PKI¶

The PKI module builds compact OpenSSH certificates and serializes certificate signing requests to protobuf for remote signing workflows.

Certificate Model¶

class paramiko_cloud.pki.CertificateParameters¶

Bases: object

All certificate parameters needed for signing

Parameters:

valid_for – duration of certificate validity, overridden by valid_before

Keyword Arguments:

type (CertificateType) – type of certificate to issue
key_id (str) – key identifier
serial (int) – certificate serial number
principals (List[str]) – list of valid principals
valid_after (int) – time after which the certificate is valid (unix epoch, defaults to now)
valid_before (int) – time before which the certificate is valid (unix epoch)
critical_opts (Dict[CertificateCriticalOptions, str]) – dict of certificate critical options
extensions (Dict[CertificateExtensions, str]) – dict of certificate extensions

__init__(valid_for=datetime.timedelta(seconds=3600), **kwargs)¶

Parameters:

valid_for (timedelta | None)
kwargs (object)

class paramiko_cloud.pki.CertificateSigningRequest¶

Bases: object

Combines the key to be signed and the certificate parameters

Parameters:

public_key – key to sign
cert_params – certificate parameters

__init__(public_key, cert_params)¶

Parameters:

public_key (PKey)
cert_params (CertificateParameters)

to_proto()¶

Serializes the certificate signing request into a protobuf object

Returns:: Certificate signing request protobuf object
Return type:: CSR

classmethod from_proto(csr)¶

Deserializes the certificate signing request from a protobuf object

Returns:: The original certificate signing request
Parameters:: csr (CSR)
Return type:: CertificateSigningRequest

sign(signing_key)¶

Signs the public key using the signing key

Parameters:: signing_key (PKey) – CA key used for signing
Returns:: The signed certificate
Return type:: CertificateBlob

class paramiko_cloud.pki.CertificateBlob¶

Bases: PublicBlob

A signed SSH certificate

Create a new public blob of given type and contents.

Parameters:

type (str) – Type indicator, eg ssh-rsa.
blob (bytes) – The blob bytes themselves.
comment (str) – A comment, if one was given (e.g. file-based.)

cert_string(comment=None)¶

Render a string suitable for OpenSSH authorized_keys files

Parameters:: comment (str | None) – an optional comment, defaulting to the current date and time in ISO format
Returns:: The public key string
Return type:: str

Signing Mixin¶

class paramiko_cloud.pki.CertificateSigningKeyMixin¶

Bases: PKey

Mixin that allows a key to act as a certificate authority

Create a new instance of this public key type. If msg is given, the key’s public part(s) will be filled in from the message. If data is given, the key’s public part(s) will be filled in from the string.

Parameters:

msg (.Message) – an optional SSH .Message containing a public key of this type.
data (bytes) – optional, the bytes of a public key of this type

Raises:

.SSHException – if a key cannot be created from the data or msg given, or no key was passed in.

sign_certificate(pub_key, principals, extensions=None, **kwargs)¶

Signs a public key to produce a certificate

Parameters:

pub_key (PKey) – the SSH public key
principals (List[str]) – a list of principals to encode into the certificate
extensions (Dict[CertificateExtensions, str] | None) – a dictionary of certificate extensions, see paramiko_cloud.pki.CertificateExtensions
**kwargs (Any) – additional certificate configuration parameters passed to the constructor of paramiko_cloud.pki.CertificateParameters

Returns:

A PublicBlob object containing the signed certificate

Return type:

CertificateBlob

Enums¶

class paramiko_cloud.pki.CertificateType¶

Bases: Enum

The type of certificate to issue

pb_enum()¶

Converts the enum into the correct protobuf value for serialization

Returns:: The serialized enum value
Return type:: int

classmethod from_pb_enum(value)¶

Deserializes the enum value

Parameters:: value (int) – the serialized enum value
Returns:: The original enum value
Return type:: CertificateType

class paramiko_cloud.pki.CertificateCriticalOptions¶

Bases: Enum

Certificate critical options

pb_enum()¶

Converts the enum into the correct protobuf value for serialization

Returns:: The serialized enum value
Return type:: int

classmethod from_pb_enum(value)¶

Deserializes the enum value

Parameters:: value (int) – the serialized enum value
Returns:: The original enum value
Return type:: CertificateCriticalOptions

class paramiko_cloud.pki.CertificateExtensions¶

Bases: Enum

Certificate extensions

classmethod permit_all()¶

Convenience method to return a dict enabling all extensions

Returns:: All available extensions
Return type:: Dict[CertificateExtensions, str]

pb_enum()¶

Converts the enum into the correct protobuf value for serialization

Returns:: The serialized enum value
Return type:: int

classmethod from_pb_enum(value)¶

Deserializes the enum value

Parameters:: value (int) – the serialized enum value
Returns:: The original enum value
Return type:: CertificateExtensions

PKI¶

Certificate Model¶

Signing Mixin¶

Enums¶

Paramiko-Cloud

Navigation

Related Topics