pki.authorization

Security-policy authorization checks for PKI objects (CAs and certificates).

Module Contents

class pki.authorization.HasCaModel[source]

Bases: Protocol

Structural type satisfied by CaModel.

Any object exposing ca_certificate_model, is_self_signed_ca, and crl_validity_hours attributes qualifies.

property ca_certificate_model: pki.models.certificate.CertificateModel | None[source]

Return the CertificateModel for this CA, or None.

Return type:

pki.models.certificate.CertificateModel | None

property crl_validity_hours: float[source]

Return the configured CRL validity in hours.

Return type:

float

class pki.authorization.PkiCheckStrategy[source]

Bases: abc.ABC

Abstract base for a single PKI security-policy check.

abstractmethod check(ca, cfg)[source]

Execute the check.

Parameters:
Raises:

ValueError – If the CA violates the policy.

Return type:

None

class pki.authorization.PkiSecurityAuthorization(strategies=None)[source]

Bases: trustpoint.logger.LoggerMixin

Runs all PKI security-policy checks against the active SecurityConfig.

Parameters:

strategies (list[PkiCheckStrategy] | None)

check(ca)[source]

Run all PKI policy checks against ca.

Parameters:

ca (pki.models.ca.CaModel)

Return type:

None