Client SDK in Python for the EJBCA REST API

Primary language: Python. License: Apache License 2.0 (Apache-2.0)

Community supported

We welcome contributions.

The EJBCA Python Client SDK is open source and community supported, meaning that there is no SLA applicable for these tools.

To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.

EJBCA Python Client SDK

The SDK has three layers intended for consumer use:

  1. The contents of the ejbca folder are low-level modules autogenerated by the openapi-python-client tool, with modifications from a Keyfactor-maintained tool, and can be used directly. However, the added flexibility of using them directly comes at the cost of more cumbersome and less intuitive usage. You can follow the readme in the ejbca folder for examples of doing this. You can also use this source code to find examples of calling the EJBCA API from Python without using any of the SDK modules.
  2. The ejbcaclient.py module is a wrapper for the openAPI-generated code. This module is itself generated by a Keyfactor-maintained tool, and greatly simplifies use of the openAPI-generated modules. An example is given below. cryptoOps.py provides some utilities that work in conjunction with the ejbcaclient.py module for generating and processing certificates and keys.
  3. The scenarios.py module is a user-friendly, high-level wrapper for ejbcaclient.py and cryptoOps.py, and provides the simplest access to a function for certificate enrollment. An example is given below.

Configuration

The environment.json file contains information needed by the client SDK to access the EJBCA instance. This includes:

  • URLbase: root directory for EJBCA REST calls
  • scheme: http or https
  • host: address or IP of EJBCA server
  • token: basic auth credentials (where supported)
  • certPath: file path to EJBCA client authentication certificate
  • keyPath: file path to private key for EJBCA client authentication certificate
  • ca: default CA to use for enrollment requests in highest-level scenarios wrapper
  • profile: default end entity profile to use for enrollment requests in highest-level scenarios wrapper
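
A pre-flight audit of environment.json, as an added example that is not part of the SDK or of this README. It assumes the file is a flat JSON object using the key names listed above, POSIX file permissions, and that either token or certPath plus keyPath supplies the credential; audit_environment, loose_perms, demo and all sample values are hypothetical or constructed.

```python
import json, os, stat, tempfile

REQUIRED = ("URLbase", "scheme", "host", "ca", "profile")

def loose_perms(path):
    """True if group or others have any access to the file (POSIX mode bits)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_environment(path):
    """Return a list of findings for an environment.json-style file."""
    with open(path) as fh:
        cfg = json.load(fh)
    findings = [f"missing key: {k}" for k in REQUIRED if not cfg.get(k)]
    if str(cfg.get("scheme", "")).lower() != "https":
        findings.append("scheme is not https: credentials cross the network unencrypted")
    has_token = bool(cfg.get("token"))
    key_path = cfg.get("keyPath")
    if not has_token and not (cfg.get("certPath") and key_path):
        findings.append("no credential: set token or certPath plus keyPath")
    if has_token and loose_perms(path):
        findings.append("token stored in a file accessible to group/others")
    if key_path:
        if not os.path.isfile(key_path):
            findings.append(f"keyPath not found: {key_path}")
        elif loose_perms(key_path):
            findings.append(f"private key accessible to group/others: {key_path}")
    return findings

def demo():
    """Audit a constructed weak config, then a constructed hardened one."""
    d = tempfile.mkdtemp()
    key, cfg_path = os.path.join(d, "client.key"), os.path.join(d, "environment.json")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    cfg = {"URLbase": "/ejbca/ejbca-rest-api", "scheme": "http",   # constructed values
           "host": "ejbca.example.test", "token": "constructed-token",
           "certPath": os.path.join(d, "client.pem"), "keyPath": key,
           "ca": "ExampleCA", "profile": "ExampleProfile"}
    results = []
    for overrides, mode in (({}, 0o644), ({"scheme": "https", "token": ""}, 0o600)):
        with open(cfg_path, "w") as fh:
            json.dump({**cfg, **overrides}, fh)
        os.chmod(cfg_path, mode)   # weak run: world-readable; hardened run: owner only
        os.chmod(key, mode)
        results.append(audit_environment(cfg_path))
    return results

if __name__ == "__main__":
    for label, found in zip(("weak", "hardened"), demo()):
        print(label, found)
```

Run audit_environment against the real environment.json before the SDK loads it and treat any finding as a failed start-up check.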

Example usage:

# Wrappers for python models and API calls
import ejbcaclient

# User-friendly interface to a combination of crypto operations and ejbca calls
import scenarios

# Generate a keypair on the device, sign a CSR with it, create a new end entity in EJBCA, submit the CSR with that entity, and return the signed cert
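cert, key = scenarios.csrEnrollment("CN=pythonTest")

# Lower-level access to the EJBCA call to get a new certificate.
# csr (the certificate signing request) and username/password (the end entity's credentials) must already be defined.
cert = ejbcaclient.certificate_request({"certificate_request": csr, "username": username, "password": password})["certificate"]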