def create_certificate(self, csr, issuer_options):
"""
Creates an Entrust certificate.
:param csr:
:param issuer_options:
:return: :raise Exception:
"""
log_data = {
"function": f"{__name__}.{sys._getframe().f_code.co_name}",
"message": "Requesting options",
"options": issuer_options
}
current_app.logger.info(log_data)
if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"):
# The ID of the primary client is 1.
client_id = 1
else:
client_id = get_client_id(self.session,
issuer_options.get("organization"))
log_data = {
"function": f"{__name__}.{sys._getframe().f_code.co_name}",
"message": f"Organization id: {client_id}"
}
current_app.logger.info(log_data)
url = current_app.config.get("ENTRUST_URL") + "/certificates"
data = process_options(issuer_options, client_id)
data["csr"] = csr
response_dict = order_and_download_certificate(self.session, url, data)
external_id = response_dict['trackingId']
cert = response_dict['endEntityCert']
if len(response_dict['chainCerts']) < 2:
# certificate signed by CA directly, no ICA included in the chain
chain = None
else:
chain = response_dict['chainCerts'][1]
if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K"
) and get_key_type_from_certificate(
cert) == "RSA2048":
chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K")
if current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F"
) and get_key_type_from_certificate(
cert) == "ECCPRIME256V1":
chain = current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F")
log_data["message"] = "Received Chain"
log_data["options"] = f"chain: {chain}"
current_app.logger.info(log_data)
return cert, chain, external_id
def load_data(self, data):
if data.get("replacements"):
data["replaces"] = data[
"replacements"] # TODO remove when field is deprecated
if data.get("csr"):
csr_sans = cert_utils.get_sans_from_csr(data["csr"])
if not data.get("extensions"):
data["extensions"] = {"subAltNames": {"names": []}}
elif not data["extensions"].get("subAltNames"):
data["extensions"]["subAltNames"] = {"names": []}
elif not data["extensions"]["subAltNames"].get("names"):
data["extensions"]["subAltNames"]["names"] = []
data["extensions"]["subAltNames"]["names"] = csr_sans
common_name = cert_utils.get_cn_from_csr(data["csr"])
if common_name:
data["common_name"] = common_name
key_type = cert_utils.get_key_type_from_csr(data["csr"])
if key_type:
data["key_type"] = key_type
# This code will be exercised for certificate import (without CSR)
if data.get("key_type") is None:
if data.get("body"):
data["key_type"] = utils.get_key_type_from_certificate(
data["body"])
else:
data["key_type"] = "RSA2048" # default value
return missing.convert_validity_years(data)
def update_key_type():
conn = op.get_bind()
start_time = time.time()
# Loop through all certificates that are valid today or expired in the last 30 days.
for cert_id, body in conn.execute(
text(
"select id, body from certificates where not_after > CURRENT_DATE - 31 and key_type is null"
)):
try:
cert_key_type = utils.get_key_type_from_certificate(body)
except ValueError as e:
log.error("Error in processing certificate - ID: %s Error: %s \n" %
(cert_id, str(e)))
else:
log.info("Processing certificate - ID: %s key_type: %s\n" %
(cert_id, cert_key_type))
stmt = text(
"update certificates set key_type=:key_type where id=:id")
stmt = stmt.bindparams(key_type=cert_key_type, id=cert_id)
op.execute(stmt)
commit()
log.info("--- %s seconds ---\n" % (time.time() - start_time))
def load_data(self, data):
if data.get("body"):
try:
data["key_type"] = utils.get_key_type_from_certificate(data["body"])
except ValueError:
raise ValidationError(
"Public certificate presented is not valid.", field_names=["body"]
)
def test_get_key_type_from_certificate():
from lemur.common.utils import get_key_type_from_certificate
assert (get_key_type_from_certificate(SAN_CERT_STR) == "RSA2048")
assert (get_key_type_from_certificate(ECDSA_SECP384r1_CERT_STR) ==
"ECCSECP384R1")
