def test_certificate_output_schema_subject_details(session, certificate, issuer_plugin): from lemur.certificates.schemas import CertificateOutputSchema from lemur.authorities.service import update_options # Mark authority as non-cab-compliant update_options(certificate.authority.id, '[{"name": "cab_compliant","value":false}]') data, errors = CertificateOutputSchema().dump(certificate) assert not errors assert data["issuer"] == "LemurTrustUnittestsClass1CA2018" assert data["distinguishedName"] == "L=Earth,ST=N/A,C=EE,OU=Karate Lessons,O=Daniel San & co,CN=san.example.org" # Original subject details should be returned because of cab_compliant option update above assert data["country"] == "EE" assert data["state"] == "N/A" assert data["location"] == "Earth" assert data["organization"] == "Daniel San & co" assert data["organizationalUnit"] == "Karate Lessons" # Mark authority as cab-compliant update_options(certificate.authority.id, '[{"name": "cab_compliant","value":true}]') data, errors = CertificateOutputSchema().dump(certificate) assert not errors assert "country" not in data assert "state" not in data assert "location" not in data assert "organization" not in data assert "organizationalUnit" not in data
def test_reissue_certificate( issuer_plugin, crypto_authority, certificate, logged_in_user ): from lemur.certificates.service import reissue_certificate from lemur.authorities.service import update_options from lemur.tests.conf import LEMUR_DEFAULT_ORGANIZATION # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead. certificate.authority = crypto_authority new_cert = reissue_certificate(certificate) assert new_cert assert new_cert.key_type == "RSA2048" assert new_cert.organization != certificate.organization # Check for default value since authority does not have cab_compliant option set assert new_cert.organization == LEMUR_DEFAULT_ORGANIZATION assert new_cert.description.startswith(f"Reissued by Lemur for cert ID {certificate.id}") # update cab_compliant option to false for crypto_authority to maintain subject details update_options(crypto_authority.id, '[{"name": "cab_compliant","value":false}]') new_cert = reissue_certificate(certificate) assert new_cert.organization == certificate.organization
def setup_acme_client(self, authority): if not authority.options: raise InvalidAuthority("Invalid authority. Options not set") options = {} for option in json.loads(authority.options): options[option["name"]] = option.get("value") email = options.get("email", current_app.config.get("ACME_EMAIL")) tel = options.get("telephone", current_app.config.get("ACME_TEL")) directory_url = options.get( "acme_url", current_app.config.get("ACME_DIRECTORY_URL")) existing_key = options.get("acme_private_key", current_app.config.get("ACME_PRIVATE_KEY")) existing_regr = options.get("acme_regr", current_app.config.get("ACME_REGR")) eab_kid = options.get("eab_kid", None) eab_hmac_key = options.get("eab_hmac_key", None) if existing_key and existing_regr: current_app.logger.debug("Reusing existing ACME account") # Reuse the same account for each certificate issuance # existing_key might be encrypted if not is_json(existing_key): # decrypt the private key, if not already in plaintext (json format) existing_key = data_decrypt(existing_key) key = jose.JWK.json_loads(existing_key) regr = messages.RegistrationResource.json_loads(existing_regr) current_app.logger.debug( "Connecting with directory at {0}".format(directory_url)) net = ClientNetwork(key, account=regr) client = BackwardsCompatibleClientV2(net, key, directory_url) return client, {} else: # Create an account for each certificate issuance key = jose.JWKRSA(key=generate_private_key("RSA2048")) current_app.logger.debug("Creating a new ACME account") current_app.logger.debug( "Connecting with directory at {0}".format(directory_url)) net = ClientNetwork(key, account=None, timeout=3600) client = BackwardsCompatibleClientV2(net, key, directory_url) if eab_kid and eab_hmac_key: # external account binding (eab_kid and eab_hmac_key could be potentially single use to establish # long-term credentials) eab = messages.ExternalAccountBinding.from_data( account_public_key=key.public_key(), kid=eab_kid, hmac_key=eab_hmac_key, directory=client.directory) registration = client.new_account_and_tos( messages.NewRegistration.from_data( email=email, external_account_binding=eab)) else: registration = client.new_account_and_tos( messages.NewRegistration.from_data(email=email)) # if store_account is checked, add the private_key and registration resources to the options if options['store_account']: new_options = json.loads(authority.options) # the key returned by fields_to_partial_json is missing the key type, so we add it manually key_dict = key.fields_to_partial_json() key_dict["kty"] = "RSA" acme_private_key = { "name": "acme_private_key", "value": data_encrypt(json.dumps(key_dict)) } new_options.append(acme_private_key) acme_regr = { "name": "acme_regr", "value": json.dumps({ "body": {}, "uri": registration.uri }) } new_options.append(acme_regr) authorities_service.update_options( authority.id, options=json.dumps(new_options)) current_app.logger.debug("Connected: {0}".format(registration.uri)) return client, registration
def setup_acme_client(self, authority): if not authority.options: raise InvalidAuthority("Invalid authority. Options not set") options = {} for option in json.loads(authority.options): options[option["name"]] = option.get("value") email = options.get("email", current_app.config.get("ACME_EMAIL")) tel = options.get("telephone", current_app.config.get("ACME_TEL")) directory_url = options.get( "acme_url", current_app.config.get("ACME_DIRECTORY_URL") ) existing_key = options.get( "acme_private_key", current_app.config.get("ACME_PRIVATE_KEY") ) existing_regr = options.get("acme_regr", current_app.config.get("ACME_REGR")) if existing_key and existing_regr: current_app.logger.debug("Reusing existing ACME account") # Reuse the same account for each certificate issuance key = jose.JWK.json_loads(existing_key) regr = messages.RegistrationResource.json_loads(existing_regr) current_app.logger.debug( "Connecting with directory at {0}".format(directory_url) ) net = ClientNetwork(key, account=regr) client = BackwardsCompatibleClientV2(net, key, directory_url) return client, {} else: # Create an account for each certificate issuance key = jose.JWKRSA(key=generate_private_key("RSA2048")) current_app.logger.debug("Creating a new ACME account") current_app.logger.debug( "Connecting with directory at {0}".format(directory_url) ) net = ClientNetwork(key, account=None, timeout=3600) client = BackwardsCompatibleClientV2(net, key, directory_url) registration = client.new_account_and_tos( messages.NewRegistration.from_data(email=email) ) # if store_account is checked, add the private_key and registration resources to the options if options['store_account']: new_options = json.loads(authority.options) # the key returned by fields_to_partial_json is missing the key type, so we add it manually key_dict = key.fields_to_partial_json() key_dict["kty"] = "RSA" acme_private_key = { "name": "acme_private_key", "value": json.dumps(key_dict) } new_options.append(acme_private_key) acme_regr = { "name": "acme_regr", "value": json.dumps({"body": {}, "uri": registration.uri}) } new_options.append(acme_regr) authorities_service.update_options(authority.id, options=json.dumps(new_options)) current_app.logger.debug("Connected: {0}".format(registration.uri)) return client, registration