pki.util.x509¶

Handles certificate creation for Issuing CA certificates.

Attributes¶

logger

Exceptions¶

ClientCertificateAuthenticationError

Exception raised for general client certificate authentication failures.

Classes¶

`CertificateGenerator`	Methods for generating X.509 certificates.
`ApacheTLSClientCertExtractor`	Extracts the TLS client certificate from the request.

Module Contents¶

pki.util.x509.logger[source]¶

class pki.util.x509.CertificateGenerator[source]¶

Methods for generating X.509 certificates.

static create_root_ca(cn, validity_days=7300, private_key=None, hash_algorithm=None)[source]¶

Creates a root CA certificate for testing and AutoGenPKI.

Parameters:

cn (str)
validity_days (int)
private_key (None | cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey | cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey)
hash_algorithm (None | cryptography.hazmat.primitives.hashes.HashAlgorithm)

Return type:

tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]

static create_issuing_ca(issuer_private_key, issuer_cn, subject_cn, private_key=None, validity_days=3650, hash_algorithm=None)[source]¶

Creates an issuing CA certificate + key pair.

Parameters:

issuer_private_key (None | trustpoint_core.crypto_types.PrivateKey)
issuer_cn (str)
subject_cn (str)
private_key (None | trustpoint_core.crypto_types.PrivateKey)
validity_days (int)
hash_algorithm (None | cryptography.hazmat.primitives.hashes.HashAlgorithm)

Return type:

tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]

static create_ee(issuer_private_key, issuer_cn, subject_name, private_key=None, extensions=None, validity_days=365)[source]¶

Creates a generic end entity certificate + key pair.

Parameters:

issuer_private_key (trustpoint_core.crypto_types.PrivateKey)
issuer_cn (str)
subject_name (str | cryptography.x509.Name)
private_key (None | trustpoint_core.crypto_types.PrivateKey)
extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None)
validity_days (int)

Return type:

tuple[cryptography.x509.Certificate, trustpoint_core.crypto_types.PrivateKey]

static create_test_pki(chain_depth=0)[source]¶

Get a test PKI chain with a specified depth (excluding root CA). depth=0 is a self-signed EE.

Parameters:: chain_depth (int)
Return type:: tuple[list[cryptography.x509.Certificate], list[trustpoint_core.crypto_types.PrivateKey]]

static save_issuing_ca(issuing_ca_cert, chain, private_key, unique_name='issuing_ca', ca_type=IssuingCaModel.IssuingCaTypeChoice.LOCAL_UNPROTECTED)[source]¶

Saves an Issuing CA certificate to the database.

Parameters:

issuing_ca_cert (cryptography.x509.Certificate)
chain (list[cryptography.x509.Certificate])
private_key (trustpoint_core.crypto_types.PrivateKey)
unique_name (str)
ca_type (pki.models.IssuingCaModel.IssuingCaTypeChoice)

Return type:

pki.models.IssuingCaModel

exception pki.util.x509.ClientCertificateAuthenticationError[source]¶

Bases: Exception

Exception raised for general client certificate authentication failures.

class pki.util.x509.ApacheTLSClientCertExtractor[source]¶

Extracts the TLS client certificate from the request.

static get_client_cert_as_x509(request)[source]¶

Retrieve the client certificate from the request and convert it to an x509.Certificate object.

Parameters:: request (django.http.HttpRequest) – Django HttpRequest containing the headers.
Returns:: x509.Certificate object.
Raises:: ClientCertificateAuthenticationError – if no client certificate found or it is not a valid PEM-encoded cert.
Return type:: tuple[cryptography.x509.Certificate, list[cryptography.x509.Certificate]]