pki.models.credentialΒΆ
Module that contains the CredentialModel.
Module ContentsΒΆ
- exception pki.models.credential.CredentialAlreadyExistsError(*args, **kwargs)[source]ΒΆ
Bases:
django.core.exceptions.ValidationErrorThe CredentialAlreadyExistsError is raised if a credential already exists in the database.
- Parameters:
args (Any)
kwargs (Any)
- class pki.models.credential.PKCS11Key(*args, **kwargs)[source]ΒΆ
Bases:
django.db.models.ModelModel representing a private key stored in a PKCS#11 HSM/token.
- class KeyType(*args, **kwds)[source]ΒΆ
Bases:
django.db.models.TextChoicesSupported key types in PKCS#11.
- class Meta[source]ΒΆ
Meta class to define unique constraints and verbose names for the PKCS11Key model.
- get_pkcs11_key_instance(lib_path, user_pin)[source]ΒΆ
Get the appropriate PKCS#11 key instance.
- Parameters:
lib_path (str)
user_pin (str)
- Return type:
management.pkcs11_util.Pkcs11RSAPrivateKey | management.pkcs11_util.Pkcs11ECPrivateKey | management.pkcs11_util.Pkcs11AESKey
- class pki.models.credential.CredentialModel(*args, **kwargs)[source]ΒΆ
Bases:
trustpoint.logger.LoggerMixin,util.db.CustomDeleteActionModelThe CredentialModel that holds all local credentials used by the Trustpoint.
This model holds both local unprotected credentials, for which the keys and certificates are stored in the DB, but also credentials that are stored within an HSM or TPM utilizing PKCS#11.
PKCS#11 credentials are not yet supported.
- class CredentialTypeChoice(*args, **kwds)[source]ΒΆ
Bases:
django.db.models.IntegerChoicesThe CredentialTypeChoice defines the type of the credential and thus implicitly restricts its usage.
It is intended to limit the credential usage to specific cases, e.g. usage as Issuing CA. The abstractions using the CredentialModel are responsible to check that the credential has the correct and expected CredentialTypeChoice.
- certificate_chain: django.db.models.ManyToManyField[pki.models.CertificateModel, CertificateChainOrderModel][source]ΒΆ
- property certificate_or_error: pki.models.CertificateModel[source]ΒΆ
Returns the certificate, raising an error if it is None.
- Returns:
The non-null certificate.
- Return type:
- Raises:
ValueError β If certificate is None.
- classmethod save_credential_serializer(credential_serializer, credential_type)[source]ΒΆ
This method will try to normalize the credential_serializer and then save it to the database.
- Parameters:
credential_serializer (trustpoint_core.serializer.CredentialSerializer) β The credential serializer to store in the database.
credential_type (CredentialModel) β The credential type to set.
- Returns:
The stored credential model.
- Return type:
- property ordered_certificate_chain_queryset: django.db.models.QuerySet[CertificateChainOrderModel][source]ΒΆ
Gets the ordered certificate chain queryset.
- Return type:
django.db.models.QuerySet[CertificateChainOrderModel]
- classmethod save_keyless_credential(certificate, certificate_chain, credential_type)[source]ΒΆ
Stores a credential without a private key.
- Parameters:
certificate (cryptography.x509.Certificate)
certificate_chain (list[cryptography.x509.Certificate])
credential_type (CredentialModel)
- Return type:
- update_keyless_credential(certificate, certificate_chain)[source]ΒΆ
Updates the primary certificate and certificate chain of the credential.
Previous certificates are kept as part of the credential.
- Parameters:
certificate (cryptography.x509.Certificate)
certificate_chain (list[cryptography.x509.Certificate])
- Return type:
None
- pre_delete()[source]ΒΆ
Deletes related models, only allow deletion if there are no more active certificates.
- Return type:
None
- get_private_key()[source]ΒΆ
Gets an abstraction of the credential private key.
Note, in the case of keys stored in an HSM or TPM using PKCS#11, it will only be possible to use the key abstraction to sign and verify, but not to export the key in any way.
- Returns:
The credential private key abstraction.
- Return type:
PrivateKey
- get_pkcs11_private_key()[source]ΒΆ
Gets the private key abstraction.
- Return type:
trustpoint_core.crypto_types.PrivateKey
- get_private_key_serializer()[source]ΒΆ
Gets a serializer of the credential private key.
For PKCS#11 keys, since the private key cannot be exported, this method returns a PrivateKeySerializer constructed from the public key extracted from the certificate. This allows code that needs the public key (via .public_key_serializer) to work with both software-stored and HSM-stored credentials.
- Returns:
The credential private key serializer.
- Return type:
PrivateKeySerializer
- Raises:
RuntimeError β If no private key information is available.
- get_certificate()[source]ΒΆ
Gets the credential certificate as x509.Certificate instance.
- Returns:
The credential certificate.
- Return type:
x509.Certificate
- get_certificate_chain()[source]ΒΆ
Gets the credential certificate chain as a list of x509.Certificate instances.
- Returns:
The credential certificate chain as list of x509.Certificate instances.
- Return type:
list[x509.Certificate]
- get_certificate_serializer()[source]ΒΆ
Gets the credential certificate as a CertificateSerializer instance.
- Returns:
The credential certificate.
- Return type:
- Raises:
ValueError β If the certificate is not set.
- get_certificate_chain_serializer()[source]ΒΆ
Gets the credential certificate chain as a CertificateCollectionSerializer instance.
- Returns:
The credential certificate chain.
- Return type:
CertificateCollectionSerializer
- get_last_in_chain()[source]ΒΆ
Gets the root ca certificate model, if any.
- Return type:
None | pki.models.CertificateModel
- get_root_ca_certificate()[source]ΒΆ
Gets the root CA certificate of the credential certificate chain.
- Return type:
None | cryptography.x509.Certificate
- get_root_ca_certificate_serializer()[source]ΒΆ
Gets the root CA certificate serializer.
- Return type:
None | trustpoint_core.serializer.CertificateSerializer
- get_credential_serializer()[source]ΒΆ
Gets the serializer for this credential.
- Return type:
trustpoint_core.serializer.CredentialSerializer
- property signature_suite: trustpoint_core.oid.SignatureSuite[source]ΒΆ
Returns the signature suite used by the current credential primary certificate.
- Return type:
trustpoint_core.oid.SignatureSuite
- property public_key_info: trustpoint_core.oid.PublicKeyInfo[source]ΒΆ
Returns the PublicKeyInfo the current credential primary certificate.
- Return type:
trustpoint_core.oid.PublicKeyInfo
- property hash_algorithm: cryptography.hazmat.primitives.hashes.HashAlgorithm | None[source]ΒΆ
Returns the hash algorithm used by the current credential.
- Return type:
cryptography.hazmat.primitives.hashes.HashAlgorithm | None
- is_valid_issued_credential()[source]ΒΆ
Determines if this issued credential is valid.
- This method performs the following checks:
The credential must be of type ISSUED_CREDENTIAL.
A primary certificate must exist.
The certificateβs status must be βOKβ.
- Returns:
- A tuple where:
The first value is True if the credential meets all criteria, False otherwise.
The second value is a reason string explaining why the credential is invalid.
- Return type:
tuple[bool, str]
- class pki.models.credential.PrimaryCredentialCertificate(*args, **kwargs)[source]ΒΆ
Bases:
django.db.models.ModelModel to store which certificate is the primary certificate of a credential.
Used as through model for the many-to-many relationship between CredentialModel and CertificateModel.
- class pki.models.credential.CertificateChainOrderModel(*args, **kwargs)[source]ΒΆ
Bases:
django.db.models.ModelThis Model is used to preserve the order of certificates in credential certificate chains.
- class Meta[source]ΒΆ
This Meta class add some configuration to the CertificateChainOrderModel.
Sets the default ordering such that the field order is used. Restricts entries such that the tuple (credential, order) is unique.
- save(*args, **kwargs)[source]ΒΆ
Stores a CertificateChainOrderModel in the database.
This is only possible if the order takes the next available value. That is, e.g. if the corresponding credential certificate chain has already two certificates stored with order 0 and 1, then the next entry to be stored must have order 2.
- Parameters:
*args (Any) β Positional arguments, passed to super().save()
**kwargs (Any) β Keyword arguments, passed to super().save()
- Returns:
None
- Raises:
ValueError β If the CertificateChainOrderModel entry to be stored does not have the correct order.
- Return type:
None
- delete(*args, **kwargs)[source]ΒΆ
Tries to delete the CertificateChainOrderModel entry.
A CertificateChainOrderModel entry can only be deleted if it has the highest order in the corresponding credential certificate chain.
- Parameters:
*args (Any) β Positional arguments, passed to super().delete()
**kwargs (Any) β Keyword arguments, passed to super().delete()
- Returns:
tuple[int, dict[str, int]] (returned by parent)
- Raises:
ValueError β If the CertificateChainOrderModel entry does not have the highest order in the corresponding credential certificate chain.
- Return type:
tuple[int, dict[str, int]]
- class pki.models.credential.IDevIDReferenceModel(*args, **kwargs)[source]ΒΆ
Bases:
django.db.models.ModelModel to store the string referencing an IDevID certificate.
Obtained from the SAN of the DevOwnerID certificate.
The
idevid_reffield holds the rawdev-owner:URI embedded in the DevOwnerID SAN.dev_owner_id_certificatepoints to theCertificateModelof the DevOwnerID certificate whose SAN contained this reference, so the details view can display the DevOwnerID certificate information without a fragile fingerprint-string lookup.- property idevid_subject_serial_number: str[source]ΒΆ
Returns the IDevID Subject Serial Number from the SAN of the DevOwnerID certificate.
The stored
idevid_refformat isdev-owner:<subj_sn>.<x509_sn>.<sha256_fingerprint>. This property strips thedev-owner:scheme prefix and returns the first segment.- Return type:
str
- class pki.models.credential.OwnerCredentialModel(*args, **kwargs)[source]ΒΆ
Bases:
trustpoint.logger.LoggerMixin,util.db.CustomDeleteActionModelDevice owner credential model.
This model is a wrapper to manage a DevOwnerID for use by devices to trust the Trustpoint.
The actual DevOwnerID certificate is stored as an
IssuedCredentialModelwithissued_credential_type=DEV_OWNER_IDpointing back to this model.Supports two acquisition modes: - File upload / Manual: a
NoOnboardingConfigModelwithMANUALprotocol is created. - Remote CA enrollment:no_onboarding_config(EST username/password) oronboarding_config(EST IDevID) is set together with the remote_* fields.- class OwnerCredentialTypeChoice(*args, **kwds)[source]ΒΆ
Bases:
django.db.models.IntegerChoicesHow the DevOwnerID certificate is acquired.
LOCAL: uploaded as a file or generated locally (no remote CA).REMOTE_EST: enrolled from a remote CA via EST (RFC 7030) with username/password.REMOTE_CMP: enrolled from a remote CA via CMP (RFC 4210 / 9483).REMOTE_EST_ONBOARDING: enrolled from a remote CA via EST using IDevID onboarding.
- property dev_owner_id_credentials: django.db.models.QuerySet[pki.models.issued_credential.RemoteIssuedCredentialModel][source]ΒΆ
Returns all DevOwnerID RemoteIssuedCredentialModel instances for this owner credential, newest first.
An OwnerCredentialModel may accumulate multiple DevOwnerID credentials over time, e.g. after re-enrollment or renewal rounds.
- Return type:
django.db.models.QuerySet[pki.models.issued_credential.RemoteIssuedCredentialModel]
- property dev_owner_id_credential: pki.models.issued_credential.RemoteIssuedCredentialModel | None[source]ΒΆ
Returns the most recently created DevOwnerID RemoteIssuedCredentialModel, or
None.Use
dev_owner_id_credentialswhen you need the full set of credentials.- Return type:
pki.models.issued_credential.RemoteIssuedCredentialModel | None
- property domain_credentials: django.db.models.QuerySet[pki.models.issued_credential.RemoteIssuedCredentialModel][source]ΒΆ
Returns all Domain Credential RemoteIssuedCredentialModel instances for this owner credential, newest first.
Domain credentials are obtained during onboarding before the DevOwnerID is enrolled.
- Return type:
django.db.models.QuerySet[pki.models.issued_credential.RemoteIssuedCredentialModel]
- property domain_credential: pki.models.issued_credential.RemoteIssuedCredentialModel | None[source]ΒΆ
Returns the most recently created Domain Credential RemoteIssuedCredentialModel, or
None.- Return type:
pki.models.issued_credential.RemoteIssuedCredentialModel | None
- property has_valid_domain_credential: bool[source]ΒΆ
Returns True if there is at least one valid domain credential.
- Return type:
bool
- classmethod create_new_owner_credential(unique_name, credential_serializer, no_onboarding_config=None)[source]ΒΆ
Creates a new OwnerCredentialModel with the DevOwnerID stored as RemoteIssuedCredentialModel.
The DevOwnerID certificate (with optional chain and private key) is stored in a
CredentialModeland wrapped in aRemoteIssuedCredentialModelof typeDEV_OWNER_ID. If nono_onboarding_configis provided a newNoOnboardingConfigModelwith protocolMANUALis created automatically.- Parameters:
unique_name (str) β Unique human-readable name for this owner credential.
credential_serializer (trustpoint_core.serializer.CredentialSerializer) β The DevOwnerID credential (cert + optional key + chain).
no_onboarding_config (Any | None) β Optional pre-created
NoOnboardingConfigModelto attach.
- Returns:
The newly created instance.
- Return type: