devices.issuer

Module for issuing and managing TLS and OPC UA credentials.

Module Contents

class devices.issuer.SaveCredentialToDbMixin[source]

Bases: trustpoint.logger.LoggerMixin

Mixin to handle saving credentials to the database.

property device: devices.models.DeviceModel[source]
Abstractmethod:

Return type:

devices.models.DeviceModel

Abstract property that has to be implemented by the derived class.

property domain: pki.models.domain.DomainModel[source]
Abstractmethod:

Return type:

pki.models.domain.DomainModel

Abstract property that has to be implemented by the derived class.

class devices.issuer.CredentialSaver(device, domain)[source]

Bases: SaveCredentialToDbMixin

A basic class for saving credentials to the database.

Parameters:
property device: devices.models.DeviceModel[source]

Gets the device associated with this credential saver.

Returns:

The device linked to the issued credential.

Return type:

DeviceModel

property domain: pki.models.domain.DomainModel[source]

Gets the domain associated with this credential saver.

Returns:

The domain linked to the issued credential.

Return type:

DomainModel

save_credential(credential, common_name, issued_credential_type, cert_profile_disp_name)[source]

Saves a credential with a private key to the database.

Parameters:
Return type:

pki.models.issued_credential.IssuedCredentialModel

save_keyless_credential(certificate, certificate_chain, common_name, issued_credential_type, cert_profile_disp_name)[source]

Saves a keyless (i.e. private key stays on requesting device) credential to the database.

Parameters:
Return type:

pki.models.issued_credential.IssuedCredentialModel

save_remote_keyless_credential(certificate, certificate_chain, common_name, issued_using_cert_profile)[source]

Saves a keyless credential issued via a remote/RA CA as a RemoteIssuedCredentialModel.

Parameters:
  • certificate (cryptography.x509.Certificate)

  • certificate_chain (list[cryptography.x509.Certificate])

  • common_name (str)

  • issued_using_cert_profile (str)

Return type:

pki.models.issued_credential.RemoteIssuedCredentialModel

class devices.issuer.BaseTlsCredentialIssuer(device, domain)[source]

Bases: SaveCredentialToDbMixin

Base class for issuing TLS credentials.

This class provides common functionality for creating and saving TLS certificates and key pairs for different use cases, including TLS client, server, domain, and OPC UA credentials.

Parameters:
property device: devices.models.DeviceModel[source]

Gets the device associated with this credential issuer.

Returns:

The device linked to the issued credential.

Return type:

DeviceModel

property domain: pki.models.domain.DomainModel[source]

Gets the domain associated with this credential issuer.

Returns:

The domain linked to the issued credential.

Return type:

DomainModel

property serial_number: str[source]

Gets the serial number of the associated device.

Returns:

The serial number of the device.

Return type:

str

property domain_component: str[source]

Gets the unique name of the domain component.

Returns:

The unique name of the domain.

Return type:

str

property pseudonym: str[source]

Gets the pseudonym associated with this issuer.

Returns:

The predefined pseudonym for the credential issuer.

Return type:

str

classmethod get_fixed_values(device, domain)[source]

Retrieves a dictionary of fixed values related to the device and domain.

Parameters:
Returns:

A dictionary containing the pseudonym, domain component, and serial number of the device.

Return type:

dict[str, str]

class devices.issuer.LocalTlsClientCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing TLS client credentials.

Parameters:
issue_tls_client_credential(common_name, validity_days)[source]

Issues a TLS client credential.

Parameters:
  • common_name (str) – The common name for the certificate.

  • validity_days (int) – The validity period in days.

  • public_key – The public key to be included in the certificate.

Returns:

The issued credential model.

Return type:

pki.models.issued_credential.IssuedCredentialModel

issue_tls_client_certificate(common_name, validity_days, public_key)[source]

Issues a TLS client certificate without a private key.

Parameters:
  • common_name (str) – Certificate common name.

  • validity_days (int) – Certificate validity period.

  • public_key (trustpoint_core.crypto_types.PublicKey) – Public key for the certificate.

Returns:

The issued TLS client certificate.

Return type:

pki.models.issued_credential.IssuedCredentialModel

class devices.issuer.LocalTlsServerCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing TLS server credentials.

Parameters:
issue_tls_server_credential(common_name, ipv4_addresses, ipv6_addresses, domain_names, validity_days, *, san_critical=False)[source]

Issues a TLS server credential with a private key.

Generates a TLS server certificate and private key, including SAN extensions, and saves the credential in the database.

Parameters:
  • common_name (str) – Certificate common name.

  • ipv4_addresses (list[ipaddress.IPv4Address]) – IPv4 addresses for SAN.

  • ipv6_addresses (list[ipaddress.IPv6Address]) – IPv6 addresses for SAN.

  • domain_names (list[str]) – Domain names for SAN.

  • validity_days (int) – Certificate validity period.

  • san_critical (bool) – Whether SAN is critical. Defaults to False.

Returns:

The issued TLS server credential.

Return type:

pki.models.issued_credential.IssuedCredentialModel

issue_tls_server_certificate(common_name, ipv4_addresses, ipv6_addresses, domain_names, validity_days, public_key, *, san_critical=False)[source]

Issues a TLS server certificate without a private key.

Parameters:
  • common_name (str) – Certificate common name.

  • ipv4_addresses (list[ipaddress.IPv4Address]) – IPv4 addresses for SAN.

  • ipv6_addresses (list[ipaddress.IPv6Address]) – IPv6 addresses for SAN.

  • domain_names (list[str]) – Domain names for SAN.

  • validity_days (int) – Certificate validity period.

  • public_key (trustpoint_core.crypto_types.PublicKey) – Public key for the certificate.

  • san_critical (bool) – Whether SAN is critical. Defaults to False.

Returns:

The issued TLS server certificate.

Return type:

pki.models.issued_credential.IssuedCredentialModel

class devices.issuer.LocalDomainCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Handles issuing domain credentials.

Parameters:
DOMAIN_CREDENTIAL_CN = 'Trustpoint Domain Credential'[source]
issue_domain_credential(application_uri=None, extra_extensions=None)[source]

Issues a domain credential for a device.

Parameters:
  • application_uri (str | None) – Optional application URI to include in the certificate.

  • extra_extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – Optional list of additional certificate extensions to include. If provided, these will override the default extensions (except BasicConstraints).

Returns:

The issued domain credential model.

Return type:

pki.models.issued_credential.IssuedCredentialModel

issue_domain_credential_certificate(public_key, extra_extensions=None)[source]

Issues a domain credential certificate.

Parameters:
  • public_key (trustpoint_core.crypto_types.PublicKey) – The public key associated with the issued certificate.

  • extra_extensions (list[tuple[cryptography.x509.ExtensionType, bool]] | None) – Optional list of additional certificate extensions to include. If provided, these will override the default extensions (except BasicConstraints).

Returns:

The issued domain credential certificate model.

Return type:

pki.models.issued_credential.IssuedCredentialModel

class devices.issuer.OpcUaServerCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Issues OPC UA server credentials.

Parameters:
issue_opc_ua_server_credential(common_name, application_uri, ipv4_addresses, ipv6_addresses, domain_names, validity_days=365)[source]

Issues an OPC UA server credential (certificate + private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str)

  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

  • validity_days (int)

Return type:

pki.models.issued_credential.IssuedCredentialModel

issue_opc_ua_server_certificate(common_name, application_uri, ipv4_addresses, ipv6_addresses, domain_names, validity_days, public_key)[source]

Issues an OPC UA server certificate (no private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • ipv4_addresses (list[ipaddress.IPv4Address])

  • ipv6_addresses (list[ipaddress.IPv6Address])

  • domain_names (list[str])

  • validity_days (int)

  • public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

pki.models.issued_credential.IssuedCredentialModel

class devices.issuer.OpcUaClientCredentialIssuer(device, domain)[source]

Bases: BaseTlsCredentialIssuer

Issues OPC UA client credentials.

Parameters:
issue_opc_ua_client_credential(common_name, application_uri, validity_days=365)[source]

Issues an OPC UA client credential (certificate + private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • validity_days (int)

Return type:

pki.models.issued_credential.IssuedCredentialModel

issue_opc_ua_client_certificate(common_name, application_uri, validity_days, public_key)[source]

Issues an OPC UA client certificate (no private key) following OPC UA security standards.

Parameters:
  • common_name (str)

  • application_uri (str | list[str])

  • validity_days (int)

  • public_key (trustpoint_core.crypto_types.PublicKey)

Return type:

pki.models.issued_credential.IssuedCredentialModel