def validate_default_key_pair_with_policy_subject(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
if not policy_spec.defaults or not policy_spec.defaults.key_pair or not policy_spec.policy \
or not policy_spec.policy.key_pair:
return
kp = policy_spec.policy.key_pair
dkp = policy_spec.defaults.key_pair
if kp.key_types and kp.key_types[0] and dkp.key_type:
if kp.key_types[0] != dkp.key_type:
raise VenafiError(no_match_error_msg.format('key types', dkp.key_type, kp.key_types[0]))
if kp.rsa_key_sizes and kp.rsa_key_sizes[0] and dkp.rsa_key_size:
if kp.rsa_key_sizes[0] != dkp.rsa_key_size:
raise VenafiError(no_match_error_msg.format('rsa key sizes', dkp.rsa_key_size, kp.rsa_key_sizes[0]))
if kp.elliptic_curves and kp.elliptic_curves[0] and dkp.elliptic_curve:
if kp.elliptic_curves[0] != dkp.elliptic_curve:
raise VenafiError(no_match_error_msg.format('elliptic curves', dkp.elliptic_curve, kp.elliptic_curves[0]))
if kp.service_generated and dkp.service_generated:
if kp.service_generated != dkp.service_generated:
raise VenafiError(no_match_error_msg.format('generation type', dkp.service_generated, kp.service_generated))
def validate_default_subject(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
if not policy_spec.defaults or not policy_spec.defaults.subject:
return
if not policy_spec.policy or not policy_spec.policy.subject:
return
s = policy_spec.policy.subject
ds = policy_spec.defaults.subject
if s.orgs and s.orgs[0] and ds.org:
if s.orgs[0] != ds.org:
raise VenafiError(no_match_error_msg.format('organizations', ds.org, s.orgs[0]))
if s.org_units and len(s.org_units) > 0 and ds.org_units and len(ds.org_units) > 0:
if not member_of(ds.org_units, s.org_units):
raise VenafiError(no_match_error_msg.format('orgUnits', ds.org_units[0], s.org_units[0]))
if s.localities and s.localities[0] and ds.locality:
if s.localities[0] != ds.locality:
raise VenafiError(no_match_error_msg.format('localities', ds.locality, s.localities[0]))
if s.states and s.states[0] and ds.state:
if s.states[0] != ds.state:
raise VenafiError(no_match_error_msg.format('states', ds.state, s.states[0]))
if s.countries and s.countries and ds.country:
if s.countries[0] != ds.country:
raise VenafiError(no_match_error_msg.format('countries', ds.country, s.countries[0]))
def validate_key_pair(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
if not policy_spec.policy.key_pair:
raise VenafiError("Key Pair structure is empty")
kp = policy_spec.policy.key_pair
# validate key algorithm
if len(kp.key_types) > 1:
raise VenafiError(too_many_error_msg.format('key types'))
if len(kp.key_types) > 0 and not member_of(kp.key_types, supported_key_types):
raise VenafiError(unsupported_error_msg.format('key types', pprint(supported_key_types), pprint(kp.key_types)))
# validate key bit strength
if len(kp.rsa_key_sizes) > 1:
raise VenafiError(too_many_error_msg.format('key bit strength'))
if len(kp.rsa_key_sizes) > 0 and not member_of(kp.rsa_key_sizes, supported_rsa_key_sizes):
raise VenafiError(unsupported_error_msg.format('key bit strength', pprint(supported_rsa_key_sizes),
pprint(kp.rsa_key_sizes)))
# validate elliptic curve
if len(kp.elliptic_curves) > 1:
raise VenafiError(too_many_error_msg.format('elliptic curve'))
if len(kp.elliptic_curves) > 0 and not member_of(kp.elliptic_curves, supported_elliptic_curves):
raise VenafiError(unsupported_error_msg.format('elliptic_curve', pprint(supported_elliptic_curves),
pprint(kp.elliptic_curves)))
def validate_default_key_pair(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
if not policy_spec.defaults or not policy_spec.defaults.key_pair:
return
dkp = policy_spec.defaults.key_pair
if dkp.key_type and not member_of([dkp.key_type], supported_key_types):
raise VenafiError(unsupported_error_msg.format('key type', pprint(supported_key_types), dkp.key_type))
if dkp.rsa_key_size and not member_of([dkp.rsa_key_size], supported_rsa_key_sizes):
raise VenafiError(unsupported_error_msg.format('rsa key size', pprint(supported_rsa_key_sizes),
dkp.rsa_key_size))
if dkp.elliptic_curve and not member_of([dkp.elliptic_curve], supported_elliptic_curves):
raise VenafiError(unsupported_error_msg.format('elliptic curve', pprint(supported_elliptic_curves),
dkp.elliptic_curve))
def get_ca_info(ca_name):
"""
:param str ca_name:
:rtype: CertificateAuthorityInfo
"""
data = ca_name.split("\\")
if len(data) < 3:
raise VenafiError(f"Certificate Authority name invalid [{ca_name}]")
return CertificateAuthorityInfo(data[0], data[1], data[2])
def is_service_generated_csr(csr_generation):
"""
:param str csr_generation:
:param:
:rtype: CertField
"""
if not csr_generation:
raise VenafiError("csr generation value cannot be empty")
if csr_generation == user_generated_csr:
return False
else:
return True
def validate_policy_spec(policy_spec):
"""
:param PolicySpecification policy_spec:
:rtype: bool
"""
if policy_spec.policy:
validate_policy_subject(policy_spec)
validate_key_pair(policy_spec)
validate_default_subject(policy_spec)
validate_default_key_pair_with_policy_subject(policy_spec)
validate_default_key_pair(policy_spec)
d = policy_spec.defaults
p = policy_spec.policy
if not d or not p:
return
if p.auto_installed is not None:
if p.auto_installed != d.auto_installed:
raise VenafiError(no_match_error_msg.format('autoinstalled', d.auto_installed, p.auto_installed))
return True
def get_cit_data_from_response(data):
"""
Returns the issuing template id and name from the response after creation
:param dict data:
:rtype: (str, str)
"""
cit_id = None
cit_name = None
if 'certificateIssuingTemplates' in data:
cit_list = data['certificateIssuingTemplates']
if cit_list and len(cit_list) > 0:
cit_id = data['certificateIssuingTemplates'][0]['id']
cit_name = data['certificateIssuingTemplates'][0]['name']
elif 'id' in data:
cit_id = data['id']
cit_name = data['name']
if cit_name and cit_id:
return cit_id, cit_name
else:
raise VenafiError(
'Error while creating Application request. CIT name or id not found.'
)
def validate_policy_subject(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
if not policy_spec.policy.subject:
raise VenafiError("Subject structure is empty")
s = policy_spec.policy.subject
if len(s.orgs) > 1:
raise VenafiError(too_many_error_msg.format('organizations'))
if len(s.localities) > 1:
raise VenafiError(too_many_error_msg.format('localities'))
if len(s.states) > 1:
raise VenafiError(too_many_error_msg.format('states'))
if len(s.countries) > 1:
raise VenafiError(too_many_error_msg.format('countries'))
# Country values should follow ISO Alpha-2 standard, e.g.: US, MX, CA, FR, etc.
if len(s.countries[0]) != 2:
raise VenafiError(f"country code [{s.countries[0]}] does not match ISO Alpha-2 specification")
def build_policy_spec(cit, ca_info, subject_cn_to_str=True):
"""
:param Cit cit:
:param CertificateAuthorityInfo ca_info:
:param bool subject_cn_to_str: Indicates whether or not to remove the regex pattern from the Common Name values
:rtype: PolicySpecification
"""
if not cit:
raise VenafiError("Certificate issuing template is empty")
ps = PolicySpecification()
p = Policy()
p.wildcard_allowed = is_wildcard_allowed(cit.SubjectCNRegexes)
if len(cit.SubjectCNRegexes) > 0:
if subject_cn_to_str:
domains = convert_to_string(cit.SubjectCNRegexes,
p.wildcard_allowed)
p.domains = domains
else:
p.domains = cit.SubjectCNRegexes
else:
p.domains = None
if cit.validity_period:
# getting days in format P#D
days = cit.validity_period[1:len(cit.validity_period) - 1]
int_value = int(days)
p.max_valid_days = int_value
if ca_info:
ca = f"{ca_info.ca_type}\\{ca_info.ca_account_key}\\{ca_info.vendor_name}"
p.certificate_authority = ca
s = Subject()
create_subject = False
if len(cit.SubjectORegexes) > 0:
create_subject = True
s.orgs = cit.SubjectORegexes
if len(cit.SubjectOURegexes) > 0:
create_subject = True
s.org_units = cit.SubjectOURegexes
if len(cit.SubjectLRegexes) > 0:
create_subject = True
s.localities = cit.SubjectLRegexes
if len(cit.SubjectSTRegexes) > 0:
create_subject = True
s.states = cit.SubjectSTRegexes
if len(cit.SubjectCRegexes) > 0:
create_subject = True
s.countries = cit.SubjectCRegexes
p.subject = s if create_subject else None
kp = KeyPair()
create_kp = False
if len(cit.key_types) > 0:
key_types = []
key_sizes = []
for allowed_kt in cit.key_types:
kt = allowed_kt.key_type
kl = allowed_kt.option
# Only include one instance of the KeyType
if kt not in key_types:
key_types.append(kt)
key_sizes.append(kl)
create_kp = True
kp.key_types = key_types
kp.rsa_key_sizes = key_sizes
kp.reuse_allowed = cit.key_reuse
p.key_pair = kp if create_kp else None
sans = SubjectAltNames(False, False, False, False, False)
if cit.SANRegexes:
sans.dns_allowed = True
p.subject_alt_names = sans
ps.policy = p
rs = cit.recommended_settings
if rs:
d = Defaults()
ds = DefaultSubject()
create_ds = False
if rs.subjectOValue:
ds.org = rs.subjectOValue
create_ds = True
if rs.subjectOUValue:
ds.org_units = [rs.subjectOUValue]
create_ds = True
if rs.subjectLValue:
ds.locality = rs.subjectLValue
create_ds = True
if rs.subjectSTValue:
ds.state = rs.subjectSTValue
create_ds = True
if rs.subjectCValue:
ds.country = rs.subjectCValue
create_ds = True
d.subject = ds if create_ds else None
kt = rs.keyType
if kt:
dkp = DefaultKeyPair()
create_dkp = False
if kt.key_type:
dkp.key_type = kt.key_type
create_dkp = True
if kt.option:
dkp.rsa_key_size = kt.option
create_dkp = True
d.key_pair = dkp if create_dkp else None
ps.defaults = d
return ps
def validate_policy_spec(policy_spec):
"""
:param PolicySpecification policy_spec:
"""
default_error_msg = 'Default value does not match with policy values.' \
'\nAttribute: {}\nDefault value:{}\nPolicy values:{}'
# validate policy values
if policy_spec.policy:
p = policy_spec.policy
# validate key pair values
if policy_spec.policy.key_pair:
if len(policy_spec.policy.key_pair.key_types) > 1:
raise VenafiError(
"Key Type values exceeded. Only one Key Type is allowed by Venafi Cloud"
)
if policy_spec.policy.key_pair.key_types \
and policy_spec.policy.key_pair.key_types[0].lower() != KeyType.RSA:
raise VenafiError(
f"Key Type [{p.key_pair.key_types[0]}] is not supported by Venafi Cloud"
)
if len(policy_spec.policy.key_pair.rsa_key_sizes) > 0:
invalid_value = get_invalid_cloud_rsa_key_size_value(
policy_spec.policy.key_pair.rsa_key_sizes)
if invalid_value:
raise VenafiError(
f"The Key Size [{invalid_value}] is not supported by Venafi Cloud"
)
# validate subject CN and SAN regexes
if p.subject_alt_names:
sans = get_sans(policy_spec.policy.subject_alt_names)
if len(sans) > 0:
for k, v in sans.items():
if v is True and not (k == RPA.TPP_DNS_ALLOWED):
raise VenafiError(
f"Subject Alt name [{k}] is not allowed by Venafi Cloud"
)
# validate default subject values against policy values
if policy_spec.defaults and policy_spec.defaults.subject and policy_spec.policy.subject:
ds = policy_spec.defaults.subject
s = policy_spec.policy.subject
if ds.org and len(s.orgs) > 0:
if not is_valid_policy_value(s.orgs, ds.org):
raise VenafiError(
default_error_msg.format('Organization', ds.org,
s.orgs))
if ds.org_units and len(ds.org_units) > 0 and len(s.org_units) > 0:
if not member_of(ds.org_units, s.org_units):
raise VenafiError(
default_error_msg.format('Org Units', ds.org_units,
s.org_units))
if ds.locality and len(s.localities) > 0:
if not is_valid_policy_value(s.localities, ds.locality):
raise VenafiError(
default_error_msg.format('Localities', ds.locality,
s.localities))
if ds.state and len(s.states) > 0:
if not is_valid_policy_value(s.states, ds.state):
raise VenafiError(
default_error_msg.format('States', ds.state, s.states))
if ds.country and len(s.countries) > 0:
if not is_valid_policy_value(s.countries, ds.country):
raise VenafiError(
default_error_msg.format('Countries', ds.country,
s.countries))
# validate default key pair values against policy values
if policy_spec.defaults and policy_spec.defaults.key_pair and policy_spec.policy.key_pair:
dkp = policy_spec.defaults.key_pair
kp = policy_spec.policy.key_pair
if dkp.key_type and len(kp.key_types) > 0:
if dkp.key_type not in kp.key_types:
raise VenafiError(
default_error_msg.format('Key Types', dkp.key_type,
kp.key_types))
if dkp.rsa_key_size and len(kp.rsa_key_sizes) > 0:
if dkp.rsa_key_size not in kp.rsa_key_sizes:
raise VenafiError(
default_error_msg.format('RSA Key Sizes',
dkp.rsa_key_size,
kp.rsa_key_sizes))
if dkp.elliptic_curve and len(kp.elliptic_curves) > 0:
if dkp.elliptic_curve not in kp.elliptic_curves:
raise VenafiError(
default_error_msg.format('Elliptic Curves',
dkp.elliptic_curve,
kp.elliptic_curves))
if dkp.service_generated is not None and kp.service_generated is not None:
if dkp.service_generated != kp.service_generated:
raise VenafiError(
default_error_msg.format('Service Generated',
dkp.service_generated,
kp.service_generated))
else:
policy_spec.policy = Policy()
# validate default values when policy is not defined
if policy_spec.defaults and policy_spec.defaults.key_pair:
dkp = policy_spec.defaults.key_pair
if dkp.key_type and dkp.key_type != "RSA":
raise VenafiError(
f"Default Key Type [{dkp.key_type}] is not supported by Venafi Cloud"
)
if dkp.rsa_key_size:
invalid_value = get_invalid_cloud_rsa_key_size_value(
[dkp.rsa_key_size])
if invalid_value:
raise VenafiError(
f"Default Key Size [{invalid_value}] is not supported by Venafi Cloud"
)