django_ca.pydantic - Pydantic models

Type aliases

Reusable type aliases for Pydantic models.

django_ca.pydantic.type_aliases.AnnotatedEllipticCurveName

Annotated version of EllipticCurveName.

This type will also accept instances of EllipticCurve and convert them transparently.

alias of Annotated[Literal[‘sect571r1’, ‘sect409r1’, ‘sect283r1’, ‘sect233r1’, ‘sect163r2’, ‘sect571k1’, ‘sect409k1’, ‘sect283k1’, ‘sect233k1’, ‘sect163k1’, ‘secp521r1’, ‘secp384r1’, ‘secp256r1’, ‘secp256k1’, ‘secp224r1’, ‘secp192r1’, ‘brainpoolP256r1’, ‘brainpoolP384r1’, ‘brainpoolP512r1’], BeforeValidator(func=elliptic_curve_validator, json_schema_input_type=PydanticUndefined)]

django_ca.pydantic.type_aliases.AnnotatedSignatureHashAlgorithmName

Annotated version of SignatureHashAlgorithmName.

This type will also accept instances of HashAlgorithm and convert them transparently.

alias of Annotated[Literal[‘SHA-224’, ‘SHA-256’, ‘SHA-384’, ‘SHA-512’, ‘SHA3/224’, ‘SHA3/256’, ‘SHA3/384’, ‘SHA3/512’], BeforeValidator(func=signature_hash_algorithm_validator, json_schema_input_type=PydanticUndefined)]

django_ca.pydantic.type_aliases.AnnotatedSignatureHashAlgorithmNameWithLegacy

Same as AnnotatedSignatureHashAlgorithmName, but also accepts legacy algorithms.

alias of Annotated[Literal[‘MD5’, ‘SHA1’] | Literal[‘SHA-224’, ‘SHA-256’, ‘SHA-384’, ‘SHA-512’, ‘SHA3/224’, ‘SHA3/256’, ‘SHA3/384’, ‘SHA3/512’], BeforeValidator(func=signature_hash_algorithm_validator_with_legacy_names, json_schema_input_type=PydanticUndefined)]

django_ca.pydantic.type_aliases.Base64EncodedBytes

A str type that converts bytes to base64-encoded strings.

This type differs from pydantic.Base64Bytes in that bytes will be considered as unencoded input and converted to base64.

alias of Annotated[str, BeforeValidator(func=bytes_to_base64_str_validator, json_schema_input_type=PydanticUndefined), AfterValidator(func=base64_str_validator)]

django_ca.pydantic.type_aliases.CertificateRevocationListReasonCode

A subset of ReasonFlags that allows only reason codes valid in a certificate revocation list (CRL).

alias of Annotated[ReasonFlags, BeforeValidator(func=reason_flag_validator, json_schema_input_type=PydanticUndefined), AfterValidator(func=reason_flag_crl_scope_validator)]

django_ca.pydantic.type_aliases.OIDType

A string that will convert ObjectIdentifier objects.

This type alias will also validate the x509 dotted string format.

alias of Annotated[str, BeforeValidator(func=oid_parser, json_schema_input_type=PydanticUndefined), AfterValidator(func=oid_validator)]

django_ca.pydantic.type_aliases.PowerOfTwoInt

A type alias for an integer that is a power of two, e.g. an RSA/DSA KeySize.

Note that this type alias does not validate CA_MIN_KEY_SIZE, as validators in this module must not use any settings, as this would cause a circular import.

alias of Annotated[int, AfterValidator(func=is_power_two_validator)]

django_ca.pydantic.type_aliases.PromiseTypeAlias

Type alias for Djangos lazily translated strings.

Translated strings will be evaluated (= translated) upon JSON serialization. For JSON schemas, this type alias identifies itself as a normal string.

alias of Annotated[Promise, PlainSerializer(func=~django_ca.pydantic.type_aliases., return_type=str, when_used=always)]

django_ca.pydantic.type_aliases.Serial

A certificate serial as a hex string, as they are stored in the database.

This type will convert integers to hex, upper-case any lower-case strings and remove ‘:’. The minimum length is 1 character, the maximum length is 40 (RFC 5280, section 4.1.2.2 specifies a maximum of 20 octets, which equals 40 characters in hex).

alias of Annotated[str, BeforeValidator(func=int_to_hex_parser, json_schema_input_type=PydanticUndefined), AfterValidator(func=serial_validator), FieldInfo(annotation=NoneType, required=True, metadata=[MinLen(min_length=1), MaxLen(max_length=40), _PydanticGeneralMetadata(pattern=’^[A-F0-9]+$’)])]

Cryptography classes

All cryptography-related classes share that they can be instantiated from cryptography instances using model_validate() and share a cryptography property that converts a model instance into a cryptography instance:

>>> from cryptography import x509
>>> from cryptography.x509.oid import NameOID
>>> from django_ca.pydantic.name import NameAttributeModel
>>> attr = x509.NameAttribute(oid=NameOID.COMMON_NAME, value="example.com")
>>> model = NameAttributeModel.model_validate(attr)
>>> model
NameAttributeModel(oid='2.5.4.3', value='example.com')
>>> model.cryptography == attr
True

Name

class django_ca.pydantic.NameAttributeModel[source]

Pydantic model wrapping NameAttribute.

For the oid, you can either use a dotted string or an alias from NAME_OID_TYPES:

from django_ca.pydantic import NameAttributeModel

NameAttributeModel(
    oid="CN",  #  or "commonName" or NameOID.COMMON_NAME or just "2.5.4.3"
    value="example.com",
)

from cryptography import x509
from cryptography.x509.oid import NameOID

x509.NameAttribute(oid=NameOID.COMMON_NAME, value="example.com")

{
    "oid": "2.5.4.3",
    "value": "example.com"
}

When processing a x500 unique identifier attribute, the value is expected to be base64 encoded:

import base64

from django_ca.pydantic import NameAttributeModel

value = base64.b64encode(b"example.com")
NameAttributeModel(oid="x500UniqueIdentifier", value=value)

from cryptography import x509
from cryptography.x509.name import _ASN1Type
from cryptography.x509.oid import NameOID

x509.NameAttribute(
    oid=NameOID.X500_UNIQUE_IDENTIFIER, value=b"example.com", _type=_ASN1Type.BitString
)

{
    "oid": "2.5.4.45",
    "value": "ZXhhbXBsZS5jb20="
}

property cryptography: NameAttribute[str | bytes]

The NameAttribute instance for this model.

class django_ca.pydantic.NameModel[source]

Pydantic model wrapping Name.

This model is a Pydantic RootModel that takes a list of NameAttributeModel instances:

from django_ca.pydantic import NameAttributeModel, NameModel

NameModel(
    [
        NameAttributeModel(oid="C", value="AT"),
        NameAttributeModel(oid="CN", value="example.com"),
    ]
)

from cryptography import x509
from cryptography.x509.oid import NameOID

x509.Name(
    [
        x509.NameAttribute(oid=NameOID.COUNTRY_NAME, value="AT"),
        x509.NameAttribute(oid=NameOID.COMMON_NAME, value="example.com"),
    ]
)

[
    {
        "oid": "2.5.4.6",
        "value": "AT"
    },
    {
        "oid": "2.5.4.3",
        "value": "example.com"
    }
]

property cryptography: Name

The Name instance for this model.

GeneralName

class django_ca.pydantic.GeneralNameModel[source]

Pydantic model wrapping NameAttribute.

This model takes a type named in GENERAL_NAME_TYPES and a value that is usually a str:

from django_ca.pydantic import GeneralNameModel

GeneralNameModel(type="DNS", value="example.com")

from cryptography import x509

x509.DNSName("example.com")

{
    "type": "DNS",
    "value": "example.com"
}

For directory names, you have to pass a NameModel instead:

from django_ca.pydantic import GeneralNameModel, NameAttributeModel, NameModel

name = NameModel([NameAttributeModel(oid="CN", value="example.com")])
GeneralNameModel(type="dirName", value=name)

from cryptography import x509
from cryptography.x509.oid import NameOID

name = x509.Name([x509.NameAttribute(oid=NameOID.COMMON_NAME, value="example.com")])
x509.DirectoryName(name)

{
    "type": "dirName",
    "value": [
        {
            "oid": "2.5.4.3",
            "value": "example.com"
        }
    ]
}

For OtherName instances, pass a OtherNameModel instead:

from django_ca.pydantic import GeneralNameModel, OtherNameModel

other_name = OtherNameModel(oid="1.2.3", type="UTF8String", value="some_string")
GeneralNameModel(type="otherName", value=other_name)

from asn1crypto.core import UTF8String
from cryptography import x509

value = UTF8String("some_string").dump()  # equals b"\x0c\x0bsome_string"
x509.OtherName(type_id=x509.ObjectIdentifier("1.2.3"), value=value)

{
    "type": "otherName",
    "value": {
        "oid": "1.2.3",
        "type": "UTF8String",
        "value": "some_string"
    }
}

property cryptography: GeneralName

Convert to a GeneralName instance.

class django_ca.pydantic.OtherNameModel[source]

Pydantic model wrapping OtherName.

The oid argument may be any valid object identifier as dotted string (e.g. "1.2.3").

The type argument may be any type in OTHER_NAME_TYPES or OTHER_NAME_ALIASES.

The type of the value argument depends on the type value. String variants (UTFString, etc.) require a str, boolean requires a bool value and so on:

from django_ca.pydantic import OtherNameModel

OtherNameModel(oid="1.2.3", type="UTF8String", value="some_string")

from asn1crypto.core import UTF8String
from cryptography import x509

value = UTF8String("some_string").dump()  # equals b"\x0c\x0bsome_string"
x509.OtherName(type_id=x509.ObjectIdentifier("1.2.3"), value=value)

{
    "oid": "1.2.3",
    "type": "UTF8String",
    "value": "some_string"
}

For datetime variants (UTCTIME and GENERALIZEDTIME), you must pass a timezone-aware object:

from datetime import datetime, timezone

from django_ca.pydantic import OtherNameModel

dt = datetime(2021, 10, 5, 22, 1, 4, tzinfo=timezone.utc)
OtherNameModel(oid="1.2.3", type="UTCTIME", value=dt)

from datetime import datetime, timezone

from asn1crypto.core import UTCTime
from cryptography import x509

dt = datetime(2021, 10, 5, 22, 1, 4, tzinfo=timezone.utc)
value = UTCTime(dt).dump()  # equals b"\x0c\x0bsome_string"
x509.OtherName(type_id=x509.ObjectIdentifier("1.2.3"), value=value)

{
    "oid": "1.2.3",
    "type": "UTCTIME",
    "value": "2021-10-05T22:01:04Z"
}

For INTEGER, you can pass an int or a str for a base 16 integer:

from django_ca.pydantic import OtherNameModel

OtherNameModel(oid="1.2.3", type="INTEGER", value="0x0C")  # or pass 12 (equals 0x0C)

from asn1crypto.core import Integer
from cryptography import x509

value = Integer(12).dump()
x509.OtherName(type_id=x509.ObjectIdentifier("1.2.3"), value=value)

{
    "oid": "1.2.3",
    "type": "INTEGER",
    "value": 12
}

Finally, for an OctetString, pass the raw bytes or as a hex-encoded string:

from django_ca.pydantic import OtherNameModel

# Or pass decoded b"\x61\x62\x63" for a value
OtherNameModel(oid="1.2.3", type="OctetString", value="616263")

from asn1crypto.core import OctetString
from cryptography import x509

value = OctetString(b"\x61\x62\x63").dump()  # equals b"\x61\x62\x63"
x509.OtherName(type_id=x509.ObjectIdentifier("1.2.3"), value=value)

{
    "oid": "1.2.3",
    "type": "OctetString",
    "value": "616263"
}

As usual, the cryptography property will return the cryptography variant of the model:

>>> OtherNameModel(oid="1.2.3", type="IA5STRING", value="some string").cryptography
<OtherName(type_id=<ObjectIdentifier(oid=1.2.3, name=Unknown OID)>, value=b'\x16\x0bsome string')>
property cryptography: OtherName

Convert to a OtherName instance.

Extensions

Pydantic models for x509 extensions.

Every extension model has exactly three parameters, critical, value and type.

The critical parameter is a boolean value. It usually defaults to the recommended value (usually in RFC 5280), but is mandatory in some extensions where no value is defined. Default values are defined in EXTENSION_DEFAULT_CRITICAL.

The value parameter represents the actual value of the extension, and its format is different for every extension. In trivial extensions (for example in the InhibitAnyPolicyModel), this is usually a basic type:

>>> InhibitAnyPolicyModel(value=1)
InhibitAnyPolicyModel(critical=True, value=1)

More complex extensions require a nested model:

>>> dpoint = DistributionPointModel(
...     full_name=[{"type": "URI", "value": "https://ca.example.com/crl"}]
... )
>>> CRLDistributionPointsModel(value=[dpoint])
CRLDistributionPointsModel(
    critical=False,
    value=[DistributionPointModel(
        full_name=[GeneralNameModel(type='URI', value='https://ca.example.com/crl')],
        relative_name=None, crl_issuer=None, reasons=None
    )]
)

Nested models are described in more details under Extension attributes.

Every model has a cryptography property returning the Extension instance and an extension_type property returning the ExtensionType instance:

>>> ext_model = InhibitAnyPolicyModel(value=1)
>>> ext_model.extension_type
<InhibitAnyPolicy(skip_certs=1)>
>>> ext_model.cryptography
<Extension(
    oid=<ObjectIdentifier(oid=2.5.29.54, name=inhibitAnyPolicy)>,
    critical=True,
    value=<InhibitAnyPolicy(skip_certs=1)>
)>

Finally, the type parameter is a literal string used to identify the type of extension. It is mandatory in serialized versions of a model (e.g. as JSON), but does not have to be given when instantiating a model directly.

class django_ca.pydantic.AdmissionsModel[source]

Pydantic model for a Admissions extension.

Added in version 2.1.0.

The value is a AdmissionsValueModel:

from django_ca.pydantic import (
    AdmissionModel,
    AdmissionsModel,
    AdmissionsValueModel,
    ProfessionInfoModel,
)

AdmissionsModel(
    value=AdmissionsValueModel(
        admissions=[
            AdmissionModel(
                profession_infos=[ProfessionInfoModel(profession_items=["info"])]
            )
        ],
    )
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

profession_info = x509.ProfessionInfo(
    naming_authority=None,
    profession_items=["info"],
    profession_oids=None,
    registration_number=None,
    add_profession_info=None,
)
admission = x509.Admission(
    admission_authority=None,
    naming_authority=None,
    profession_infos=[profession_info],
)
x509.Extension(
    critical=False,
    oid=ExtensionOID.ADMISSIONS,
    value=x509.Admissions(authority=None, admissions=[admission]),
)

{
    "type": "admissions",
    "critical": false,
    "value": {
        "authority": null,
        "admissions": [
            {
                "admission_authority": null,
                "naming_authority": null,
                "profession_infos": [
                    {
                        "naming_authority": null,
                        "profession_items": [
                            "info"
                        ],
                        "profession_oids": null,
                        "registration_number": null,
                        "add_profession_info": null
                    }
                ]
            }
        ]
    }
}

The model supports an arbitrary number of Admission and ProfessionInfo instances:

from django_ca.pydantic import (
    AdmissionModel,
    AdmissionsModel,
    AdmissionsValueModel,
    GeneralNameModel,
    NamingAuthorityModel,
    ProfessionInfoModel,
)

AdmissionsModel(
    value=AdmissionsValueModel(
        authority=GeneralNameModel(type="URI", value="https://example.com"),
        admissions=[
            AdmissionModel(
                profession_infos=[ProfessionInfoModel(profession_items=["info"])]
            ),
            AdmissionModel(
                admission_authority=GeneralNameModel(
                    type="URI", value="https://example.com"
                ),
                naming_authority=NamingAuthorityModel(
                    id="1.2.3", url="https://naming.example.com", text="some text"
                ),
                profession_infos=[
                    ProfessionInfoModel(profession_items=["info"]),
                    ProfessionInfoModel(
                        naming_authority=NamingAuthorityModel(
                            id="1.2.3",
                            url="https://sub.naming.example.com",
                            text="naming authority for second info model",
                        ),
                        profession_items=["info one", "info two"],
                        profession_oids=["1.2.4", "1.2.5"],
                        registration_number="abc",
                        add_profession_info="kA==",
                    ),
                ],
            ),
        ],
    )
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

profession_info_one = x509.ProfessionInfo(
    naming_authority=None,
    profession_items=["info"],
    profession_oids=None,
    registration_number=None,
    add_profession_info=None,
)
profession_info_two = x509.ProfessionInfo(
    naming_authority=x509.NamingAuthority(
        id=x509.ObjectIdentifier("1.2.3"),
        url="https://sub.naming.example.com",
        text="naming authority for second info model",
    ),
    profession_items=["info one", "info two"],
    profession_oids=[x509.ObjectIdentifier("1.2.4"), x509.ObjectIdentifier("1.2.5")],
    registration_number="abc",
    add_profession_info=b"\x90",
)
admission_one = x509.Admission(
    admission_authority=None,
    naming_authority=None,
    profession_infos=[profession_info_one],
)
admission_two = x509.Admission(
    admission_authority=x509.UniformResourceIdentifier("https://example.com"),
    naming_authority=x509.NamingAuthority(
        id=x509.ObjectIdentifier("1.2.3"),
        url="https://naming.example.com",
        text="some text",
    ),
    profession_infos=[profession_info_one, profession_info_two],
)
x509.Extension(
    critical=False,
    oid=ExtensionOID.ADMISSIONS,
    value=x509.Admissions(
        authority=x509.UniformResourceIdentifier("https://example.com"),
        admissions=[admission_one, admission_two],
    ),
)

{
    "type": "admissions",
    "critical": false,
    "value": {
        "authority": {
            "type": "URI",
            "value": "https://example.com"
        },
        "admissions": [
            {
                "admission_authority": null,
                "naming_authority": null,
                "profession_infos": [
                    {
                        "naming_authority": null,
                        "profession_items": [
                            "info"
                        ],
                        "profession_oids": null,
                        "registration_number": null,
                        "add_profession_info": null
                    }
                ]
            },
            {
                "admission_authority": {
                    "type": "URI",
                    "value": "https://example.com"
                },
                "naming_authority": {
                    "id": "1.2.3",
                    "url": "https://naming.example.com",
                    "text": "some text"
                },
                "profession_infos": [
                    {
                        "naming_authority": null,
                        "profession_items": [
                            "info"
                        ],
                        "profession_oids": null,
                        "registration_number": null,
                        "add_profession_info": null
                    },
                    {
                        "naming_authority": {
                            "id": "1.2.3",
                            "url": "https://sub.naming.example.com",
                            "text": "naming authority for second info model"
                        },
                        "profession_items": [
                            "info one",
                            "info two"
                        ],
                        "profession_oids": [
                            "1.2.4",
                            "1.2.5"
                        ],
                        "registration_number": "abc",
                        "add_profession_info": "kA=="
                    }
                ]
            }
        ]
    }
}

test

class django_ca.pydantic.AuthorityInformationAccessModel[source]

Pydantic model for a AuthorityInformationAccess extension.

The value is a list of AccessDescriptionModel instances:

from django_ca.pydantic import (
    AccessDescriptionModel,
    AuthorityInformationAccessModel,
    GeneralNameModel,
)

AuthorityInformationAccessModel(
    value=[
        AccessDescriptionModel(
            access_method="ocsp",
            access_location=GeneralNameModel(type="URI", value="http://ocsp.example.com"),
        ),
        AccessDescriptionModel(
            access_method="ca_issuers",
            access_location=GeneralNameModel(type="URI", value="http://example.com"),
        ),
    ]
)

from cryptography import x509
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.AUTHORITY_INFORMATION_ACCESS,
    value=x509.AuthorityInformationAccess(
        [
            x509.AccessDescription(
                access_method=AuthorityInformationAccessOID.OCSP,
                access_location=x509.UniformResourceIdentifier("http://ocsp.example.com"),
            ),
            x509.AccessDescription(
                access_method=AuthorityInformationAccessOID.CA_ISSUERS,
                access_location=x509.UniformResourceIdentifier("http://example.com"),
            ),
        ]
    ),
)

{
    "type": "authority_information_access",
    "critical": false,
    "value": [
        {
            "access_method": "1.3.6.1.5.5.7.48.1",
            "access_location": {
                "type": "URI",
                "value": "http://ocsp.example.com"
            }
        },
        {
            "access_method": "1.3.6.1.5.5.7.48.2",
            "access_location": {
                "type": "URI",
                "value": "http://example.com"
            }
        }
    ]
}

class django_ca.pydantic.AuthorityKeyIdentifierModel[source]

Pydantic model for a AuthorityKeyIdentifier extension.

The value is a AuthorityKeyIdentifierValueModel instance:

from django_ca.pydantic import (
    AuthorityKeyIdentifierModel,
    AuthorityKeyIdentifierValueModel,
)

AuthorityKeyIdentifierModel(
    value=AuthorityKeyIdentifierValueModel(
        key_identifier="MTIz"  # or b"123"
    )
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
    value=x509.AuthorityKeyIdentifier(
        key_identifier=b"123",
        authority_cert_issuer=None,
        authority_cert_serial_number=None,
    ),
)

{
    "type": "authority_key_identifier",
    "critical": false,
    "value": {
        "key_identifier": "MTIz",
        "authority_cert_issuer": null,
        "authority_cert_serial_number": null
    }
}

A version with an authority certificate would look like this:

from django_ca.pydantic import (
    AuthorityKeyIdentifierModel,
    AuthorityKeyIdentifierValueModel,
    GeneralNameModel,
)

AuthorityKeyIdentifierModel(
    value=AuthorityKeyIdentifierValueModel(
        key_identifier=None,
        authority_cert_issuer=[GeneralNameModel(type="URI", value="http://example.com")],
        authority_cert_serial_number=123,
    )
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
    value=x509.AuthorityKeyIdentifier(
        key_identifier=None,
        authority_cert_issuer=[x509.UniformResourceIdentifier("http://example.com")],
        authority_cert_serial_number=123,
    ),
)

{
    "type": "authority_key_identifier",
    "critical": false,
    "value": {
        "key_identifier": null,
        "authority_cert_issuer": [
            {
                "type": "URI",
                "value": "http://example.com"
            }
        ],
        "authority_cert_serial_number": 123
    }
}

class django_ca.pydantic.BasicConstraintsModel[source]

Pydantic model for a BasicConstraints extension.

The value is a BasicConstraintsValueModel instance. For example, for end-entity certificates, ca is False and path_length is None:

from django_ca.pydantic import BasicConstraintsModel, BasicConstraintsValueModel

value = BasicConstraintsValueModel(ca=False, path_length=None)
BasicConstraintsModel(value=value)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

value = x509.BasicConstraints(ca=False, path_length=None)
x509.Extension(critical=True, oid=ExtensionOID.BASIC_CONSTRAINTS, value=value)

{
    "type": "basic_constraints",
    "critical": true,
    "value": {
        "ca": false,
        "path_length": null
    }
}

For certificate authorities, ca is True, and path_length may be a positive integer:

from django_ca.pydantic import BasicConstraintsModel, BasicConstraintsValueModel

value = BasicConstraintsValueModel(ca=True, path_length=0)
BasicConstraintsModel(value=value)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

value = x509.BasicConstraints(ca=True, path_length=0)
x509.Extension(critical=True, oid=ExtensionOID.BASIC_CONSTRAINTS, value=value)

{
    "type": "basic_constraints",
    "critical": true,
    "value": {
        "ca": true,
        "path_length": 0
    }
}

class django_ca.pydantic.CRLDistributionPointsModel[source]

Pydantic model for a CRLDistributionPoints extension.

The value is a list of DistributionPointModel instances:

from django_ca.pydantic import (
    CRLDistributionPointsModel,
    DistributionPointModel,
    GeneralNameModel,
    NameAttributeModel,
    NameModel,
)

simple_distribution_point = DistributionPointModel(
    full_name=[GeneralNameModel(type="URI", value="https://ca.example.com/crl")]
)

# Unusual distribution point: not observed in practice, usually only a full name is used.
unusual_distribution_point = DistributionPointModel(
    relative_name=NameModel([NameAttributeModel(oid="2.5.4.3", value="example.com")]),
    crl_issuer=[GeneralNameModel(type="URI", value="https://ca.example.com/issuer")],
    reasons={"key_compromise"},
)

CRLDistributionPointsModel(value=[simple_distribution_point, unusual_distribution_point])

from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID

simple_distribution_point = x509.DistributionPoint(
    full_name=[x509.UniformResourceIdentifier("https://ca.example.com/crl")],
    relative_name=None,
    crl_issuer=None,
    reasons=None,
)

# Unusual distribution point: not observed in practice, usually only a full name is used.
unusual_distribution_point = x509.DistributionPoint(
    full_name=None,
    relative_name=x509.RelativeDistinguishedName(
        [x509.NameAttribute(oid=NameOID.COMMON_NAME, value="example.com")]
    ),
    crl_issuer=[x509.UniformResourceIdentifier("https://ca.example.com/issuer")],
    reasons=frozenset([x509.ReasonFlags.key_compromise]),
)

x509.Extension(
    critical=False,
    oid=ExtensionOID.CRL_DISTRIBUTION_POINTS,
    value=x509.CRLDistributionPoints(
        [simple_distribution_point, unusual_distribution_point]
    ),
)

{
    "type": "crl_distribution_points",
    "critical": false,
    "value": [
        {
            "full_name": [
                {
                    "type": "URI",
                    "value": "https://ca.example.com/crl"
                }
            ],
            "relative_name": null,
            "crl_issuer": null,
            "reasons": null
        },
        {
            "full_name": null,
            "relative_name": [
                {
                    "oid": "2.5.4.3",
                    "value": "example.com"
                }
            ],
            "crl_issuer": [
                {
                    "type": "URI",
                    "value": "https://ca.example.com/issuer"
                }
            ],
            "reasons": [
                "key_compromise"
            ]
        }
    ]
}

class django_ca.pydantic.CertificatePoliciesModel[source]

Pydantic model for a CertificatePolicies extension.

The value is a list of PolicyInformationModel instances:

from django_ca.pydantic import (
    CertificatePoliciesModel,
    PolicyInformationModel,
    UserNoticeModel,
)

# anyPolicy model with no qualifiers.
any_policy = PolicyInformationModel(policy_identifier="2.5.29.32.0")

# CPS statement with a text and a user notice.
# NOTE: user notices are not observed in practice.
cps = PolicyInformationModel(
    policy_identifier="1.3.6.1.5.5.7.2.1",
    policy_qualifiers=[
        "https://ca.example.com/cps",
        UserNoticeModel(explicit_text="my text"),
    ],
)

CertificatePoliciesModel(value=[any_policy, cps])

from cryptography import x509
from cryptography.x509.oid import CertificatePoliciesOID, ExtensionOID

# anyPolicy model with no qualifiers.
any_policy = x509.PolicyInformation(
    policy_identifier=CertificatePoliciesOID.ANY_POLICY,
    policy_qualifiers=None,
)

# CPS statement with a text and a user notice.
# NOTE: user notices are not observed in practice.
cps = x509.PolicyInformation(
    policy_identifier=CertificatePoliciesOID.CPS_QUALIFIER,
    policy_qualifiers=[
        "https://ca.example.com/cps",
        x509.UserNotice(explicit_text="my text", notice_reference=None),
    ],
)

x509.Extension(
    critical=False,
    oid=ExtensionOID.CERTIFICATE_POLICIES,
    value=x509.CertificatePolicies([any_policy, cps]),
)

{
    "type": "certificate_policies",
    "critical": false,
    "value": [
        {
            "policy_identifier": "2.5.29.32.0",
            "policy_qualifiers": null
        },
        {
            "policy_identifier": "1.3.6.1.5.5.7.2.1",
            "policy_qualifiers": [
                "https://ca.example.com/cps",
                {
                    "notice_reference": null,
                    "explicit_text": "my text"
                }
            ]
        }
    ]
}

class django_ca.pydantic.ExtendedKeyUsageModel[source]

Pydantic model for a ExtendedKeyUsage extension.

The value is a list valid object identifiers as dotted strings. For convenience, any name from EXTENDED_KEY_USAGE_NAMES can also be given:

from django_ca.pydantic import ExtendedKeyUsageModel

ExtendedKeyUsageModel(value=["clientAuth", "1.3.6.1.5.5.7.3.1"])

from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.EXTENDED_KEY_USAGE,
    value=x509.ExtendedKeyUsage(
        [ExtendedKeyUsageOID.CLIENT_AUTH, x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1")]
    ),
)

{
    "type": "extended_key_usage",
    "critical": false,
    "value": [
        "1.3.6.1.5.5.7.3.2",
        "1.3.6.1.5.5.7.3.1"
    ]
}

class django_ca.pydantic.FreshestCRLModel[source]

Pydantic model for a FreshestCRL extension.

This model behaves exactly like CRLDistributionPointsModel.

class django_ca.pydantic.InhibitAnyPolicyModel[source]

Pydantic model for a InhibitAnyPolicy extension.

The value attribute is an integer:

from django_ca.pydantic import InhibitAnyPolicyModel

InhibitAnyPolicyModel(value=1)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=True, oid=ExtensionOID.INHIBIT_ANY_POLICY, value=x509.InhibitAnyPolicy(1)
)

{
    "type": "inhibit_any_policy",
    "critical": true,
    "value": 1
}

class django_ca.pydantic.IssuerAlternativeNameModel[source]

Pydantic model for a IssuerAlternativeName extension.

This model behaves exactly like SubjectAlternativeNameModel.

class django_ca.pydantic.KeyUsageModel[source]

Pydantic model for a KeyUsage extension.

All key usages default to False, so you can skip giving any usages you don’t care about. For convenience, the model also accepts values as used in RFC 5280 (full mapping in KEY_USAGE_NAMES):

from django_ca.pydantic import KeyUsageModel

# Use key OR value from KEY_USAGE_NAMES:
KeyUsageModel(value=["key_agreement", "keyEncipherment"])

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=True,
    oid=ExtensionOID.KEY_USAGE,
    value=x509.KeyUsage(
        content_commitment=False,
        crl_sign=False,
        data_encipherment=False,
        decipher_only=False,
        digital_signature=False,
        encipher_only=False,
        key_agreement=True,
        key_cert_sign=False,
        key_encipherment=True,
    ),
)

{
    "type": "key_usage",
    "critical": true,
    "value": [
        "key_agreement",
        "key_encipherment"
    ]
}

class django_ca.pydantic.MSCertificateTemplateModel[source]

Pydantic model for a MSCertificateTemplate extension.

The value is a MSCertificateTemplateValueModel instance, where major_version and minor_version are both optional:

from django_ca.pydantic import MSCertificateTemplateModel, MSCertificateTemplateValueModel

MSCertificateTemplateModel(
    critical=True,
    value=MSCertificateTemplateValueModel(
        template_id="1.2.3", major_version=1, minor_version=2
    ),
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=True,
    oid=ExtensionOID.MS_CERTIFICATE_TEMPLATE,
    value=x509.MSCertificateTemplate(
        template_id=x509.ObjectIdentifier("1.2.3"), major_version=1, minor_version=2
    ),
)

{
    "type": "ms_certificate_template",
    "critical": true,
    "value": {
        "template_id": "1.2.3",
        "major_version": 1,
        "minor_version": 2
    }
}

Note that this extension does not have a default defined for the critical parameter, so it is mandatory.

class django_ca.pydantic.NameConstraintsModel[source]

Pydantic model for a NameConstraints extension.

The value is a NameConstraintsValueModel instance, where at least one of permitted_subtrees and excluded_subtrees must be given. For example, a certificate authority that can only sign certificates under .com would look like this:

from django_ca.pydantic import (
    GeneralNameModel,
    NameConstraintsModel,
    NameConstraintsValueModel,
)

value = NameConstraintsValueModel(
    permitted_subtrees=[GeneralNameModel(type="DNS", value=".com")]
)
NameConstraintsModel(value=value)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=True,
    oid=ExtensionOID.NAME_CONSTRAINTS,
    value=x509.NameConstraints(
        permitted_subtrees=[x509.DNSName(".com")], excluded_subtrees=None
    ),
)

{
    "type": "name_constraints",
    "critical": true,
    "value": {
        "permitted_subtrees": [
            {
                "type": "DNS",
                "value": ".com"
            }
        ],
        "excluded_subtrees": null
    }
}

In this example, the certificate authority can sign certificates for .com, except for one.example.com and two.example.com:

from django_ca.pydantic import (
    GeneralNameModel,
    NameConstraintsModel,
    NameConstraintsValueModel,
)

value = NameConstraintsValueModel(
    permitted_subtrees=[GeneralNameModel(type="DNS", value=".com")],
    excluded_subtrees=[
        GeneralNameModel(type="DNS", value="one.example.com"),
        GeneralNameModel(type="DNS", value="two.example.com"),
    ],
)
NameConstraintsModel(value=value)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=True,
    oid=ExtensionOID.NAME_CONSTRAINTS,
    value=x509.NameConstraints(
        permitted_subtrees=[x509.DNSName(".com")],
        excluded_subtrees=[
            x509.DNSName("one.example.com"),
            x509.DNSName("two.example.com"),
        ],
    ),
)

{
    "type": "name_constraints",
    "critical": true,
    "value": {
        "permitted_subtrees": [
            {
                "type": "DNS",
                "value": ".com"
            }
        ],
        "excluded_subtrees": [
            {
                "type": "DNS",
                "value": "one.example.com"
            },
            {
                "type": "DNS",
                "value": "two.example.com"
            }
        ]
    }
}

class django_ca.pydantic.OCSPNoCheckModel[source]

Pydantic model for a OCSPNoCheck extension.

This extension does not have a value, and thus can be instantiated without any parameters (but None is also accepted):

from django_ca.pydantic import OCSPNoCheckModel

OCSPNoCheckModel()

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(critical=False, oid=ExtensionOID.OCSP_NO_CHECK, value=x509.OCSPNoCheck())

{
    "type": "ocsp_no_check",
    "critical": false,
    "value": null
}

class django_ca.pydantic.PolicyConstraintsModel[source]

Pydantic model for a PolicyConstraints extension.

The value is a PolicyConstraintsValueModel instance. Both require_explicit_policy and inhibit_policy_mapping are optional integers >= 0, but at least one of them must be set:

from django_ca.pydantic import PolicyConstraintsModel, PolicyConstraintsValueModel

value = PolicyConstraintsValueModel(require_explicit_policy=0, inhibit_policy_mapping=1)
PolicyConstraintsModel(value=value)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

value = x509.PolicyConstraints(require_explicit_policy=0, inhibit_policy_mapping=1)
x509.Extension(critical=True, oid=ExtensionOID.POLICY_CONSTRAINTS, value=value)

{
    "type": "policy_constraints",
    "critical": true,
    "value": {
        "require_explicit_policy": 0,
        "inhibit_policy_mapping": 1
    }
}

class django_ca.pydantic.PrecertPoisonModel[source]

Pydantic model for a PrecertPoison extension.

This extension does not have a value, and thus can be instantiated without any parameters (but None is also accepted):

from django_ca.pydantic import PrecertPoisonModel

PrecertPoisonModel()

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(critical=True, oid=ExtensionOID.PRECERT_POISON, value=x509.PrecertPoison())

{
    "type": "precert_poison",
    "critical": true,
    "value": null
}

class django_ca.pydantic.PrecertificateSignedCertificateTimestampsModel[source]

Model for a PrecertificateSignedCertificateTimestamps extension.

Note

Due to library limitations, this model cannot be converted to a cryptography class.

The value is a list of SignedCertificateTimestampModel instances:

>>> from datetime import datetime
>>> sct = SignedCertificateTimestampModel(
...     log_id="MTIz", timestamp=datetime(2023, 12, 10), entry_type="precertificate"
... )
>>> PrecertificateSignedCertificateTimestampsModel(value=[sct])
PrecertificateSignedCertificateTimestampsModel(
    critical=False,
    value=[
        SignedCertificateTimestampModel(
            version='v1',
            log_id='MTIz',
            timestamp=datetime.datetime(2023, 12, 10, 0, 0),
            entry_type='precertificate'
        )
    ]
)
class django_ca.pydantic.SignedCertificateTimestampsModel[source]

Pydantic model for a SignedCertificateTimestamps extension.

This model behaves exactly like PrecertificateSignedCertificateTimestampsModel.

class django_ca.pydantic.SubjectAlternativeNameModel[source]

Pydantic model for a SubjectAlternativeName extension.

The general_names attribute is a list of GeneralNameModel instances:

from django_ca.pydantic import GeneralNameModel, SubjectAlternativeNameModel

SubjectAlternativeNameModel(
    value=[
        GeneralNameModel(type="DNS", value="example.com"),
        GeneralNameModel(type="DNS", value="example.net"),
    ]
)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

value = x509.SubjectAlternativeName(
    [x509.DNSName("example.com"), x509.DNSName("example.net")]
)
x509.Extension(critical=False, oid=ExtensionOID.SUBJECT_ALTERNATIVE_NAME, value=value)

{
    "type": "subject_alternative_name",
    "critical": false,
    "value": [
        {
            "type": "DNS",
            "value": "example.com"
        },
        {
            "type": "DNS",
            "value": "example.net"
        }
    ]
}

class django_ca.pydantic.SubjectInformationAccessModel[source]

Pydantic model for a SubjectInformationAccess extension.

This model behaves like the AuthorityInformationAccessModel, except that the access methods have to be ca_repository.

class django_ca.pydantic.SubjectKeyIdentifierModel[source]

Pydantic model for a SubjectKeyIdentifier extension.

The value is a base64-encoded for the model:

from django_ca.pydantic import SubjectKeyIdentifierModel

SubjectKeyIdentifierModel(value="kA==", critical=False)

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.SUBJECT_KEY_IDENTIFIER,
    value=x509.SubjectKeyIdentifier(b"\x90"),
)

{
    "type": "subject_key_identifier",
    "critical": false,
    "value": "kA=="
}

class django_ca.pydantic.TLSFeatureModel[source]

Pydantic model for a TLSFeature extension.

The value is a list of one or both of "status_request" and "status_request_v2".

from django_ca.pydantic import TLSFeatureModel

TLSFeatureModel(value=["status_request"])

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.TLS_FEATURE,
    value=x509.TLSFeature([x509.TLSFeatureType.status_request]),
)

{
    "type": "tls_feature",
    "critical": false,
    "value": [
        "status_request"
    ]
}

For convenience, the model also accepts keys named in TLS_FEATURE_NAMES:

from django_ca.pydantic import TLSFeatureModel

TLSFeatureModel(value=["OCSPMustStaple"])

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

x509.Extension(
    critical=False,
    oid=ExtensionOID.TLS_FEATURE,
    value=x509.TLSFeature([x509.TLSFeatureType.status_request]),
)

{
    "type": "tls_feature",
    "critical": false,
    "value": [
        "status_request"
    ]
}

class django_ca.pydantic.UnrecognizedExtensionModel[source]

Pydantic model for a UnrecognizedExtension extension.

The value a UnrecognizedExtensionValueModel value, the value is thus base64 encoded for the model:

from django_ca.pydantic import UnrecognizedExtensionModel, UnrecognizedExtensionValueModel

value = UnrecognizedExtensionValueModel(value="MTIz", oid="1.2.3")
UnrecognizedExtensionModel(critical=True, value=value)

from cryptography import x509

oid = x509.ObjectIdentifier("1.2.3")
value = x509.UnrecognizedExtension(oid=oid, value=b"123")
x509.Extension(critical=True, oid=oid, value=value)

{
    "type": "unknown",
    "critical": true,
    "value": {
        "oid": "1.2.3",
        "value": "MTIz"
    }
}

Extension attributes

Some extensions use a more complex datastructure, so attributes are represented as nested models.

class django_ca.pydantic.extension_attributes.AccessDescriptionModel[source]

Pydantic model wrapping AccessDescription.

The access_method may be a dotted string OID or one of the aliases listed in ACCESS_METHOD_TYPES. The access_location is a GeneralNameModel:

from django_ca.pydantic import AccessDescriptionModel, GeneralNameModel

access_location = GeneralNameModel(type="URI", value="http://ocsp.example.com")
AccessDescriptionModel(
    access_method="ocsp",  # or the OID: "1.3.6.1.5.5.7.48.1"
    access_location=access_location,
)

from cryptography import x509
from cryptography.x509.oid import AuthorityInformationAccessOID

access_location = x509.UniformResourceIdentifier("http://ocsp.example.com")
x509.AccessDescription(
    access_method=AuthorityInformationAccessOID.OCSP, access_location=access_location
)

{
    "access_method": "1.3.6.1.5.5.7.48.1",
    "access_location": {
        "type": "URI",
        "value": "http://ocsp.example.com"
    }
}

The syntax is identical for CA issuers:

from django_ca.pydantic import AccessDescriptionModel, GeneralNameModel

access_location = GeneralNameModel(type="URI", value="http://ca-issuers.example.com")
AccessDescriptionModel(
    access_method="ca_issuers",  # or the OID: "1.3.6.1.5.5.7.48.2"
    access_location=access_location,
)

from cryptography import x509
from cryptography.x509.oid import AuthorityInformationAccessOID

access_location = x509.UniformResourceIdentifier("http://ca-issuers.example.com")
x509.AccessDescription(
    access_method=AuthorityInformationAccessOID.CA_ISSUERS,
    access_location=access_location,
)

{
    "access_method": "1.3.6.1.5.5.7.48.2",
    "access_location": {
        "type": "URI",
        "value": "http://ca-issuers.example.com"
    }
}

property cryptography: AccessDescription

Convert to a AccessDescription instance.

class django_ca.pydantic.extension_attributes.AdmissionModel[source]

Pydantic model wrapping Admission.

Added in version 2.1.0.

property cryptography: Admission

Convert to a Admission instance.

class django_ca.pydantic.extension_attributes.AdmissionsValueModel[source]

Pydantic model wrapping Admissions.

Added in version 2.1.0.

property cryptography: Admissions

Convert to a Admissions instance.

class django_ca.pydantic.extension_attributes.AuthorityKeyIdentifierValueModel[source]

Pydantic model wrapping AuthorityKeyIdentifier.

In its by far most common form, this model will just set the key_identifier attribute, with a value based on the certificate authority. This is a base64-encoded string:

>>> AuthorityKeyIdentifierValueModel(key_identifier="MTIz")
AuthorityKeyIdentifierValueModel(
    key_identifier='MTIz', authority_cert_issuer=None, authority_cert_serial_number=None
)

You may also pass bytes instead, in which case the value will be base64 encoded:

>>> AuthorityKeyIdentifierValueModel(key_identifier=b"123")
AuthorityKeyIdentifierValueModel(
    key_identifier='MTIz', authority_cert_issuer=None, authority_cert_serial_number=None
)

You can also give a authority_cert_issuer (a list of GeneralNameModel) and an authority_cert_serial_number:

>>> AuthorityKeyIdentifierValueModel(
...     key_identifier=None,
...     authority_cert_issuer=[{'type': 'URI', 'value': 'http://example.com'}],
...     authority_cert_serial_number=123
... )
AuthorityKeyIdentifierValueModel(
    key_identifier=None,
    authority_cert_issuer=[GeneralNameModel(type='URI', value='http://example.com')],
    authority_cert_serial_number=123
)

The restrictions defined in RFC 5280 apply, so authority_cert_issuer and authority_cert_serial_number must either be both present or None, and either key_identifier and/or authority_cert_issuer must be given.

property cryptography: AuthorityKeyIdentifier

Convert to a AuthorityKeyIdentifier instance.

class django_ca.pydantic.extension_attributes.BasicConstraintsValueModel[source]

Pydantic model wrapping BasicConstraints.

For a certificate representing a certificate authority, this extension sets ca to True and a path length, which may be None:

>>> BasicConstraintsValueModel(ca=True, path_length=0)
BasicConstraintsValueModel(ca=True, path_length=0)

For end-entity certificates, this extension sets ca to False and must set path_length to None:

>>> BasicConstraintsValueModel(ca=False, path_length=None)
BasicConstraintsValueModel(ca=False, path_length=None)
property cryptography: BasicConstraints

Convert to a BasicConstraints instance.

class django_ca.pydantic.extension_attributes.DistributionPointModel[source]

Pydantic model wrapping DistributionPoint.

In its by far most common form, this model only has a full_name containing a URI:

>>> DistributionPointModel(
...     full_name=[{"type": "URI", "value": "https://ca.example.com/crl"}]
... )
DistributionPointModel(
    full_name=[GeneralNameModel(type='URI', value='https://ca.example.com/crl')],
    relative_name=None, crl_issuer=None, reasons=None
)

Of course, other fields are also supported:

>>> DistributionPointModel(
...     relative_name=[{"oid": "2.5.4.3", "value": "example.com"}],
...     crl_issuer=[{"type": "URI", "value": "https://ca.example.com/issuer"}],
...     reasons={"key_compromise",}
... )
DistributionPointModel(
    full_name=None,
    relative_name=NameModel(root=[NameAttributeModel(oid='2.5.4.3', value='example.com')]),
    crl_issuer=[GeneralNameModel(type='URI', value='https://ca.example.com/issuer')],
    reasons={'key_compromise'}
)
property cryptography: DistributionPoint

Convert to a DistributionPoint instance.

class django_ca.pydantic.extension_attributes.IssuingDistributionPointValueModel[source]

Pydantic model wrapping IssuingDistributionPoint.

>>> full_name = [{"type": "URI", "value": "https://ca.example.com/crl"}]
>>> IssuingDistributionPointValueModel(full_name=full_name)
IssuingDistributionPointValueModel(
    only_contains_user_certs=False,
    only_contains_ca_certs=False,
    indirect_crl=False,
    only_contains_attribute_certs=False,
    only_some_reasons=None,
    full_name=[GeneralNameModel(type='URI', value='https://ca.example.com/crl')],
    relative_name=None
)

Note that all attributes default to False or None and can thus be omitted, but at least one parameter needs to be given.

property cryptography: IssuingDistributionPoint

Convert to a IssuingDistributionPoint instance.

class django_ca.pydantic.extension_attributes.MSCertificateTemplateValueModel[source]

Pydantic model wrapping MSCertificateTemplate.

The template_id parameter is a dotted-string object identifier, while major_version and minor_version are optional integers:

>>> MSCertificateTemplateValueModel(template_id="1.2.3", major_version=1)
MSCertificateTemplateValueModel(template_id='1.2.3', major_version=1, minor_version=None)
property cryptography: MSCertificateTemplate

Convert to a MSCertificateTemplate instance.

class django_ca.pydantic.extension_attributes.NameConstraintsValueModel[source]

Pydantic model wrapping NameConstraints.

Both permitted_subtrees and excluded_subtrees are optional, but at least one of them must be given. They are a list of GeneralNameModel instances:

>>> NameConstraintsValueModel(
...     permitted_subtrees=[{"type": "DNS", "value": ".com"}]
... )
NameConstraintsValueModel(
    permitted_subtrees=[GeneralNameModel(type='DNS', value='.com')], excluded_subtrees=None
)
property cryptography: NameConstraints

Convert to a NameConstraints instance.

class django_ca.pydantic.extension_attributes.NamingAuthorityModel[source]

Pydantic model wrapping NamingAuthority.

Added in version 2.1.0.

property cryptography: NamingAuthority

Convert to a NamingAuthority instance.

class django_ca.pydantic.extension_attributes.NoticeReferenceModel[source]

Pydantic model wrapping NoticeReference.

>>> NoticeReferenceModel(organization="MyOrg", notice_numbers=[1, 2, 3])
NoticeReferenceModel(organization='MyOrg', notice_numbers=[1, 2, 3])

Note that organization is optional.

property cryptography: NoticeReference

Convert to a NoticeReference instance.

class django_ca.pydantic.extension_attributes.PolicyConstraintsValueModel[source]

Pydantic model wrapping PolicyConstraints.

The require_explicit_policy and inhibit_policy_mapping are both optional and must be integers if set. At least one value must be given.

>>> PolicyConstraintsValueModel(require_explicit_policy=0, inhibit_policy_mapping=1)
PolicyConstraintsValueModel(require_explicit_policy=0, inhibit_policy_mapping=1)
property cryptography: PolicyConstraints

Convert to a PolicyConstraints instance.

class django_ca.pydantic.extension_attributes.PolicyInformationModel[source]

Pydantic model wrapping PolicyInformation.

In its simplest for, this model requires only a policy_identifier:

>>> PolicyInformationModel(policy_identifier="2.5.29.32.0")
PolicyInformationModel(policy_identifier='2.5.29.32.0', policy_qualifiers=None)

A list of policy_qualifiers may also be passed, with elements being either a str or a UserNoticeModel:

>>> notice = UserNoticeModel(explicit_text="my text")
>>> PolicyInformationModel(
...     policy_identifier="1.3.6.1.5.5.7.2.1",
...     policy_qualifiers=["https://ca.example.com/cps", notice]
... )
PolicyInformationModel(
    policy_identifier='1.3.6.1.5.5.7.2.1',
    policy_qualifiers=[
        'https://ca.example.com/cps',
        UserNoticeModel(notice_reference=None, explicit_text='my text')
    ]
)
property cryptography: PolicyInformation

Convert to a PolicyInformation instance.

class django_ca.pydantic.extension_attributes.PrivateKeyUsagePeriodValueModel[source]

Pydantic model wrapping PrivateKeyUsagePeriod.

validate_values() Self[source]

Validate that at least one value is set, and order of values.

class django_ca.pydantic.extension_attributes.ProfessionInfoModel[source]

Pydantic model wrapping ProfessionInfo.

Added in version 2.1.0.

check_consistency() ProfessionInfoModel[source]

Verify that profession_oids has the same length as profession_items if set.

property cryptography: ProfessionInfo

Convert to a ProfessionInfo instance.

class django_ca.pydantic.extension_attributes.SignedCertificateTimestampModel[source]

Pydantic model wrapping SignedCertificateTimestamp.

Note

Due to library limitations, this model cannot be converted to a cryptography class.

>>> SignedCertificateTimestampModel(
...     log_id="MTIz", timestamp=datetime(2023, 12, 10), entry_type="precertificate"
... )
SignedCertificateTimestampModel(
    version='v1',
    log_id='MTIz',
    timestamp=datetime.datetime(2023, 12, 10, 0, 0),
    entry_type='precertificate'
)
property cryptography: NoReturn

Will always raise an exception for this class.

class django_ca.pydantic.extension_attributes.UnrecognizedExtensionValueModel[source]

Pydantic model for a UnrecognizedExtension extension.

The value a base64 encoded string, and the oid is any dotted string:

>>> UnrecognizedExtensionValueModel(value="MTIz", oid="1.2.3")
UnrecognizedExtensionValueModel(oid='1.2.3', value='MTIz')

You can also pass bytes to value, in which case it will base base64 encoded:

>>> UnrecognizedExtensionValueModel(value=b"123", oid="1.2.3")
UnrecognizedExtensionValueModel(oid='1.2.3', value='MTIz')
property cryptography: UnrecognizedExtension

The UnrecognizedExtension instance.

class django_ca.pydantic.extension_attributes.UserNoticeModel[source]

Pydantic model wrapping UserNotice.

In its simplest form, the model can just take an explicit text:

>>> UserNoticeModel(explicit_text="my text")
UserNoticeModel(notice_reference=None, explicit_text='my text')

But it may also take notice reference:

>>> ref = NoticeReferenceModel(notice_numbers=[1, 2, 3])
>>> UserNoticeModel(notice_reference=ref, explicit_text="my text")
UserNoticeModel(notice_reference=NoticeReferenceModel(organization=None,
                    notice_numbers=[1, 2, 3]),
                explicit_text='my text')
property cryptography: UserNotice

Convert to a UserNotice instance.

CRL extensions

Models for CRL extensions are not currently used within the project itself.

class django_ca.pydantic.CRLNumberModel[source]

Pydantic model for a CRLNumber extension.

The value is an integer:

>>> CRLNumberModel(value=1)
CRLNumberModel(critical=False, value=1)
class django_ca.pydantic.DeltaCRLIndicatorModel[source]

Pydantic model for a DeltaCRLIndicator extension.

The value is an integer:

>>> DeltaCRLIndicatorModel(value=1)
DeltaCRLIndicatorModel(critical=True, value=1)

Validators

Validators for Pydantic models.

django_ca.pydantic.validators.access_method_parser(value: Any) Any[source]

Convert access method type aliases to dotted string.

django_ca.pydantic.validators.base64_str_validator(value: str) str[source]

Validator that asserts that the passed string is a valid Base64 encoded string.

django_ca.pydantic.validators.bytes_to_base64_str_validator(value: Any) Any[source]

Encode bytes as base64-encoded string.

django_ca.pydantic.validators.crl_scope_validator(only_contains_ca_certs: bool, only_contains_user_certs: bool, only_contains_attribute_certs: bool, only_some_reasons: Iterable[ReasonFlags] | None) None[source]

Validate the scope of a certificate revocation list (CRL).

django_ca.pydantic.validators.dns_validator(name: str) str[source]

IDNA encoding for domains.

Examples:

>>> dns_validator('example.com')
'example.com'
>>> dns_validator('exämple.com')
'xn--exmple-cua.com'
>>> dns_validator('.exämple.com')
'.xn--exmple-cua.com'
>>> dns_validator('*.exämple.com')
'*.xn--exmple-cua.com'
django_ca.pydantic.validators.elliptic_curve_validator(value: Any) Any[source]

Convert a EllipticCurve into a canonical name.

django_ca.pydantic.validators.email_validator(addr: str) str[source]

Validate an email address.

This function raises ValueError if the email address is not valid.

>>> email_validator("user@example.com")
'user@example.com'
>>> email_validator("user@exämple.com")
'user@xn--exmple-cua.com'
django_ca.pydantic.validators.extended_key_usage_validator(value: str) str[source]

Convert human-readable ExtendedKeyUsage values into dotted strings.

django_ca.pydantic.validators.int_to_hex_parser(value: Any) Any[source]

Convert an integer to an upper-case hex-string.

django_ca.pydantic.validators.is_power_two_validator(value: int) int[source]

Validate that a given integer is a power of two.

django_ca.pydantic.validators.key_usage_validator(value: Any) Any[source]

Convert a human-readable key usage name to a valid parameter.

django_ca.pydantic.validators.name_oid_dotted_string_parser(value: Any) Any[source]

Convert human-readable NameOID values into dotted strings.

django_ca.pydantic.validators.name_oid_parser(value: Any) Any[source]

Parse a NameOID string or dotted string to a x509 Object Identifier.

django_ca.pydantic.validators.non_empty_validator(value: list[str]) list[str][source]

Validate that the given list is not empty.

django_ca.pydantic.validators.oid_parser(value: str | ObjectIdentifier) str[source]

Validate a ObjectIdentifier.

django_ca.pydantic.validators.oid_validator(value: str) str[source]

Validate that the given value is a valid dotted string.

django_ca.pydantic.validators.pem_csr_validator(value: bytes) bytes[source]

Validate that the given bytes is a valid CSR in PEM format.

django_ca.pydantic.validators.reason_flag_crl_scope_validator(value: ReasonFlags) ReasonFlags[source]

Ensure that the ReasonFlags is allowed in a CRL scope.

django_ca.pydantic.validators.reason_flag_validator(value: Any) Any[source]

Validate a str to a ReasonFlags.

django_ca.pydantic.validators.serial_validator(value: str) str[source]

Validator for serials.

django_ca.pydantic.validators.signature_hash_algorithm_validator(value: Any) Any[source]

Convert a HashAlgorithm into a canonical name.

django_ca.pydantic.validators.signature_hash_algorithm_validator_with_legacy_names(value: Any) Any[source]

Same, but allows legacy names.

django_ca.pydantic.validators.timedelta_as_number_parser(unit: Literal['seconds', 'hours', 'days'] = 'seconds') Callable[[Any], Any][source]

Validator for timedelta.

Warning

This validator differs in that it has to be called with a unit for timedeltas.

django_ca.pydantic.validators.tls_feature_validator(value: str | TLSFeatureType) str[source]

Validate a TLSFeatureType.

django_ca.pydantic.validators.unique_validator(value: Sequence[T]) Sequence[T][source]

Validate that every string in the list is unique.

django_ca.pydantic.validators.url_validator(url: str) str[source]

IDNA encoding for domains in URLs.

Examples:

>>> url_validator('https://example.com')
'https://example.com'
>>> url_validator('https://exämple.com/foobar')
'https://xn--exmple-cua.com/foobar'
>>> url_validator('https://exämple.com:8000/foobar')
'https://xn--exmple-cua.com:8000/foobar'