tiny_ca.ca_factory.utils.file_loader module

CA material loading: Protocol definition and PEM-file-backed implementation.

This module provides two public symbols:

  • ICALoader — a @runtime_checkable Protocol that defines the minimum interface any CA-material provider must satisfy. Consumers (e.g. CertificateFactory) depend only on this Protocol, never on a concrete loader class (DIP).

  • CAFileLoader — reads a CA certificate and private key from PEM files on the local filesystem and exposes them through ICALoader.

class tiny_ca.ca_factory.utils.file_loader.CAFileLoader(ca_cert_path, ca_key_path, ca_key_password=None, logger=None)

Bases: object

Loads a CA certificate and private key from PEM files on the local filesystem.

Responsibility: file reading and PEM deserialisation only. Does not generate certificates, manage sessions, or perform any cryptographic operations beyond deserialisation.

On construction the loader:

  1. Validates that both paths point to existing, regular files with permitted extensions (see ALLOWED_CERT_EXTENSIONS).

  2. Deserialises the CA certificate and private key from PEM.

  3. Extracts CertificateInfo from the CA certificate’s Subject.

After successful construction all three ICALoader properties are available and will not change for the lifetime of the instance.

Parameters:
  • ca_cert_path (str | Path) – Path to the PEM-encoded CA certificate file.

  • ca_key_path (str | Path) – Path to the PEM-encoded CA private key file.

  • ca_key_password (str | bytes | None) – Optional password protecting the private key. A str value is encoded to bytes using UTF-8 before being passed to the cryptography library. None means the key is unencrypted.

  • logger (Logger | None) – Logger instance for diagnostic messages. Falls back to DEFAULT_LOGGER when None.

__init__(ca_cert_path, ca_key_path, ca_key_password=None, logger=None)

Return type:

None

property base_info: CertificateInfo

Structured metadata extracted from the CA certificate Subject.

Returns:

Contains organization, organizational_unit, country, state, and locality fields; any absent attribute is None.

Return type:

CertificateInfo

property ca_cert: Certificate

The deserialized CA certificate.

Returns:

The CA certificate loaded from ca_cert_path.

Return type:

x509.Certificate

property ca_key: RSAPrivateKey

The deserialized CA private key.

Returns:

The private key loaded from ca_key_path.

Return type:

rsa.RSAPrivateKey

class tiny_ca.ca_factory.utils.file_loader.ICALoader(*args, **kwargs)

Bases: Protocol

Protocol that defines the minimum contract for CA-material providers.

Any object that exposes the three properties below satisfies this Protocol and can be injected into CertificateFactory without any inheritance. This makes it trivial to substitute the real filesystem loader with an in-memory stub, an HSM-backed loader, or a mock in unit tests.

Properties

ca_cert : x509.Certificate

The loaded CA certificate object.

ca_key : rsa.RSAPrivateKey

The loaded CA private key used for signing.

base_info : CertificateInfo

Structured metadata extracted from the CA certificate’s Subject field (organization, country, state, locality, organizational unit).

__init__(*args, **kwargs)
property base_info: CertificateInfo
property ca_cert: Certificate
property ca_key: RSAPrivateKey
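
The substitution described for ICALoader above, as an added example (not tiny_ca's own code): an in-memory stub that satisfies a locally re-declared stand-in for the Protocol, plus a check that the private key matches the certificate, since an isinstance() test against a @runtime_checkable Protocol only confirms that the attributes exist. CALoaderLike, InMemoryCALoader, check_loader and the dict used for base_info are hypothetical names; the cryptography package is assumed to be installed.

```python
# Added example: stand-ins for tiny_ca's ICALoader and CertificateInfo, declared
# locally so the block runs without tiny_ca installed (needs `cryptography`).
import datetime
from typing import Any, Protocol, runtime_checkable

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

@runtime_checkable
class CALoaderLike(Protocol):  # local stand-in mirroring ICALoader's three properties
    @property
    def ca_cert(self) -> x509.Certificate: ...
    @property
    def ca_key(self) -> rsa.RSAPrivateKey: ...
    @property
    def base_info(self) -> Any: ...

class InMemoryCALoader:
    """Hypothetical test stub: throwaway self-signed CA, never written to disk."""
    def __init__(self, org: str = "Constructed Test CA") -> None:
        self.ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])
        now = datetime.datetime.now(datetime.timezone.utc)
        self.ca_cert = (
            x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(self.ca_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(self.ca_key, hashes.SHA256())
        )
        # Stand-in for CertificateInfo: absent Subject attributes are None.
        self.base_info = {"organization": org, "organizational_unit": None,
                          "country": None, "state": None, "locality": None}

def check_loader(loader: object) -> bool:
    """isinstance() on a runtime_checkable Protocol only proves the attributes
    exist, so also confirm the private key belongs to the certificate."""
    if not isinstance(loader, CALoaderLike):
        return False
    try:
        return (loader.ca_cert.public_key().public_numbers()
                == loader.ca_key.public_key().public_numbers())
    except AttributeError:  # attributes present but of the wrong type
        return False
```

Running check_loader once where a loader is injected catches a mismatched certificate/key pair before anything is signed with it.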