmpResponseBuilderMixin, django.views.generic.base.View

Handles CMP Initialization Request Messages.

http_method_names = ('post',)[source]¶

raw_message: bytes[source]¶

serialized_pyasn1_message: pyasn1_modules.rfc4210.PKIMessage[source]¶

requested_domain: pki.models.domain.DomainModel[source]¶

device: None | devices.models.DeviceModel = None[source]¶

_extract_ir_body()[source]¶

Return type:: pyasn1_modules.rfc4210.PKIBody

_build_base_ip_message(issued_cred, issuer_credential, sender_kid, signer_credential=None)[source]¶

Builds the IP response message (without the protection).

Parameters:

issued_cred (devices.models.IssuedCredentialModel)
issuer_credential (pki.models.credential.CredentialModel)
sender_kid (pyasn1_modules.rfc2459.KeyIdentifier)
signer_credential (pki.models.credential.CredentialModel | None)

Return type:

pyasn1_modules.rfc4210.PKIMessage

_handle_shared_secret_initialization_request()[source]¶

Handles IR for initial certificate requests with shared secret protection.

Return type:: django.http.HttpResponse

_handle_signature_based_initialization_request()[source]¶

Handles IR for initial certificate requests with signature-based protection.

Return type:: django.http.HttpResponse

post(request, *args, **kwargs)[source]¶

Handles the POST requests to the CMP IR endpoint.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

class cmp.views.CmpCertificationRequestView(**kwargs)[source]¶

Bases: CmpHttpMixin, CmpRequestedDomainExtractorMixin, CmpPkiMessageSerializerMixin, CmpRequestTemplateExtractorMixin, CmpResponseBuilderMixin, django.views.generic.base.View

Handles CMP Certification Request Messages.

http_method_names = ('post',)[source]¶

raw_message: bytes[source]¶

serialized_pyasn1_message: pyasn1_modules.rfc4210.PKIMessage[source]¶

requested_domain: pki.models.domain.DomainModel[source]¶

device: devices.models.DeviceModel[source]¶

application_certificate_template: None | ApplicationCertificateTemplateNames = None[source]¶

_extract_cr_body()[source]¶

Return type:: pyasn1_modules.rfc4210.PKIBody

_build_base_cp_message(issued_cred, issuer_credential, sender_kid)[source]¶

Builds the CR response message (without the protection).

Parameters:

issued_cred (devices.models.IssuedCredentialModel)
issuer_credential (pki.models.credential.CredentialModel)
sender_kid (pyasn1_modules.rfc2459.KeyIdentifier)

Return type:

pyasn1_modules.rfc4210.PKIMessage

_handle_shared_secret_certificate_request()[source]¶

Handles CMP CR for application certificates with shared secret protection.

Return type:: django.http.HttpResponse

_handle_signature_based_certificate_request()[source]¶

Return type:: django.http.HttpResponse

post(request, *args, **kwargs)[source]¶

Handles the POST requests to the CMP CR endpoint.

Parameters:

request (django.http.HttpRequest)
args (Any)
kwargs (Any)

Return type:

django.http.HttpResponse

cmp.views.convert_rfc2459_time(time_obj)[source]¶

Convert a pyasn1_modules.rfc2459.Time object to a timezone-aware datetime (UTC).

The Time object is a CHOICE between:

utcTime: YYMMDDHHMMSSZ
generalizedTime: YYYYMMDDHHMMSSZ

Returns:: A datetime object in UTC.
Raises:: ValueError – If the time format is unexpected.
Parameters:: time_obj (pyasn1_modules.rfc2459.Time)
Return type:: datetime.datetime