14.2.1.2.2. Certificate Token
- class edumfa.lib.tokens.certificatetoken.CertificateTokenClass(aToken)
Token to implement an X509 certificate. The certificate can be enrolled by sending a CSR to the server or the keypair is created by the server. If the server creates the keypair, the user can download a PKCS12 file. The OTP PIN is used as passphrase for the PKCS12 file.
eduMFA is capable of working with different CA connectors.
Valid parameters are request or certificate, both PEM encoded. If you pass a request you also need to pass the ca that should be used to sign the request. Passing a certificate just uploads the certificate to a new token object.
A certificate token can be created by an administrative task with the token/init api like this:
Example Initialization Request:
POST /token/init HTTP/1.1
Host: example.com
Accept: application/json

type=certificate
user=cornelius
realm=realm1
request=<PEM encoded request>
attestation=<PEM encoded attestation certificate>
ca=<name of the ca connector>
Example Initialization Request, key generation on the server's side
In this case the certificate is created on behalf of another user.
POST /token/init HTTP/1.1
Host: example.com
Accept: application/json

type=certificate
user=cornelius
realm=realm1
generate=1
ca=<name of the ca connector>
Example response:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "detail": {
    "certificate": "...PEM..."
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "version": "eduMFA unknown"
}
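The parameter rules above (exactly one of request, certificate or generate=1; a CA connector whenever the server has to sign; PEM encoding of what is sent) are easy to get wrong on the client side. The following added example, which is not part of eduMFA and not the project's own code, checks an enrollment request against those rules before it is posted and extracts the issued certificate from a response shaped like the one shown. The connector name "localCA", the helper names and the DER sample are constructed for the example; the sample PEM blocks wrap a minimal DER SEQUENCE and are not real keys, CSRs or certificates.

```python
"""Client-side validation of a certificate-token enrollment request.

Added example, not eduMFA's own code. It applies the rules stated above for
POST /token/init with type=certificate: send exactly one of `request` (a PEM
CSR, which then needs `ca`), `certificate` (a PEM certificate, uploaded as-is)
or `generate=1` (server-side keypair, which also needs `ca`).
"""
import base64
import json
import re
from typing import Optional, Tuple

# One PEM block: the label in the BEGIN and END lines must match, the body is base64.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def parse_pem(pem: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes) for a single PEM block or raise ValueError."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("not PEM encoded")
    der = base64.b64decode(match.group("body"))  # embedded whitespace is discarded
    # Certificates and CSRs are DER SEQUENCEs, so a sane body starts with 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    return match.group("label"), der


def build_init_params(user: str, realm: str, ca: Optional[str] = None,
                      request: Optional[str] = None,
                      certificate: Optional[str] = None,
                      generate: bool = False,
                      attestation: Optional[str] = None) -> dict:
    """Build the form parameters for /token/init, enforcing the documented rules."""
    if sum(map(bool, (request, certificate, generate))) != 1:
        raise ValueError("pass exactly one of request, certificate or generate=1")
    params = {"type": "certificate", "user": user, "realm": realm}
    if certificate:
        label, _ = parse_pem(certificate)
        if label != "CERTIFICATE":
            raise ValueError("certificate must be a CERTIFICATE PEM, got %s" % label)
        params["certificate"] = certificate
        return params  # no CA needed: the certificate is only uploaded
    # A CSR and server-side key generation both need a CA connector to sign.
    if not ca:
        raise ValueError("ca (name of the CA connector) is required")
    params["ca"] = ca
    if request:
        label, _ = parse_pem(request)
        if label != "CERTIFICATE REQUEST":
            raise ValueError("request must be a CERTIFICATE REQUEST PEM, got %s" % label)
        params["request"] = request
        if attestation:
            parse_pem(attestation)  # must at least be a well-formed PEM block
            params["attestation"] = attestation
    else:
        params["generate"] = "1"
    return params


def validation_error(**kwargs) -> Optional[str]:
    """Return the rejection reason for build_init_params(**kwargs), or None if accepted."""
    try:
        build_init_params(**kwargs)
    except ValueError as err:
        return str(err)
    return None


def certificate_from_response(body: str) -> str:
    """Pull the issued PEM certificate out of the JSON-RPC style response."""
    doc = json.loads(body)
    if not doc.get("result", {}).get("status"):
        raise RuntimeError("enrollment failed: %r" % doc.get("result"))
    return doc["detail"]["certificate"]


# Constructed sample data: a minimal DER SEQUENCE { INTEGER 5 }, not a real key,
# CSR or certificate, wrapped in PEM so the checks above can run offline.
_FAKE_DER_B64 = base64.b64encode(bytes.fromhex("3003020105")).decode()
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n%s\n"
              "-----END CERTIFICATE REQUEST-----\n" % _FAKE_DER_B64)
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n%s\n"
               "-----END CERTIFICATE-----\n" % _FAKE_DER_B64)
SAMPLE_RESPONSE = json.dumps({
    "detail": {"certificate": SAMPLE_CERT}, "id": 1, "jsonrpc": "2.0",
    "result": {"status": True, "value": True}, "version": "eduMFA unknown",
})

if __name__ == "__main__":
    print(build_init_params("cornelius", "realm1", ca="localCA", request=SAMPLE_CSR)["ca"])
    print(validation_error(user="cornelius", realm="realm1", request=SAMPLE_CSR))
    print(certificate_from_response(SAMPLE_RESPONSE)[:27])
```

The checks mirror the text rather than the server's own implementation: a CSR without ca is rejected before any request is sent, a certificate upload never requires a CA connector, and a PEM body that does not decode to a DER SEQUENCE is treated as malformed so a mislabelled or truncated file is caught early.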
Create a new token object.
- Parameters:
db_token (Token) – A database token object
- Returns:
A TokenClass object
- get_as_dict()
This returns the token data as a dictionary. It is used to display the token list at /token/list.
The certificate token additionally includes the PKCS12 file if it exists.
- Returns:
The token data as dict
- Return type:
dict
- static get_class_info(key=None, ret='all')
Returns a subtree of the token definition.
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns:
subsection if key exists or user defined
- Return type:
dict or scalar
- classmethod get_default_settings(g, params)
This method returns a dictionary with additional settings for token enrollment. The settings that are evaluated are SCOPE.ADMIN|SCOPE.USER, action=trusted_Assertion_CA_path. It sets a list of configured paths.
The returned dictionary is added to the parameters of the API call.
- Parameters:
g – context object, see documentation of Match
params (dict) – The call parameters
- Returns:
default parameters
- get_init_detail(params=None, user=None)
At the end of the initialization we return the certificate and the PKCS12 file, if the private key exists.
- hKeyRequired = False
- revoke()
This revokes the token. We need to determine the CA which issued the certificate, contact the connector and revoke the certificate.
Some token types may revoke a token without locking it.
- set_pin(pin, encrypt=False)
Set the PIN of a token. The PIN of the certificate token is stored encrypted. It is used as passphrase for the PKCS12 file.
- Parameters:
pin (basestring) – the pin to be set for the token
encrypt (bool) – If set to True, the pin is stored encrypted and can be retrieved from the database again
- update(param)
This method is called during the initialization process.
- Parameters:
param (dict) – parameters from the token init
- Returns:
None
- using_pin = False