def _scaffold_certificate_profile():
    """Return a CertificatePolicy filled with placeholder/help text for scaffolding.

    Several fields hold descriptive strings rather than valid values (for
    example ``key_type`` and both issuer fields), so the result is meant to
    be edited by a user, not submitted as-is. The read-only ``id`` and
    ``attributes`` fields are stripped before returning.
    """
    key_props = KeyProperties(
        exportable=True,
        key_type='(optional) RSA or RSA-HSM (default RSA)',
        key_size=2048,
        reuse_key=True)
    secret_props = SecretProperties(
        content_type='application/x-pkcs12 or application/x-pem-file')
    usages = [
        KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
        KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
        KeyUsageType.key_agreement, KeyUsageType.key_cert_sign,
    ]
    sans = SubjectAlternativeNames(
        emails=['*****@*****.**'],
        dns_names=['hr.contoso.com', 'm.contoso.com'],
        upns=[])
    x509_props = X509CertificateProperties(
        key_usage=usages,
        subject_alternative_names=sans,
        subject='C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
        ekus=['1.3.6.1.5.5.7.3.1'],
        validity_in_months=24)
    # auto-renew 90 days before expiry
    renew_action = LifetimeAction(
        trigger=Trigger(days_before_expiry=90),
        action=Action(action_type=ActionType.auto_renew))
    issuer = IssuerParameters(
        name='Unknown, Self, or {IssuerName}',
        certificate_type='(optional) DigiCert, GlobalSign or WoSign')
    template = CertificatePolicy(
        key_properties=key_props,
        secret_properties=secret_props,
        x509_certificate_properties=x509_props,
        lifetime_actions=[renew_action],
        issuer_parameters=issuer,
        attributes=CertificateAttributes(enabled=True))
    # id and attributes are not user-settable; drop them from the scaffold
    del template.id
    del template.attributes
    return template
def _default_certificate_profile():
    """Return the default CertificatePolicy used when the caller supplies none.

    The policy is self-issued (``IssuerParameters(name='Self')``), uses an
    exportable, reusable RSA-2048 key stored as PKCS#12, is valid for 12
    months and is set to auto-renew 90 days before expiry. Read-only and
    unused optional fields are deleted so they are not serialized.
    """
    usages = [
        KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
        KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
        KeyUsageType.key_agreement, KeyUsageType.key_cert_sign,
    ]
    subject_dn = 'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com'
    renew_action = LifetimeAction(
        trigger=Trigger(days_before_expiry=90),
        action=Action(action_type=ActionType.auto_renew))
    template = CertificatePolicy(
        key_properties=KeyProperties(
            exportable=True,  # private key marked exportable
            key_type='RSA',
            key_size=2048,
            reuse_key=True),
        secret_properties=SecretProperties(content_type='application/x-pkcs12'),
        x509_certificate_properties=X509CertificateProperties(
            key_usage=usages,
            subject=subject_dn,
            validity_in_months=12),
        lifetime_actions=[renew_action],
        issuer_parameters=IssuerParameters(name='Self'),
        attributes=CertificateAttributes(enabled=True))
    # strip read-only fields and optional sub-fields that were never set
    unused = (
        'id',
        'attributes',
        'issuer_parameters.certificate_type',
        'lifetime_actions[0].trigger.lifetime_percentage',
        'x509_certificate_properties.subject_alternative_names',
        'x509_certificate_properties.ekus',
    )
    del template.id
    del template.attributes
    del template.issuer_parameters.certificate_type
    del template.lifetime_actions[0].trigger.lifetime_percentage
    del template.x509_certificate_properties.subject_alternative_names
    del template.x509_certificate_properties.ekus
    del unused
    return template
def certificate_policy_template():
    """Build a sample CertificatePolicy with every field set to illustrative values.

    Enum-typed fields (key type, key usage, lifetime action) are filled with a
    ``'{ a | b | c }'`` string listing the permitted enum values, so the output
    reads as a fill-in template rather than a usable policy. The read-only
    ``id``, ``attributes.created`` and ``attributes.updated`` fields are
    removed before returning.
    """
    from azure.keyvault.generated.models import \
        (CertificatePolicy, CertificateAttributes, KeyProperties, SecretProperties,
         X509CertificateProperties, SubjectAlternativeNames, LifetimeAction, Action, Trigger,
         IssuerParameters)
    from azure.keyvault.generated.models.key_vault_client_enums \
        import ActionType, JsonWebKeyType, KeyUsageType

    def _choices(enum_cls):
        # render an enum as '{ v1 | v2 | ... }' so the user sees the allowed values
        return '{ ' + ' | '.join(member.value for member in enum_cls) + ' }'

    key_props = KeyProperties(
        exportable=False,
        key_type=_choices(JsonWebKeyType),
        key_size=2048,
        reuse_key=False)
    sans = SubjectAlternativeNames(
        emails=['*****@*****.**', '*****@*****.**'],
        dns_names=['www.mydomain.com'],
        upns=['principal-name'])
    x509_props = X509CertificateProperties(
        subject_alternative_names=sans,
        subject='X509 Distinguished Name',
        ekus=['ekus'],
        key_usage=[_choices(KeyUsageType)],
        validity_in_months=60)
    lifetime = LifetimeAction(
        trigger=Trigger(lifetime_percentage=90, days_before_expiry=7),
        action=Action(action_type=_choices(ActionType)))
    template = CertificatePolicy(
        key_properties=key_props,
        secret_properties=SecretProperties(content_type='text/plain'),
        x509_certificate_properties=x509_props,
        lifetime_actions=[lifetime],
        issuer_parameters=IssuerParameters(name='issuer-name'),
        attributes=CertificateAttributes(enabled=True))
    # the service sets these; they must not appear in a user-supplied policy
    del template.id
    del template.attributes.created
    del template.attributes.updated
    return template
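def import_certificate(client,
                       vault_base_url,
                       certificate_name,
                       certificate_data,
                       disabled=False,
                       password=None,
                       certificate_policy=None,
                       tags=None):
    """Import a PEM or PKCS#12 certificate into a Key Vault.

    The data is parsed locally only to detect its format (PEM first, then
    PKCS#12) and to read the certificate's validity window; the content
    itself is forwarded to the service as ``base64_encoded_certificate``
    (PEM as normalized text, PKCS#12 as base64).

    :param client: Key Vault data-plane client exposing ``import_certificate``.
    :param vault_base_url: base URL of the target vault.
    :param certificate_name: name the certificate will have in the vault.
    :param certificate_data: raw bytes of the certificate file (PEM or PFX).
    :param disabled: create the certificate in a disabled state.
    :param password: password protecting a PKCS#12 file, if any; it is
        forwarded with the import request and is not written to the log.
    :param certificate_policy: optional policy in dict form; its
        ``secret_properties.content_type`` is overwritten with the detected type.
    :param tags: optional tags for the certificate.
    :returns: the service response of the import call.
    :raises CLIError: if the data is neither a parseable PEM nor PKCS#12
        file, or if the PKCS#12 bundle contains no certificate.
    """
    import binascii

    x509 = None
    content_type = None
    try:
        x509 = crypto.load_certificate(crypto.FILETYPE_PEM, certificate_data)
        # if we get here, we know it was a PEM file
        content_type = 'application/x-pem-file'
        try:
            # for PEM files (including automatic endline conversion for Windows)
            certificate_data = certificate_data.decode('utf-8').replace(
                '\r\n', '\n')
        except UnicodeDecodeError:
            certificate_data = binascii.b2a_base64(certificate_data).decode(
                'utf-8')
    except (ValueError, crypto.Error):
        # not PEM: deliberately fall through to the PKCS#12 attempt below
        pass

    if not x509:
        try:
            if password:
                pkcs12 = crypto.load_pkcs12(certificate_data, password)
            else:
                pkcs12 = crypto.load_pkcs12(certificate_data)
            x509 = pkcs12.get_certificate()
            content_type = 'application/x-pkcs12'
            certificate_data = binascii.b2a_base64(certificate_data).decode(
                'utf-8')
        except crypto.Error:
            raise CLIError('We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.')  # pylint: disable=line-too-long
        if x509 is None:
            # a PKCS#12 bundle may carry only a key; without a certificate the
            # validity lookups below would fail, so report it explicitly
            raise CLIError('The provided PKCS#12 file does not contain a certificate.')

    not_before, not_after = None, None

    if x509.get_notBefore():
        not_before = _asn1_to_iso8601(x509.get_notBefore())

    if x509.get_notAfter():
        not_after = _asn1_to_iso8601(x509.get_notAfter())

    cert_attrs = CertificateAttributes(enabled=not disabled,
                                       not_before=not_before,
                                       expires=not_after)

    # the stored secret's content type must match the detected format,
    # whatever the caller's policy says
    if certificate_policy:
        secret_props = certificate_policy.get('secret_properties')
        if secret_props:
            secret_props['content_type'] = content_type
        else:
            certificate_policy['secret_properties'] = SecretProperties(
                content_type=content_type)
    else:
        certificate_policy = CertificatePolicy(
            secret_properties=SecretProperties(content_type=content_type))

    logger.info("Starting 'keyvault certificate import'")
    result = client.import_certificate(
        vault_base_url=vault_base_url,
        certificate_name=certificate_name,
        base64_encoded_certificate=certificate_data,
        certificate_attributes=cert_attrs,
        certificate_policy=certificate_policy,
        tags=tags,
        password=password)
    logger.info("Finished 'keyvault certificate import'")
    return result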