openssh_key.key_params.cert.CertPublicKeyParams

class openssh_key.key_params.cert.CertPublicKeyParams(params)

Bases: openssh_key.key_params.common.PublicKeyParams, abc.ABC

The parameters comprising a certificate. OpenSSH supports certificates containing the following key types:

OpenSSH supports certificate authorities of the following key types:

The names and iteration order of the parameters of a certificate are:

  • nonce: A random string of arbitrary length provided by the certificate authority to prevent hash collisions (bytes).

  • The parameters of the public key.

  • serial: An optional serial number for the certificates issued by a certificate authority; 0 if the certificate authority does not record serial numbers (eight bytes).

  • type: 1 if the certificate principals are users, or 2 if hosts (four bytes).

  • key_id: A human-readable identifier for the key (str).

  • valid_principals: A series of strings identifying the principals: usernames if the certificate principals are users, or hostnames if hosts; empty if the certificate is valid for any principal (bytes).

  • valid_after: The number of seconds since the Unix epoch before which the certificate is invalid (eight bytes).

  • valid_before: The number of seconds since the Unix epoch after which the certificate is invalid (eight bytes).

  • critical_options: A series of strings that specify the options that the validator must process for this certificate to be valid. The strings alternate a unique name with the corresponding data, and are sorted lexicographically by name (bytes).

  • extensions: A series of strings that specify the options that the validator may, but need not, process, for this certificate to be valid. The strings alternate a unique name with the corresponding data, and are sorted lexicographically by name (bytes).

  • reserved: Reserved by OpenSSH (str).

  • signature_key: The parameters of the public key of the certificate authority (bytes).

  • signature: The signature of the certificate authority over the previous parameters (str).
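
An added example, not part of the openssh_key library or its documentation: a standard-library-only parser that walks an ssh-ed25519-cert-v01@openssh.com blob in the field order listed above, then checks the validity window, the principal and the critical options. Reader, parse_cert, is_acceptable and the sample bytes are names and values constructed for this illustration; the certificate authority signature is not verified here, so the parsed fields stay untrusted until it is.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"  # leading key-type string of the blob

def ssh_string(data):  # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated certificate")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def uint(self, size):
        return int.from_bytes(self.take(size), "big")
    def string(self):
        return self.take(self.uint(4))

def parse_cert(blob):  # splits the blob into the fields listed above, in order
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    cert = {"nonce": r.string(), "public_key": r.string(), "serial": r.uint(8),
            "type": r.uint(4), "key_id": r.string().decode(), "valid_principals": []}
    principals = Reader(r.string())  # nested series of strings
    while principals.pos < len(principals.buf):
        cert["valid_principals"].append(principals.string().decode())
    cert["valid_after"], cert["valid_before"] = r.uint(8), r.uint(8)
    for name in ("critical_options", "extensions", "reserved", "signature_key", "signature"):
        cert[name] = r.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return cert

def is_acceptable(cert, principal, now, allow_any_principal=False):
    """Policy check for a user certificate; the CA signature is NOT verified here."""
    named = (principal in cert["valid_principals"] if cert["valid_principals"]
             else allow_any_principal)  # empty list means "any principal"
    return (cert["type"] == 1 and not cert["critical_options"]  # none are processed here
            and named and cert["valid_after"] <= now < cert["valid_before"])

SAMPLE = b"".join([  # constructed: dummy nonce, key, CA key and signature bytes
    ssh_string(CERT_TYPE), ssh_string(b"\x01" * 32), ssh_string(b"\x02" * 32),
    struct.pack(">QI", 7, 1), ssh_string(b"alice@laptop"),
    ssh_string(ssh_string(b"alice") + ssh_string(b"deploy")),
    struct.pack(">QQ", 1700000000, 1700003600), ssh_string(b""), ssh_string(b""),
    ssh_string(b""), ssh_string(b"ca-key"), ssh_string(b"sig")])
```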

Parameters

params (Mapping[str, Any]) – The values with which to initialize this parameters object. All given values are saved, even those that do not exist in the format instructions for this key type.

Raises

UserWarning – A parameter value from the above list is missing from params or does not have the correct type.

__init__(params)

Methods

__init__(params)

check_params_are_valid()

Checks whether the values within this parameters object conform to the format instructions.

clear()

conversion_functions()

Functions to extract parameter values dicts for supported types of key objects.

convert_from(key_object)

Constructs and initializes a parameters object for this key type from attributes contained in the given object.

convert_to(destination_class)

Creates and initializes an object of the given type containing the values of this parameters object.

copy()

fromkeys(iterable[, value])

get(k[,d])

get_cert_base_public_key_class()

The type of the public key parameters that this certificate contains.

get_critical_option(option)

Returns the value of the specified critical option, or None if it does not exist.

get_extension_value(option)

Returns the value of the specified extension, or None if it does not exist.

get_format_instructions_dict()

The Pascal-style byte stream format instructions for the parameters of a key of this type.

get_signature_key()

Returns the public key of the certificate authority.

get_type()

Returns the type of the principals that can authenticate using this certificate.

get_valid_after()

Returns the timestamp before which the certificate is invalid.

get_valid_before()

Returns the timestamp after which the certificate is invalid.

get_valid_principals()

Returns the list of principals that can authenticate using this certificate.

items()

keys()

pack_list(l, format_instruction)

Packs a list of items into a byte stream as per format_instruction.

pack_options(d, format_instruction)

Packs a dict of items into a byte stream, with the keys packed as str and the values as per the provided format_instruction.

pack_signed_bytes()

Packs into a byte string the parameters of this certificate that would be signed by the certificate authority key to form the signature.

pop(k[,d])

If key is not found, d is returned if given, otherwise KeyError is raised.

popitem()

Remove and return some (key, value) pair as a 2-tuple; but raise KeyError if D is empty.

set_critical_option(option, value)

Sets the value of the specified critical option.

set_extension_value(option, value)

Sets the value of the specified extension.

set_signature_key(signature_key)

Sets the public key of the certificate authority to that specified.

set_type(t)

Sets the type of the principals that can authenticate using this certificate.

set_valid_after(t)

Sets the timestamp before which the certificate is invalid.

set_valid_before(t)

Sets the timestamp after which the certificate is invalid.

set_valid_principals(principals)

Sets the list of principals that can authenticate using this certificate.

setdefault(k[,d])

update([E, ]**F)

If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

values()

Attributes

FORMAT_INSTRUCTIONS_DICT

The Pascal-style byte stream format instructions for the parameters of a key of this type.

check_params_are_valid()

Checks whether the values within this parameters object conform to the format instructions.

Raises

UserWarning – A parameter value is missing or does not have a type that matches the format instructions for this key type.

Return type

None

clear() → None. Remove all items from D.

classmethod conversion_functions()

Functions to extract parameter values dicts for supported types of key objects.

Return type

Mapping[Type[Any], ConversionFunctions]

Returns

A typing.Mapping from types of key objects to functions that take key objects of that type and return parameter values.

classmethod convert_from(key_object)

Constructs and initializes a parameters object for this key type from attributes contained in the given object.

This classmethod searches conversion_functions for a class that is a superclass of key_object. If one is found, it returns the parameters object from the typing.Mapping returned by the corresponding object_to_mapping function. Otherwise, it searches its subclasses’ conversion_functions, traversing pre-order.

Parameters

key_object (Any) – An object containing key parameter values.

Raises

NotImplementedError – key_object is not of a supported type, or it does not contain the attributes necessary to construct a parameters object of this class.

Return type

PublicKeyParams

convert_to(destination_class)

Creates and initializes an object of the given type containing the values of this parameters object.

This method searches conversion_functions for a class that is a subclass of key_object. If one is found, it passes this parameters object to the corresponding mapping_to_object. Otherwise, it searches its superclasses’ conversion_functions in the same way, in method resolution order, up to and including PublicKeyParams.

Parameters

destination_class (Type[Any]) – The type of the object to which the values of this parameters object are to be converted.

Raises

  • ValueError – destination_class is not a class.

  • ImportError – destination_class cannot be imported.

  • NotImplementedError – Converting this parameters object to an object of type destination_class is not supported.

Return type

Any

get(k[, d]) → D[k] if k in D, else d. d defaults to None.

abstract static get_cert_base_public_key_class()

The type of the public key parameters that this certificate contains.

Return type

Type[PublicKeyParams]

get_critical_option(option)

Returns the value of the specified critical option, or None if it does not exist.

Parameters

option (Union[CertCriticalOption, str]) – The critical option the value of which to return.

Raises

ValueError – A CertCriticalOption is provided, but is not valid for the principal types of this certificate.

Return type

Optional[bytes]

get_extension_value(option)

Returns the value of the specified extension, or None if it does not exist.

Parameters

option (Union[CertExtension, str]) – The extension the value of which to return.

Raises

ValueError – A CertExtension is provided, but is not valid for the principal types of this certificate.

Return type

Optional[bytes]

classmethod get_format_instructions_dict()

The Pascal-style byte stream format instructions for the parameters of a key of this type.

Return type

Mapping[str, Union[str, PascalStyleFormatInstruction, PascalStyleFormatInstructionStringLengthSize]]

get_signature_key()

Returns the public key of the certificate authority.

Raises

UserWarning – The certificate authority is a certificate; this is not supported by OpenSSH.

Return type

key.PublicKey

get_type()

Returns the type of the principals that can authenticate using this certificate.

Return type

CertPrincipalType

get_valid_after()

Returns the timestamp before which the certificate is invalid.

Return type

datetime

get_valid_before()

Returns the timestamp after which the certificate is invalid.

Return type

datetime

get_valid_principals()

Returns the list of principals that can authenticate using this certificate.

Return type

List[str]

items() → a set-like object providing a view on D's items

keys() → a set-like object providing a view on D's keys

static pack_list(l, format_instruction)

Packs a list of items into a byte stream as per format_instruction.

Parameters
Return type

bytes

static pack_options(d, format_instruction)

Packs a dict of items into a byte stream, with the keys packed as str and the values as per the provided format_instruction.

Parameters
Return type

bytes

pack_signed_bytes()

Packs into a byte string the parameters of this certificate that would be signed by the certificate authority key to form the signature.

Return type

bytes

Returns

A byte string containing the parameters of this certificate that would be signed by the certificate authority key to form the signature.

pop(k[, d]) → v, remove specified key and return the corresponding value.

If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair as a 2-tuple; but raise KeyError if D is empty.

set_critical_option(option, value)

Sets the value of the specified critical option.

Parameters
Raises

ValueError – A CertCriticalOption is provided, but is not valid for the principal types of this certificate.

Return type

None

set_extension_value(option, value)

Sets the value of the specified extension.

Parameters
  • option (Union[CertExtension, str]) – The extension the value of which to set.

  • value (bytes) – The value to set the extension to.

Raises

ValueError – A CertExtension is provided, but is not valid for the principal types of this certificate.

Return type

None

set_signature_key(signature_key)

Sets the public key of the certificate authority to that specified.

Parameters

public_key – The public key of the certificate authority.

Raises

ValueError – The certificate authority is a certificate; this is not supported by OpenSSH.

Return type

None

set_type(t)

Sets the type of the principals that can authenticate using this certificate.

Return type

None

set_valid_after(t)

Sets the timestamp before which the certificate is invalid.

Return type

None

set_valid_before(t)

Sets the timestamp after which the certificate is invalid.

Return type

None

set_valid_principals(principals)

Sets the list of principals that can authenticate using this certificate.

Return type

None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D

update([E, ]**F) → None. Update D from mapping/iterable E and F.

If E present and has a .keys() method, does: for k in E: D[k] = E[k]
If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v
In either case, this is followed by: for k, v in F.items(): D[k] = v

values() → an object providing a view on D's values