est.views¶

Views for EST (Enrollment over Secure Transport) handling authentication and certificate issuance.

Attributes¶

THRESHOLD_LOGGER

Integer constant with value 400, the first HTTP status code of the client-error range.

Exceptions¶

UsernamePasswordAuthenticationError

Exception raised for username and password authentication failures.

Classes¶

LoggedHttpResponse

Custom HttpResponse that logs and prints error messages automatically.

Dispatchable

Protocol defining a dispatch method for handling HTTP requests.

CredentialRequest

Encapsulates the details extracted from a CSR.

EstAuthenticationMixin

Checks for HTTP Basic Authentication before processing the request.

EstHttpMixin

Mixin for processing HTTP requests for EST endpoints.

EstRequestedDomainExtractorMixin

Mixin to extract the requested domain.

EstRequestedCertTemplateExtractorMixin

Mixin to extract and validate the certificate template from request parameters.

EstPkiMessageSerializerMixin

Mixin to handle serialization and deserialization of PKCS#10 certificate signing requests.

DeviceHandlerMixin

Extract the serial number from an X.509 CSR and retrieve or create a DeviceModel instance.

CredentialIssuanceMixin

Mixin to handle issuing credentials based on a given certificate template input.

OnboardingMixin

A mixin that provides onboarding validation logic for issuing credentials.

EstSimpleEnrollmentView

Handles simple EST (Enrollment over Secure Transport) enrollment requests.

EstSimpleReEnrollmentView

Handles simple EST (Enrollment over Secure Transport) reenrollment requests.

EstCACertsView

View to handle the EST /cacerts endpoint.

EstCsrAttrsView

View to handle the EST /csrattrs endpoint.

Module Contents¶

exception est.views.UsernamePasswordAuthenticationError[source]¶

Bases: Exception

Exception raised for username and password authentication failures.

est.views.THRESHOLD_LOGGER: int = 400[source]¶

class est.views.LoggedHttpResponse(content=b'', status=None, *args, **kwargs)[source]¶

Bases: django.http.HttpResponse, trustpoint.logger.LoggerMixin

Custom HttpResponse that logs and prints error messages automatically.

Parameters:
  • content (str | bytes)

  • status (int | None)

  • args (Any)

  • kwargs (Any)

class est.views.Dispatchable[source]¶

Bases: Protocol

Protocol defining a dispatch method for handling HTTP requests.

dispatch(request, *args, **kwargs)[source]¶

Handle the dispatching of an HTTP request.

Parameters:
  • request (django.http.HttpRequest)

  • args (Any)

  • kwargs (Any)

Return type:

django.http.HttpResponse

class est.views.CredentialRequest[source]¶

Encapsulates the details extracted from a CSR.

common_name: str[source]¶
serial_number: str | None[source]¶
uniform_resource_identifiers: list[str][source]¶
ipv4_addresses: list[ipaddress.IPv4Address][source]¶
ipv6_addresses: list[ipaddress.IPv6Address][source]¶
dns_names: list[str][source]¶
public_key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey | cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey[source]¶
request_format: str[source]¶
class est.views.EstAuthenticationMixin[source]¶

Bases: trustpoint.logger.LoggerMixin

Checks for HTTP Basic Authentication before processing the request.

used_onboarding_protocol_auth: devices.models.OnboardingProtocol | None = None[source]¶
static authenticate_username_password(request)[source]¶

Authenticate the client using HTTP Basic credentials and return the associated DeviceModel.

Parameters:

request (django.http.HttpRequest) – Django HttpRequest containing the headers.

Returns:

Authenticated DeviceModel instance.

Raises:

UsernamePasswordAuthenticationError – if authentication fails.

Return type:

devices.models.DeviceModel
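
The following is an added example, not Trustpoint's code, of the parsing and checking that authenticate_username_password has to do before it can resolve a DeviceModel. It models the device store as a dict of hypothetical DeviceRecord objects (salted PBKDF2 hashes) in place of DeviceModel and uses only the standard library. Points worth copying: strict base64 decoding, splitting on the first colon only (RFC 7617 allows colons in the password), hashing even for unknown usernames so response time does not reveal which devices exist, and hmac.compare_digest for the final comparison.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


class UsernamePasswordAuthenticationError(Exception):
    """Raised on every Basic-auth failure; log the reason, send the client a generic 401."""


@dataclass(frozen=True)
class DeviceRecord:
    """Hypothetical stand-in for DeviceModel holding only what this example needs."""
    username: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_device(username: str, password: str) -> DeviceRecord:
    salt = os.urandom(16)
    return DeviceRecord(username, salt, _hash_password(password, salt))


def basic_header(username: str, password: str) -> str:
    """Header value a client would send; used here to construct test input."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header: str | None) -> tuple[str, str]:
    """Return (username, password) from an Authorization header value.

    Rejects a missing header, any scheme but Basic, non-canonical base64, non-UTF-8
    bytes and credentials without a colon. RFC 7617 allows colons in the password,
    so the split is on the first colon only.
    """
    if header is None:
        raise UsernamePasswordAuthenticationError("missing Authorization header")
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise UsernamePasswordAuthenticationError("unsupported authorization scheme")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        raise UsernamePasswordAuthenticationError("malformed Basic credentials") from exc
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        raise UsernamePasswordAuthenticationError("credentials are not in user:password form")
    return username, password


def authenticate_username_password(headers: dict[str, str],
                                   devices: dict[str, DeviceRecord]) -> DeviceRecord:
    """Resolve the device for the presented credentials or raise."""
    username, password = parse_basic_header(headers.get("Authorization"))
    device = devices.get(username)
    # Hash against a dummy record when the username is unknown so response time does not
    # reveal which devices exist; compare_digest keeps the final comparison constant-time.
    salt = device.salt if device is not None else b"\x00" * 16
    expected = device.pw_hash if device is not None else b"\x00" * 32
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    if device is None or not matches:
        raise UsernamePasswordAuthenticationError("invalid username or password")
    return device


def try_authenticate(headers: dict[str, str], devices: dict[str, DeviceRecord]) -> DeviceRecord | None:
    """Exception-free variant for callers that map any failure to HTTP 401."""
    try:
        return authenticate_username_password(headers, devices)
    except UsernamePasswordAuthenticationError:
        return None


if __name__ == "__main__":
    registry = {"dev-0001": make_device("dev-0001", "s3cret:with:colons")}
    print(try_authenticate({"Authorization": basic_header("dev-0001", "s3cret:with:colons")}, registry))
    print(try_authenticate({"Authorization": "Bearer abc"}, registry))  # None
```

Mapping the exception to a 401 with a WWW-Authenticate: Basic header, and logging the reason only server-side, is left to the view; the error strings above are for the log, not for the client.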

authenticate_domain_credential(request)[source]¶

Authenticate the client using a domain credential presented as the mutual-TLS client certificate and return the associated DeviceModel.

Parameters:

request (django.http.HttpRequest)

Return type:

devices.models.DeviceModel

authenticate_reenrollment_application_credential(request, csr)[source]¶

Authenticate the client using an application credential presented as the mutual-TLS client certificate. This is only allowed for reenrollment.

Authentication succeeds only if the subject and SAN of both the client certificate and the CSR match the existing issued credential; a CSR that asks for a different identity is rejected even though the TLS handshake succeeded.

Parameters:
  • request (django.http.HttpRequest)

  • csr (cryptography.x509.CertificateSigningRequest)

Return type:

devices.models.DeviceModel

authenticate_request(request, domain, cert_template_str, csr=None)[source]¶

Authenticate the request and return a DeviceModel if authentication succeeds.

Parameters:
  • request (django.http.HttpRequest)

  • domain (pki.models.domain.DomainModel)

  • cert_template_str (str)

  • csr (cryptography.x509.CertificateSigningRequest | None)

Return type:

tuple[devices.models.DeviceModel | None, LoggedHttpResponse | None]

_authenticate_domain_credential_request(request, domain)[source]¶

Authenticate requests for ‘domaincredential’ certificates and return the associated DeviceModel.

Parameters:
  • request (django.http.HttpRequest)

  • domain (pki.models.domain.DomainModel)

Return type:

tuple[devices.models.DeviceModel | None, LoggedHttpResponse | None]

_authenticate_application_certificate_request(request, domain, csr)[source]¶

Authenticate requests for application certificate templates and return the associated DeviceModel.

Parameters:
  • request (django.http.HttpRequest)

  • domain (pki.models.domain.DomainModel)

  • csr (cryptography.x509.CertificateSigningRequest)

Return type:

tuple[devices.models.DeviceModel | None, LoggedHttpResponse | None]

class est.views.EstHttpMixin[source]¶

Mixin for processing HTTP requests for EST endpoints.

This mixin reads the raw message from the request, verifies that the payload:
  • Does not exceed the maximum allowed size.

  • Contains the expected content type.

  • Is optionally decoded from base64 if required.

Upon successful validation, the mixin delegates the request handling to the parent dispatch method.

expected_content_type = 'application/pkcs10'[source]¶
max_payload_size = 131072[source]¶
raw_message: bytes[source]¶
process_http_request(request)[source]¶

Process the incoming HTTP request for EST enrollment.

The method performs the following checks in order:
  1. Reads the raw request message and ensures it does not exceed the maximum allowed size.

  2. Verifies that the request contains a Content-Type header matching the expected type.

  3. If the request includes a ‘Content-Transfer-Encoding’ header set to ‘base64’, decodes the raw message from base64.

  4. Returns the validated (and, where applicable, base64-decoded) payload to the calling view, which continues with CSR deserialization.

Parameters:

request (django.http.HttpRequest) – The incoming HttpRequest.

Returns:

A tuple (raw_message, error). On success raw_message holds the validated, decoded request bytes and error is None; on failure raw_message is None and error is a LoggedHttpResponse carrying the HTTP error status.

Return type:

tuple[bytes | None, LoggedHttpResponse | None]
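
As an added example (not the project's code), the checks described above implemented stand-alone over a minimal FakeRequest stand-in for django.http.HttpRequest and an ErrorResponse stand-in for LoggedHttpResponse. The Content-Length pre-check in step 1 and the DER tag check in step 4 are this example's additions, not behaviour the page documents; SAMPLE_DER is a constructed placeholder, not a real CSR.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass, field

EXPECTED_CONTENT_TYPE = "application/pkcs10"
MAX_PAYLOAD_SIZE = 131072  # 128 KiB, same limit as the page's max_payload_size

# Constructed placeholder: a DER SEQUENCE holding INTEGER 5. It is not a real CSR; it
# only has the outer shape that the pre-parse check below looks for.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


@dataclass
class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest (hypothetical, for this example)."""
    body: bytes
    headers: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ErrorResponse:
    """Stand-in for LoggedHttpResponse: only the status and a loggable reason."""
    status: int
    reason: str


def make_est_request(der: bytes) -> FakeRequest:
    """Wrap DER bytes the way an EST client does: base64 body with MIME line breaks."""
    body = base64.encodebytes(der)  # inserts '\n' every 76 characters
    return FakeRequest(body, {
        "Content-Type": EXPECTED_CONTENT_TYPE,
        "Content-Transfer-Encoding": "base64",
        "Content-Length": str(len(body)),
    })


def process_http_request(request: FakeRequest) -> tuple[bytes | None, ErrorResponse | None]:
    """Return (der_bytes, None) on success or (None, error) at the first failed check."""
    # 1. Size: refuse on the declared length first (cheap, added hardening), then on the
    #    actual body, so a missing or understated Content-Length cannot bypass the cap.
    declared = request.headers.get("Content-Length")
    if declared is not None and (not declared.isdigit() or int(declared) > MAX_PAYLOAD_SIZE):
        return None, ErrorResponse(413, "Content-Length invalid or too large")
    raw = request.body
    if len(raw) > MAX_PAYLOAD_SIZE:
        return None, ErrorResponse(413, "payload exceeds maximum allowed size")
    if not raw:
        return None, ErrorResponse(400, "empty request body")

    # 2. Content-Type: compare the media type only, ignoring parameters such as charset.
    content_type = request.headers.get("Content-Type", "")
    if content_type.split(";", 1)[0].strip().lower() != EXPECTED_CONTENT_TYPE:
        return None, ErrorResponse(415, f"unexpected Content-Type {content_type!r}")

    # 3. Transfer encoding: RFC 7030 bodies are base64 and may contain line breaks, so
    #    strip whitespace and decode strictly; validate=True rejects stray characters
    #    instead of silently skipping them.
    cte = request.headers.get("Content-Transfer-Encoding", "").strip().lower()
    if cte == "base64":
        try:
            raw = base64.b64decode(b"".join(raw.split()), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            return None, ErrorResponse(400, "body is not valid base64")
        if not raw:
            return None, ErrorResponse(400, "empty body after base64 decoding")
    elif cte:
        return None, ErrorResponse(400, f"unsupported Content-Transfer-Encoding {cte!r}")

    # 4. Cheap shape check before the real PKCS#10 parser runs: DER SEQUENCE tag 0x30.
    if raw[0] != 0x30:
        return None, ErrorResponse(400, "body is not a DER-encoded PKCS#10 request")
    return raw, None


if __name__ == "__main__":
    print(process_http_request(make_est_request(SAMPLE_DER)))
    print(process_http_request(FakeRequest(b"x" * (MAX_PAYLOAD_SIZE + 1))))
```

The order matters: the size cap runs before anything is decoded so an oversized body is rejected without the cost of base64 decoding or ASN.1 parsing, and the decoded bytes are what get size-checked again implicitly, since base64 only shrinks them.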

class est.views.EstRequestedDomainExtractorMixin[source]¶

Mixin to extract the requested domain.

This mixin sets:
  • self.requested_domain: The DomainModel instance based on the ‘domain’ parameter.

  • self.issuing_ca_certificate: The CA certificate for the requested domain.

  • self.signature_suite: The signature suite derived from the CA certificate.

requested_domain: pki.models.domain.DomainModel | None[source]¶
extract_requested_domain(domain_name)[source]¶

Extracts the requested domain and sets the relevant certificate and signature suite.

Returns:

A tuple (domain, error): the DomainModel matching domain_name with error None, or None and a LoggedHttpResponse if the domain cannot be resolved.

Parameters:

domain_name (str)

Return type:

tuple[pki.models.domain.DomainModel | None, LoggedHttpResponse | None]

class est.views.EstRequestedCertTemplateExtractorMixin[source]¶

Mixin to extract and validate the certificate template from request parameters.

requested_cert_template_str: str[source]¶
allowed_cert_templates: ClassVar[list[str]] = ['tls-server', 'tls-client', 'opc-ua-client', 'opc-ua-server', 'domaincredential'][source]¶
cert_template_classes: ClassVar[dict[str, type[object]]][source]¶
extract_cert_template(cert_template)[source]¶

Extract and validate the ‘certtemplate’ parameter, then delegate request processing.

Parameters:

cert_template (str)

Return type:

tuple[str | None, LoggedHttpResponse | None]

class est.views.EstPkiMessageSerializerMixin[source]¶

Bases: trustpoint.logger.LoggerMixin

Mixin to handle serialization and deserialization of PKCS#10 certificate signing requests.

extract_details_from_csr(csr, request_format)[source]¶

Loads the CSR (x509.CertificateSigningRequest) and extracts subject and SAN.

Parameters:
  • csr (cryptography.x509.CertificateSigningRequest)

  • request_format (str)

Return type:

CredentialRequest

_extract_serial_number(subject_attributes)[source]¶

Extracts the serial number from the subject attributes, returning None when the subject carries none.

Parameters:

subject_attributes (list[cryptography.x509.NameAttribute[Any]])

Return type:

str | None

_extract_common_name(subject_attributes)[source]¶

Extracts the common name from the subject attributes.

Parameters:

subject_attributes (list[cryptography.x509.NameAttribute[Any]])

Return type:

str

_extract_san(csr)[source]¶

Extract SAN (Subject Alternative Name) extension values.

Parameters:

csr (cryptography.x509.CertificateSigningRequest)

Return type:

tuple[list[str], list[ipaddress.IPv4Address], list[ipaddress.IPv6Address], list[str]]

deserialize_pki_message(data)[source]¶

Deserializes a DER-encoded PKCS#10 certificate signing request.

Parameters:

data (bytes) – DER-encoded PKCS#10 request bytes.

Returns:

A tuple (credential_request, csr, error). On success the first two elements hold the extracted CredentialRequest and the parsed cryptography.x509.CertificateSigningRequest and error is None; on failure both are None and error is a LoggedHttpResponse.

Raises:

ValueError – If deserialization fails.

Return type:

tuple[CredentialRequest | None, cryptography.x509.CertificateSigningRequest | None, LoggedHttpResponse | None]

verify_csr_signature(csr)[source]¶

Verifies that the CSR’s signature is valid using the public key contained in the CSR (proof of possession of the private key).

Supports RSA, ECDSA, and DSA public keys.

A valid signature only proves that the requester holds the private key matching the CSR; it says nothing about who the requester is, which is established separately by EstAuthenticationMixin.

Parameters:

csr (cryptography.x509.CertificateSigningRequest)

Return type:

None
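
An added example, not Trustpoint's code, of the deserialize / verify / extract path this mixin implements, written against the cryptography library that the page's type annotations already use. The CSR is generated inline with a fresh P-256 key (constructed test input), the CredentialRequest dataclass mirrors the page's fields minus public_key, and identity_key is this example's way of producing the subject-plus-SAN comparison that authenticate_reenrollment_application_credential describes. Function names other than the page's, and the RSA/EC-only key policy, are the example's own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


@dataclass
class CredentialRequest:  # same fields as the page's CredentialRequest, public_key left out
    common_name: str
    serial_number: str | None
    uniform_resource_identifiers: list[str] = field(default_factory=list)
    ipv4_addresses: list[ipaddress.IPv4Address] = field(default_factory=list)
    ipv6_addresses: list[ipaddress.IPv6Address] = field(default_factory=list)
    dns_names: list[str] = field(default_factory=list)
    request_format: str = "pkcs10"


def deserialize_pki_message(data: bytes) -> x509.CertificateSigningRequest:
    try:
        return x509.load_der_x509_csr(data)
    except ValueError as exc:
        raise ValueError("not a DER-encoded PKCS#10 request") from exc


def verify_csr_signature(csr: x509.CertificateSigningRequest) -> None:
    """Proof of possession: the signature must verify under the key embedded in the CSR."""
    if not isinstance(csr.public_key(), (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
        raise ValueError("only RSA and EC keys are accepted")  # example policy, not the page's
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")


def _single_attr(name: x509.Name, oid: x509.ObjectIdentifier) -> str | None:
    attrs = name.get_attributes_for_oid(oid)
    if len(attrs) > 1:  # ambiguous subjects are refused rather than silently taking the first
        raise ValueError(f"subject carries {len(attrs)} values for {oid.dotted_string}")
    return str(attrs[0].value) if attrs else None


def extract_san(csr: x509.CertificateSigningRequest):
    """Return (uris, ipv4, ipv6, dns); an absent SAN extension yields empty lists."""
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return [], [], [], []
    ips = san.get_values_for_type(x509.IPAddress)  # may also hold IP networks; those are dropped
    return (
        san.get_values_for_type(x509.UniformResourceIdentifier),
        [ip for ip in ips if isinstance(ip, ipaddress.IPv4Address)],
        [ip for ip in ips if isinstance(ip, ipaddress.IPv6Address)],
        [d.lower() for d in san.get_values_for_type(x509.DNSName)],
    )


def extract_details_from_csr(csr: x509.CertificateSigningRequest) -> CredentialRequest:
    cn = _single_attr(csr.subject, NameOID.COMMON_NAME)
    if cn is None:
        raise ValueError("CSR subject has no commonName")
    uris, v4, v6, dns = extract_san(csr)
    return CredentialRequest(cn, _single_attr(csr.subject, NameOID.SERIAL_NUMBER), uris, v4, v6, dns)


def parse_and_verify(der: bytes) -> CredentialRequest:
    """The path a simpleenroll body takes: deserialize, prove possession, then extract."""
    csr = deserialize_pki_message(der)
    verify_csr_signature(csr)
    return extract_details_from_csr(csr)


def csr_is_valid(der: bytes) -> bool:
    try:
        parse_and_verify(der)
        return True
    except ValueError:
        return False


def identity_key(req: CredentialRequest) -> tuple:
    """Normalised subject+SAN tuple; reenrollment compares this against the issued credential."""
    return (req.common_name, req.serial_number, tuple(sorted(req.dns_names)),
            tuple(sorted(map(str, req.ipv4_addresses + req.ipv6_addresses))),
            tuple(sorted(req.uniform_resource_identifiers)))


def build_csr(serial: str, cn: str) -> bytes:
    """Constructed test input: a fresh P-256 key signs a CSR with CN, serialNumber and a SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                         x509.NameAttribute(NameOID.SERIAL_NUMBER, serial)])
    san = x509.SubjectAlternativeName([x509.DNSName(f"{cn}.example.test"),
                                       x509.IPAddress(ipaddress.IPv4Address("10.0.0.7"))])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject).add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
```

The signature is checked before any subject data is trusted: a CSR whose subject bytes were altered after signing still parses but fails proof of possession, so nothing, including the serial number that DeviceHandlerMixin uses to look up the device, should be read from a CSR before verify_csr_signature has run.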

class est.views.DeviceHandlerMixin[source]¶

Extract the serial number from an X.509 CSR and retrieve or create a DeviceModel instance.

This mixin assumes the CSR is already deserialized into a cryptography.x509.CertificateSigningRequest object.

create_device_idevid(credential_request, domain, cert_template)[source]¶

Retrieves a DeviceModel instance using the serial number extracted from the provided CSR.

If a device with that serial number does not exist, a new one is created.

Parameters:
  • credential_request (CredentialRequest) – Details extracted from the CSR, including the serial number used to look up the device.

  • domain (pki.models.domain.DomainModel) – The DomainModel instance associated with this device.

  • cert_template (str) – The X.509 certificate template to use for this device.

Returns:

A DeviceModel instance corresponding to the extracted serial number.

Return type:

devices.models.DeviceModel

class est.views.CredentialIssuanceMixin[source]¶

Mixin to handle issuing credentials based on a given certificate template input.

Inputs of the issue_credential method:
  • cert_template_str: A string indicating the certificate template type.

    Supported values here: ‘tls-server’, ‘tls-client’, or ‘domaincredential’ (EstRequestedCertTemplateExtractorMixin.allowed_cert_templates additionally lists the OPC UA templates). The issuing class is looked up in cert_template_classes by this string.

  • device: The device instance for which the credential is issued.

  • domain: The domain instance used during credential issuance.

  • credential_request: The CredentialRequest extracted from the CSR.

The template-specific issuance methods draw on further inputs:
  • common_name: Used for ‘tls-client’ and ‘tls-server’ credentials.

  • validity_days: Used for ‘tls-client’ and ‘tls-server’ credentials.

  • ipv4_addresses, ipv6_addresses, domain_names: Used for ‘tls-server’ credentials.

  • csr: The certificate signing request, used only for ‘domaincredential’.

cert_template_classes: ClassVar[dict[str, type]][source]¶
_validate_subject_attributes(subject_attributes, allowed_subject_oids)[source]¶

Helper method to validate subject attributes.

Parameters:
  • subject_attributes (list[cryptography.x509.NameAttribute[Any]])

  • allowed_subject_oids (set[pyasn1.type.univ.ObjectIdentifier])

Return type:

None

issue_credential(cert_template_str, device, domain, credential_request)[source]¶

Issues a credential based on the specified certificate template and CSR.

This method handles the credential issuance process, which includes extracting the necessary details from the CSR and domain, and then issuing the requested certificate. The method supports both new certificate issuance and reenrollment.

Parameters:
  • cert_template_str (str) – The certificate template string indicating the type of certificate to issue (e.g., ‘tls-server’, ‘tls-client’, etc.).

  • device (DeviceModel) – The device for which the certificate is being issued.

  • domain (DomainModel) – The domain associated with the certificate issuance.

  • credential_request (CredentialRequest) – A CredentialRequest object containing processed information about the CSR

Returns:

The issued credential model that contains the issued certificate and related data.

Return type:

IssuedCredentialModel

Raises:

ValueError – If the certificate template is invalid or any other error occurs during issuance.

_issue_simpleenroll(device, domain, requested_cert_template_str, credential_request)[source]¶

Handles the credential issuance and raises an error if issuance fails.

Parameters:
  • device (devices.models.DeviceModel)

  • domain (pki.models.domain.DomainModel)

  • requested_cert_template_str (str)

  • credential_request (CredentialRequest)

Return type:

LoggedHttpResponse

_issue_based_on_template(cert_template_str, credential_request, device, domain)[source]¶

Issues the credential based on the selected template.

Parameters:
  • cert_template_str (str)

  • credential_request (CredentialRequest)

  • device (devices.models.DeviceModel)

  • domain (pki.models.domain.DomainModel)

Return type:

devices.models.IssuedCredentialModel | None

class est.views.OnboardingMixin(content=b'', status=None, *args, **kwargs)[source]¶

Bases: LoggedHttpResponse

A mixin that provides onboarding validation logic for issuing credentials.

Parameters:
  • content (str | bytes)

  • status (int | None)

  • args (Any)

  • kwargs (Any)

_validate_onboarding(device, credential_request, requested_cert_template_str)[source]¶

Validates if the device’s onboarding status is appropriate for credential issuance.

Parameters:
  • device (devices.models.DeviceModel)

  • credential_request (CredentialRequest)

  • requested_cert_template_str (str)

Return type:

LoggedHttpResponse | None

class est.views.EstSimpleEnrollmentView(content=b'', status=None, *args, **kwargs)[source]¶

Bases: EstAuthenticationMixin, EstHttpMixin, EstRequestedDomainExtractorMixin, EstRequestedCertTemplateExtractorMixin, EstPkiMessageSerializerMixin, DeviceHandlerMixin, CredentialIssuanceMixin, OnboardingMixin, trustpoint.logger.LoggerMixin, django.views.View

Handles simple EST (Enrollment over Secure Transport) enrollment requests.

This view processes certificate signing requests (CSRs), authenticates the client using either Mutual TLS or username/password, validates the device, and issues the requested certificate based on the certificate template specified in the request.

Parameters:
  • content (str | bytes)

  • status (int | None)

  • args (Any)

  • kwargs (Any)

post(request, *args, **kwargs)[source]¶

Handle POST requests for simple enrollment.

Parameters:
  • request (django.http.HttpRequest)

  • args (Any)

  • kwargs (Any)

Return type:

LoggedHttpResponse

class est.views.EstSimpleReEnrollmentView(content=b'', status=None, *args, **kwargs)[source]¶

Bases: EstAuthenticationMixin, EstHttpMixin, EstRequestedDomainExtractorMixin, EstRequestedCertTemplateExtractorMixin, EstPkiMessageSerializerMixin, DeviceHandlerMixin, CredentialIssuanceMixin, OnboardingMixin, trustpoint.logger.LoggerMixin, django.views.View

Handles simple EST (Enrollment over Secure Transport) reenrollment requests.

This view processes certificate signing requests (CSRs), authenticates the client using either Mutual TLS or username/password, validates the device, and issues the requested certificate based on the certificate template specified in the request. For reenrollment the mutual-TLS client certificate may be the application credential being renewed (see authenticate_reenrollment_application_credential), in which case the subject and SAN of the CSR must match the existing issued credential.

Parameters:
  • content (str | bytes)

  • status (int | None)

  • args (Any)

  • kwargs (Any)

post(request, *args, **kwargs)[source]¶

Handle POST requests for simple reenrollment.

Parameters:
  • request (django.http.HttpRequest)

  • args (Any)

  • kwargs (Any)

Return type:

LoggedHttpResponse

class est.views.EstCACertsView(**kwargs)[source]¶

Bases: EstAuthenticationMixin, EstRequestedDomainExtractorMixin, django.views.View, trustpoint.logger.LoggerMixin

View to handle the EST /cacerts endpoint.

Returns the CA certificate chain in a (simplified) PKCS#7 MIME format. RFC 7030 Section 4.1.3 specifies this response as a base64-encoded certs-only CMS structure with Content-Type application/pkcs7-mime.

URL pattern should supply the ‘domain’ parameter (e.g., /cacerts/<domain>/).

Because the chain arrives over the same TLS connection, a client that does not yet hold a trust anchor for this server must treat the response as bootstrap material and accept it only after an out-of-band check, as described in RFC 7030 Section 4.1.1.

get(request, *args, **kwargs)[source]¶

Handle GET requests for the /cacerts endpoint.

This method retrieves the CA certificate chain and returns it in PKCS#7 MIME format.

Parameters:
  • request (django.http.HttpRequest)

  • args (Any)

  • kwargs (Any)

Return type:

LoggedHttpResponse

class est.views.EstCsrAttrsView(**kwargs)[source]¶

Bases: django.views.View, trustpoint.logger.LoggerMixin

View to handle the EST /csrattrs endpoint.

This endpoint is not supported and returns 404 Not Found, which RFC 7030 Section 4.5.2 permits (alongside 204 No Content) as the signal that no CSR attributes are available.

get(request, *args, **kwargs)[source]¶

Handle GET requests for the /csrattrs endpoint.

Parameters:
  • request (django.http.HttpRequest)

  • args (Any)

  • kwargs (Any)

Return type:

django.http.HttpResponseBase