d1_common.cert package¶
This package contains certificate related functionality, such as functions for extracting DataONE subjects from PEM (base64) encoded X.509 v3 certificates and Java Web Tokens (JTWs) as used in DataONE.
Although this directory is not a package, this __init__.py file is required for pytest to be able to reach test directories below this directory.
Submodules¶
d1_common.cert.jwt module¶
JSON Web Token (JWT) parsing and validation.
JWT representations:
bu64: A URL safe flavor of Base64 used by JWTs
jwt_bu64: A complete JWT consisting of three dot separated bu64 encoded parts: (header_bu64, payload_bu64, signature_bu64)
jwt_tup: A complete JWT consisting of a tuple of 3 decoded (raw) parts: (header_str, payload_str, signature_str)
-
d1_common.cert.jwt.
get_subject_with_local_validation
(jwt_bu64, cert_obj)¶ Validate the JWT and return the subject it contains.
The JWT is validated by checking that it was signed with a CN certificate.
The returned subject can be trusted for authz and authn operations.
Possible validation errors include:
A trusted (TLS/SSL) connection could not be made to the CN holding the signing certificate.
The JWT could not be decoded.
The JWT signature signature was invalid.
The JWT claim set contains invalid “Not Before” or “Expiration Time” claims.
- Parameters
jwt_bu64 – bytes The JWT encoded using a a URL safe flavor of Base64.
cert_obj – cryptography.Certificate Public certificate used for signing the JWT (typically the CN cert).
- Returns
On successful validation, the subject contained in the JWT is returned.
If validation fails for any reason, errors are logged and None is returned.
-
d1_common.cert.jwt.
get_subject_with_remote_validation
(jwt_bu64, base_url)¶ Same as get_subject_with_local_validation() except that the signing certificate is automatically downloaded from the CN.
Additional possible validations errors:
The certificate could not be retrieved from the root CN.
-
d1_common.cert.jwt.
get_subject_with_file_validation
(jwt_bu64, cert_path)¶ Same as get_subject_with_local_validation() except that the signing certificate is read from a local PEM file.
-
d1_common.cert.jwt.
get_subject_without_validation
(jwt_bu64)¶ Extract subject from the JWT without validating the JWT.
The extracted subject cannot be trusted for authn or authz.
- Parameters
jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.
- Returns
The subject contained in the JWT.
- Return type
str
-
d1_common.cert.jwt.
get_bu64_tup
(jwt_bu64)¶ Split the Base64 encoded JWT to its 3 component sections.
- Parameters
jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.
- Returns
Component sections of the JWT.
- Return type
3-tup of Base64
-
d1_common.cert.jwt.
get_jwt_tup
(jwt_bu64)¶ Split and decode the Base64 encoded JWT to its 3 component sections.
Reverse of get_jwt_bu64().
- Parameters
jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.
- Returns
Raw component sections of the JWT.
- Return type
3-tup of bytes
-
d1_common.cert.jwt.
get_jwt_bu64
(jwt_tup)¶ Join and Base64 encode raw JWT component sections.
Reverse of get_jwt_tup().
- Parameters
jwt_tup – 3-tup of bytes Raw component sections of the JWT.
- Returns
- bytes
JWT, encoded using a a URL safe flavor of Base64.
- Return type
jwt_bu64
-
d1_common.cert.jwt.
get_jwt_dict
(jwt_bu64)¶ Parse Base64 encoded JWT and return as a dict.
JWTs contain a set of values serialized to a JSON dict. This decodes the JWT and returns it as a dict containing Unicode strings.
In addition, a SHA1 hash is added to the dict for convenience.
- Parameters
jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.
- Returns
Values embedded in and derived from the JWT.
- Return type
dict
-
d1_common.cert.jwt.
validate_and_decode
(jwt_bu64, cert_obj)¶ Validate the JWT and return as a dict.
JWTs contain a set of values serialized to a JSON dict. This decodes the JWT and returns it as a dict.
- Parameters
jwt_bu64 – bytes The JWT encoded using a a URL safe flavor of Base64.
cert_obj – cryptography.Certificate Public certificate used for signing the JWT (typically the CN cert).
- Raises
JwtException – If validation fails.
- Returns
Values embedded in the JWT.
- Return type
dict
-
d1_common.cert.jwt.
log_jwt_dict_info
(log, msg_str, jwt_dict)¶ Dump JWT to log.
- Parameters
log – Logger Logger to which to write the message.
msg_str – str A message to write to the log before the JWT values.
jwt_dict – dict JWT containing values to log.
- Returns
None
-
d1_common.cert.jwt.
log_jwt_bu64_info
(log, msg_str, jwt_bu64)¶ Dump JWT to log.
- Parameters
log – Logger Logger to which to write the message.
msg_str – str A message to write to the log before the JWT values.
jwt_bu64 – bytes JWT, encoded using a a URL safe flavor of Base64.
- Returns
None
-
d1_common.cert.jwt.
ts_to_str
(jwt_dict)¶ Convert timestamps in JWT to human readable dates.
- Parameters
jwt_dict – dict JWT with some keys containing timestamps.
- Returns
Copy of input dict where timestamps have been replaced with human readable dates.
- Return type
dict
-
d1_common.cert.jwt.
ts_to_dt
(jwt_dict)¶ Convert timestamps in JWT to datetime objects.
- Parameters
jwt_dict – dict JWT with some keys containing timestamps.
- Returns
Copy of input dict where timestamps have been replaced with datetime.datetime() objects.
- Return type
dict
-
d1_common.cert.jwt.
encode_bu64
(b)¶ Encode bytes to a URL safe flavor of Base64 used by JWTs.
Reverse of decode_bu64().
- Parameters
b – bytes Bytes to Base64 encode.
- Returns
URL safe Base64 encoded version of input.
- Return type
bytes
-
d1_common.cert.jwt.
decode_bu64
(b)¶ Encode bytes to a URL safe flavor of Base64 used by JWTs.
Reverse of encode_bu64().
- Parameters
b – bytes URL safe Base64 encoded bytes to encode.
- Returns
Decoded bytes.
- Return type
bytes
-
exception
d1_common.cert.jwt.
JwtException
¶ Bases:
Exception
Exceptions raised directly by this module.
d1_common.cert.subject_info module¶
Utilities for handling the DataONE SubjectInfo type.
Overview of Access Control in DataONE¶
Access control in DataONE works much like traditional Access Control Lists (ACLs). Each science object is associated with an ACL. The ACL contains a list of subjects and an access level for each subject. The access levels are read, write and changePermission. Each access level implicitly grants access to the lower levels, so only only the highest access level for a given subject needs to be specified in the ACL.
This module handles the information that will be used for creating a list of authenticated subjects that can be compared against an ACL in order to determine if a given subject is allowed to access the object at the requested level.
DataONE supports a system where subjects can be linked to equivalent identities as well as managed in groups. E.g., a group of subjects can be created and all the subjects in the group can be given access to an object by only listing the single group subject in the object’s ACL.
A given subject can describe an actual identity, an equivalent subject or a group subject. Any type of subject can be used in any capacity. E.g., each subject in a group can be any type of subject including another group.
Since ACLs can also contain any combination of subjects for actual identities, equivalent subjects and groups subjects, a list of subjects that includes all subjects that are associated with an authenticated subject is required in order to determine if access should be granted.
Arbitrarily nested subjects must be supported. E.g., If subj-1 has been successfully authenticated, and subj-1 has an equivalent subject called equiv-1, and equiv-1 is in a group with subject group-1, all of those subjects (subj-1, equiv-1, and group-1), must be included in the list of associated subjects. That way, access is granted to the object regardless of which of them are authenticated directly in the ACL.
Notes
It’s important to separate the roles of groups in the ACL and groups in the SubjectInfo. Including a group subject in an ACL grants access to all subjects in that group. However, including a subject that is in a group, in the ACL, does not give access to the other subjects of the group or to the group itself. In other words, groups add access for their members, not the other way around.
In terms of generating a list of equivalent subjects based on SubjectInfo, the one way transfer of access from groups to their subjects means that, when a subject is found to belong to a group, only the group subject is included in the list (after which it may chain to more equivalent identifies, etc). The group members are not included.
For deriving a list of indirectly authenticated subjects, the SubjectInfo contains a set of statements that establish subject types and relationships between subjects. There are 4 kinds of statements:
Subject is a person
Subject is an equivalent of another subject
Subject is a group
Subject is member of a group
An equivalent subject can only be the equivalent for a person. The equivalence relationship is the only one that causes each side to be granted all the rights of the other side, and so allows the two subjects to be used interchangeably. The other relationships cause one side to be granted the rights of the other side, but not the other way around. E.g.: Designating a subject as a member of a group causes the subject to be granted the rights of the group, but does not cause the group to be granted the rights of the subject.
Authorization examples¶
Given SubjectInfo:
A = person subject A, authenticated by certificate
B = person subject B
C = equivalent to A
D = equivalent to B
E = equivalent to D
F = group with members G, H, B
J = group with members K, L, F
M = group with members E, N
N = group with members C, D
Given ACL containing: D¶
D is equivalent to B
B is a Person, but it’s unauthenticated
Authorization: Denied
Given ACL containing: N¶
N is a group with members C and D
D is equivalent to B, but B is not authenticated
C is equivalent to A, and A is authenticated
Authorization: Granted
Given ACL containing: F¶
F leads to G, H, B
G -> unknown
H -> unknown
B -> person subject, but not authenticated
Authorization: Denied
-
d1_common.cert.subject_info.
extract_subjects
(subject_info_xml, primary_str)¶ Extract a set of authenticated subjects from a DataONE SubjectInfo.
See subject_info_tree for details.
- Parameters
subject_info_xml – str A SubjectInfo XML document.
primary_str – str A DataONE subject, typically a DataONE compliant serialization of the DN of the DataONE X.509 v3 certificate extension from which the SubjectInfo was extracted.
The primary subject can be viewed as the root of a tree. Any subject in the SubjectInfo that is directly or indirectly connected to the root subject is included in the returned set of authenticated subjects.
- Returns
Set of authenticated subjects. Will always include the primary subject.
All subjects in the returned set are equivalent to
primary_str
for the purpose of access control for private science objects.If SubjectInfo does not contain all relevant records, it is still considered to be valid, but the authenticated set will be incomplete.
Only the subject strings and relationships in SubjectInfo are used by this function. Other information about subjects, such as name and email address, is ignored.
No attempt should be made to infer type of subject from the content of a subject string. Subject strings should be handled as random Unicode sequences, each of which may designate an person subject, an equivalent subject, or a group subject.
To determine if an action is authorized, the returned set is checked against the authorized_set for a given object. If one or more subjects exist in both sets, the action is authorized. The check can be performed with high performance using a set union operation in Python or an inner join in Postgres.
Subject types are only known and relevant while processing the SubjectInfo type.
The type of each subject in the authenticated_subjects and allowed_subjects lists are unknown and irrelevant.
- Return type
set
Notes
Procedure:
The set of authenticated subjects is generated from the SubjectInfo and primary subject using the following procedure:
Start with empty set of subjects
Add authenticatedUser
If
subject
is not in set of subjects:Add
subject
Iterate over Person records
If Person.subject is
subject
:If Person.verified is present and set:
Add “verifiedUser”
Iterate over Person.equivalentIdentity:
Recursively add those subjects
Iterate over Person.isMemberOf
Recursively add those subjects, but ONLY check Group subjects
Iterate over Group records
If any Group.hasMember is
subject
:Recursively add Group.subject (not group members)
Handling of various invalid SubjectInfo and corner cases:
SubjectInfo XML doc that is not well formed
Return an exception that includes a useful error message with the line number of the issue
person.isMemberOf and group.hasMember should always form pairs referencing each other.
One side of the pair is missing
Process the available side as normal
person.isMemberOf subject references a person or equivalent instead of a group
Only Group subjects are searched for isMemberOf references, so only the referenced Group subject is added to the list of authorized subjects
Multiple Person or Group records conflict by using the same subject
The records are handled as equivalents
person.isMemberOf subject does not reference a known subject
If the Person containing the dangling isMemberOf IS NOT connected with the authenticated subject, the whole record, including the isMemberOf subject is simply ignored
If it IS connected with an authenticated subject, the isMemberOf subject is authenticated and recursive processing of the subject is skipped
Circular references
Handled by skipping recursive add for subjects that are already added
See the unit tests for example SubjectInfo XML documents for each of these issues and the expected results.
-
d1_common.cert.subject_info.
deserialize_subject_info
(subject_info_xml)¶ Deserialize SubjectInfo XML doc to native object.
- Parameters
subject_info_xml – str SubjectInfo XML doc
- Returns
SubjectInfo PyXB object
-
d1_common.cert.subject_info.
gen_subject_info_tree
(subject_info_pyxb, authn_subj, include_duplicates=False)¶ Convert the flat, self referential lists in the SubjectInfo to a tree structure.
- Parameters
subject_info_pyxb – SubjectInfo PyXB object
authn_subj – str The authenticated subject that becomes the root subject in the tree of subjects built from the SubjectInfo.
Only subjects that are authenticated by a direct or indirect connection to this subject are included in the tree.
include_duplicates – Include branches of the tree that contain subjects that have already been included via other branches.
If the tree is intended for rendering, including the duplicates will provide a more complete view of the SubjectInfo.
- Returns
Tree of nodes holding information about subjects that are directly or indirectly connected to the authenticated subject in the root.
- Return type
-
class
d1_common.cert.subject_info.
SubjectInfoNode
(label_str, type_str)¶ Bases:
object
Tree representation of SubjectInfo.
In SubjectInfo, nested information is represented via self- referential lists. This class holds a recursive tree of nodes which simplifies processing of SubjectInfo for client apps.
-
SUBJECT_NODE_TAG
= 'is_subject_node'¶
-
TYPE_NODE_TAG
= 'is_type_node'¶
-
add_child
(label_str, type_str)¶ Add a child node.
-
property
node_gen
¶ Generate all nodes for the tree rooted at this node.
Yields: SubjectInfoNode All nodes rooted at this node.
-
property
leaf_node_gen
¶ Generate all leaf nodes for the tree rooted at this node.
Yields: SubjectInfoNode All leaf nodes rooted at this node.
-
property
parent_gen
¶ Generate this node, then all parents from this node to the root.
Yields: SubjectInfoNode This node, then all parents from this node to the root.
-
get_path_str
(sep='/', type_str=None)¶ Get path from root to this node.
- Parameters
sep – str One or more characters to insert between each element in the path. Defaults to “/” on Unix and “” on Windows.
type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.
- Returns
String describing the path from the root to this node.
- Return type
str
-
get_leaf_node_path_list
(sep='/', type_str=None)¶ Get paths for all leaf nodes for the tree rooted at this node.
- Parameters
sep – str One or more characters to insert between each element in the path. Defaults to “/” on Unix and “” on Windows.
type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.
- Returns
The paths to the leaf nodes for the tree rooted at this node.
- Return type
list of str
-
get_path_list
(type_str=None)¶ Get list of the labels of the nodes leading up to this node from the root.
- Parameters
type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.
- Returns
The labels of the nodes leading up to this node from the root.
- Return type
list of str
-
property
is_leaf
¶ Return True if this is a leaf node (has no children)
-
get_label_set
(type_str=None)¶ Get a set of label_str for the tree rooted at this node.
- Parameters
type_str – SUBJECT_NODE_TAG, TYPE_NODE_TAG or None. If set, only include information from nodes of that type.
- Returns
The labels of the nodes leading up to this node from the root.
- Return type
set
-
get_subject_set
()¶ Get a set of subjects for the tree rooted at this node.
Returns: set: The subjects for the tree rooted at this node.
-
-
d1_common.cert.subject_info.
SubjectInfoTree
¶
d1_common.cert.subject_info_renderer module¶
d1_common.cert.subjects module¶
Extract subjects from a DataONE PEM (Base64) encoded X.509 v3 certificate.
The DataONE infrastructure uses X.509 v3 certificates to represent sessions. A session contains assertions about the identity of the caller. In particular, the session contains the primary identity, a list of equivalent identities and group memberships of the caller.
-
d1_common.cert.subjects.
extract_subjects
(cert_pem)¶ Extract subjects from a DataONE PEM (Base64) encoded X.509 v3 certificate.
- Parameters
cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate
- Returns
The primary subject string, extracted from the certificate DN.
A set of equivalent identities, group memberships and inferred symbolic subjects extracted from the SubjectInfo (if present.)
All returned subjects are DataONE compliant serializations.
A copy of the primary subject is always included in the set of equivalent identities.
- Return type
2-tuple
d1_common.cert.view_subject_info module¶
d1_common.cert.x509 module¶
Utilities for processing X.509 v3 certificates.
-
d1_common.cert.x509.
extract_subjects
(cert_pem)¶ Extract primary subject and SubjectInfo from a DataONE PEM (Base64) encoded X.509 v3 certificate.
- Parameters
cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate
- Returns
Primary subject (str) extracted from the certificate DN.
SubjectInfo (XML str) if present (see the subject_info module for parsing)
- Return type
2-tuple
-
d1_common.cert.x509.
extract_subject_from_dn
(cert_obj)¶ Serialize a DN to a DataONE subject string.
- Parameters
cert_obj – cryptography.Certificate
- Returns
Primary subject extracted from the certificate DN.
- Return type
str
The certificate DN (DistinguishedName) is a sequence of RDNs (RelativeDistinguishedName). Each RDN is a set of AVAs (AttributeValueAssertion / AttributeTypeAndValue). A DataONE subject is a plain string. As there is no single standard specifying how to create a string representation of a DN, DataONE selected one of the most common ways, which yield strings such as:
CN=Some Name A123,O=Some Organization,C=US,DC=Some Domain,DC=org
In particular, the sequence of RDNs is reversed. Attribute values are escaped, attribute type and value pairs are separated by “=”, and AVAs are joined together with “,”. If an RDN contains an unknown OID, the OID is serialized as a dotted string.
As all the information in the DN is preserved, it is not possible to create the same subject with two different DNs, and the DN can be recreated from the subject.
-
d1_common.cert.x509.
create_mn_dn
(node_urn)¶ Create a certificate DN suitable for use in Member Node client side certificates issued by DataONE, and thus in Certificate Signing Requests (CSR). The DN will be on the form:
DC=org, DC=dataone, CN=urn:node:<ID>
where <ID> typically is a short acronym for the name of the organization responsible for the Member Node.
The DN is formatted into a DataONE subject, which is used in authentication, authorization and event tracking.
- Parameters
node_urn – str Node URN. E.g.,
Production certificate:
urn:node:XYZ
. Test certificateurn:node:mnTestXYZ
.- Returns
cryptography.x509.Name
-
d1_common.cert.x509.
create_simple_dn
(common_name_str, domain_componet_list=None)¶ Create a simple certificate DN suitable for use in testing and for generating self signed CA and other certificate.
DC=local, DC=dataone, CN=<common name>
- Parameters
common_name_str – The Common Name to use for the certificate. DataONE uses simple DNs without physical location information, so only the
common_name_str
(CommonName
) needs to be specified.For Member Node Client Side certificates or CSRs,
common_name_str
is thenode_id
, e.g.,urn:node:ABCD
for production, orurn:node:mnTestABCD
for the test environments.For a local CA, something like
localCA
may be used.For a locally trusted client side certificate, something like
localClient
may be used.domain_componet_list – list Optionally set custom domain components.
fqdn_list – list of str List of Fully Qualified Domain Names (FQDN) and/or IP addresses for which this certificate will provide authentication.
E.g.: [‘my.membernode.org’, ‘1.2.3.4’]
This is mainly useful for creating a self signed server side certificate or a CSR that will be submitted to a trusted CA, such as Verisign, for signing.
- Returns
cryptography.x509.Name
-
d1_common.cert.x509.
generate_csr
(private_key_bytes, dn, fqdn_list=None)¶ Generate a Certificate Signing Request (CSR).
- Parameters
private_key_bytes – bytes Private key with which the CSR will be signed.
dn – cryptography.x509.Name The dn can be built by passing a list of cryptography.x509.NameAttribute to cryptography.x509.Name.
Simple DNs can be created with the
create_dn*
functions in this module.fqdn_list – list of str List of Fully Qualified Domain Names (FQDN) and/or IP addresses for which this certificate will provide authentication.
E.g.: [‘my.membernode.org’, ‘1.2.3.4’]
This is mainly useful for creating a self signed server side certificate or a CSR that will be submitted to a trusted CA, such as Verisign, for signing.
- Returns
cryptography.x509.CertificateSigningRequest
-
d1_common.cert.x509.
deserialize_pem
(cert_pem)¶ Deserialize PEM (Base64) encoded X.509 v3 certificate.
- Parameters
cert_pem – str or bytes PEM (Base64) encoded X.509 v3 certificate
- Returns
cryptography.Certificate
- Return type
cert_obj
-
d1_common.cert.x509.
deserialize_pem_file
(cert_path)¶ Deserialize PEM (Base64) encoded X.509 v3 certificate in file.
- Parameters
cert_path – str or bytes Path to PEM (Base64) encoded X.509 v3 certificate file
- Returns
cryptography.Certificate
- Return type
cert_obj
-
d1_common.cert.x509.
serialize_cert_to_pem
(cert_obj)¶ Serialize certificate to PEM.
The certificate can be also be a Certificate Signing Request (CSR).
- Parameters
cert_obj – cryptography.Certificate
- Returns
PEM encoded certificate
- Return type
bytes
-
d1_common.cert.x509.
extract_subject_info_extension
(cert_obj)¶ Extract DataONE SubjectInfo XML doc from certificate.
Certificates issued by DataONE may include an embedded XML doc containing additional information about the subject specified in the certificate DN. If present, the doc is stored as an extension with an OID specified by DataONE and formatted as specified in the DataONE SubjectInfo schema definition.
- Parameters
cert_obj – cryptography.Certificate
- Returns
SubjectInfo XML doc if present, else None
- Return type
str
-
d1_common.cert.x509.
download_as_der
(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)¶ Download public certificate from a TLS/SSL web server as DER encoded
bytes
.If the certificate is being downloaded in order to troubleshoot validation issues, the download itself may fail due to the validation issue that is being investigated. To work around such chicken-and-egg problems, temporarily wrap calls to the download_* functions with the
disable_cert_validation()
context manager (also in this module).- Parameters
base_url – str A full URL to a DataONE service endpoint or a server hostname
timeout_sec – int or float Timeout for the SSL socket operations
- Returns
The server’s public certificate as DER encoded bytes.
- Return type
bytes
-
d1_common.cert.x509.
download_as_pem
(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)¶ Download public certificate from a TLS/SSL web server as PEM encoded string.
Also see download_as_der().
- Parameters
base_url – str A full URL to a DataONE service endpoint or a server hostname
timeout_sec – int or float Timeout for the SSL socket operations
- Returns
The certificate as a PEM encoded string.
- Return type
str
-
d1_common.cert.x509.
download_as_obj
(base_url='https://cn.dataone.org/cn', timeout_sec=60.0)¶ Download public certificate from a TLS/SSL web server as Certificate object.
Also see download_as_der().
- Parameters
base_url – str A full URL to a DataONE service endpoint or a server hostname
timeout_sec – int or float Timeout for the SSL socket operations
- Returns
cryptography.Certificate
-
d1_common.cert.x509.
decode_der
(cert_der)¶ Decode cert DER string to Certificate object.
- Parameters
cert_der – Certificate as a DER encoded string
- Returns
cryptography.Certificate()
-
d1_common.cert.x509.
disable_cert_validation
()¶ Context manager to temporarily disable certificate validation in the standard SSL library.
Note: This should not be used in production code but is sometimes useful for troubleshooting certificate validation issues.
By design, the standard SSL library does not provide a way to disable verification of the server side certificate. However, a patch to disable validation is described by the library developers. This context manager allows applying the patch for specific sections of code.
-
d1_common.cert.x509.
extract_issuer_ca_cert_url
(cert_obj)¶ Extract issuer CA certificate URL from certificate.
Certificates may include a URL where the root certificate for the CA which was used for signing the certificate can be downloaded. This function returns the URL if present.
The primary use for this is to fix validation failure due to non-trusted issuer by downloading the root CA certificate from the URL and installing it in the local trust store.
- Parameters
cert_obj – cryptography.Certificate
- Returns
Issuer certificate URL if present, else None
- Return type
str
-
d1_common.cert.x509.
serialize_private_key_to_pem
(private_key, passphrase_bytes=None)¶ Serialize private key to PEM.
- Parameters
private_key
passphrase_bytes
- Returns
PEM encoded private key
- Return type
bytes
-
d1_common.cert.x509.
generate_private_key
(key_size=2048)¶ Generate a private key.
-
d1_common.cert.x509.
get_public_key_pem
(cert_obj)¶ Extract public key from certificate as PEM encoded PKCS#1.
- Parameters
cert_obj – cryptography.Certificate
- Returns
PEM encoded PKCS#1 public key.
- Return type
bytes
-
d1_common.cert.x509.
save_pem
(pem_path, pem_bytes)¶ Save PEM encoded bytes to file.
-
d1_common.cert.x509.
load_csr
(pem_path)¶ Load CSR from PEM encoded file.
-
d1_common.cert.x509.
load_private_key
(pem_path, passphrase_bytes=None)¶ Load private key from PEM encoded file.
-
d1_common.cert.x509.
generate_cert
(ca_issuer, ca_key, csr_subject, csr_pub_key)¶
-
d1_common.cert.x509.
serialize_cert_to_der
(cert_obj)¶ Serialize certificate to DER.
- Parameters
cert_obj – cryptography.Certificate
- Returns
DER encoded certificate
- Return type
bytes
-
d1_common.cert.x509.
generate_ca_cert
(dn, private_key, fqdn_str=None, public_ip=None, private_ip=None, valid_days=3650)¶ - Parameters
dn – cryptography.x509.Name A cryptography.x509.Name holding a sequence of cryptography.x509.NameAttribute objects.
See the create_dn* functions.
private_key – RSAPrivateKey, etc
fqdn_str
public_ip
private_ip
valid_days – int Number of days from now until the certificate expires.
Returns:
-
d1_common.cert.x509.
input_key_passphrase
(applicable_str='private key')¶
-
d1_common.cert.x509.
check_cert_type
(cert)¶
-
d1_common.cert.x509.
rdn_escape
(rdn_str)¶ Escape string for use as an RDN (RelativeDistinguishedName)
The following chars must be escaped in RDNs: , = + < > # ; “
- Parameters
rdn_str – str
- Returns
Escaped string ready for use in an RDN (.)
- Return type
str
-
d1_common.cert.x509.
log_cert_info
(logger, msg_str, cert_obj)¶ Dump basic certificate values to the log.
- Parameters
logger – Logger Logger to which to write the certificate values.
msg_str – str A message to write to the log before the certificate values.
cert_obj – cryptography.Certificate Certificate containing values to log.
- Returns
None
-
d1_common.cert.x509.
get_cert_info_list
(cert_obj)¶ Get a list of certificate values.
- Parameters
cert_obj – cryptography.Certificate Certificate containing values to retrieve.
- Returns
Certificate value name, value
- Return type
list of tup
-
d1_common.cert.x509.
get_extension_by_name
(cert_obj, extension_name)¶ Get a standard certificate extension by attribute name.
- Parameters
cert_obj – cryptography.Certificate Certificate containing a standard extension.
extension_name – str Extension name. E.g., ‘SUBJECT_DIRECTORY_ATTRIBUTES’.
- Returns
Cryptography.Extension