pki.models.credential
=====================

.. py:module:: pki.models.credential

.. autoapi-nested-parse::

   Module that contains the CredentialModel.


Exceptions
----------

.. autoapisummary::

   pki.models.credential.CredentialAlreadyExistsError


Classes
-------

.. autoapisummary::

   pki.models.credential.CredentialModel
   pki.models.credential.CertificateChainOrderModel
   pki.models.credential.IDevIDReferenceModel
   pki.models.credential.OwnerCredentialModel


Module Contents
---------------

.. py:exception:: CredentialAlreadyExistsError(*args, **kwargs)

   Bases: :py:obj:`django.core.exceptions.ValidationError`

   The CredentialAlreadyExistsError is raised if a credential already exists in the database.


.. py:class:: CredentialModel(*args, **kwargs)

   Bases: :py:obj:`trustpoint.logger.LoggerMixin`, :py:obj:`util.db.CustomDeleteActionModel`

   The CredentialModel that holds all local credentials used by the Trustpoint.

   This model holds both local unprotected credentials, for which the keys and certificates are stored in the DB,
   and credentials that are stored within an HSM or TPM utilizing PKCS#11.

   PKCS#11 credentials are not yet supported.


   .. py:class:: CredentialTypeChoice(*args, **kwds)

      Bases: :py:obj:`django.db.models.IntegerChoices`

      The CredentialTypeChoice defines the type of the credential and thus implicitly restricts its usage.

      It is intended to limit the credential usage to specific cases, e.g. usage as Issuing CA.
      The abstractions using the CredentialModel are responsible for checking that the credential has the
      correct and expected CredentialTypeChoice.


      .. py:attribute:: TRUSTPOINT_TLS_SERVER

      .. py:attribute:: ROOT_CA

      .. py:attribute:: ISSUING_CA

      .. py:attribute:: ISSUED_CREDENTIAL

      .. py:attribute:: DEV_OWNER_ID


   .. py:attribute:: credential_type

   .. py:attribute:: private_key

   .. py:attribute:: certificate

   .. py:attribute:: certificates

   .. py:attribute:: certificate_chain

   .. py:attribute:: created_at


   .. py:method:: __repr__()

      Returns a string representation of this CredentialModel entry.


   .. py:method:: __str__()

      Returns a human-readable string that represents this CredentialModel entry.

      :returns: Human-readable string that represents this CredentialModel entry.
      :rtype: str


   .. py:method:: clean()

      Validates the CredentialModel instance.


   .. py:method:: save_credential_serializer(credential_serializer, credential_type)
      :classmethod:

      This method will try to normalize the credential_serializer and then save it to the database.

      :param credential_serializer: The credential serializer to store in the database.
      :param credential_type: The credential type to set.

      :returns: The stored credential model.
      :rtype: CredentialModel


   .. py:property:: ordered_certificate_chain_queryset
      :type: django.db.models.QuerySet[CertificateChainOrderModel]

      Gets the ordered certificate chain queryset.


   .. py:method:: _save_normalized_credential_serializer(normalized_credential_serializer, credential_type)
      :classmethod:

      This method will store a credential that is expected to be normalized.

      :param normalized_credential_serializer: The normalized credential serializer to store in the database.
      :param credential_type: The credential type to set.

      :returns: The stored credential model.
      :rtype: CredentialModel


   .. py:method:: save_keyless_credential(certificate, certificate_chain, credential_type)
      :classmethod:

      Stores a credential without a private key.


   .. py:method:: update_keyless_credential(certificate, certificate_chain)

      Updates the primary certificate and certificate chain of the credential.

      Previous certificates are kept as part of the credential.


   .. py:method:: pre_delete()

      Deletes related models; deletion is only allowed if there are no more active certificates.


   .. py:method:: get_private_key()

      Gets an abstraction of the credential private key.

      Note, in the case of keys stored in an HSM or TPM using PKCS#11, it will only be possible to use the key
      abstraction to sign and verify, but not to export the key in any way.

      :returns: The credential private key abstraction.
      :rtype: PrivateKey


   .. py:method:: get_private_key_serializer()

      Gets a serializer of the credential private key.

      :returns: The credential private key abstraction.
      :rtype: PrivateKey


   .. py:method:: get_certificate()

      Gets the credential certificate as x509.Certificate instance.

      :returns: The credential certificate.
      :rtype: x509.Certificate


   .. py:method:: get_certificate_chain()

      Gets the credential certificate chain as a list of x509.Certificate instances.

      :returns: The credential certificate chain as list of x509.Certificate instances.
      :rtype: list[x509.Certificate]


   .. py:method:: get_certificate_serializer()

      Gets the credential certificate as a CertificateSerializer instance.

      :returns: The credential certificate.
      :rtype: CertificateSerializer


   .. py:method:: get_certificate_chain_serializer()

      Gets the credential certificate chain as a CertificateCollectionSerializer instance.

      :returns: The credential certificate chain.
      :rtype: CertificateCollectionSerializer


   .. py:method:: get_last_in_chain()

      Gets the root CA certificate model, if any.


   .. py:method:: get_root_ca_certificate()

      Gets the root CA certificate of the credential certificate chain.


   .. py:method:: get_root_ca_certificate_serializer()

      Gets the root CA certificate serializer.


   .. py:method:: get_credential_serializer()

      Gets the serializer for this credential.


   .. py:property:: signature_suite
      :type: trustpoint_core.oid.SignatureSuite

      Returns the signature suite used by the current credential primary certificate.


   .. py:property:: public_key_info
      :type: trustpoint_core.oid.PublicKeyInfo

      Returns the PublicKeyInfo of the current credential primary certificate.


   .. py:property:: hash_algorithm
      :type: cryptography.hazmat.primitives.hashes.HashAlgorithm | None

      Returns the hash algorithm used by the current credential.


   .. py:method:: is_valid_issued_credential()

      Determines if this issued credential is valid.

      This method performs the following checks:

      1. The credential must be of type ISSUED_CREDENTIAL.
      2. A primary certificate must exist.
      3. The certificate's status must be 'OK'.

      :returns: A tuple where:

                - The first value is True if the credential meets all criteria, False otherwise.
                - The second value is a reason string explaining why the credential is invalid.
      :rtype: tuple[bool, str]


.. py:class:: CertificateChainOrderModel(*args, **kwargs)

   Bases: :py:obj:`django.db.models.Model`

   This Model is used to preserve the order of certificates in credential certificate chains.


   .. py:attribute:: certificate

   .. py:attribute:: credential

   .. py:attribute:: order

   .. py:attribute:: primary_certificate


   .. py:class:: Meta

      This Meta class adds some configuration to the CertificateChainOrderModel.

      Sets the default ordering such that the field order is used.
      Restricts entries such that the tuple (credential, order) is unique.


      .. py:attribute:: ordering
         :type: ClassVar
         :value: ['order']


      .. py:attribute:: constraints
         :type: ClassVar


   .. py:method:: __repr__()

      Returns a string representation of this CertificateChainOrderModel entry.


   .. py:method:: __str__()

      Returns a human-readable string that represents this CertificateChainOrderModel entry.

      :returns: Human-readable string that represents this CertificateChainOrderModel entry.
      :rtype: str


   .. py:method:: save(*args, **kwargs)

      Stores a CertificateChainOrderModel in the database.

      This is only possible if the order takes the next available value. That is, e.g. if the corresponding
      credential certificate chain already has two certificates stored with order 0 and 1, then the next entry
      to be stored must have order 2.

      :param \*args: Positional arguments, passed to super().save()
      :param \*\*kwargs: Keyword arguments, passed to super().save()

      :returns: None

      :raises ValueError: If the CertificateChainOrderModel entry to be stored does not have the correct order.


   .. py:method:: delete(*args, **kwargs)

      Tries to delete the CertificateChainOrderModel entry.

      A CertificateChainOrderModel entry can only be deleted if it has the highest order in the corresponding
      credential certificate chain.

      :param \*args: Positional arguments, passed to super().delete()
      :param \*\*kwargs: Keyword arguments, passed to super().delete()

      :returns: tuple[int, dict[str, int]] (returned by parent)

      :raises ValueError: If the CertificateChainOrderModel entry does not have the highest order in the
          corresponding credential certificate chain.


   .. py:method:: _get_max_order()

      Gets the highest order of a certificate of a credential certificate chain.

      :returns: The highest order of a certificate of a credential certificate chain.
      :rtype: int


.. py:class:: IDevIDReferenceModel(*args, **kwargs)

   Bases: :py:obj:`django.db.models.Model`

   Model to store the string referencing an IDevID certificate.

   Obtained from the SAN of the DevOwnerID certificate.


   .. py:attribute:: dev_owner_id

   .. py:attribute:: idevid_ref


   .. py:method:: __str__()

      Returns a human-readable string that represents this IDevIDRefSanModel entry.


   .. py:property:: idevid_subject_serial_number
      :type: str

      Returns the IDevID Subject Serial Number from the SAN of the DevOwnerID certificate.


   .. py:property:: idevid_x509_serial_number
      :type: str

      Returns the IDevID X.509 Serial Number from the SAN of the DevOwnerID certificate.


   .. py:property:: idevid_sha256_fingerprint
      :type: str

      Returns the IDevID SHA256 Fingerprint from the SAN of the DevOwnerID certificate.


.. py:class:: OwnerCredentialModel(*args, **kwargs)

   Bases: :py:obj:`trustpoint.logger.LoggerMixin`, :py:obj:`util.db.CustomDeleteActionModel`

   Device owner credential model.

   This model is a wrapper to store a DevOwnerID Credential for use by devices to trust the Trustpoint.


   .. py:attribute:: unique_name

   .. py:attribute:: credential
      :type: CredentialModel

   .. py:attribute:: created_at


   .. py:method:: __str__()

      Returns a human-readable string that represents this OwnerCredentialModel entry.

      :returns: Human-readable string that represents this OwnerCredentialModel entry.
      :rtype: str


   .. py:method:: __repr__()

      Returns a string representation of the OwnerCredentialModel instance.


   .. py:method:: create_new_owner_credential(unique_name, credential_serializer)
      :classmethod:

      Creates a new owner credential model and returns it.

      :param unique_name: The unique name that will be used to identify the Owner Credential.
      :param credential_serializer: The credential as CredentialSerializer instance.

      :returns: The newly created owner credential model.
      :rtype: OwnerCredentialModel


   .. py:method:: post_delete()

      Deletes the credential of this owner credential after deleting it.
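The ordering rule documented for ``CertificateChainOrderModel.save()`` and ``delete()`` above (an entry may only be stored with the next available ``order`` value, and only the entry with the highest ``order`` may be deleted, so the ``(credential, order)`` sequence stays contiguous and unique) is shown here as an added, stand-alone example. It is not Trustpoint's code and does not use Django: the table is modelled by an in-memory list, and the names ``ChainEntry``, ``ChainOrderStore`` and ``demo`` are hypothetical. It also assumes, as a labelled assumption, that the last entry in order is the root CA, matching ``get_last_in_chain()``.

```python
"""Added example, not part of pki.models.credential: plain-Python model of the
CertificateChainOrderModel invariants (append only at max+1, delete only the
highest order). Names ChainEntry / ChainOrderStore / demo are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChainEntry:
    """One row of the (credential, order) table; ``certificate`` is only a label here."""

    credential: str
    order: int
    certificate: str


@dataclass
class ChainOrderStore:
    """In-memory stand-in for the DB table with a unique (credential, order) constraint."""

    rows: list[ChainEntry] = field(default_factory=list)

    def _max_order(self, credential: str) -> int:
        """Mirror of _get_max_order(): highest stored order, or -1 for an empty chain."""
        orders = [r.order for r in self.rows if r.credential == credential]
        return max(orders) if orders else -1

    def save(self, entry: ChainEntry) -> None:
        """Mirror of save(): only the next available order value may be stored."""
        expected = self._max_order(entry.credential) + 1
        if entry.order != expected:
            raise ValueError(
                f'chain for {entry.credential!r}: expected order {expected}, got {entry.order}'
            )
        self.rows.append(entry)

    def delete(self, credential: str, order: int) -> None:
        """Mirror of delete(): only the entry with the highest order may be removed."""
        highest = self._max_order(credential)
        if order != highest:
            raise ValueError(f'chain for {credential!r}: only order {highest} may be deleted')
        self.rows = [r for r in self.rows if not (r.credential == credential and r.order == order)]

    def ordered_chain(self, credential: str) -> list[str]:
        """Mirror of ordered_certificate_chain_queryset: certificates sorted by order."""
        return [r.certificate for r in sorted(self.rows, key=lambda r: r.order) if r.credential == credential]

    def last_in_chain(self, credential: str) -> str | None:
        """Mirror of get_last_in_chain(): assumption: the highest-order entry is the root CA."""
        chain = self.ordered_chain(credential)
        return chain[-1] if chain else None


def demo() -> dict[str, object]:
    """Constructed walk-through: build a two-entry chain, then try out-of-order writes and deletes."""
    store = ChainOrderStore()
    store.save(ChainEntry('cred-1', 0, 'intermediate-ca'))
    store.save(ChainEntry('cred-1', 1, 'root-ca'))
    results: dict[str, object] = {
        'chain': store.ordered_chain('cred-1'),
        'last': store.last_in_chain('cred-1'),
    }
    try:
        store.save(ChainEntry('cred-1', 3, 'bogus'))  # gap: 2 is the next available order
        results['gap_rejected'] = False
    except ValueError:
        results['gap_rejected'] = True
    try:
        store.delete('cred-1', 0)  # not the highest order in the chain
        results['middle_delete_rejected'] = False
    except ValueError:
        results['middle_delete_rejected'] = True
    store.delete('cred-1', 1)  # highest order: allowed
    results['after_delete'] = store.ordered_chain('cred-1')
    return results


if __name__ == '__main__':
    print(demo())
```

Keeping the chain contiguous and append-only at the tail is what makes the stored order trustworthy as a verification path: a gap or an out-of-place removal would leave the issuer-to-root sequence ambiguous, which is why both ``save()`` and ``delete()`` reject such writes with ``ValueError`` rather than silently reordering.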