def validate_default_key_pair_with_policy_subject(policy_spec): """ :param PolicySpecification policy_spec: """ if not policy_spec.defaults or not policy_spec.defaults.key_pair or not policy_spec.policy \ or not policy_spec.policy.key_pair: return kp = policy_spec.policy.key_pair dkp = policy_spec.defaults.key_pair if kp.key_types and kp.key_types[0] and dkp.key_type: if kp.key_types[0] != dkp.key_type: raise VenafiError(no_match_error_msg.format('key types', dkp.key_type, kp.key_types[0])) if kp.rsa_key_sizes and kp.rsa_key_sizes[0] and dkp.rsa_key_size: if kp.rsa_key_sizes[0] != dkp.rsa_key_size: raise VenafiError(no_match_error_msg.format('rsa key sizes', dkp.rsa_key_size, kp.rsa_key_sizes[0])) if kp.elliptic_curves and kp.elliptic_curves[0] and dkp.elliptic_curve: if kp.elliptic_curves[0] != dkp.elliptic_curve: raise VenafiError(no_match_error_msg.format('elliptic curves', dkp.elliptic_curve, kp.elliptic_curves[0])) if kp.service_generated and dkp.service_generated: if kp.service_generated != dkp.service_generated: raise VenafiError(no_match_error_msg.format('generation type', dkp.service_generated, kp.service_generated))
def validate_default_subject(policy_spec): """ :param PolicySpecification policy_spec: """ if not policy_spec.defaults or not policy_spec.defaults.subject: return if not policy_spec.policy or not policy_spec.policy.subject: return s = policy_spec.policy.subject ds = policy_spec.defaults.subject if s.orgs and s.orgs[0] and ds.org: if s.orgs[0] != ds.org: raise VenafiError(no_match_error_msg.format('organizations', ds.org, s.orgs[0])) if s.org_units and len(s.org_units) > 0 and ds.org_units and len(ds.org_units) > 0: if not member_of(ds.org_units, s.org_units): raise VenafiError(no_match_error_msg.format('orgUnits', ds.org_units[0], s.org_units[0])) if s.localities and s.localities[0] and ds.locality: if s.localities[0] != ds.locality: raise VenafiError(no_match_error_msg.format('localities', ds.locality, s.localities[0])) if s.states and s.states[0] and ds.state: if s.states[0] != ds.state: raise VenafiError(no_match_error_msg.format('states', ds.state, s.states[0])) if s.countries and s.countries and ds.country: if s.countries[0] != ds.country: raise VenafiError(no_match_error_msg.format('countries', ds.country, s.countries[0]))
def validate_key_pair(policy_spec): """ :param PolicySpecification policy_spec: """ if not policy_spec.policy.key_pair: raise VenafiError("Key Pair structure is empty") kp = policy_spec.policy.key_pair # validate key algorithm if len(kp.key_types) > 1: raise VenafiError(too_many_error_msg.format('key types')) if len(kp.key_types) > 0 and not member_of(kp.key_types, supported_key_types): raise VenafiError(unsupported_error_msg.format('key types', pprint(supported_key_types), pprint(kp.key_types))) # validate key bit strength if len(kp.rsa_key_sizes) > 1: raise VenafiError(too_many_error_msg.format('key bit strength')) if len(kp.rsa_key_sizes) > 0 and not member_of(kp.rsa_key_sizes, supported_rsa_key_sizes): raise VenafiError(unsupported_error_msg.format('key bit strength', pprint(supported_rsa_key_sizes), pprint(kp.rsa_key_sizes))) # validate elliptic curve if len(kp.elliptic_curves) > 1: raise VenafiError(too_many_error_msg.format('elliptic curve')) if len(kp.elliptic_curves) > 0 and not member_of(kp.elliptic_curves, supported_elliptic_curves): raise VenafiError(unsupported_error_msg.format('elliptic_curve', pprint(supported_elliptic_curves), pprint(kp.elliptic_curves)))
def validate_default_key_pair(policy_spec): """ :param PolicySpecification policy_spec: """ if not policy_spec.defaults or not policy_spec.defaults.key_pair: return dkp = policy_spec.defaults.key_pair if dkp.key_type and not member_of([dkp.key_type], supported_key_types): raise VenafiError(unsupported_error_msg.format('key type', pprint(supported_key_types), dkp.key_type)) if dkp.rsa_key_size and not member_of([dkp.rsa_key_size], supported_rsa_key_sizes): raise VenafiError(unsupported_error_msg.format('rsa key size', pprint(supported_rsa_key_sizes), dkp.rsa_key_size)) if dkp.elliptic_curve and not member_of([dkp.elliptic_curve], supported_elliptic_curves): raise VenafiError(unsupported_error_msg.format('elliptic curve', pprint(supported_elliptic_curves), dkp.elliptic_curve))
def get_ca_info(ca_name): """ :param str ca_name: :rtype: CertificateAuthorityInfo """ data = ca_name.split("\\") if len(data) < 3: raise VenafiError(f"Certificate Authority name invalid [{ca_name}]") return CertificateAuthorityInfo(data[0], data[1], data[2])
def is_service_generated_csr(csr_generation): """ :param str csr_generation: :param: :rtype: CertField """ if not csr_generation: raise VenafiError("csr generation value cannot be empty") if csr_generation == user_generated_csr: return False else: return True
def validate_policy_spec(policy_spec): """ :param PolicySpecification policy_spec: :rtype: bool """ if policy_spec.policy: validate_policy_subject(policy_spec) validate_key_pair(policy_spec) validate_default_subject(policy_spec) validate_default_key_pair_with_policy_subject(policy_spec) validate_default_key_pair(policy_spec) d = policy_spec.defaults p = policy_spec.policy if not d or not p: return if p.auto_installed is not None: if p.auto_installed != d.auto_installed: raise VenafiError(no_match_error_msg.format('autoinstalled', d.auto_installed, p.auto_installed)) return True
def get_cit_data_from_response(data): """ Returns the issuing template id and name from the response after creation :param dict data: :rtype: (str, str) """ cit_id = None cit_name = None if 'certificateIssuingTemplates' in data: cit_list = data['certificateIssuingTemplates'] if cit_list and len(cit_list) > 0: cit_id = data['certificateIssuingTemplates'][0]['id'] cit_name = data['certificateIssuingTemplates'][0]['name'] elif 'id' in data: cit_id = data['id'] cit_name = data['name'] if cit_name and cit_id: return cit_id, cit_name else: raise VenafiError( 'Error while creating Application request. CIT name or id not found.' )
def validate_policy_subject(policy_spec): """ :param PolicySpecification policy_spec: """ if not policy_spec.policy.subject: raise VenafiError("Subject structure is empty") s = policy_spec.policy.subject if len(s.orgs) > 1: raise VenafiError(too_many_error_msg.format('organizations')) if len(s.localities) > 1: raise VenafiError(too_many_error_msg.format('localities')) if len(s.states) > 1: raise VenafiError(too_many_error_msg.format('states')) if len(s.countries) > 1: raise VenafiError(too_many_error_msg.format('countries')) # Country values should follow ISO Alpha-2 standard, e.g.: US, MX, CA, FR, etc. if len(s.countries[0]) != 2: raise VenafiError(f"country code [{s.countries[0]}] does not match ISO Alpha-2 specification")
def build_policy_spec(cit, ca_info, subject_cn_to_str=True): """ :param Cit cit: :param CertificateAuthorityInfo ca_info: :param bool subject_cn_to_str: Indicates whether or not to remove the regex pattern from the Common Name values :rtype: PolicySpecification """ if not cit: raise VenafiError("Certificate issuing template is empty") ps = PolicySpecification() p = Policy() p.wildcard_allowed = is_wildcard_allowed(cit.SubjectCNRegexes) if len(cit.SubjectCNRegexes) > 0: if subject_cn_to_str: domains = convert_to_string(cit.SubjectCNRegexes, p.wildcard_allowed) p.domains = domains else: p.domains = cit.SubjectCNRegexes else: p.domains = None if cit.validity_period: # getting days in format P#D days = cit.validity_period[1:len(cit.validity_period) - 1] int_value = int(days) p.max_valid_days = int_value if ca_info: ca = f"{ca_info.ca_type}\\{ca_info.ca_account_key}\\{ca_info.vendor_name}" p.certificate_authority = ca s = Subject() create_subject = False if len(cit.SubjectORegexes) > 0: create_subject = True s.orgs = cit.SubjectORegexes if len(cit.SubjectOURegexes) > 0: create_subject = True s.org_units = cit.SubjectOURegexes if len(cit.SubjectLRegexes) > 0: create_subject = True s.localities = cit.SubjectLRegexes if len(cit.SubjectSTRegexes) > 0: create_subject = True s.states = cit.SubjectSTRegexes if len(cit.SubjectCRegexes) > 0: create_subject = True s.countries = cit.SubjectCRegexes p.subject = s if create_subject else None kp = KeyPair() create_kp = False if len(cit.key_types) > 0: key_types = [] key_sizes = [] for allowed_kt in cit.key_types: kt = allowed_kt.key_type kl = allowed_kt.option # Only include one instance of the KeyType if kt not in key_types: key_types.append(kt) key_sizes.append(kl) create_kp = True kp.key_types = key_types kp.rsa_key_sizes = key_sizes kp.reuse_allowed = cit.key_reuse p.key_pair = kp if create_kp else None sans = SubjectAltNames(False, False, False, False, False) if cit.SANRegexes: sans.dns_allowed = True p.subject_alt_names = sans ps.policy = p rs = cit.recommended_settings if rs: d = Defaults() ds = DefaultSubject() create_ds = False if rs.subjectOValue: ds.org = rs.subjectOValue create_ds = True if rs.subjectOUValue: ds.org_units = [rs.subjectOUValue] create_ds = True if rs.subjectLValue: ds.locality = rs.subjectLValue create_ds = True if rs.subjectSTValue: ds.state = rs.subjectSTValue create_ds = True if rs.subjectCValue: ds.country = rs.subjectCValue create_ds = True d.subject = ds if create_ds else None kt = rs.keyType if kt: dkp = DefaultKeyPair() create_dkp = False if kt.key_type: dkp.key_type = kt.key_type create_dkp = True if kt.option: dkp.rsa_key_size = kt.option create_dkp = True d.key_pair = dkp if create_dkp else None ps.defaults = d return ps
def validate_policy_spec(policy_spec): """ :param PolicySpecification policy_spec: """ default_error_msg = 'Default value does not match with policy values.' \ '\nAttribute: {}\nDefault value:{}\nPolicy values:{}' # validate policy values if policy_spec.policy: p = policy_spec.policy # validate key pair values if policy_spec.policy.key_pair: if len(policy_spec.policy.key_pair.key_types) > 1: raise VenafiError( "Key Type values exceeded. Only one Key Type is allowed by Venafi Cloud" ) if policy_spec.policy.key_pair.key_types \ and policy_spec.policy.key_pair.key_types[0].lower() != KeyType.RSA: raise VenafiError( f"Key Type [{p.key_pair.key_types[0]}] is not supported by Venafi Cloud" ) if len(policy_spec.policy.key_pair.rsa_key_sizes) > 0: invalid_value = get_invalid_cloud_rsa_key_size_value( policy_spec.policy.key_pair.rsa_key_sizes) if invalid_value: raise VenafiError( f"The Key Size [{invalid_value}] is not supported by Venafi Cloud" ) # validate subject CN and SAN regexes if p.subject_alt_names: sans = get_sans(policy_spec.policy.subject_alt_names) if len(sans) > 0: for k, v in sans.items(): if v is True and not (k == RPA.TPP_DNS_ALLOWED): raise VenafiError( f"Subject Alt name [{k}] is not allowed by Venafi Cloud" ) # validate default subject values against policy values if policy_spec.defaults and policy_spec.defaults.subject and policy_spec.policy.subject: ds = policy_spec.defaults.subject s = policy_spec.policy.subject if ds.org and len(s.orgs) > 0: if not is_valid_policy_value(s.orgs, ds.org): raise VenafiError( default_error_msg.format('Organization', ds.org, s.orgs)) if ds.org_units and len(ds.org_units) > 0 and len(s.org_units) > 0: if not member_of(ds.org_units, s.org_units): raise VenafiError( default_error_msg.format('Org Units', ds.org_units, s.org_units)) if ds.locality and len(s.localities) > 0: if not is_valid_policy_value(s.localities, ds.locality): raise VenafiError( default_error_msg.format('Localities', ds.locality, s.localities)) if ds.state and len(s.states) > 0: if not is_valid_policy_value(s.states, ds.state): raise VenafiError( default_error_msg.format('States', ds.state, s.states)) if ds.country and len(s.countries) > 0: if not is_valid_policy_value(s.countries, ds.country): raise VenafiError( default_error_msg.format('Countries', ds.country, s.countries)) # validate default key pair values against policy values if policy_spec.defaults and policy_spec.defaults.key_pair and policy_spec.policy.key_pair: dkp = policy_spec.defaults.key_pair kp = policy_spec.policy.key_pair if dkp.key_type and len(kp.key_types) > 0: if dkp.key_type not in kp.key_types: raise VenafiError( default_error_msg.format('Key Types', dkp.key_type, kp.key_types)) if dkp.rsa_key_size and len(kp.rsa_key_sizes) > 0: if dkp.rsa_key_size not in kp.rsa_key_sizes: raise VenafiError( default_error_msg.format('RSA Key Sizes', dkp.rsa_key_size, kp.rsa_key_sizes)) if dkp.elliptic_curve and len(kp.elliptic_curves) > 0: if dkp.elliptic_curve not in kp.elliptic_curves: raise VenafiError( default_error_msg.format('Elliptic Curves', dkp.elliptic_curve, kp.elliptic_curves)) if dkp.service_generated is not None and kp.service_generated is not None: if dkp.service_generated != kp.service_generated: raise VenafiError( default_error_msg.format('Service Generated', dkp.service_generated, kp.service_generated)) else: policy_spec.policy = Policy() # validate default values when policy is not defined if policy_spec.defaults and policy_spec.defaults.key_pair: dkp = policy_spec.defaults.key_pair if dkp.key_type and dkp.key_type != "RSA": raise VenafiError( f"Default Key Type [{dkp.key_type}] is not supported by Venafi Cloud" ) if dkp.rsa_key_size: invalid_value = get_invalid_cloud_rsa_key_size_value( [dkp.rsa_key_size]) if invalid_value: raise VenafiError( f"Default Key Size [{invalid_value}] is not supported by Venafi Cloud" )