def test_certificate_crud_operations(self):
cert_policy = CertificatePolicy(
KeyProperties(True, 'RSA', 2048, False),
SecretProperties('application/x-pkcs12'),
issuer_parameters=IssuerParameters('Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
interval_time = 5 if not self.is_playback() else 0
cert_operation = self.client.create_certificate(KEY_VAULT_URI, self.cert_name, cert_policy)
while True:
pending_cert = self.client.get_certificate_operation(KEY_VAULT_URI, self.cert_name)
self._validate_certificate_operation(pending_cert, KEY_VAULT_URI, self.cert_name, cert_policy)
if pending_cert.status.lower() == 'completed':
cert_id = keyvaultid.parse_certificate_operation_id(pending_cert.target)
break
elif pending_cert.status.lower() != 'inprogress':
raise Exception('Unknown status code for pending certificate: {}'.format(pending_cert))
time.sleep(interval_time)
# get certificate
cert_bundle = self.client.get_certificate(cert_id.base_id)
self._validate_certificate_bundle(cert_bundle, KEY_VAULT_URI, self.cert_name, cert_policy)
# get certificate as secret
secret_bundle = self.client.get_secret(cert_bundle.sid)
# update certificate
cert_policy.tags = {'tag1': 'value1'}
cert_bundle = self.client.update_certificate(cert_id.id, cert_policy)
self._validate_certificate_bundle(cert_bundle, KEY_VAULT_URI, self.cert_name, cert_policy)
# delete certificate
cert_bundle = self.client.delete_certificate(KEY_VAULT_URI, self.cert_name)
self._validate_certificate_bundle(cert_bundle, KEY_VAULT_URI, self.cert_name, cert_policy)
# get certificate returns not found
try:
self.client.get_certificate(cert_id.base_id)
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'Not Found' not in ex.message:
raise ex
def _scaffold_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=True,
key_type='(optional) RSA or RSA-HSM (default RSA)',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type='application/x-pkcs12 or application/x-pem-file'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject_alternative_names=SubjectAlternativeNames(
emails=['*****@*****.**'],
dns_names=['hr.contoso.com', 'm.contoso.com'],
upns=[]),
subject=
'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
ekus=['1.3.6.1.5.5.7.3.1'],
validity_in_months=24),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(
name='Unknown, Self, or {IssuerName}',
certificate_type='(optional) DigiCert, GlobalSign or WoSign'),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
return template
def _default_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type='application/x-pkcs12'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject=
'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
validity_in_months=12),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(name='Self', ),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
del template.issuer_parameters.certificate_type
del template.lifetime_actions[0].trigger.lifetime_percentage
del template.x509_certificate_properties.subject_alternative_names
del template.x509_certificate_properties.ekus
return template
def certificate_policy_template():
from azure.keyvault.generated.models import \
(CertificatePolicy, CertificateAttributes, KeyProperties, SecretProperties,
X509CertificateProperties, SubjectAlternativeNames, LifetimeAction, Action, Trigger,
IssuerParameters)
from azure.keyvault.generated.models.key_vault_client_enums \
import ActionType, JsonWebKeyType, KeyUsageType
# create sample policy
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=False,
key_type='{{ {} }}'.format(' | '.join([x.value for x in JsonWebKeyType])),
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties('text/plain'),
x509_certificate_properties=X509CertificateProperties(
subject_alternative_names=SubjectAlternativeNames(
emails=['*****@*****.**', '*****@*****.**'],
dns_names=['www.mydomain.com'],
upns=['principal-name']
),
subject='X509 Distinguished Name',
ekus=['ekus'],
key_usage=['{{ {} }}'.format(' | '.join([x.value for x in KeyUsageType]))],
validity_in_months=60
),
lifetime_actions=[
LifetimeAction(
Trigger(lifetime_percentage=90, days_before_expiry=7),
Action(action_type='{{ {} }}'.format(' | '.join([x.value for x in ActionType])))
)
],
issuer_parameters=IssuerParameters(name='issuer-name'),
attributes=CertificateAttributes(
enabled=True
)
)
# remove properties which are read only
del template.id
del template.attributes.created
del template.attributes.updated
return template
def import_certificate(client,
vault_base_url,
certificate_name,
certificate_data,
disabled=False,
password=None,
certificate_policy=None,
tags=None):
import binascii
x509 = None
content_type = None
try:
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, certificate_data)
# if we get here, we know it was a PEM file
content_type = 'application/x-pem-file'
try:
# for PEM files (including automatic endline conversion for Windows)
certificate_data = certificate_data.decode('utf-8').replace(
'\r\n', '\n')
except UnicodeDecodeError:
certificate_data = binascii.b2a_base64(certificate_data).decode(
'utf-8')
except (ValueError, crypto.Error):
pass
if not x509:
try:
if password:
x509 = crypto.load_pkcs12(certificate_data,
password).get_certificate()
else:
x509 = crypto.load_pkcs12(certificate_data).get_certificate()
content_type = 'application/x-pkcs12'
certificate_data = binascii.b2a_base64(certificate_data).decode(
'utf-8')
except crypto.Error:
raise CLIError('We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.') # pylint: disable=line-too-long
not_before, not_after = None, None
if x509.get_notBefore():
not_before = _asn1_to_iso8601(x509.get_notBefore())
if x509.get_notAfter():
not_after = _asn1_to_iso8601(x509.get_notAfter())
cert_attrs = CertificateAttributes(enabled=not disabled,
not_before=not_before,
expires=not_after)
if certificate_policy:
secret_props = certificate_policy.get('secret_properties')
if secret_props:
secret_props['content_type'] = content_type
elif certificate_policy and not secret_props:
certificate_policy['secret_properties'] = SecretProperties(
content_type=content_type)
else:
certificate_policy = CertificatePolicy(
secret_properties=SecretProperties(content_type=content_type))
logger.info("Starting 'keyvault certificate import'")
result = client.import_certificate(
vault_base_url=vault_base_url,
certificate_name=certificate_name,
base64_encoded_certificate=certificate_data,
certificate_attributes=cert_attrs,
certificate_policy=certificate_policy,
tags=tags,
password=password)
logger.info("Finished 'keyvault certificate import'")
return result