d1_common.cert package

This package contains certificate related functionality, such as functions for extracting DataONE subjects from PEM (base64) encoded X.509 v3 certificates and Java Web Tokens (JTWs) as used in DataONE.

Although this directory is not a package, this __init__.py file is required for pytest to be able to reach test directories below this directory.

Submodules

d1_common.cert.jwt module

JSON Web Token (JWT) parsing and validation.

JWT representations:

  • bu64: A URL safe flavor of Base64 used by JWTs

  • jwt_bu64: A complete JWT consisting of three dot separated bu64 encoded parts: (header_bu64, payload_bu64, signature_bu64)

  • jwt_tup: A complete JWT consisting of a tuple of 3 decoded (raw) parts: (header_str, payload_str, signature_str)

d1_common.cert.jwt.get_subject_with_local_validation(jwt_bu64, cert_obj)

Validate the JWT and return the subject it contains.

  • The JWT is validated by checking that it was signed with a CN certificate.

  • The returned subject can be trusted for authz and authn operations.

  • Possible validation errors include:

    • A trusted (TLS/SSL) connection could not be made to the CN holding the signing certificate.

    • The JWT could not be decoded.

    • The JWT signature signature was invalid.

    • The JWT claim set contains invalid “Not Before” or “Expiration Time” claims.

Parameters

  • jwt_bu64 – bytes The JWT encoded using a a URL safe flavor of Base64.

  • cert_obj – cryptography.Certificate Public certificate used for signing the JWT (typically the CN cert).

Returns

  • On successful validation, the subject contained in the JWT is returned.

  • If validation fails for any reason, errors are logged and None is returned.

d1_common.cert.jwt.get_subject_with_remote_validation(jwt_bu64, base_url)

Same as get_subject_with_local_validation() except that the signing certificate is automatically downloaded from the CN.

  • Additional possible validations errors:

    • The certificate could not be retrieved from the root CN.

d1_common.cert.jwt.get_subject_with_file_validation(jwt_bu64, cert_path)

Same as get_subject_with_local_validation() except that the signing certificate is read from a local PEM file.

d1_common.cert.jwt.get_subject_without_validation(jwt_bu64)

Extract subject from the JWT without validating the JWT.

  • The extracted subject cannot be trusted for authn or authz.

Parameters

jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.

Returns

The subject contained in the JWT.

Return type

str

d1_common.cert.jwt.get_bu64_tup(jwt_bu64)

Split the Base64 encoded JWT to its 3 component sections.

Parameters

jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.

Returns

Component sections of the JWT.

Return type

3-tup of Base64

d1_common.cert.jwt.get_jwt_tup(jwt_bu64)

Split and decode the Base64 encoded JWT to its 3 component sections.

  • Reverse of get_jwt_bu64().

Parameters

jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.

Returns

Raw component sections of the JWT.

Return type

3-tup of bytes

d1_common.cert.jwt.get_jwt_bu64(jwt_tup)

Join and Base64 encode raw JWT component sections.

  • Reverse of get_jwt_tup().

Parameters

jwt_tup – 3-tup of bytes Raw component sections of the JWT.

Returns

bytes

JWT, encoded using a a URL safe flavor of Base64.

Return type

jwt_bu64

d1_common.cert.jwt.get_jwt_dict(jwt_bu64)

Parse Base64 encoded JWT and return as a dict.

  • JWTs contain a set of values serialized to a JSON dict. This decodes the JWT and returns it as a dict containing Unicode strings.

  • In addition, a SHA1 hash is added to the dict for convenience.

Parameters

jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.

Returns

Values embedded in and derived from the JWT.

Return type

dict

d1_common.cert.jwt.validate_and_decode(jwt_bu64, cert_obj)

Validate the JWT and return as a dict.

  • JWTs contain a set of values serialized to a JSON dict. This decodes the JWT and returns it as a dict.

Parameters

  • jwt_bu64 – bytes The JWT encoded using a a URL safe flavor of Base64.

  • cert_obj – cryptography.Certificate Public certificate used for signing the JWT (typically the CN cert).

Raises

JwtException – If validation fails.

Returns

Values embedded in the JWT.

Return type

dict

d1_common.cert.jwt.log_jwt_dict_info(log, msg_str, jwt_dict)

Dump JWT to log.

Parameters

  • log – Logger Logger to which to write the message.

  • msg_str – str A message to write to the log before the JWT values.

  • jwt_dict – dict JWT containing values to log.

Returns

None

d1_common.cert.jwt.log_jwt_bu64_info(log, msg_str, jwt_bu64)

Dump JWT to log.

Parameters

  • log – Logger Logger to which to write the message.

  • msg_str – str A message to write to the log before the JWT values.

  • jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.

Returns

None

d1_common.cert.jwt.ts_to_str(jwt_dict)

Convert timestamps in JWT to human readable dates.

Parameters

jwt_dict – dict JWT with some keys containing timestamps.

Returns

Copy of input dict where timestamps have been replaced with human readable dates.

Return type

dict

d1_common.cert.jwt.ts_to_dt(jwt_dict)

Convert timestamps in JWT to datetime objects.

Parameters

jwt_dict – dict JWT with some keys containing timestamps.

Returns

Copy of input dict where timestamps have been replaced with datetime.datetime() objects.

Return type

dict

d1_common.cert.jwt.encode_bu64(b)

Encode bytes to a URL safe flavor of Base64 used by JWTs.

  • Reverse of decode_bu64().

Parameters

b – bytes Bytes to Base64 encode.

Returns

URL safe Base64 encoded version of input.

Return type

bytes

d1_common.cert.jwt.decode_bu64(b)

Encode bytes to a URL safe flavor of Base64 used by JWTs.

  • Reverse of encode_bu64().

Parameters

b – bytes URL safe Base64 encoded bytes to encode.

Returns

Decoded bytes.

Return type

bytes

exception d1_common.cert.jwt.JwtException

Bases: Exception

Exceptions raised directly by this module.

d1_common.cert.subject_info module

Utilities for handling the DataONE SubjectInfo type.

Overview of Access Control in DataONE

Access control in DataONE works much like traditional Access Control Lists (ACLs). Each science object is associated with an ACL. The ACL contains a list of subjects and an access level for each subject. The access levels are read, write and changePermission. Each access level implicitly grants access to the lower levels, so only only the highest access level for a given subject needs to be specified in the ACL.

This module handles the information that will be used for creating a list of authenticated subjects that can be compared against an ACL in order to determine if a given subject is allowed to access the object at the requested level.

DataONE supports a system where subjects can be linked to equivalent identities as well as managed in groups. E.g., a group of subjects can be created and all the subjects in the group can be given access to an object by only listing the single group subject in the object’s ACL.

A given subject can describe an actual identity, an equivalent subject or a group subject. Any type of subject can be used in any capacity. E.g., each subject in a group can be any type of subject including another group.

Since ACLs can also contain any combination of subjects for actual identities, equivalent subjects and groups subjects, a list of subjects that includes all subjects that are associated with an authenticated subject is required in order to determine if access should be granted.

Arbitrarily nested subjects must be supported. E.g., If subj-1 has been successfully authenticated, and subj-1 has an equivalent subject called equiv-1, and equiv-1 is in a group with subject group-1, all of those subjects (subj-1, equiv-1, and group-1), must be included in the list of associated subjects. That way, access is granted to the object regardless of which of them are authenticated directly in the ACL.

Notes

  • It’s important to separate the roles of groups in the ACL and groups in the SubjectInfo. Including a group subject in an ACL grants access to all subjects in that group. However, including a subject that is in a group, in the ACL, does not give access to the other subjects of the group or to the group itself. In other words, groups add access for their members, not the other way around.

  • In terms of generating a list of equivalent subjects based on SubjectInfo, the one way transfer of access from groups to their subjects means that, when a subject is found to belong to a group, only the group subject is included in the list (after which it may chain to more equivalent identifies, etc). The group members are not included.

  • For deriving a list of indirectly authenticated subjects, the SubjectInfo contains a set of statements that establish subject types and relationships between subjects. There are 4 kinds of statements:

    • Subject is a person

    • Subject is an equivalent of another subject

    • Subject is a group

    • Subject is member of a group

  • An equivalent subject can only be the equivalent for a person. The equivalence relationship is the only one that causes each side to be granted all the rights of the other side, and so allows the two subjects to be used interchangeably. The other relationships cause one side to be granted the rights of the other side, but not the other way around. E.g.: Designating a subject as a member of a group causes the subject to be granted the rights of the group, but does not cause the group to be granted the rights of the subject.

Authorization examples

Given SubjectInfo:

A = person subject A, authenticated by certificate
B = person subject B

C = equivalent to A
D = equivalent to B
E = equivalent to D

F = group with members G, H, B
J = group with members K, L, F
M = group with members E, N
N = group with members C, D

Given ACL containing: D

  • D is equivalent to B

  • B is a Person, but it’s unauthenticated

Authorization: Denied

Given ACL containing: N

  • N is a group with members C and D

  • D is equivalent to B, but B is not authenticated

  • C is equivalent to A, and A is authenticated

Authorization: Granted

Given ACL containing: F

  • F leads to G, H, B

  • G -> unknown

  • H -> unknown

  • B -> person subject, but not authenticated

Authorization: Denied

d1_common.cert.subject_info.extract_subjects(subject_info_xml, primary_str)

Extract a set of authenticated subjects from a DataONE SubjectInfo.

  • See subject_info_tree for details.

Parameters

  • subject_info_xml – str A SubjectInfo XML document.

  • primary_str – str A DataONE subject, typically a DataONE compliant serialization of the DN of the DataONE X.509 v3 certificate extension from which the SubjectInfo was extracted.

    The primary subject can be viewed as the root of a tree. Any subject in the SubjectInfo that is directly or indirectly connected to the root subject is included in the returned set of authenticated subjects.

Returns

Set of authenticated subjects. Will always include the primary subject.

  • All subjects in the returned set are equivalent to primary_str for the purpose of access control for private science objects.

  • If SubjectInfo does not contain all relevant records, it is still considered to be valid, but the authenticated set will be incomplete.

  • Only the subject strings and relationships in SubjectInfo are used by this function. Other information about subjects, such as name and email address, is ignored.

  • No attempt should be made to infer type of subject from the content of a subject string. Subject strings should be handled as random Unicode sequences, each of which may designate an person subject, an equivalent subject, or a group subject.

  • To determine if an action is authorized, the returned set is checked against the authorized_set for a given object. If one or more subjects exist in both sets, the action is authorized. The check can be performed with high performance using a set union operation in Python or an inner join in Postgres.

  • Subject types are only known and relevant while processing the SubjectInfo type.

  • The type of each subject in the authenticated_subjects and allowed_subjects lists are unknown and irrelevant.

Return type

set

Notes

Procedure:

The set of authenticated subjects is generated from the SubjectInfo and primary subject using the following procedure:

  • Start with empty set of subjects

  • Add authenticatedUser

  • If subject is not in set of subjects:

  • Add subject

  • Iterate over Person records

  • If Person.subject is subject:

  • If Person.verified is present and set:

  • Add “verifiedUser”

  • Iterate over Person.equivalentIdentity:

  • Recursively add those subjects

  • Iterate over Person.isMemberOf

  • Recursively add those subjects, but ONLY check Group subjects

  • Iterate over Group records

  • If any Group.hasMember is subject:

  • Recursively add Group.subject (not group members)

Handling of various invalid SubjectInfo and corner cases:

  • SubjectInfo XML doc that is not well formed

  • Return an exception that includes a useful error message with the line number of the issue

  • person.isMemberOf and group.hasMember should always form pairs referencing each other.

  • One side of the pair is missing

  • Process the available side as normal

  • person.isMemberOf subject references a person or equivalent instead of a group

  • Only Group subjects are searched for isMemberOf references, so only the referenced Group subject is added to the list of authorized subjects

  • Multiple Person or Group records conflict by using the same subject

  • The records are handled as equivalents

  • person.isMemberOf subject does not reference a known subject

  • If the Person containing the dangling isMemberOf IS NOT connected with the authenticated subject, the whole record, including the isMemberOf subject is simply ignored

  • If it IS connected with an authenticated subject, the isMemberOf subject is authenticated and recursive processing of the subject is skipped

  • Circular references

  • Handled by skipping recursive add for subjects that are already added

  • See the unit tests for example SubjectInfo XML documents for each of these issues and the expected results.

d1_common.cert.subject_info.deserialize_subject_info(subject_info_xml)

Deserialize SubjectInfo XML doc to native object.

Parameters

subject_info_xml – str SubjectInfo XML doc

Returns

SubjectInfo PyXB object

d1_common.cert.subject_info.gen_subject_info_tree(subject_info_pyxb, authn_subj, include_duplicates=False)

Convert the flat, self referential lists in the SubjectInfo to a tree structure.

Parameters

  • subject_info_pyxb – SubjectInfo PyXB object

  • authn_subj – str The authenticated subject that becomes the root subject in the tree of subjects built from the SubjectInfo.

    Only subjects that are authenticated by a direct or indirect connection to this subject are included in the tree.

  • include_duplicates – Include branches of the tree that contain subjects that have already been included via other branches.

    If the tree is intended for rendering, including the duplicates will provide a more complete view of the SubjectInfo.

Returns

Tree of nodes holding information about subjects that are directly or indirectly connected to the authenticated subject in the root.

Return type

SubjectInfoNode

class d1_common.cert.subject_info.SubjectInfoNode(label_str, type_str)

Bases: object

Tree representation of SubjectInfo.

In SubjectInfo, nested information is represented via self- referential lists. This class holds a recursive tree of nodes which simplifies processing of SubjectInfo for client apps.

SUBJECT_NODE_TAG = 'is_subject_node'
TYPE_NODE_TAG = 'is_type_node'
add_child(label_str, type_str)

Add a child node.

property node_gen

Generate all nodes for the tree rooted at this node.

Yields: SubjectInfoNode All nodes rooted at this node.

property leaf_node_gen

Generate all leaf nodes for the tree rooted at this node.

Yields: SubjectInfoNode All leaf nodes rooted at this node.

property parent_gen

Generate this node, then all parents from this node to the root.

Yields: SubjectInfoNode This node, then all parents from this node to the root.

get_path_str(sep='/', type_str=None)

Get path from root to this node.

Parameters

  • sep – str One or more characters to insert between each element in the path. Defaults to “/” on Unix and “” on Windows.

  • type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.

Returns

String describing the path from the root to this node.

Return type

str

get_leaf_node_path_list(sep='/', type_str=None)

Get paths for all leaf nodes for the tree rooted at this node.

Parameters

  • sep – str One or more characters to insert between each element in the path. Defaults to “/” on Unix and “” on Windows.

  • type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.

Returns

The paths to the leaf nodes for the tree rooted at this node.

Return type

list of str

get_path_list(type_str=None)

Get list of the labels of the nodes leading up to this node from the root.

Parameters

type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.

Returns

The labels of the nodes leading up to this node from the root.

Return type

list of str

property is_leaf

Return True if this is a leaf node (has no children)

get_label_set(type_str=None)

Get a set of label_str for the tree rooted at this node.

Parameters

type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.

Returns

The labels of the nodes leading up to this node from the root.

Return type

set

get_subject_set()

Get a set of subjects for the tree rooted at this node.

Returns: set: The subjects for the tree rooted at this node.

d1_common.cert.subject_info.SubjectInfoTree

alias of d1_common.cert.subject_info.SubjectInfoNode

d1_common.cert.subject_info_renderer module

d1_common.cert.subjects module

Extract subjects from a DataONE PEM (Base64) encoded X.509 v3 certificate.

The DataONE infrastructure uses X.509 v3 certificates to represent sessions. A session contains assertions about the identity of the caller. In particular, the session contains the primary identity, a list of equivalent identities and group memberships of the caller.

d1_common.cert.subjects.extract_subjects(cert_pem)

Extract subjects from a DataONE PEM (Base64) encoded X.509 v3 certificate.

Parameters

cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate

Returns

  • The primary subject string, extracted from the certificate DN.

  • A set of equivalent identities, group memberships and inferred symbolic subjects extracted from the SubjectInfo (if present.)

  • All returned subjects are DataONE compliant serializations.

  • A copy of the primary subject is always included in the set of equivalent identities.

Return type

2-tuple

d1_common.cert.view_subject_info module

d1_common.cert.x509 module

Utilities for processing X.509 v3 certificates.

d1_common.cert.x509.extract_subjects(cert_pem)

Extract primary subject and SubjectInfo from a DataONE PEM (Base64) encoded X.509 v3 certificate.

Parameters

cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate

Returns

  • Primary subject (str) extracted from the certificate DN.

  • SubjectInfo (XML str) if present (see the subject_info module for parsing)

Return type

2-tuple

d1_common.cert.x509.extract_subject_from_dn(cert_obj)

Serialize a DN to a DataONE subject string.

Parameters

cert_obj – cryptography.Certificate

Returns

Primary subject extracted from the certificate DN.

Return type

str

The certificate DN (DistinguishedName) is a sequence of RDNs (RelativeDistinguishedName). Each RDN is a set of AVAs (AttributeValueAssertion / AttributeTypeAndValue). A DataONE subject is a plain string. As there is no single standard specifying how to create a string representation of a DN, DataONE selected one of the most common ways, which yield strings such as:

CN=Some Name A123,O=Some Organization,C=US,DC=Some Domain,DC=org

In particular, the sequence of RDNs is reversed. Attribute values are escaped, attribute type and value pairs are separated by “=”, and AVAs are joined together with “,”. If an RDN contains an unknown OID, the OID is serialized as a dotted string.

As all the information in the DN is preserved, it is not possible to create the same subject with two different DNs, and the DN can be recreated from the subject.

d1_common.cert.x509.create_mn_dn(node_urn)

Create a certificate DN suitable for use in Member Node client side certificates issued by DataONE, and thus in Certificate Signing Requests (CSR). The DN will be on the form:

DC=org, DC=dataone, CN=urn:node:<ID>

where <ID> typically is a short acronym for the name of the organization responsible for the Member Node.

The DN is formatted into a DataONE subject, which is used in authentication, authorization and event tracking.

Parameters

node_urn – str Node URN. E.g.,

Production certificate: urn:node:XYZ. Test certificate urn:node:mnTestXYZ.

Returns

cryptography.x509.Name

d1_common.cert.x509.create_simple_dn(common_name_str, domain_componet_list=None)

Create a simple certificate DN suitable for use in testing and for generating self signed CA and other certificate.

DC=local, DC=dataone, CN=<common name>

Parameters

  • common_name_str – The Common Name to use for the certificate. DataONE uses simple DNs without physical location information, so only the common_name_str (CommonName) needs to be specified.

    For Member Node Client Side certificates or CSRs, common_name_str is the node_id, e.g., urn:node:ABCD for production, or urn:node:mnTestABCD for the test environments.

    For a local CA, something like localCA may be used.

    For a locally trusted client side certificate, something like localClient may be used.

  • domain_componet_list – list Optionally set custom domain components.

  • fqdn_list – list of str List of Fully Qualified Domain Names (FQDN) and/or IP addresses for which this certificate will provide authentication.

    E.g.: [‘my.membernode.org’, ‘1.2.3.4’]

    This is mainly useful for creating a self signed server side certificate or a CSR that will be submitted to a trusted CA, such as Verisign, for signing.

Returns

cryptography.x509.Name

d1_common.cert.x509.generate_csr(private_key_bytes, dn, fqdn_list=None)

Generate a Certificate Signing Request (CSR).

Parameters

  • private_key_bytes – bytes Private key with which the CSR will be signed.

  • dn – cryptography.x509.Name The dn can be built by passing a list of cryptography.x509.NameAttribute to cryptography.x509.Name.

    Simple DNs can be created with the create_dn* functions in this module.

  • fqdn_list – list of str List of Fully Qualified Domain Names (FQDN) and/or IP addresses for which this certificate will provide authentication.

    E.g.: [‘my.membernode.org’, ‘1.2.3.4’]

    This is mainly useful for creating a self signed server side certificate or a CSR that will be submitted to a trusted CA, such as Verisign, for signing.

Returns

cryptography.x509.CertificateSigningRequest

d1_common.cert.x509.deserialize_pem(cert_pem)

Deserialize PEM (Base64) encoded X.509 v3 certificate.

Parameters

cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate

Returns

cryptography.Certificate

Return type

cert_obj

d1_common.cert.x509.deserialize_pem_file(cert_path)

Deserialize PEM (Base64) encoded X.509 v3 certificate in file.

Parameters

cert_path – str or bytes Path to PEM (Base64) encoded X.509 v3 certificate file

Returns

cryptography.Certificate

Return type

cert_obj

d1_common.cert.x509.serialize_cert_to_pem(cert_obj)

Serialize certificate to PEM.

The certificate can be also be a Certificate Signing Request (CSR).

Parameters

cert_obj – cryptography.Certificate

Returns

PEM encoded certificate

Return type

bytes

d1_common.cert.x509.extract_subject_info_extension(cert_obj)

Extract DataONE SubjectInfo XML doc from certificate.

Certificates issued by DataONE may include an embedded XML doc containing additional information about the subject specified in the certificate DN. If present, the doc is stored as an extension with an OID specified by DataONE and formatted as specified in the DataONE SubjectInfo schema definition.

Parameters

cert_obj – cryptography.Certificate

Returns

SubjectInfo XML doc if present, else None

Return type

str

d1_common.cert.x509.download_as_der(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)

Download public certificate from a TLS/SSL web server as DER encoded bytes.

If the certificate is being downloaded in order to troubleshoot validation issues, the download itself may fail due to the validation issue that is being investigated. To work around such chicken-and-egg problems, temporarily wrap calls to the download_* functions with the disable_cert_validation() context manager (also in this module).

Parameters

  • base_url – str A full URL to a DataONE service endpoint or a server hostname

  • timeout_sec – int or float Timeout for the SSL socket operations

Returns

The server’s public certificate as DER encoded bytes.

Return type

bytes

d1_common.cert.x509.download_as_pem(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)

Download public certificate from a TLS/SSL web server as PEM encoded string.

Also see download_as_der().

Parameters

  • base_url – str A full URL to a DataONE service endpoint or a server hostname

  • timeout_sec – int or float Timeout for the SSL socket operations

Returns

The certificate as a PEM encoded string.

Return type

str

d1_common.cert.x509.download_as_obj(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)

Download public certificate from a TLS/SSL web server as Certificate object.

Also see download_as_der().

Parameters

  • base_url – str A full URL to a DataONE service endpoint or a server hostname

  • timeout_sec – int or float Timeout for the SSL socket operations

Returns

cryptography.Certificate

d1_common.cert.x509.decode_der(cert_der)

Decode cert DER string to Certificate object.

Parameters

cert_der – Certificate as a DER encoded string

Returns

cryptography.Certificate()

d1_common.cert.x509.disable_cert_validation()

Context manager to temporarily disable certificate validation in the standard SSL library.

Note: This should not be used in production code but is sometimes useful for troubleshooting certificate validation issues.

By design, the standard SSL library does not provide a way to disable verification of the server side certificate. However, a patch to disable validation is described by the library developers. This context manager allows applying the patch for specific sections of code.

d1_common.cert.x509.extract_issuer_ca_cert_url(cert_obj)

Extract issuer CA certificate URL from certificate.

Certificates may include a URL where the root certificate for the CA which was used for signing the certificate can be downloaded. This function returns the URL if present.

The primary use for this is to fix validation failure due to non-trusted issuer by downloading the root CA certificate from the URL and installing it in the local trust store.

Parameters

cert_obj – cryptography.Certificate

Returns

Issuer certificate URL if present, else None

Return type

str

d1_common.cert.x509.serialize_private_key_to_pem(private_key, passphrase_bytes=None)

Serialize private key to PEM.

Parameters

  • private_key

  • passphrase_bytes

Returns

PEM encoded private key

Return type

bytes

d1_common.cert.x509.generate_private_key(key_size=2048)

Generate a private key.

d1_common.cert.x509.get_public_key_pem(cert_obj)

Extract public key from certificate as PEM encoded PKCS#1.

Parameters

cert_obj – cryptography.Certificate

Returns

PEM encoded PKCS#1 public key.

Return type

bytes

d1_common.cert.x509.save_pem(pem_path, pem_bytes)

Save PEM encoded bytes to file.

d1_common.cert.x509.load_csr(pem_path)

Load CSR from PEM encoded file.

d1_common.cert.x509.load_private_key(pem_path, passphrase_bytes=None)

Load private key from PEM encoded file.

d1_common.cert.x509.generate_cert(ca_issuer, ca_key, csr_subject, csr_pub_key)
d1_common.cert.x509.serialize_cert_to_der(cert_obj)

Serialize certificate to DER.

Parameters

cert_obj – cryptography.Certificate

Returns

DER encoded certificate

Return type

bytes

d1_common.cert.x509.generate_ca_cert(dn, private_key, fqdn_str=None, public_ip=None, private_ip=None, valid_days=3650)
Parameters

  • dn – cryptography.x509.Name A cryptography.x509.Name holding a sequence of cryptography.x509.NameAttribute objects.

    See the create_dn* functions.

  • private_key – RSAPrivateKey, etc

  • fqdn_str

  • public_ip

  • private_ip

  • valid_days – int Number of days from now until the certificate expires.

Returns:

d1_common.cert.x509.input_key_passphrase(applicable_str='private key')
d1_common.cert.x509.check_cert_type(cert)
d1_common.cert.x509.rdn_escape(rdn_str)

Escape string for use as an RDN (RelativeDistinguishedName)

The following chars must be escaped in RDNs: , = + < > # ; “

Parameters

rdn_str – str

Returns

Escaped string ready for use in an RDN (.)

Return type

str

d1_common.cert.x509.log_cert_info(logger, msg_str, cert_obj)

Dump basic certificate values to the log.

Parameters

  • logger – Logger Logger to which to write the certificate values.

  • msg_str – str A message to write to the log before the certificate values.

  • cert_obj – cryptography.Certificate Certificate containing values to log.

Returns

None

d1_common.cert.x509.get_cert_info_list(cert_obj)

Get a list of certificate values.

Parameters

cert_obj – cryptography.Certificate Certificate containing values to retrieve.

Returns

Certificate value name, value

Return type

list of tup

d1_common.cert.x509.get_extension_by_name(cert_obj, extension_name)

Get a standard certificate extension by attribute name.

Parameters

  • cert_obj – cryptography.Certificate Certificate containing a standard extension.

  • extension_name – str Extension name. E.g., ‘SUBJECT_DIRECTORY_ATTRIBUTES’.

Returns

Cryptography.Extension