request.clients.cmp_client ========================== .. py:module:: request.clients.cmp_client .. autoapi-nested-parse:: CMP (Certificate Management Protocol) client implementation. This client enables Trustpoint to communicate with external CMP servers in two modes: 1. Direct client: Trustpoint requests certificates for itself 2. Registration Authority (RA): Trustpoint forwards device requests to upstream PKI Module Contents --------------- .. py:data:: DEFAULT_CMP_PORT :value: 443 .. py:data:: DEFAULT_CMP_TIMEOUT :value: 30 .. py:exception:: CmpClientError Bases: :py:obj:`Exception` Base exception for CMP client errors. .. py:class:: CmpClient(context, timeout = DEFAULT_CMP_TIMEOUT) Bases: :py:obj:`trustpoint.logger.LoggerMixin` CMP client for communicating with CMP servers according to RFC 9483. This client implements the CMP protocol for forwarding PKI messages to upstream CMP servers. It supports two primary use cases: 1. **Trustpoint as CMP client**: Trustpoint creates and sends its own CMP requests to obtain certificates from an upstream PKI. 2. **Trustpoint as Registration Authority (RA)**: Trustpoint receives CMP requests from devices, validates them, and forwards them to an upstream PKI, acting as a trusted intermediary. The client works with complete rfc4210.PKIMessage objects, allowing full control over the CMP protocol interaction. .. py:attribute:: context .. py:attribute:: timeout :value: 30 .. py:method:: send_pki_message(pki_message, *, add_shared_secret_protection = False) Send a PKI message to the CMP server and return the response. :param pki_message: The complete PKI message to send. This should be a properly constructed rfc4210.PKIMessage with header and body. :param add_shared_secret_protection: If True, adds HMAC-based protection using the shared secret from context. If False, the message must already be protected. :returns: A tuple of (parsed_response_message, raw_response_bytes). The raw bytes are preserved for DER-level certificate extraction. :raises CmpClientError: If the request fails or response is invalid. .. py:method:: send_and_extract_certificate(pki_message, *, add_shared_secret_protection = False) Send a certification/initialization request and extract the issued certificate. Convenience method that combines send_pki_message() and certificate extraction for the common case of requesting a certificate. :param pki_message: The CR or IR PKI message to send. :param add_shared_secret_protection: Whether to add HMAC protection. :returns: A tuple of (issued_certificate, chain_certificates). The chain certificates are from the ``extraCerts`` field of the response. :raises CmpClientError: If the request fails or certificate extraction fails.