def _scaffold_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=True,
key_type=u'(optional) RSA or RSA-HSM (default RSA)',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type=u'application/x-pkcs12 or application/x-pem-file'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject_alternative_names=SubjectAlternativeNames(
emails=[u'*****@*****.**'],
dns_names=[u'hr.contoso.com', u'm.contoso.com'],
upns=[]),
subject=
u'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
ekus=[u'1.3.6.1.5.5.7.3.1'],
validity_in_months=24),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(
name=u'Unknown, Self, or {IssuerName}',
certificate_type=u'(optional) DigiCert, GlobalSign or WoSign'),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
return template
def test_manual_enrolled(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = 'unknownIssuerCert'
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Unknown'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# get pending certificate signing request
cert_operation = self.client.create_certificate(vault_uri, cert_name, cert_policy)
pending_version_csr = self.client.get_pending_certificate_signing_request(vault_uri, cert_name)
try:
self.assertEqual(cert_operation.csr, pending_version_csr)
except Exception as ex:
pass
finally:
self.client.delete_certificate(vault_uri, cert_name)
def _default_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(exportable=True,
key_type=u'RSA',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type=u'application/x-pkcs12'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject=u'CN=CLIGetDefaultPolicy',
validity_in_months=12),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(name=u'Self', ),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
del template.issuer_parameters.certificate_type
del template.lifetime_actions[0].trigger.lifetime_percentage
del template.x509_certificate_properties.subject_alternative_names
del template.x509_certificate_properties.ekus
return template
def test_recover_and_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
certs = {}
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificates to recover
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certrec{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# create certificates to purge
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certprg{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# delete all certificates
for cert_name in certs.keys():
delcert = self.client.delete_certificate(vault_uri, cert_name)
print(delcert)
if not self.is_playback():
time.sleep(30)
# validate all our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_certificate_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
# self.assertTrue(all(s in deleted for s in certs.keys()))
# recover select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certrec')]:
self.client.recover_deleted_certificate(vault_uri, certificate_name)
# purge select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certprg')]:
self.client.purge_deleted_certificate(vault_uri, certificate_name)
if not self.is_playback():
time.sleep(30)
# validate none of our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
self.assertTrue(not any(s in deleted for s in certs.keys()))
# validate the recovered certificates
expected = {k: v for k, v in certs.items() if k.startswith('certrec')}
actual = {k: self.client.get_certificate(vault_uri, k, KeyVaultId.version_none) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def test_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = self.get_resource_name('cert')
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
interval_time = 5 if not self.is_playback() else 0
cert_operation = self.client.create_certificate(vault_uri, cert_name, cert_policy)
while True:
pending_cert = self.client.get_certificate_operation(vault_uri, cert_name)
self._validate_certificate_operation(pending_cert, vault_uri, cert_name, cert_policy)
if pending_cert.status.lower() == 'completed':
cert_id = KeyVaultId.parse_certificate_operation_id(pending_cert.target)
break
elif pending_cert.status.lower() != 'inprogress':
raise Exception('Unknown status code for pending certificate: {}'.format(pending_cert))
time.sleep(interval_time)
# get certificate
cert_bundle = self.client.get_certificate(cert_id.vault, cert_id.name, '')
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate as secret
secret_id = KeyVaultId.parse_secret_id(cert_bundle.sid)
secret_bundle = self.client.get_secret(secret_id.vault, secret_id.name, secret_id.version)
# update certificate
cert_policy.tags = {'tag1': 'value1'}
cert_bundle = self.client.update_certificate(cert_id.vault, cert_id.name, cert_id.version, cert_policy)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# delete certificate
cert_bundle = self.client.delete_certificate(vault_uri, cert_name)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate returns not found
try:
self.client.get_certificate(cert_id.vault, cert_id.name, '')
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
def _import_common_certificate(self, vault_uri, cert_name):
cert_content = 'MIIJOwIBAzCCCPcGCSqGSIb3DQEHAaCCCOgEggjkMIII4DCCBgkGCSqGSIb3DQEHAaCCBfoEggX2MIIF8jCCBe4GCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAj15YH9pOE58AICB9AEggTYLrI+SAru2dBZRQRlJY7XQ3LeLkah2FcRR3dATDshZ2h0IA2oBrkQIdsLyAAWZ32qYR1qkWxLHn9AqXgu27AEbOk35+pITZaiy63YYBkkpR+pDdngZt19Z0PWrGwHEq5z6BHS2GLyyN8SSOCbdzCz7blj3+7IZYoMj4WOPgOm/tQ6U44SFWek46QwN2zeA4i97v7ftNNns27ms52jqfhOvTA9c/wyfZKAY4aKJfYYUmycKjnnRl012ldS2lOkASFt+lu4QCa72IY6ePtRudPCvmzRv2pkLYS6z3cI7omT8nHP3DymNOqLbFqr5O2M1ZYaLC63Q3xt3eVvbcPh3N08D1hHkhz/KDTvkRAQpvrW8ISKmgDdmzN55Pe55xHfSWGB7gPw8sZea57IxFzWHTK2yvTslooWoosmGxanYY2IG/no3EbPOWDKjPZ4ilYJe5JJ2immlxPz+2e2EOCKpDI+7fzQcRz3PTd3BK+budZ8aXX8aW/lOgKS8WmxZoKnOJBNWeTNWQFugmktXfdPHAdxMhjUXqeGQd8wTvZ4EzQNNafovwkI7IV/ZYoa++RGofVR3ZbRSiBNF6TDj/qXFt0wN/CQnsGAmQAGNiN+D4mY7i25dtTu/Jc7OxLdhAUFpHyJpyrYWLfvOiS5WYBeEDHkiPUa/8eZSPA3MXWZR1RiuDvuNqMjct1SSwdXADTtF68l/US1ksU657+XSC+6ly1A/upz+X71+C4Ho6W0751j5ZMT6xKjGh5pee7MVuduxIzXjWIy3YSd0fIT3U0A5NLEvJ9rfkx6JiHjRLx6V1tqsrtT6BsGtmCQR1UCJPLqsKVDvAINx3cPA/CGqr5OX2BGZlAihGmN6n7gv8w4O0k0LPTAe5YefgXN3m9pE867N31GtHVZaJ/UVgDNYS2jused4rw76ZWN41akx2QN0JSeMJqHXqVz6AKfz8ICS/dFnEGyBNpXiMRxrY/QPKi/wONwqsbDxRW7vZRVKs78pBkE0ksaShlZk5GkeayDWC/7Hi/NqUFtIloK9XB3paLxo1DGu5qqaF34jZdktzkXp0uZqpp+FfKZaiovMjt8F7yHCPk+LYpRsU2Cyc9DVoDA6rIgf+uEP4jppgehsxyT0lJHax2t869R2jYdsXwYUXjgwHIV0voj7bJYPGFlFjXOp6ZW86scsHM5xfsGQoK2Fp838VT34SHE1ZXU/puM7rviREHYW72pfpgGZUILQMohuTPnd8tFtAkbrmjLDo+k9xx7HUvgoFTiNNWuq/cRjr70FKNguMMTIrid+HwfmbRoaxENWdLcOTNeascER2a+37UQolKD5ksrPJG6RdNA7O2pzp3micDYRs/+s28cCIxO//J/d4nsgHp6RTuCu4+Jm9k0YTw2Xg75b2cWKrxGnDUgyIlvNPaZTB5QbMid4x44/lE0LLi9kcPQhRgrK07OnnrMgZvVGjt1CLGhKUv7KFc3xV1r1rwKkosxnoG99oCoTQtregcX5rIMjHgkc1IdflGJkZzaWMkYVFOJ4Weynz008i4ddkske5vabZs37Lb8iggUYNBYZyGzalruBgnQyK4fz38Fae4nWYjyildVfgyo/fCePR2ovOfphx9OQJi+M9BoFmPrAg+8ARDZ+R+5yzYuEc9ZoVX7nkp7LTGB3DANBgkrBgEEAYI3EQIxADATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IAGEAOAAwAGQAZgBmADgANgAtAGUAOQA2AGUALQA0ADIAMgA0AC0AYQBhADEAMQAtAGIAZAAxADkANABkADUAYQA2AGIANwA3MF0GCSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAHQAcgBvAG4AZwAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIwggLPBgkqhkiG9w0BBwagggLAMIICvAIBADCCArUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECNX+VL2MxzzWAgIH0ICCAojmRBO+CPfVNUO0s+BVuwhOzikAGNBmQHNChmJ/pyzPbMUbx7tO63eIVSc67iERda2WCEmVwPigaVQkPaumsfp8+L6iV/BMf5RKlyRXcwh0vUdu2Qa7qadD+gFQ2kngf4Dk6vYo2/2HxayuIf6jpwe8vql4ca3ZtWXfuRix2fwgltM0bMz1g59d7x/glTfNqxNlsty0A/rWrPJjNbOPRU2XykLuc3AtlTtYsQ32Zsmu67A7UNBw6tVtkEXlFDqhavEhUEO3dvYqMY+QLxzpZhA0q44ZZ9/ex0X6QAFNK5wuWxCbupHWsgxRwKftrxyszMHsAvNoNcTlqcctee+ecNwTJQa1/MDbnhO6/qHA7cfG1qYDq8Th635vGNMW1w3sVS7l0uEvdayAsBHWTcOC2tlMa5bfHrhY8OEIqj5bN5H9RdFy8G/W239tjDu1OYjBDydiBqzBn8HG1DSj1Pjc0kd/82d4ZU0308KFTC3yGcRad0GnEH0Oi3iEJ9HbriUbfVMbXNHOF+MktWiDVqzndGMKmuJSdfTBKvGFvejAWVO5E4mgLvoaMmbchc3BO7sLeraHnJN5hvMBaLcQI38N86mUfTR8AP6AJ9c2k514KaDLclm4z6J8dMz60nUeo5D3YD09G6BavFHxSvJ8MF0Lu5zOFzEePDRFm9mH8W0N/sFlIaYfD/GWU/w44mQucjaBk95YtqOGRIj58tGDWr8iUdHwaYKGqU24zGeRae9DhFXPzZshV1ZGsBQFRaoYkyLAwdJWIXTi+c37YaC8FRSEnnNmS79Dou1Kc3BvK4EYKAD2KxjtUebrV174gD0Q+9YuJ0GXOTspBvCFd5VT2Rw5zDNrA/J3F5fMCk4wOzAfMAcGBSsOAwIaBBSxgh2xyF+88V4vAffBmZXv8Txt4AQU4O/NX4MjxSodbE7ApNAMIvrtREwCAgfQ'
cert_password = '******'
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'))
return (
self.client.import_certificate(vault_uri, cert_name, cert_content, cert_password, cert_policy),
cert_policy
)
def test_async_request_cancellation_and_deletion(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = 'asyncCanceledDeletedCert'
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
self.client.create_certificate(vault_uri, cert_name, cert_policy)
# cancel certificate operation
cancel_operation = self.client.update_certificate_operation(vault_uri, cert_name, True)
self.assertTrue(hasattr(cancel_operation, 'cancellation_requested'))
self.assertTrue(cancel_operation.cancellation_requested)
self._validate_certificate_operation(cancel_operation, vault_uri, cert_name, cert_policy)
retrieved_operation = self.client.get_certificate_operation(vault_uri, cert_name)
self.assertTrue(hasattr(retrieved_operation, 'cancellation_requested'))
self.assertTrue(retrieved_operation.cancellation_requested)
self._validate_certificate_operation(retrieved_operation, vault_uri, cert_name, cert_policy)
# delete certificate operation
deleted_operation = self.client.delete_certificate_operation(vault_uri, cert_name)
self.assertIsNotNone(deleted_operation)
self._validate_certificate_operation(deleted_operation, vault_uri, cert_name, cert_policy)
try:
self.client.get_certificate_operation(vault_uri, cert_name)
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
# delete cancelled certificate operation
self.client.delete_certificate(vault_uri, cert_name)
def test_policy(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = 'policyCertificate'
# get certificate policy
(cert_bundle, cert_policy) = self._import_common_certificate(vault_uri, cert_name)
retrieved_policy = self.client.get_certificate_policy(vault_uri, cert_name)
self.assertIsNotNone(retrieved_policy)
# update certificate policy
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self')
)
self.client.update_certificate_policy(vault_uri, cert_name, cert_policy)
updated_cert_policy = self.client.get_certificate_policy(vault_uri, cert_name)
self.assertIsNotNone(updated_cert_policy)
def import_certificate(client,
vault_base_url,
certificate_name,
certificate_data,
disabled=False,
password=None,
certificate_policy=None,
tags=None):
import binascii
x509 = None
content_type = None
try:
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, certificate_data)
# if we get here, we know it was a PEM file
content_type = 'application/x-pem-file'
try:
# for PEM files (including automatic endline conversion for Windows)
certificate_data = certificate_data.decode('utf-8').replace(
'\r\n', '\n')
except UnicodeDecodeError:
certificate_data = binascii.b2a_base64(certificate_data).decode(
'utf-8')
except (ValueError, crypto.Error):
pass
if not x509:
try:
if password:
x509 = crypto.load_pkcs12(certificate_data,
password).get_certificate()
else:
x509 = crypto.load_pkcs12(certificate_data).get_certificate()
content_type = 'application/x-pkcs12'
certificate_data = binascii.b2a_base64(certificate_data).decode(
'utf-8')
except crypto.Error:
raise CLIError(
'We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.') # pylint: disable=line-too-long
not_before, not_after = None, None
if x509.get_notBefore():
not_before = _asn1_to_iso8601(x509.get_notBefore())
if x509.get_notAfter():
not_after = _asn1_to_iso8601(x509.get_notAfter())
cert_attrs = CertificateAttributes(enabled=not disabled,
not_before=not_before,
expires=not_after)
if certificate_policy:
secret_props = certificate_policy.get('secret_properties')
if secret_props:
secret_props['content_type'] = content_type
elif certificate_policy and not secret_props:
certificate_policy['secret_properties'] = SecretProperties(
content_type=content_type)
else:
certificate_policy = CertificatePolicy(
secret_properties=SecretProperties(content_type=content_type))
logger.info("Starting 'keyvault certificate import'")
result = client.import_certificate(
vault_base_url=vault_base_url,
certificate_name=certificate_name,
base64_encoded_certificate=certificate_data,
certificate_attributes=cert_attrs,
certificate_policy=certificate_policy,
tags=tags,
password=password)
logger.info("Finished 'keyvault certificate import'")
return result
