pki.util.idevid

Classes for handling IDevID certificates according to IEEE 802.1AR.

Module Contents

exception pki.util.idevid.IDevIDAuthenticationError[source]

Bases: Exception

Exception raised for IDevID authentication failures.

class pki.util.idevid.IDevIDExtensionPolicy[source]

Builder for IDevID extension policies.

static idevid_ee_policy()[source]

Create an extension policy for IDevID end-entity certificates.

Return type:

cryptography.x509.verification.ExtensionPolicy

static idevid_ca_policy()[source]

Create an extension policy for IDevID CA certificates.

Return type:

cryptography.x509.verification.ExtensionPolicy

class pki.util.idevid.IDevIDVerifier[source]

Bases: trustpoint.logger.LoggerMixin

Verifies IDevID certificates as used e.g. by EST with mutual TLS auth.

classmethod verify_idevid_against_truststore(idevid_cert, intermediate_cas, truststore)[source]

Verify the IDevID certificate against the provided truststore.

Parameters:
  • idevid_cert (cryptography.x509.Certificate)

  • intermediate_cas (list[cryptography.x509.Certificate])

  • truststore (pki.models.TruststoreModel)

Return type:

bool

class pki.util.idevid.IDevIDAuthenticator[source]

Bases: trustpoint.logger.LoggerMixin

Authenticates IDevID certificates as used e.g. by EST with mutual TLS auth.

static get_subject_serial_number(idevid_cert)[source]

Get the serial number from the subject of the IDevID certificate.

Parameters:

idevid_cert (cryptography.x509.Certificate)

Return type:

str

classmethod authenticate_idevid_from_x509_no_device(idevid_cert, intermediate_cas, domain=None)[source]

Authenticate client using an IDevID certificate.

Parameters:
  • idevid_cert (cryptography.x509.Certificate)

  • intermediate_cas (list[cryptography.x509.Certificate])

  • domain (pki.models.DomainModel | None)

Return type:

tuple[pki.models.DomainModel, str]

classmethod authenticate_idevid_from_x509(idevid_cert, intermediate_cas, domain=None, onboarding_protocol=OnboardingProtocol.EST_IDEVID, pki_protocol=OnboardingPkiProtocol.EST)[source]

Authenticate client using IDevID certificate for Domain Credential request and create a device.

Parameters:
  • idevid_cert (cryptography.x509.Certificate)

  • intermediate_cas (list[cryptography.x509.Certificate])

  • domain (pki.models.DomainModel | None)

  • onboarding_protocol (onboarding.models.OnboardingProtocol)

  • pki_protocol (onboarding.models.OnboardingPkiProtocol)

Return type:

devices.models.DeviceModel

classmethod authenticate_idevid(request, domain=None)[source]

Authenticate client using IDevID certificate for Domain Credential request.

Parameters:
  • request (django.http.HttpRequest)

  • domain (pki.models.DomainModel | None)

Return type:

devices.models.DeviceModel