.\" Man page generated from reStructuredText. . . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .TH "PKI-PYTHON-CLIENT" "1" "Feb 07, 2023" "@APPLICATION_VERSION@" "Dogtag Certificate System" .SH NAME pki-python-client \- Dogtag Python Client API .sp Dogtag is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. These pages document the Python client API that can be used to interact with Dogtag\(aqs REST API to request and issue certificates, store secrets in the KRA etc. .SH PKI PACKAGE .SS \fI\%pki\fP Package .sp This module contains top\-level classes and functions used by the Dogtag project. .INDENT 0.0 .TP .B class pki.Attribute(name, value) Bases: \fBobject\fP .sp Class representing a key/value pair. .sp This object is the basis of the representation of a ResourceMessage. .UNINDENT .INDENT 0.0 .TP .B class pki.AttributeList Bases: \fBobject\fP .sp Class representing a list of attributes. .sp This class is needed because of a JavaMapper used in the REST API. .UNINDENT .INDENT 0.0 .TP .B exception pki.BadRequestException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Bad Request Exception: return code = 400 .UNINDENT .INDENT 0.0 .TP .B exception pki.CertNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp Cert Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B exception pki.ConflictingOperationException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Conflicting Operation Exception: return code = 409 .UNINDENT .INDENT 0.0 .TP .B class pki.FIPS Bases: \fBobject\fP .INDENT 7.0 .TP .B static is_enabled() .UNINDENT .UNINDENT .INDENT 0.0 .TP .B exception pki.ForbiddenException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Forbidden Exception: return code = 403 .UNINDENT .INDENT 0.0 .TP .B exception pki.GroupNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp Group Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B exception pki.HTTPGoneException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Gone Exception: return code = 410 .UNINDENT .INDENT 0.0 .TP .B exception pki.KeyNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp Key Not Found Exception: return code 404 .UNINDENT .INDENT 0.0 .TP .B exception pki.PKIException(message, exception=None, code=None, class_name=None) Bases: \fBException\fP, \fI\%ResourceMessage\fP .sp Base exception class for REST Interface .INDENT 7.0 .TP .B classmethod from_json(json_value) Construct PKIException from JSON. :param json_value: JSON representation of the exception. :type json_value: str :return: pki.PKIException .UNINDENT .UNINDENT .INDENT 0.0 .TP .B exception pki.ProfileNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp Profile Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B class pki.PropertyFile(filename, delimiter=\(aq=\(aq) Bases: \fBobject\fP .sp Class to manage property files The contents of the property file are maintained internally as a list of properties. .sp Properties are strings of the format where \(aq=\(aq is the default delimiter. .INDENT 7.0 .TP .B get(name) Get the value of the specified property. .INDENT 7.0 .TP .B Parameters \fBname\fP (\fIstr\fP) \-\- name of property to be fetched. .TP .B Returns str \-\- value of property .UNINDENT .UNINDENT .INDENT 7.0 .TP .B index(name) Find the index (position) of a property in a property file. .INDENT 7.0 .TP .B Parameters \fBname\fP (\fIstr\fP) \-\- name of property .TP .B Returns int \-\- index of property. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B insert_line(index, line) Insert property into the list of properties maintained by this object at the specified location (index). .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBindex\fP (\fIint\fP) \-\- point at which to insert value. .IP \(bu 2 \fBline\fP (\fIstr\fP) \-\- value to be inserted. .UNINDENT .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B read() Read from property file into the list of properties maintained by this object. .INDENT 7.0 .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B remove(name) Remove property from list of properties maintained by this object. .INDENT 7.0 .TP .B Parameters \fBname\fP (\fIstr\fP) \-\- name of property to be removed. .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B remove_line(index) Remove property at specified index from the properties list. .INDENT 7.0 .TP .B Parameters \fBindex\fP (\fIint\fP) \-\- location of property to be removed. .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B set(name, value, index=None) Set value of specified property. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBname\fP (\fIstr\fP) \-\- name of property to set. .IP \(bu 2 \fBvalue\fP (\fIstr\fP) \-\- value to set .IP \(bu 2 \fBindex\fP (\fIint\fP) \-\- (optional) position of property .UNINDENT .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B show() Print the contents of the list of properties maintained by this object to STDOUT. .INDENT 7.0 .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B write() Write the list of properties maintained by this object to the property file. .INDENT 7.0 .TP .B Returns None .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B exception pki.RequestNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp Request Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B class pki.ResourceMessage(class_name) Bases: \fBobject\fP .sp This class is the basis for the various types of key requests. It is essentially a list of attributes. .INDENT 7.0 .TP .B add_attribute(name, value) Add an attribute to the list. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBname\fP (\fIstr\fP) \-\- name of attribute to add .IP \(bu 2 \fBvalue\fP (\fIstr\fP) \-\- value to add .UNINDENT .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get_attribute_value(name) Get the value of a given attribute. .INDENT 7.0 .TP .B Parameters \fBname\fP (\fIstr\fP) \-\- name of attribute to retrieve .TP .B Returns str \-\- value of parameter .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B exception pki.ResourceNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B exception pki.UnauthorizedException(message, exception=None, code=None, class_name=None) Bases: \fI\%PKIException\fP .sp Unauthorized Exception: return code = 401 .UNINDENT .INDENT 0.0 .TP .B exception pki.UserNotFoundException(message, exception=None, code=None, class_name=None) Bases: \fI\%ResourceNotFoundException\fP .sp User Not Found Exception: return code = 404 .UNINDENT .INDENT 0.0 .TP .B pki.convert_x509_name_to_dn(name) Convert X.509 Name into NSS\-style DN string. .sp See also: \- \fI\%https://cryptography.io/en/latest/x509/reference.html#cryptography.x509.Name\fP \- \fI\%https://cryptography.io/en/latest/x509/reference.html#cryptography.x509.RelativeDistinguishedName\fP \- \fI\%https://cryptography.io/en/latest/x509/reference.html#cryptography.x509.NameAttribute\fP \- \fI\%https://cryptography.io/en/latest/x509/reference.html#cryptography.x509.ObjectIdentifier\fP .INDENT 7.0 .TP .B Parameters \fBname\fP (\fIcryptography.x509.Name\fP) \-\- X.509 Name .TP .B Returns str \-\- DN string. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.generate_password(charset=\(aq0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#*+,\-./:;^_|~\(aq, length=12) This function generates FIPS\-compliant password. .sp See sftk_newPinCheck() in the following file: \fI\%https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c\fP .sp The minimum password length is FIPS_MIN_PIN Unicode characters. .INDENT 7.0 .TP .B The password must contain at least 3 character classes: .INDENT 7.0 .IP \(bu 2 digits (string.digits) .IP \(bu 2 ASCII lowercase letters (string.ascii_lowercase) .IP \(bu 2 ASCII uppercase letters (string.ascii_uppercase) .IP \(bu 2 ASCII non\-alphanumeric characters (PUNCTUATIONS) .IP \(bu 2 non\-ASCII characters .UNINDENT .UNINDENT .sp If an ASCII uppercase letter is the first character of the password, the uppercase letter is not counted toward its character class. .sp If a digit is the last character of the password, the digit is not counted toward its character class. .sp The FIPS_MIN_PIN is defined in the following file: \fI\%https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h\fP .sp #define FIPS_MIN_PIN 7 .UNINDENT .INDENT 0.0 .TP .B pki.get_info(name) .UNINDENT .INDENT 0.0 .TP .B pki.handle_exceptions() Decorator handling exceptions from REST methods. .UNINDENT .INDENT 0.0 .TP .B pki.implementation_version() Return implementation version. .INDENT 7.0 .TP .B Returns str \-\- implementation version .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.specification_version() Return specification version. .INDENT 7.0 .TP .B Returns str \-\- specification version .UNINDENT .UNINDENT .SS \fBaccount\fP Module .INDENT 0.0 .TP .B class pki.account.AccountClient(connection, subsystem=None) Bases: \fBobject\fP .sp Class used to associate an authentication session variable with a connection. .INDENT 7.0 .TP .B To use this class: .INDENT 7.0 .IP \(bu 2 set the authentication credentials with the connection, .IP \(bu 2 create an AccountClient and then call login(). .IP \(bu 2 further operations in this session will use the same authentication credentials without re\-authentication. .IP \(bu 2 call logout() to invalidate the session. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B login() Login to account REST interface. If login is successful, an authentication session variable is associated with the connection. .INDENT 7.0 .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B logout() Logs out of the session. Authentication session variables are invalidated for the connection .INDENT 7.0 .TP .B Returns None .UNINDENT .UNINDENT .UNINDENT .SS \fBcert\fP Module .INDENT 0.0 .TP .B class pki.cert.CertClient(connection) Bases: \fBobject\fP .sp Class encapsulating and mirroring the functionality in the CertResource Java interface class defining the REST API for Certificate resources. .INDENT 7.0 .TP .B approve_request(request_id, cert_review_response=None) Approves a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B assign_request(request_id, cert_review_response) Assigns a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B cancel_request(request_id, cert_review_response=None) Cancels a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B create_enrollment_request(profile_id, inputs) Fetches the enrollment request object for the given profile and sets values to its attributes using the values provided in the inputs dictionary. Returns the CertEnrollmentRequest object, which can be submitted to enroll a certificate. .UNINDENT .INDENT 7.0 .TP .B enroll_cert(profile_id, inputs, authority=None) A convenience method for enrolling a certificate for a given profile id. The inputs parameter should be a dictionary with values for the profile attributes for an enrollment request. .sp Calling this method with valid arguments, creates an enrollment request, submits it to the server, approves the certificate requests generated for the enrollment and returns a list of CertData objects for all the certificates generated as part of this enrollment. .sp Note: This method supports only certificate enrollment where only one agent approval is sufficient. .sp Requires an agent level authentication. Returns a list of CertEnrollmentResult objects. .UNINDENT .INDENT 7.0 .TP .B get_cert(cert_serial_number) Return a CertData object for a particular certificate. .UNINDENT .INDENT 7.0 .TP .B get_enrollment_template(profile_id) Fetch the enrollment template for the given profile id. For the first time, the request is sent to the server. The retrieved CertEnrollmentRequest object is then cached locally for future requests. Returns a CerEnrollmentRequest object. .UNINDENT .INDENT 7.0 .TP .B get_request(request_id) Get information of a certificate request with the given request ID. Returns a CertRequestInfo object. .UNINDENT .INDENT 7.0 .TP .B hold_cert(cert_serial_number, comments=None, authority=None) Places a certificate on\-hold. Calls the revoke_cert method with reason \- CertRevokeRequest.REASON_CERTIFICATE_HOLD. Returns a CertRequestInfo object. This method requires an agent\(aqs authentication cert in the connection object. .UNINDENT .INDENT 7.0 .TP .B list_certs(max_results=None, max_time=None, start=None, size=None, **cert_search_params) Return a CertDataInfoCollection object with a information about all the certificates that satisfy the search criteria. If cert_search_request=None, returns all the certificates. .UNINDENT .INDENT 7.0 .TP .B list_enrollment_templates(start=None, size=None) Gets the list of profile templates supported by the CA. The values for start and size arguments determine the starting point and the length of the list. Returns a ProfileDataInfoCollection object. .UNINDENT .INDENT 7.0 .TP .B list_requests(request_status=None, request_type=None, from_request_id=None, size=None, max_results=None, max_time=None) Query for a list of certificates using the arguments passed. Returns a CertRequestInfoCollection object. .UNINDENT .INDENT 7.0 .TP .B reject_request(request_id, cert_review_response=None) Rejects a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B review_cert(cert_serial_number) Reviews a certificate. Returns a CertData object with a nonce. This method requires an agent\(aqs authentication cert in the connection object. .UNINDENT .INDENT 7.0 .TP .B review_request(request_id) Reviews a certificate enrollment request. Returns a CertReviewResponse object which contains the nonce from the server needed to perform an action on the request. .UNINDENT .INDENT 7.0 .TP .B revoke_ca_cert(cert_serial_number, revocation_reason=None, invalidity_date=None, comments=None, nonce=None, authority=None) Revokes a CA certificate. Returns a CertRequestInfo object with information about the request. This method requires an agent\(aqs authentication cert in the connection object. .UNINDENT .INDENT 7.0 .TP .B revoke_cert(cert_serial_number, revocation_reason=None, invalidity_date=None, comments=None, nonce=None, authority=None) Revokes a certificate. Returns a CertRequestInfo object with information about the request. This method requires an agent\(aqs authentication cert in the connection object. .UNINDENT .INDENT 7.0 .TP .B submit_enrollment_request(enrollment_request, authority=None) Submits the CertEnrollmentRequest object to the server. Returns a CertRequestInfoCollection object with information about the certificate requests enrolled at the CA. .UNINDENT .INDENT 7.0 .TP .B unassign_request(request_id, cert_review_response) Un\-assigns a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B unrevoke_cert(cert_serial_number, authority=None) Un\-revokes a revoked certificate. Returns a CertRequestInfo object. This method requires an agent\(aqs authentication cert in the connection object. .UNINDENT .INDENT 7.0 .TP .B update_request(request_id, cert_review_response) Updates a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .INDENT 7.0 .TP .B validate_request(request_id, cert_review_response) Validates a certificate enrollment request. If cert_review_response is None, a review request operation is performed to fetch the CertReviewResponse object. Requires as agent level authentication. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertData Bases: \fBobject\fP .sp Class containing certificate data as returned from getCert() .INDENT 7.0 .TP .B classmethod from_json(attr_list) Return CertData object from JSON dict .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqEncoded\(aq: \(aqencoded\(aq, \(aqIssuerDN\(aq: \(aqissuer_dn\(aq, \(aqNonce\(aq: \(aqnonce\(aq, \(aqNotAfter\(aq: \(aqnot_after\(aq, \(aqNotBefore\(aq: \(aqnot_before\(aq, \(aqPKCS7CertChain\(aq: \(aqpkcs7_cert_chain\(aq, \(aqPrettyPrint\(aq: \(aqpretty_repr\(aq, \(aqStatus\(aq: \(aqstatus\(aq, \(aqSubjectDN\(aq: \(aqsubject_dn\(aq, \(aqid\(aq: \(aqserial_number\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertDataInfo Bases: \fBobject\fP .sp Class containing information contained in a CertRecord on the CA. This data is returned when searching/listing certificate records. .INDENT 7.0 .TP .B classmethod from_json(attr_list) Return CertDataInfo object from JSON dict .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqIssuedBy\(aq: \(aqissued_by\(aq, \(aqIssuedOn\(aq: \(aqissued_on\(aq, \(aqKeyAlgorithmOID\(aq: \(aqkey_algorithm_oid\(aq, \(aqKeyLength\(aq: \(aqkey_length\(aq, \(aqNotValidAfter\(aq: \(aqnot_valid_after\(aq, \(aqNotValidBefore\(aq: \(aqnot_valid_before\(aq, \(aqStatus\(aq: \(aqstatus\(aq, \(aqSubjectDN\(aq: \(aqsubject_dn\(aq, \(aqType\(aq: \(aqtype\(aq, \(aqVersion\(aq: \(aqversion\(aq, \(aqid\(aq: \(aqserial_number\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertDataInfoCollection Bases: \fBobject\fP .sp Class containing list of CertDataInfo objects and their respective link objects. This data is returned when searching/listing certificate records in the CA. .INDENT 7.0 .TP .B classmethod from_json(json_value) Populate object from JSON input .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertEnrollmentRequest(profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, inputs=None, outputs=None) Bases: \fBobject\fP .INDENT 7.0 .TP .B This class encapsulates the parameters required for a certificate enrollment request. .UNINDENT .INDENT 7.0 .TP .B add_input(profile_input) .UNINDENT .INDENT 7.0 .TP .B add_output(profile_output) .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_input(profile_input_name) .UNINDENT .INDENT 7.0 .TP .B get_output(profile_output_name) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqInput\(aq: \(aqinputs\(aq, \(aqOutput\(aq: \(aqoutputs\(aq, \(aqProfileID\(aq: \(aqprofile_id\(aq, \(aqRemoteAddress\(aq: \(aqremote_address\(aq, \(aqRemoteHost\(aq: \(aqremote_host\(aq, \(aqRenewal\(aq: \(aqrenewal\(aq, \(aqSerialNumber\(aq: \(aqserial_number\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_input(profile_input_name) .UNINDENT .INDENT 7.0 .TP .B remove_output(profile_output_name) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertEnrollmentResult(request, cert) Bases: \fBobject\fP .sp Class containing results of an enrollment request. .sp This structure contains information about the cert request generated and any certificates issued. .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertRequestInfo Bases: \fBobject\fP .sp An object of this class stores represents a certificate request. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqcertId\(aq: \(aqcert_id\(aq, \(aqcertRequestType\(aq: \(aqcert_request_type\(aq, \(aqcertURL\(aq: \(aqcert_url\(aq, \(aqerrorMessage\(aq: \(aqerror_message\(aq, \(aqoperationResult\(aq: \(aqoperation_result\(aq, \(aqrequestStatus\(aq: \(aqrequest_status\(aq, \(aqrequestType\(aq: \(aqrequest_type\(aq, \(aqrequestURL\(aq: \(aqrequest_url\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertRequestInfoCollection Bases: \fBobject\fP .sp Class containing list of CertRequestInfo objects. This data is returned when listing certificate request records in the CA. .INDENT 7.0 .TP .B classmethod from_json(json_value) Populate object from JSON input .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertRequestStatus Bases: \fBobject\fP .sp Class containing valid cert statuses. .INDENT 7.0 .TP .B CANCELED = \(aqcanceled\(aq .UNINDENT .INDENT 7.0 .TP .B COMPLETE = \(aqcomplete\(aq .UNINDENT .INDENT 7.0 .TP .B PENDING = \(aqpending\(aq .UNINDENT .INDENT 7.0 .TP .B REJECTED = \(aqrejected\(aq .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertReviewResponse(profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, inputs=None, outputs=None, nonce=None, request_id=None, request_type=None, request_status=None, request_owner=None, request_creation_time=None, request_modification_time=None, request_notes=None, profile_approval_by=None, profile_set_id=None, profile_is_visible=None, profile_name=None, profile_description=None, profile_remote_host=None, profile_remote_address=None, policy_sets=None) Bases: \fI\%CertEnrollmentRequest\fP .sp An object of this class represent the response from the server when reviewing a certificate enrollment request. It contains a nonce required to perform action on the request. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqInput\(aq: \(aqinputs\(aq, \(aqOutput\(aq: \(aqoutputs\(aq, \(aqProfileID\(aq: \(aqprofile_id\(aq, \(aqProfilePolicySet\(aq: \(aqpolicy_sets\(aq, \(aqRemoteAddress\(aq: \(aqremote_address\(aq, \(aqRemoteHost\(aq: \(aqremote_host\(aq, \(aqRenewal\(aq: \(aqrenewal\(aq, \(aqSerialNumber\(aq: \(aqserial_number\(aq, \(aqprofileApprovedBy\(aq: \(aqprofile_approved_by\(aq, \(aqprofileDescription\(aq: \(aqprofile_description\(aq, \(aqprofileIsVisible\(aq: \(aqprofile_is_visible\(aq, \(aqprofileName\(aq: \(aqprofile_name\(aq, \(aqprofileRemoteAddr\(aq: \(aqprofile_remote_address\(aq, \(aqprofileRemoteHost\(aq: \(aqprofile_remote_host\(aq, \(aqprofileSetId\(aq: \(aqprofile_set_id\(aq, \(aqrequestCreationTime\(aq: \(aqrequest_creation_time\(aq, \(aqrequestId\(aq: \(aqrequest_id\(aq, \(aqrequestModificationTime\(aq: \(aqrequest_modification_time\(aq, \(aqrequestNotes\(aq: \(aqrequest_notes\(aq, \(aqrequestOwner\(aq: \(aqrequest_owner\(aq, \(aqrequestStatus\(aq: \(aqrequest_status\(aq, \(aqrequestType\(aq: \(aqrequest_type\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertRevokeRequest(nonce, reason=None, invalidity_date=None, comments=None) Bases: \fBobject\fP .sp An object of this class encapsulates all the parameters required for revoking a certificate. .INDENT 7.0 .TP .B Valid values for reasons for revoking a request are: \(aqUnspecified\(aq, \(aqKey_Compromise\(aq, \(aqCA_Compromise\(aq, \(aqAffiliation_Changed\(aq, \(aqSuperseded\(aq, \(aqCessation_of_Operation\(aq, \(aqCertificate_Hold\(aq, \(aqRemove_from_CRL\(aq, \(aqPrivilege_Withdrawn\(aq, \(aqAA_Compromise\(aq .UNINDENT .INDENT 7.0 .TP .B reasons = [\(aqUnspecified\(aq, \(aqKey_Compromise\(aq, \(aqCA_Compromise\(aq, \(aqAffiliation_Changed\(aq, \(aqSuperseded\(aq, \(aqCessation_of_Operation\(aq, \(aqCertificate_Hold\(aq, \(aqRemove_from_CRL\(aq, \(aqPrivilege_Withdrawn\(aq, \(aqAA_Compromise\(aq] .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.cert.CertSearchRequest(**cert_search_params) Bases: \fBobject\fP .sp An object of this class is used to store the search parameters and send them to server. .INDENT 7.0 .TP .B search_params = {\(aqcert_type_secure_email\(aq: \(aqcertTypeSecureEmail\(aq, \(aqcert_type_ssl_client\(aq: \(aqcertTypeSSLClient\(aq, \(aqcert_type_ssl_server\(aq: \(aqcertTypeSSLServer\(aq, \(aqcert_type_sub_email_ca\(aq: \(aqcertTypeSubEmailCA\(aq, \(aqcert_type_sub_ssl_ca\(aq: \(aqcertTypeSubSSLCA\(aq, \(aqcommon_name\(aq: \(aqcommonName\(aq, \(aqcountry\(aq: \(aqcountry\(aq, \(aqemail\(aq: \(aqeMail\(aq, \(aqissued_by\(aq: \(aqissuedBy\(aq, \(aqissued_on_from\(aq: \(aqissuedOnFrom\(aq, \(aqissued_on_to\(aq: \(aqissuedOnTo\(aq, \(aqlocality\(aq: \(aqlocality\(aq, \(aqmatch_exactly\(aq: \(aqmatchExactly\(aq, \(aqorg\(aq: \(aqorg\(aq, \(aqorg_unit\(aq: \(aqorgUnit\(aq, \(aqrevocation_reason\(aq: \(aqrevocationReason\(aq, \(aqrevoked_by\(aq: \(aqrevokedBy\(aq, \(aqrevoked_on_from\(aq: \(aqrevokedOnFrom\(aq, \(aqrevoked_on_to\(aq: \(aqrevokedOnTo\(aq, \(aqserial_from\(aq: \(aqserialFrom\(aq, \(aqserial_to\(aq: \(aqserialTo\(aq, \(aqstate\(aq: \(aqstate\(aq, \(aqstatus\(aq: \(aqstatus\(aq, \(aquser_id\(aq: \(aquserID\(aq, \(aqvalid_not_after_from\(aq: \(aqvalidNotAfterFrom\(aq, \(aqvalid_not_after_to\(aq: \(aqvalidNotAfterTo\(aq, \(aqvalid_not_before_from\(aq: \(aqvalidNotBeforeFrom\(aq, \(aqvalid_not_before_to\(aq: \(aqvalidNotBeforeTo\(aq, \(aqvalidity_count\(aq: \(aqvalidityCount\(aq, \(aqvalidity_operation\(aq: \(aqvalidityOperation\(aq, \(aqvalidity_unit\(aq: \(aqvalidityUnit\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.cert.main() .UNINDENT .SS \fBclient\fP Module .INDENT 0.0 .TP .B class pki.client.PKIConnection(protocol=\(aqhttp\(aq, hostname=\(aqlocalhost\(aq, port=\(aq8080\(aq, subsystem=None, accept=\(aqapplication/json\(aq, trust_env=None, verify=True, cert_paths=None) Bases: \fBobject\fP .sp Class to encapsulate the connection between the client and a Dogtag subsystem. .INDENT 7.0 .TP .B authenticate(username=None, password=None) Set the parameters used for authentication if username/password is to be used. Both username and password must not be None. Note that this method only sets the parameters. Actual authentication occurs when the connection is attempted, .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBusername\fP \-\- username to authenticate connection .IP \(bu 2 \fBpassword\fP \-\- password to authenticate connection .UNINDENT .TP .B Returns None .UNINDENT .UNINDENT .INDENT 7.0 .TP .B delete(path, headers=None, use_root_uri=False) Uses python\-requests to issue a DEL request to the server. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBpath\fP (\fIstr\fP) \-\- path URI for the DEL request .IP \(bu 2 \fBheaders\fP (\fIdict\fP) \-\- headers for the DEL request .IP \(bu 2 \fBuse_root_uri\fP (\fIboolean\fP) \-\- use root URI instead of subsystem URI as base .UNINDENT .TP .B Returns request.response \-\- response from the server .TP .B Raises Exception from python\-requests in case the DEL was not successful, or returns an error code. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get(path, headers=None, params=None, payload=None, use_root_uri=False, timeout=None) Uses python\-requests to issue a GET request to the server. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBpath\fP (\fIstr\fP) \-\- path URI for the GET request .IP \(bu 2 \fBheaders\fP (\fIdict\fP) \-\- headers for the GET request .IP \(bu 2 \fBparams\fP (\fIdict\fP\fI or \fP\fIbytes\fP) \-\- Query parameters for the GET request .IP \(bu 2 \fBpayload\fP (\fIdict\fP\fI, \fP\fIbytes\fP\fI, \fP\fIfile\-like object\fP) \-\- data to be sent in the body of the request .IP \(bu 2 \fBuse_root_uri\fP (\fIboolean\fP) \-\- use root URI instead of subsystem URI as base .UNINDENT .TP .B Returns request.response \-\- response from the server .TP .B Raises Exception from python\-requests in case the GET was not successful, or returns an error code. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B post(path, payload, headers=None, params=None, use_root_uri=False) Uses python\-requests to issue a POST request to the server. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBpath\fP (\fIstr\fP) \-\- path URI for the POST request .IP \(bu 2 \fBpayload\fP (\fIdict\fP\fI, \fP\fIbytes\fP\fI, \fP\fIfile\-like object\fP) \-\- data to be sent in the body of the request .IP \(bu 2 \fBheaders\fP (\fIdict\fP) \-\- headers for the POST request .IP \(bu 2 \fBparams\fP (\fIdict\fP\fI or \fP\fIbytes\fP) \-\- Query parameters for the POST request .IP \(bu 2 \fBuse_root_uri\fP (\fIboolean\fP) \-\- use root URI instead of subsystem URI as base .UNINDENT .TP .B Returns request.response \-\- response from the server .TP .B Raises Exception from python\-requests in case the POST was not successful, or returns an error code. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B put(path, payload, headers=None, use_root_uri=False) Uses python\-requests to issue a PUT request to the server. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBpath\fP (\fIstr\fP) \-\- path URI for the PUT request .IP \(bu 2 \fBpayload\fP (\fIdict\fP\fI, \fP\fIbytes\fP\fI, \fP\fIfile\-like object\fP) \-\- data to be sent in the body of the request .IP \(bu 2 \fBheaders\fP (\fIdict\fP) \-\- headers for the PUT request .IP \(bu 2 \fBuse_root_uri\fP (\fIboolean\fP) \-\- use root URI instead of subsystem URI as base .UNINDENT .TP .B Returns request.response \-\- response from the server .TP .B Raises Exception from python\-requests in case the PUT was not successful, or returns an error code. .UNINDENT .UNINDENT .INDENT 7.0 .TP .B set_authentication_cert(pem_cert_path, pem_key_path=None) Set the path to the PEM file containing the certificate and private key for the client certificate to be used for authentication to the server, when client certificate authentication is required. The private key may optionally be stored in a different path. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBpem_cert_path\fP (\fIstr\fP) \-\- path to the PEM file .IP \(bu 2 \fBpem_key_path\fP (\fIstr\fP) \-\- path to the PEM\-formatted private key file .UNINDENT .TP .B Returns None .TP .B Raises Exception if path is empty or None. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.client.SSLContextAdapter(pool_connections=10, pool_maxsize=10, max_retries=0, pool_block=False, verify=True, cert_paths=None) Bases: \fBHTTPAdapter\fP .sp Custom SSLContext Adapter for requests .INDENT 7.0 .TP .B init_poolmanager(connections, maxsize, block=False, **pool_kwargs) Initializes a urllib3 PoolManager. .sp This method should not be called from user code, and is only exposed for use when subclassing the \fBHTTPAdapter\fP\&. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBconnections\fP \-\- The number of urllib3 connection pools to cache. .IP \(bu 2 \fBmaxsize\fP \-\- The maximum number of connections to save in the pool. .IP \(bu 2 \fBblock\fP \-\- Block when no free connections are available. .IP \(bu 2 \fBpool_kwargs\fP \-\- Extra keyword arguments used to initialize the Pool Manager. .UNINDENT .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.client.catch_insecure_warning(func) Temporary silence InsecureRequestWarning .sp PKIConnection is not able to verify HTTPS connections yet. This decorator catches the warning. .INDENT 7.0 .TP .B See \fI\%https://fedorahosted.org/pki/ticket/1253\fP .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.client.main() Test code for the PKIConnection class. :return: None .UNINDENT .SS \fBcrypto\fP Module .sp Module containing crypto classes. .INDENT 0.0 .TP .B class pki.crypto.CryptoProvider Bases: \fBobject\fP .sp Abstract class containing methods to do cryptographic operations. .INDENT 7.0 .TP .B abstract asymmetric_wrap(data, wrapping_cert, mechanism=None) encrypt a symmetric key with the public key of a transport cert. .sp The mechanism is the type of symmetric key, which defaults to a 56 bit DES3 key. .UNINDENT .INDENT 7.0 .TP .B abstract generate_nonce_iv(mechanism) Create a random initialization vector .UNINDENT .INDENT 7.0 .TP .B abstract generate_session_key() Generate a session key to be used for wrapping data to the DRM This must return a 3DES 168 bit key .UNINDENT .INDENT 7.0 .TP .B abstract generate_symmetric_key(mechanism=None, size=0) Generate and return a symmetric key .UNINDENT .INDENT 7.0 .TP .B abstract get_cert(cert_nick) Get the certificate for the specified cert_nick. .UNINDENT .INDENT 7.0 .TP .B abstract get_supported_algorithm_keyset() returns highest supported algorithm keyset .UNINDENT .INDENT 7.0 .TP .B abstract initialize() Initialization code .UNINDENT .INDENT 7.0 .TP .B abstract key_unwrap(mechanism, data, wrapping_key, nonce_iv) Unwrap data that has been key wrapped using AES KeyWrap .UNINDENT .INDENT 7.0 .TP .B abstract set_algorithm_keyset(level) sets required keyset .UNINDENT .INDENT 7.0 .TP .B abstract symmetric_unwrap(data, wrapping_key, mechanism=None, nonce_iv=None) decrypt data originally encrypted with symmetric key (wrapping key) .sp We expect the data and nonce_iv values to be base64 encoded. The mechanism is the type of key used to do the wrapping. It defaults to a 56 bit DES3 key. .UNINDENT .INDENT 7.0 .TP .B abstract symmetric_wrap(data, wrapping_key, mechanism=None, nonce_iv=None) encrypt data using a symmetric key (wrapping key) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.crypto.CryptographyCryptoProvider(transport_cert_nick, transport_cert, backend=) Bases: \fI\%CryptoProvider\fP .sp Class that defines python\-cryptography implementation of CryptoProvider. Requires a PEM file containing the agent cert to be initialized. .sp Note that all inputs and outputs are unencoded. .INDENT 7.0 .TP .B asymmetric_wrap(data, wrapping_cert, mechanism=None) :param data Data to be wrapped :param wrapping_cert Public key to wrap data :param mechanism algorithm of symmetric key to be wrapped .sp Wrap (encrypt) data using the supplied asymmetric key .UNINDENT .INDENT 7.0 .TP .B generate_nonce_iv(mechanism=\(aqAES\(aq) Create a random initialization vector .UNINDENT .INDENT 7.0 .TP .B generate_session_key() Returns a session key to be used when wrapping secrets for the DRM. .UNINDENT .INDENT 7.0 .TP .B generate_symmetric_key(mechanism=None, size=0) Returns a symmetric key. .UNINDENT .INDENT 7.0 .TP .B get_cert(cert_nick) :param cert_nick Nickname for the certificate to be returned. .UNINDENT .INDENT 7.0 .TP .B get_supported_algorithm_keyset() returns highest supported algorithm keyset .UNINDENT .INDENT 7.0 .TP .B initialize() Any operations here that need to be performed before crypto operations. .UNINDENT .INDENT 7.0 .TP .B key_unwrap(mechanism, data, wrapping_key, nonce_iv) :param mechanism key wrapping mechanism :param data: data to unwrap :param wrapping_key: AES key used to wrap data :param nonce_iv Nonce data :return: unwrapped data .sp Unwrap the encrypted data which has been wrapped using a KeyWrap mechanism. .UNINDENT .INDENT 7.0 .TP .B set_algorithm_keyset(level) sets required keyset .UNINDENT .INDENT 7.0 .TP .B symmetric_unwrap(data, wrapping_key, mechanism=None, nonce_iv=None) :param data Data to be unwrapped :param wrapping_key Symmetric key to unwrap data :param mechanism Mechanism to use when unwrapping :param nonce_iv iv data .sp Unwrap (decrypt) data using the supplied symmetric key .UNINDENT .INDENT 7.0 .TP .B symmetric_wrap(data, wrapping_key, mechanism=None, nonce_iv=None) :param data Data to be wrapped :param wrapping_key Symmetric key to wrap data :param mechanism Mechanism to use for wrapping key :param nonce_iv Nonce for initialization vector .sp Wrap (encrypt) data using the supplied symmetric key .UNINDENT .UNINDENT .SS \fBencoder\fP Module .INDENT 0.0 .TP .B pki.encoder.CustomTypeDecoder(dct) .UNINDENT .INDENT 0.0 .TP .B class pki.encoder.CustomTypeEncoder(*, skipkeys=False, ensure_ascii=True, check_circular=True, allow_nan=True, sort_keys=False, indent=None, separators=None, default=None) Bases: \fBJSONEncoder\fP .sp A custom JSONEncoder class that knows how to encode core custom objects. .sp Custom objects are encoded as JSON object literals (ie, dicts) with one key, \(aqTypeName\(aq where \(aqTypeName\(aq is the actual name of the type to which the object belongs. That single key maps to another object literal which is just the __dict__ of the object encoded. .sp Reason for ignoring the error: E0202 \- An attribute affected in json.encoder line 157 hide this method reported by pylint: .sp The error is in json.encoder.JSONEncoder class. There is a default method (which is overridden here) and also a class attribute self.default initialized in the init method of the class. The intention of such usage being that a custom default method object can be passed to init when creating an instance of JSONEncoder, which is then assigned to class\(aqs default method. (which is valid) But pylint raises an issue due to the usage of same name for a method and an attribute in which case the attribute definition hides the method. The reason and example for the issue: (top rated comment) .INDENT 7.0 .INDENT 3.5 \fI\%http://stackoverflow.com/questions/12949064/python\-what\-happens\fP\- when\-instance\-variable\-name\-is\-same\-as\-method\-name .UNINDENT .UNINDENT .INDENT 7.0 .TP .B static attr_name_conversion(attr_dict, object_class) .UNINDENT .INDENT 7.0 .TP .B default(o) Implement this method in a subclass such that it returns a serializable object for \fBo\fP, or calls the base implementation (to raise a \fBTypeError\fP). .sp For example, to support arbitrary iterators, you could implement default like this: .INDENT 7.0 .INDENT 3.5 .sp .nf .ft C def default(self, o): try: iterable = iter(o) except TypeError: pass else: return list(iterable) # Let the base class default method raise the TypeError return JSONEncoder.default(self, o) .ft P .fi .UNINDENT .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.encoder.decode_cert(data) base64 decode X.509 certificate .INDENT 7.0 .TP .B Parameters \fBdata\fP (\fIstr\fP\fI, \fP\fIbytes\fP) \-\- data as bytes or ASCII text .TP .B Return type bytes .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.encoder.encode_cert(data) base64 encode X.509 certificate .sp Python 3\(aqs base64.b64encode() doesn\(aqt support ASCII text. .INDENT 7.0 .TP .B Parameters \fBdata\fP (\fIstr\fP\fI, \fP\fIbytes\fP) \-\- data as bytes or ASCII text .TP .B Return type bytes .UNINDENT .UNINDENT .SS \fBkey\fP Module .sp Module containing the Python client classes for the KeyClient and KeyRequestClient REST API on a DRM .INDENT 0.0 .TP .B class pki.key.AsymKeyGenerationRequest(client_key_id=None, key_size=None, key_algorithm=None, key_usages=None, trans_wrapped_session_key=None, realm=None) Bases: \fI\%ResourceMessage\fP .sp Class representing the data sent to the DRM when generating and archiving asymmetric keys in the DRM. .INDENT 7.0 .TP .B DECRYPT_USAGE = \(aqdecrypt\(aq .UNINDENT .INDENT 7.0 .TP .B DERIVE_USAGE = \(aqderive\(aq .UNINDENT .INDENT 7.0 .TP .B ENCRYPT_USAGE = \(aqencrypt\(aq .UNINDENT .INDENT 7.0 .TP .B SIGN_RECOVER_USAGE = \(aqsign_recover\(aq .UNINDENT .INDENT 7.0 .TP .B SIGN_USAGE = \(aqsign\(aq .UNINDENT .INDENT 7.0 .TP .B UNWRAP_USAGE = \(aqunwrap\(aq .UNINDENT .INDENT 7.0 .TP .B VERIFY_RECOVER_USAGE = \(aqverify_recover\(aq .UNINDENT .INDENT 7.0 .TP .B VERIFY_USAGE = \(aqverify\(aq .UNINDENT .INDENT 7.0 .TP .B WRAP_USAGE = \(aqwrap\(aq .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.Key(key_data) Bases: \fBobject\fP .sp An instance of this class stores the decoded encrypted secret present in the KeyData object passed in the constructor. All the key retrieval requests return this object. .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyArchivalRequest(client_key_id=None, data_type=None, wrapped_private_data=None, trans_wrapped_session_key=None, pki_archive_options=None, algorithm_oid=None, symkey_params=None, key_algorithm=None, key_size=None, realm=None) Bases: \fI\%ResourceMessage\fP .sp Class representing the object sent to the DRM when archiving a secret. .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyClient(connection, crypto, transport_cert_nick=None, info_client=None) Bases: \fBobject\fP .sp Class that encapsulates and mirrors the functions in the KeyResource and KeyRequestResource Java classes in the DRM REST API. .INDENT 7.0 .TP .B AES_ALGORITHM = \(aqAES\(aq .UNINDENT .INDENT 7.0 .TP .B ASYMMETRIC_KEY_TYPE = \(aqasymmetricKey\(aq .UNINDENT .INDENT 7.0 .TP .B DES3_ALGORITHM = \(aqDES3\(aq .UNINDENT .INDENT 7.0 .TP .B DESEDE_ALGORITHM = \(aqDESede\(aq .UNINDENT .INDENT 7.0 .TP .B DES_ALGORITHM = \(aqDES\(aq .UNINDENT .INDENT 7.0 .TP .B DSA_ALGORITHM = \(aqDSA\(aq .UNINDENT .INDENT 7.0 .TP .B KEY_STATUS_ACTIVE = \(aqactive\(aq .UNINDENT .INDENT 7.0 .TP .B KEY_STATUS_INACTIVE = \(aqinactive\(aq .UNINDENT .INDENT 7.0 .TP .B PASS_PHRASE_TYPE = \(aqpassPhrase\(aq .UNINDENT .INDENT 7.0 .TP .B RC2_ALGORITHM = \(aqRC2\(aq .UNINDENT .INDENT 7.0 .TP .B RC4_ALGORITHM = \(aqRC4\(aq .UNINDENT .INDENT 7.0 .TP .B RSA_ALGORITHM = \(aqRSA\(aq .UNINDENT .INDENT 7.0 .TP .B SYMMETRIC_KEY_TYPE = \(aqsymmetricKey\(aq .UNINDENT .INDENT 7.0 .TP .B approve_request(request_id) Approve a secret recovery request .UNINDENT .INDENT 7.0 .TP .B archive_encrypted_data(client_key_id, data_type, encrypted_data, wrapped_session_key, algorithm_oid=None, nonce_iv=None, key_algorithm=None, key_size=None, realm=None) Archive a secret (symmetric key or passphrase) on the DRM. .sp Refer to archive_key() comments for a description of client_key_id, data_type, key_algorithm and key_size. .INDENT 7.0 .TP .B The following parameters are also required: .INDENT 7.0 .IP \(bu 2 encrypted_data \- which is the data encrypted by a session key (168 bit 3DES symmetric key) .IP \(bu 2 wrapped_session_key \- the above session key wrapped by the DRM transport certificate public key. .IP \(bu 2 the algorithm_oid string for the symmetric key wrap .IP \(bu 2 the nonce_iv for the symmetric key wrap .UNINDENT .UNINDENT .sp This function is useful if the caller wants to do their own wrapping of the secret, or if the secret was generated on a separate client machine and the wrapping was done there. .sp The function returns a KeyRequestResponse object containing a KeyRequestInfo object with details about the archival request and key archived. .UNINDENT .INDENT 7.0 .TP .B archive_key(client_key_id, data_type, private_data, key_algorithm=None, key_size=None, realm=None) Archive a secret (symmetric key or passphrase) on the DRM. .sp Requires a user\-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown. .INDENT 7.0 .TP .B data_type can be one of the following: KeyClient.SYMMETRIC_KEY_TYPE, KeyClient.ASYMMETRIC_KEY_TYPE, KeyClient.PASS_PHRASE_TYPE .UNINDENT .sp key_algorithm and key_size are applicable to symmetric keys only. If a symmetric key is being archived, these parameters are required. .sp private_data is the raw secret to be archived. It will be wrapped and sent to the DRM. .sp The function returns a KeyRequestResponse object containing a KeyRequestInfo object with details about the archival request and key archived. .UNINDENT .INDENT 7.0 .TP .B archive_pki_options(client_key_id, data_type, pki_archive_options, key_algorithm=None, key_size=None, realm=None) Archive a secret (symmetric key or passphrase) on the DRM. .sp Refer to archive_key() comments for a description of client_key_id, data_type, key_algorithm and key_size. .sp pki_archive_options is the data to be archived wrapped in a PKIArchiveOptions structure, .sp The function returns a KeyRequestResponse object containing a KeyRequestInfo object with details about the archival request and key archived. .UNINDENT .INDENT 7.0 .TP .B cancel_request(request_id) Cancel a secret recovery request .UNINDENT .INDENT 7.0 .TP .B generate_asymmetric_key(client_key_id, algorithm=None, key_size=None, usages=None, trans_wrapped_session_key=None, realm=None) Generate and archive asymmetric keys in the DRM. Supports algorithms RSA and DSA. Valid key size for RSA = 256 + (16 * n), where n: 0\-496 Valid key size for DSA = 512, 768, 1024. p,q,g params are not supported. .sp Return a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and generated keys. .UNINDENT .INDENT 7.0 .TP .B generate_symmetric_key(client_key_id, algorithm=None, size=None, usages=None, trans_wrapped_session_key=None, realm=None) Generate and archive a symmetric key on the DRM. .sp Return a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and generated key. .UNINDENT .INDENT 7.0 .TP .B get_active_key_info(client_key_id) Get the info in the KeyRecord for the active secret in the DRM. .UNINDENT .INDENT 7.0 .TP .B get_client_keyset() .UNINDENT .INDENT 7.0 .TP .B get_key_info(key_id) Get the info in the KeyRecord for a specific secret in the DRM. .UNINDENT .INDENT 7.0 .TP .B get_request_info(request_id) Return a KeyRequestInfo object for a specific request. .UNINDENT .INDENT 7.0 .TP .B get_server_keyset() .UNINDENT .INDENT 7.0 .TP .B list_keys(client_key_id=None, status=None, max_results=None, max_time=None, start=None, size=None, realm=None) List/Search archived secrets in the DRM. .sp See KRAClient.list_keys for the valid values of status. Returns a KeyInfoCollection object. .UNINDENT .INDENT 7.0 .TP .B list_requests(request_state=None, request_type=None, client_key_id=None, start=None, page_size=None, max_results=None, max_time=None, realm=None) List/Search key requests in the DRM. .sp See KRAClient.list_requests for the valid values of request_state and request_type. Returns a KeyRequestInfoCollection object. .UNINDENT .INDENT 7.0 .TP .B modify_key_status(key_id, status) Modify the status of a key .UNINDENT .INDENT 7.0 .TP .B process_returned_key(key, session_key) Decrypt the returned key and place in key.data .sp The data will either by encrypted using an encryption algorithm \- in which case, the key data will contain an encryption algorithm OID, or it will be key wrapped \- in which case, the key data will contain a key wrap mechanism name. .sp Only one of these should be present. If we are talking to an older server, and none is present, we will assume encryption. .UNINDENT .INDENT 7.0 .TP .B recover_key(key_id, request_id=None, session_wrapped_passphrase=None, trans_wrapped_session_key=None, b64certificate=None, nonce_data=None) Create a request to recover a secret. .sp To retrieve a symmetric key or passphrase, the only parameter that is required is the keyId. It is possible (but not required) to pass in the session keys/passphrase and nonceData for the retrieval at this time. Those parameters are documented in the docstring for retrieve_key below. .sp To retrieve an asymmetric key, the keyId and the the base\-64 encoded certificate is required. .UNINDENT .INDENT 7.0 .TP .B reject_request(request_id) Reject a secret recovery request. .UNINDENT .INDENT 7.0 .TP .B retrieve_key(key_id=None, trans_wrapped_session_key=None, request_id=None) Retrieve a secret (passphrase or symmetric key) from the DRM. .sp This method will retrieve a key from the KRA given the key_id or request_id (one of which must be specified). The data is returned as a KeyData object (which is recast to a Key object). .sp If request_id is specified, then the value of key_id is ignored. Exceptions will be thrown if the caller is not the originator of the request, or the request is not approved. .sp If key_id is specified instead, the following behavior applies: .INDENT 7.0 .IP \(bu 2 If the key can be retrieved synchronously \- ie. only one agent\(aqs approval is required, then the KeyData will include the secret. .IP \(bu 2 If the key cannot be retrieved synchronously \- ie. if more than one approval is needed, then the KeyData object will include the request ID for a recovery request that was created on the server. When that request is approved, callers can retrieve the key using retrieve_key() and setting the request_id. .UNINDENT .sp To ensure data security in transit, the data will be returned encrypted by a session key (168 bit 3DES symmetric key) \- which is first wrapped (encrypted) by the public key of the DRM transport certificate before being sent to the DRM. The parameter trans_wrapped_session_key refers to this wrapped session key. .sp If the trans_wrapped_session_key is not provided by caller, the method will call CryptoProvider methods to generate and wrap the session key. The function will return the KeyData object with a private_data attribute which stores the unwrapped key information. .sp If the trans_wrapped_session_key is provided by the caller, the method will simply pass the data to the KRA, and will return the secret wrapped in the session key. The secret will still need to be unwrapped by the caller. The function will return the KeyData object, where the KeyData structure includes the wrapped secret and some nonce data to be used as a salt when unwrapping. .UNINDENT .INDENT 7.0 .TP .B retrieve_key_by_passphrase(key_id=None, request_id=None, passphrase=None, trans_wrapped_session_key=None, session_wrapped_passphrase=None, nonce_data=None) Retrieve a secret (passphrase or symmetric key) from the DRM using a passphrase. .sp This function generates a key recovery request, approves it, and retrieves the secret referred to by key_id. This assumes that only one approval is required to authorize the recovery. .sp The secret is secured in transit by wrapping the secret with a passphrase using PBE encryption. .sp There are two ways of using this function: .INDENT 7.0 .IP 1. 3 A passphrase is provided by the caller. .sp In this case, CryptoProvider methods will be called to create the data to securely send the passphrase to the DRM. Basically, three pieces of data will be sent: .INDENT 3.0 .IP \(bu 2 the passphrase wrapped by a 168 bit 3DES symmetric key (the session key). This is referred to as the parameter session_wrapped_passphrase. .IP \(bu 2 the session key wrapped with the public key in the DRM transport certificate. This is referred to as the trans_wrapped_session_key. .IP \(bu 2 ivps nonce data, referred to as nonce_data .UNINDENT .sp The function will return the tuple (KeyData, unwrapped_secret) .IP 2. 3 The caller provides the trans_wrapped_session_key, session_wrapped_passphrase and nonce_data. .sp In this case, the data will simply be passed to the DRM. The function will return the secret encrypted by the passphrase using PBE Encryption. The secret will still need to be decrypted by the caller. .sp The function will return the tuple (KeyData, None) .UNINDENT .UNINDENT .INDENT 7.0 .TP .B retrieve_key_by_pkcs12(key_id, certificate, passphrase) Retrieve an asymmetric private key and return it as PKCS12 data. .sp This function generates a key recovery request, approves it, and retrieves the secret referred to by key_id in a PKCS12 file. This assumes that only one approval is required to authorize the recovery. .sp This function requires the following parameters: \- key_id : the ID of the key \- certificate: the certificate associated with the private key \- passphrase: A passphrase for the pkcs12 file. .sp The function returns a KeyData object. .UNINDENT .INDENT 7.0 .TP .B retrieve_key_data(data) Retrieve a secret from the DRM. .sp @param: data \- a KeyRecoveryRequest containing the keyId of the secret being retrieved, the request_id of the approved recovery request and a wrapping mechanism. More details at KRAClient.retrieve_key. .sp Returns a KeyData object containing the wrapped secret. .UNINDENT .INDENT 7.0 .TP .B set_crypto_algorithms() .UNINDENT .INDENT 7.0 .TP .B set_transport_cert(transport_cert_nick) Set the transport certificate for crypto operations .UNINDENT .INDENT 7.0 .TP .B submit_request(request) Submit an archival, recovery or key generation request to the DRM. .sp @param request \- is either a KeyArchivalRequest, KeyRecoverRequest, SymKeyGenerationRequest or AsymKeyGenerationRequest. .sp returns a KeyRequestResponse object. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyData Bases: \fBobject\fP .sp This is the object that contains the encoded wrapped secret when that secret is retrieved. It is used by the DRM to send information of the key in the key retrieval requests. .INDENT 7.0 .TP .B classmethod from_json(attr_list) Return a KeyData object from a JSON dict .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqencryptAlgorithmOID\(aq: \(aqencrypt_algorithm_oid\(aq, \(aqnonceData\(aq: \(aqnonce_data\(aq, \(aqpublicKey\(aq: \(aqpublic_key\(aq, \(aqrequestID\(aq: \(aqrequest_id\(aq, \(aqwrapAlgorithm\(aq: \(aqwrap_algorithm\(aq, \(aqwrappedPrivateData\(aq: \(aqwrapped_private_data\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyInfo Bases: \fBobject\fP .sp This is the object that contains information stored in the database record for an archived secret. It does not contain the secret itself. .INDENT 7.0 .TP .B classmethod from_json(attr_list) Return KeyInfo from JSON dict .UNINDENT .INDENT 7.0 .TP .B get_key_id() Return the key ID as parsed from key URL .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqclientKeyID\(aq: \(aqclient_key_id\(aq, \(aqkeyURL\(aq: \(aqkey_url\(aq, \(aqownerName\(aq: \(aqowner_name\(aq, \(aqpublicKey\(aq: \(aqpublic_key\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyInfoCollection Bases: \fBobject\fP .sp This class represents data returned when searching the DRM archived secrets. Essentially, its a list of KeyInfo objects. .INDENT 7.0 .TP .B classmethod from_json(json_value) Return a KeyInfoCollection object from its JSON representation .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyRecoveryRequest(key_id=None, request_id=None, trans_wrapped_session_key=None, session_wrapped_passphrase=None, nonce_data=None, certificate=None, passphrase=None, payload_wrapping_name=None, payload_encryption_oid=None) Bases: \fI\%ResourceMessage\fP .sp Class representing the data sent to the DRM when either creating a request for the recovery of a secret, or, once the request is approved, retrieving the secret. .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyRequestInfo Bases: \fBobject\fP .sp This class represents data about key requests (archival, recovery, key generation etc.) in the DRM. .INDENT 7.0 .TP .B classmethod from_json(attr_list) Return a KeyRequestInfo object from a JSON dict. .UNINDENT .INDENT 7.0 .TP .B get_key_id() Return the ID of the secret referred to by this request. .UNINDENT .INDENT 7.0 .TP .B get_request_id() Return the request ID by parsing the request URL. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqkeyURL\(aq: \(aqkey_url\(aq, \(aqrequestStatus\(aq: \(aqrequest_status\(aq, \(aqrequestType\(aq: \(aqrequest_type\(aq, \(aqrequestURL\(aq: \(aqrequest_url\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyRequestInfoCollection Bases: \fBobject\fP .sp This class represents the data returned when searching the key requests in the DRM. Essentially, its a list of KeyRequestInfo objects. .INDENT 7.0 .TP .B classmethod from_json(json_value) Return a KeyRequestInfoCollection object from its JSON representation. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.KeyRequestResponse Bases: \fBobject\fP .sp This class is returned when an archival, recovery or key generation request is created. It includes a KeyRequestInfo object with information about the created request, and a KeyData structure which contains the wrapped secret (if that operation is supported). .INDENT 7.0 .TP .B classmethod from_json(json_value) Return a KeyRequestResponse object from its JSON representation. .UNINDENT .INDENT 7.0 .TP .B get_key_id() Return the id for the key archived, recovered or generated .UNINDENT .INDENT 7.0 .TP .B get_request_id() Return the id for the created request .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.key.RequestId(req_id) Bases: \fBobject\fP .sp Class representing a Request ID .UNINDENT .INDENT 0.0 .TP .B class pki.key.SymKeyGenerationRequest(client_key_id=None, key_size=None, key_algorithm=None, key_usages=None, trans_wrapped_session_key=None, realm=None) Bases: \fI\%ResourceMessage\fP .sp Class representing the data sent to the DRM when generating and archiving a symmetric key in the DRM. .INDENT 7.0 .TP .B DECRYPT_USAGE = \(aqdecrypt\(aq .UNINDENT .INDENT 7.0 .TP .B ENCRYPT_USAGE = \(aqencrypt\(aq .UNINDENT .INDENT 7.0 .TP .B SIGN_USAGE = \(aqsign\(aq .UNINDENT .INDENT 7.0 .TP .B UNWRAP_USAGE = \(aqunwrap\(aq .UNINDENT .INDENT 7.0 .TP .B VERIFY_USAGE = \(aqverify\(aq .UNINDENT .INDENT 7.0 .TP .B WRAP_USAGE = \(aqwrap\(aq .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.key.main() Some unit tests \- basically printing different types of requests .UNINDENT .SS \fBkra\fP Module .sp Module containing KRAClient class. This class should be used by Python clients to interact with the DRM to expose the functionality of the KeyClient and KeyRequestResource REST APIs. .INDENT 0.0 .TP .B class pki.kra.KRAClient(connection, crypto, transport_cert_nick=None) Bases: \fBobject\fP .sp Client class that models interactions with a KRA using the Key and KeyRequest REST APIs. .UNINDENT .SS \fBprofile\fP Module .INDENT 0.0 .TP .B class pki.profile.Descriptor(syntax=None, constraint=None, description=None, default_value=None) Bases: \fBobject\fP .sp This class represents the description of a ProfileAttribute. It stores information such as the syntax, constraint and default value of a profile attribute. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqConstraint\(aq: \(aqconstraint\(aq, \(aqDefaultValue\(aq: \(aqdefault_value\(aq, \(aqDescription\(aq: \(aqdescription\(aq, \(aqSyntax\(aq: \(aqsyntax\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.PolicyConstraint(name=None, description=None, class_id=None, policy_constraint_values=None) Bases: \fBobject\fP .sp An object of this class contains the policy constraints applied to a ProfileInput used by a certificate enrollment request. .INDENT 7.0 .TP .B add_constraint_value(policy_constraint_value) Add a PolicyConstraintValue to the policy_constraint_values list. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_constraint_value(policy_constraint_value_name) Returns a PolicyConstraintValue object with the given name. None, if there is no match. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqclassId\(aq: \(aqclass_id\(aq, \(aqconstraint\(aq: \(aqpolicy_constraint_values\(aq, \(aqid\(aq: \(aqname\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_constraint_value(policy_constraint_value_name) Removes a PolicyConstraintValue with the given name form the policy_constraint_values list. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.PolicyConstraintValue(name=None, value=None, descriptor=None) Bases: \fBobject\fP .sp Represents a PolicyConstraintValue .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B property name .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.PolicyDefault(name=None, class_id=None, description=None, policy_attributes=None, policy_params=None) Bases: \fBobject\fP .sp An object of this class contains information of the default usage of a specific ProfileInput. .INDENT 7.0 .TP .B add_attribute(policy_attribute) Add a policy attribute to the attribute list. @param policy_attribute \- A ProfileAttribute object .UNINDENT .INDENT 7.0 .TP .B add_parameter(policy_parameter) Add a profile parameter to the parameters list. @param policy_parameter \- A ProfileParameter object. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_attribute(policy_attribute_name) Fetch the policy attribute with the given name from the attributes list. .UNINDENT .INDENT 7.0 .TP .B get_parameter(profile_parameter_name) Fetch a profile parameter with the given name from the parameters list. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqclassId\(aq: \(aqclass_id\(aq, \(aqid\(aq: \(aqname\(aq, \(aqparams\(aq: \(aqpolicy_params\(aq, \(aqpolicyAttribute\(aq: \(aqpolicy_attributes\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_attribute(policy_attribute_name) Remove a policy attribute with the given name from the attributes list. .UNINDENT .INDENT 7.0 .TP .B remove_parameter(profile_parameter_name) Remove a profile parameter with the given name from the parameters list. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.PolicySet(name=None, policy_list=None) Bases: \fBobject\fP .sp An object of this class contains a name value pair of the policy name and the ProfilePolicy object. .INDENT 7.0 .TP .B add_policy(profile_policy) Add a ProfilePolicy object to the policy_list .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_policy(policy_id) Returns a ProfilePolicy object with the given profile id. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqid\(aq: \(aqname\(aq, \(aqvalue\(aq: \(aqpolicy_list\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_policy(policy_id) Removes a ProfilePolicy with the given ID from the PolicySet. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.PolicySetList(policy_sets=None) Bases: \fBobject\fP .sp An object of this class stores a list of ProfileSet objects. .INDENT 7.0 .TP .B add_policy_set(policy_set) Add a PolicySet object to the policy_sets list. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_policy_set(policy_set_name) Fetch the PolicySet object for the given name. Returns None, if not found. .UNINDENT .INDENT 7.0 .TP .B property policy_sets .UNINDENT .INDENT 7.0 .TP .B remove_policy_set(policy_set_name) Remove a PolicySet object with the given name from the policy_sets list. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.Profile(profile_id=None, class_id=None, name=None, description=None, enabled=None, visible=None, enabled_by=None, authenticator_id=None, authorization_acl=None, renewal=None, xml_output=None, inputs=None, outputs=None, policy_set_list=None, link=None) Bases: \fBobject\fP .sp This class represents an enrollment profile. .INDENT 7.0 .TP .B add_input(profile_input) Add a ProfileInput object to the inputs list of the Profile. .UNINDENT .INDENT 7.0 .TP .B add_output(profile_output) Add a ProfileOutput object to the outputs list of the Profile. .UNINDENT .INDENT 7.0 .TP .B add_policy_set(policy_set) Add a PolicySet object to the policy_sets list of the Profile. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_input(profile_input_id) Fetches a ProfileInput with the given ProfileInput id. Returns None, if there is no matching input. .UNINDENT .INDENT 7.0 .TP .B get_output(profile_output_id) Fetches a ProfileOutput with the given ProfileOutput id. Returns None, if there is no matching output. .UNINDENT .INDENT 7.0 .TP .B get_policy_set(policy_set_name) Fetches a ProfileInput with the given ProfileInput id. Returns None, if there is no matching input. .UNINDENT .INDENT 7.0 .TP .B static get_profile_data_from_file(path_to_file) Reads the file for the serialized Profile object. Currently supports only data format in json. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqInput\(aq: \(aqinputs\(aq, \(aqOutput\(aq: \(aqoutputs\(aq, \(aqPolicySets\(aq: \(aqpolicy_set_list\(aq, \(aqauthenticatorId\(aq: \(aqauthenticator_id\(aq, \(aqauthzAcl\(aq: \(aqauthorization_acl\(aq, \(aqclassId\(aq: \(aqclass_id\(aq, \(aqenabledBy\(aq: \(aqenabled_by\(aq, \(aqid\(aq: \(aqprofile_id\(aq, \(aqxmlOutput\(aq: \(aqxml_output\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_input(profile_input_id) Remove a ProfileInput from the inputs list of the Profile. .UNINDENT .INDENT 7.0 .TP .B remove_output(profile_output_id) Remove a ProfileOutput from the outputs list of the Profile. .UNINDENT .INDENT 7.0 .TP .B remove_policy_set(policy_set_name) Remove a PolicySet from the policy_sets list of the Profile. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileAttribute(name=None, value=None, descriptor=None) Bases: \fBobject\fP .sp Represents a profile attribute of a ProfileInput. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqDescriptor\(aq: \(aqdescriptor\(aq, \(aqValue\(aq: \(aqvalue\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileClient(connection) Bases: \fBobject\fP .sp This class consists of methods for accessing the ProfileResource. .INDENT 7.0 .TP .B create_profile(profile_data) Create a new profile for the given Profile object. .UNINDENT .INDENT 7.0 .TP .B create_profile_from_file(path_to_file) Reads the file for the serialized Profile object. Performs the profile create operation. Currently supports only data format in json. .UNINDENT .INDENT 7.0 .TP .B delete_profile(profile_id) Delete a profile with the given Profile Id. .UNINDENT .INDENT 7.0 .TP .B disable_profile(profile_id) Disables a profile. .UNINDENT .INDENT 7.0 .TP .B enable_profile(profile_id) Enables a profile. .UNINDENT .INDENT 7.0 .TP .B get_profile(profile_id) Fetches information for the profile for the given profile id. Returns a ProfileData object. .UNINDENT .INDENT 7.0 .TP .B list_profiles(start=None, size=None) Fetches the list of profiles. The start and size arguments provide pagination support. Returns a ProfileDataInfoCollection object. .UNINDENT .INDENT 7.0 .TP .B modify_profile(profile_data) Modify an existing profile with the given Profile object. .UNINDENT .INDENT 7.0 .TP .B modify_profile_from_file(path_to_file) Reads the file for the serialized Profile object. Performs the profile modify operation. Currently supports only data format in json. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileDataInfo Bases: \fBobject\fP .sp Stores information about a profile .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqprofileDescription\(aq: \(aqprofile_description\(aq, \(aqprofileId\(aq: \(aqprofile_id\(aq, \(aqprofileName\(aq: \(aqprofile_name\(aq, \(aqprofileURL\(aq: \(aqprofile_url\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileDataInfoCollection Bases: \fBobject\fP .sp Represents a collection of ProfileDataInfo objects. Also encapsulates the links for the list of the objects stored. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileInput(profile_input_id=None, class_id=None, name=None, text=None, attributes=None, config_attributes=None) Bases: \fBobject\fP .sp This class encapsulates all the attributes of a profile to generate a specific property of a certificate. Ex. Subject name, Requestor Information etc. .INDENT 7.0 .TP .B add_attribute(profile_attribute) Add a ProfileAttribute object to the attributes list. .UNINDENT .INDENT 7.0 .TP .B add_config_attribute(profile_attribute) Add a ProfileAttribute object to the config_attributes list. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_attribute(profile_attribute_name) Returns a ProfileAttribute object for the given name. None, if no match. .UNINDENT .INDENT 7.0 .TP .B get_config_attribute(config_attribute_name) Returns a ProfileAttribute object with the given name. None, if there is no match in the config_attributes list. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqAttribute\(aq: \(aqattributes\(aq, \(aqClassID\(aq: \(aqclass_id\(aq, \(aqConfigAttribute\(aq: \(aqconfig_attributes\(aq, \(aqName\(aq: \(aqname\(aq, \(aqText\(aq: \(aqtext\(aq, \(aqid\(aq: \(aqprofile_input_id\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_attribute(profile_attribute_name) Remove a ProfileAttribute object with the given name from the attributes list. .UNINDENT .INDENT 7.0 .TP .B remove_config_attribute(config_attribute_name) Remove a ProfileAttribute object with the given name from the config_attributes list. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileOutput(profile_output_id=None, name=None, text=None, class_id=None, attributes=None) Bases: \fBobject\fP .sp This class defines the output of a certificate enrollment request using a profile. .INDENT 7.0 .TP .B add_attribute(profile_attribute) Add a ProfileAttribute object to the attributes list. .UNINDENT .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B get_attribute(profile_attribute_name) Returns a ProfileAttribute object for the given name. None, if no match. .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqclassId\(aq: \(aqclass_id\(aq, \(aqid\(aq: \(aqprofile_output_id\(aq} .UNINDENT .INDENT 7.0 .TP .B remove_attribute(profile_attribute_name) Remove a ProfileAttribute object with the given name from the attributes list. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfileParameter(name=None, value=None) Bases: \fBobject\fP .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfilePolicy(policy_id=None, policy_default=None, policy_constraint=None) Bases: \fBobject\fP .sp This class represents the policy a profile adheres to. An object of this class stores the default values for profile and the constraints present on the values of the attributes of the profile submitted for an enrollment request. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .INDENT 7.0 .TP .B json_attribute_names = {\(aqconstraint\(aq: \(aqpolicy_constraint\(aq, \(aqdef\(aq: \(aqpolicy_default\(aq, \(aqid\(aq: \(aqpolicy_id\(aq} .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.profile.ProfilePolicySet Bases: \fBobject\fP .sp Stores a list of ProfilePolicy objects. .INDENT 7.0 .TP .B classmethod from_json(attr_list) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.profile.main() .UNINDENT .SS \fBsystem\fP Module .INDENT 0.0 .TP .B class pki.system.AdminSetupRequest Bases: \fBobject\fP .UNINDENT .INDENT 0.0 .TP .B class pki.system.AdminSetupResponse Bases: \fBobject\fP .UNINDENT .INDENT 0.0 .TP .B class pki.system.CertificateSetupRequest Bases: \fBobject\fP .UNINDENT .INDENT 0.0 .TP .B class pki.system.CertificateSetupResponse Bases: \fBobject\fP .UNINDENT .INDENT 0.0 .TP .B class pki.system.DomainInfo Bases: \fBobject\fP .sp Class representing the entire security domain. This is essentially a list of SecurityDomainSubsystem components. .INDENT 7.0 .TP .B classmethod from_json(json_value) Create a DomainInfo object from JSON. .INDENT 7.0 .TP .B Parameters \fBjson_value\fP (\fIstr\fP) \-\- JSON representation of a security domain. .TP .B Returns DomainInfo .UNINDENT .UNINDENT .INDENT 7.0 .TP .B property systems .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.InstallToken Bases: \fBobject\fP .INDENT 7.0 .TP .B classmethod from_json(json_value) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.SecurityDomainClient(connection) Bases: \fBobject\fP .sp Client used to get the security domain from a security domain CA. The connection details for the security domain CA are specified in a PKIConnection object used to construct this client. .INDENT 7.0 .TP .B get_domain_info() Contact the security domain CA specified in the connection object used to construct this client and get the security domain using the REST API. .INDENT 7.0 .TP .B Returns pki.system.DomainInfo .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get_install_token(hostname, subsystem) .INDENT 7.0 .TP .B Returns pki.system.InstallToken .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get_old_domain_info() Contact the security domain CA specified in the connection object used to construct this client and get the security domain using the old servlet\-based interface. This method is useful when contacting old servers which do not provide the REST API. .INDENT 7.0 .TP .B Returns pki.system.DomainInfo .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get_security_domain_info() .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.SecurityDomainHost Bases: \fBobject\fP .sp Class representing a security domain host. .INDENT 7.0 .TP .B classmethod from_json(json_value) Constructs a SecurityDomainHost object from JSON. .INDENT 7.0 .TP .B Parameters \fBjson_value\fP (\fIstr\fP) \-\- JSON string representing a security domain host. .TP .B Returns SecurityDomainHost .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.SecurityDomainSubsystem Bases: \fBobject\fP .sp Class representing a security domain subsystem. This is essentially a list of SecurityDomainHost objects of a particular subsystem type (ca, kra, tps, tks, ocsp). .INDENT 7.0 .TP .B classmethod from_json(json_value) Constructs a SecurityDomainSubsystem from a JSON representation. .INDENT 7.0 .TP .B Parameters \fBjson_value\fP (\fIstr\fP) \-\- JSON representation of the Security Domain Subsystem .TP .B Returns SecurityDomainSubsystem .UNINDENT .UNINDENT .INDENT 7.0 .TP .B get_host(hostname, secure_port) .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.SystemCertData Bases: \fBobject\fP .sp Class used to represent the data for a system certificate, which is used in the data passed into and returned from the Java installation servlet during the execution of pkispawn. .sp This class is the python equivalent of the Java class: com.netscape.certsrv.system.SystemCertData .UNINDENT .INDENT 0.0 .TP .B class pki.system.SystemConfigClient(connection, subsystem=None) Bases: \fBobject\fP .sp Client used to interact with the Java configuration servlet to configure a Dogtag subsystem during the execution of pkispawn. .sp The connection details for the system being configured are passed in the PKIConnection object used when constructing this object. .INDENT 7.0 .TP .B createCert(request) Create certificate. .INDENT 7.0 .TP .B Parameters \fBrequest\fP (\fI\%CertificateSetupRequest\fP) \-\- Certificate setup request .TP .B Returns SystemCertData .UNINDENT .UNINDENT .INDENT 7.0 .TP .B createCertID(request) Create certificate ID. .INDENT 7.0 .TP .B Parameters \fBrequest\fP (\fI\%CertificateSetupRequest\fP) \-\- Certificate setup request .TP .B Returns SystemCertData .UNINDENT .UNINDENT .INDENT 7.0 .TP .B createRequestID(request) Create certificate request ID. .INDENT 7.0 .TP .B Parameters \fBrequest\fP (\fI\%CertificateSetupRequest\fP) \-\- Certificate setup request .TP .B Returns SystemCertData .UNINDENT .UNINDENT .INDENT 7.0 .TP .B initSubsystem(request) Initialize subsystem. .INDENT 7.0 .TP .B Parameters \fBrequest\fP (\fI\%CertificateSetupRequest\fP) \-\- Certificate setup request .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.system.SystemStatusClient(connection, subsystem=None) Bases: \fBobject\fP .sp Client used to check the status of a Dogtag subsystem. .INDENT 7.0 .TP .B get_status(timeout=None) Checks the status of the subsystem by calling the getStatus() servlet. This is used to determine if the server is up and ready to receive and process requests. .INDENT 7.0 .TP .B Returns str \- getStatus response .UNINDENT .UNINDENT .UNINDENT .SS \fBsystemcert\fP Module .sp Module containing the Python client classes for the SystemCert REST API .INDENT 0.0 .TP .B class pki.systemcert.SystemCertClient(connection, subsystem=None) Bases: \fBobject\fP .sp Class encapsulating and mirroring the functionality in the SystemCertResource Java interface class defining the REST API for system certificate resources. .INDENT 7.0 .TP .B get_transport_cert() Return transport certificate. .INDENT 7.0 .TP .B Returns pki.cert.CertData \-\- transport certificate data .UNINDENT .UNINDENT .UNINDENT .SS \fBupgrade\fP Module .INDENT 0.0 .TP .B class pki.upgrade.PKIUpgradeScriptlet Bases: \fBobject\fP .INDENT 7.0 .TP .B backup(path) .UNINDENT .INDENT 7.0 .TP .B get_backup_dir() .UNINDENT .INDENT 7.0 .TP .B upgrade_system() .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.upgrade.PKIUpgradeTracker(name, filename, delimiter=\(aq=\(aq, version_key=\(aqPKI_VERSION\(aq, index_key=\(aqPKI_UPGRADE_INDEX\(aq) Bases: \fBobject\fP .INDENT 7.0 .TP .B get_index() .UNINDENT .INDENT 7.0 .TP .B get_version() .UNINDENT .INDENT 7.0 .TP .B remove() .UNINDENT .INDENT 7.0 .TP .B remove_index() .UNINDENT .INDENT 7.0 .TP .B remove_version() .UNINDENT .INDENT 7.0 .TP .B set(version) .UNINDENT .INDENT 7.0 .TP .B set_index(index) .UNINDENT .INDENT 7.0 .TP .B set_version(version) .UNINDENT .INDENT 7.0 .TP .B show() .UNINDENT .UNINDENT .INDENT 0.0 .TP .B class pki.upgrade.PKIUpgrader(upgrade_dir=\(aq/usr/share/pki/upgrade\(aq) Bases: \fBobject\fP .INDENT 7.0 .TP .B all_versions() .UNINDENT .INDENT 7.0 .TP .B backup(scriptlet, path) .UNINDENT .INDENT 7.0 .TP .B copydirs(source, dest, force=False) .UNINDENT .INDENT 7.0 .TP .B copyfile(source, dest, force=False) .UNINDENT .INDENT 7.0 .TP .B get_current_version() .UNINDENT .INDENT 7.0 .TP .B get_target_version() .UNINDENT .INDENT 7.0 .TP .B get_tracker() .UNINDENT .INDENT 7.0 .TP .B init_scriptlet(scriptlet) .UNINDENT .INDENT 7.0 .TP .B is_complete() .UNINDENT .INDENT 7.0 .TP .B makedirs(path, exist_ok=False) .UNINDENT .INDENT 7.0 .TP .B record(scriptlet, path) .UNINDENT .INDENT 7.0 .TP .B remove_tracker() .UNINDENT .INDENT 7.0 .TP .B reset_tracker() .UNINDENT .INDENT 7.0 .TP .B revert() .UNINDENT .INDENT 7.0 .TP .B revert_scriptlet(scriptlet) .UNINDENT .INDENT 7.0 .TP .B revert_version(version) .UNINDENT .INDENT 7.0 .TP .B run_scriptlet(scriptlet) .UNINDENT .INDENT 7.0 .TP .B scriptlets(version) .UNINDENT .INDENT 7.0 .TP .B set_tracker(version) .UNINDENT .INDENT 7.0 .TP .B show_tracker() .UNINDENT .INDENT 7.0 .TP .B status() .UNINDENT .INDENT 7.0 .TP .B touch(path) .UNINDENT .INDENT 7.0 .TP .B update_tracker(scriptlet) .UNINDENT .INDENT 7.0 .TP .B upgrade() .UNINDENT .INDENT 7.0 .TP .B upgrade_version(version) .UNINDENT .INDENT 7.0 .TP .B validate() .UNINDENT .INDENT 7.0 .TP .B version_dir(version) .UNINDENT .INDENT 7.0 .TP .B versions() .UNINDENT .UNINDENT .SS \fButil\fP Module .sp Module containing utility functions and classes for the Dogtag python code .INDENT 0.0 .TP .B class pki.util.Version(obj) Bases: \fBobject\fP .UNINDENT .INDENT 0.0 .TP .B pki.util.chmod(path, mode) Change permissions of a file, link, or folder recursively. .UNINDENT .INDENT 0.0 .TP .B pki.util.chown(path, uid, gid) Change ownership of a file, link, or folder recursively. .UNINDENT .INDENT 0.0 .TP .B pki.util.copy(source, dest, uid=\-1, gid=\-1, dir_mode=None, file_mode=None, force=False) Copy a file or a folder and its contents. .UNINDENT .INDENT 0.0 .TP .B pki.util.copydirs(source, dest, uid=\-1, gid=\-1, mode=None, force=False) Copy a folder and its parents (without the contents) while preserving their attributes. .UNINDENT .INDENT 0.0 .TP .B pki.util.copyfile(source, dest, slots=None, params=None, uid=None, gid=None, mode=None, force=False) Copy a file or link while preserving its attributes. .UNINDENT .INDENT 0.0 .TP .B pki.util.copytree(src, dst, symlinks=False, ignore=None) Recursively copy a directory tree using copy2(). .INDENT 7.0 .TP .B PATCH: This code was copied from \(aqshutil.py\(aq and patched to allow \(aqThe destination directory to already exist.\(aq .UNINDENT .sp If exception(s) occur, an Error is raised with a list of reasons. .sp If the optional symlinks flag is true, symbolic links in the source tree result in symbolic links in the destination tree; if it is false, the contents of the files pointed to by symbolic links are copied. .sp The optional ignore argument is a callable. If given, it is called with the \fIsrc\fP parameter, which is the directory being visited by copytree(), and \fInames\fP which is the list of \fIsrc\fP contents, as returned by os.listdir(): .INDENT 7.0 .INDENT 3.5 callable(src, names) \-> ignored_names .UNINDENT .UNINDENT .sp Since copytree() is called recursively, the callable will be called once for each directory that is copied. It returns a list of names relative to the \fIsrc\fP directory that should not be copied. .sp Consider this example code rather than the ultimate tool. .UNINDENT .INDENT 0.0 .TP .B pki.util.customize_file(input_file, output_file, params) Customize a file with specified parameters. .UNINDENT .INDENT 0.0 .TP .B pki.util.load_properties(filename, properties) .UNINDENT .INDENT 0.0 .TP .B pki.util.makedirs(path, mode=511, exist_ok=False, uid=\-1, gid=\-1, force=False) .UNINDENT .INDENT 0.0 .TP .B pki.util.read_environment_files(env_file_list=None) .UNINDENT .INDENT 0.0 .TP .B pki.util.read_text(message, options=None, default=None, delimiter=\(aq:\(aq, case_sensitive=True, password=False, required=False) Get an input from the user. This is used, for example, in pkispawn and pkidestroy to obtain user input. .INDENT 7.0 .TP .B Parameters .INDENT 7.0 .IP \(bu 2 \fBmessage\fP (\fIstr\fP) \-\- prompt to display to the user .IP \(bu 2 \fBoptions\fP (\fIlist\fP) \-\- list of possible inputs by the user. .IP \(bu 2 \fBdefault\fP (\fIstr\fP) \-\- default value of parameter being prompted. .IP \(bu 2 \fBdelimiter\fP (\fIstr\fP) \-\- delimiter to be used at the end of the prompt. .IP \(bu 2 \fBcase_sensitive\fP (\fIboolean \-\- True/False\fP) \-\- Allow input to be case sensitive. .IP \(bu 2 \fBpassword\fP (\fIboolean \-\- True/False\fP) \-\- Input is a password. Don\(aqt show the value. .IP \(bu 2 \fBrequired\fP (\fIboolean \-\- True/False\fP) \-\- Input must be non\-empty. .UNINDENT .TP .B Returns str \-\- value obtained from user input. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B pki.util.remove(path, force=False) .UNINDENT .INDENT 0.0 .TP .B pki.util.replace_params(line, params=None) Replace all occurrences of [param] in the line with the value of the parameter. .UNINDENT .INDENT 0.0 .TP .B pki.util.rmtree(path, force=False) .UNINDENT .INDENT 0.0 .TP .B pki.util.set_property(properties, name, value) .UNINDENT .INDENT 0.0 .TP .B pki.util.store_properties(filename, properties) .UNINDENT .INDENT 0.0 .TP .B pki.util.symlink(source, dest, uid=\-1, gid=\-1, force=False) .UNINDENT .INDENT 0.0 .TP .B pki.util.unlink(link, force=False) .UNINDENT .INDENT 0.0 .IP \(bu 2 \fI\%Index\fP .IP \(bu 2 \fI\%Module Index\fP .IP \(bu 2 \fI\%Search Page\fP .UNINDENT .SH AUTHOR Dogtag PKI Project Team .SH COPYRIGHT 2023, Dogtag PKI Team .\" Generated by docutils manpage writer. .