def _default_certificate_profile():
    """Return the certificate policy template used when no policy is supplied.

    The policy is self-issued (issuer name ``Self``), uses an exportable,
    reusable RSA-2048 key stored as ``application/x-pkcs12``, has the subject
    ``CN=CLIGetDefaultPolicy`` with a 12-month validity and all six key
    usages, and auto-renews 90 days before expiry.  Several model members
    (``id``, ``attributes``, the issuer's ``certificate_type``, the trigger's
    ``lifetime_percentage``, and the x509 ``subject_alternative_names`` and
    ``ekus``) are deleted from the instance before it is returned, so they do
    not appear in the template at all.
    """
    usages = [
        KeyUsageType.c_rl_sign,
        KeyUsageType.data_encipherment,
        KeyUsageType.digital_signature,
        KeyUsageType.key_encipherment,
        KeyUsageType.key_agreement,
        KeyUsageType.key_cert_sign,
    ]
    x509_props = X509CertificateProperties(
        key_usage=usages,
        subject=u'CN=CLIGetDefaultPolicy',
        validity_in_months=12)
    renew_action = LifetimeAction(
        trigger=Trigger(days_before_expiry=90),
        action=Action(action_type=ActionType.auto_renew))
    policy = CertificatePolicy(
        key_properties=KeyProperties(
            exportable=True, key_type=u'RSA', key_size=2048, reuse_key=True),
        secret_properties=SecretProperties(content_type=u'application/x-pkcs12'),
        x509_certificate_properties=x509_props,
        lifetime_actions=[renew_action],
        issuer_parameters=IssuerParameters(name=u'Self'),
        attributes=CertificateAttributes(enabled=True))

    # Drop the members that are not part of the default template.
    for member in ('id', 'attributes'):
        delattr(policy, member)
    delattr(policy.issuer_parameters, 'certificate_type')
    delattr(renew_action.trigger, 'lifetime_percentage')
    delattr(x509_props, 'subject_alternative_names')
    delattr(x509_props, 'ekus')
    return policy
def _scaffold_certificate_profile():
    """Return an annotated example policy for users to edit.

    Unlike the default profile, several string fields hold human-readable
    hints rather than valid values (for example the key type
    ``'(optional) RSA or RSA-HSM (default RSA)'`` and the issuer name
    ``'Unknown, Self, or {IssuerName}'``), so the result is meant to be
    printed as a scaffold, not sent to the service as-is.  Only ``id`` and
    ``attributes`` are removed from the model before returning.
    """
    usages = [
        KeyUsageType.c_rl_sign,
        KeyUsageType.data_encipherment,
        KeyUsageType.digital_signature,
        KeyUsageType.key_encipherment,
        KeyUsageType.key_agreement,
        KeyUsageType.key_cert_sign,
    ]
    sans = SubjectAlternativeNames(
        emails=[u'*****@*****.**'],
        dns_names=[u'hr.contoso.com', u'm.contoso.com'],
        upns=[])
    x509_props = X509CertificateProperties(
        key_usage=usages,
        subject_alternative_names=sans,
        subject=u'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
        ekus=[u'1.3.6.1.5.5.7.3.1'],
        validity_in_months=24)
    renew_action = LifetimeAction(
        trigger=Trigger(days_before_expiry=90),
        action=Action(action_type=ActionType.auto_renew))
    issuer = IssuerParameters(
        name=u'Unknown, Self, or {IssuerName}',
        certificate_type=u'(optional) DigiCert, GlobalSign or WoSign')
    policy = CertificatePolicy(
        key_properties=KeyProperties(
            exportable=True,
            key_type=u'(optional) RSA or RSA-HSM (default RSA)',
            key_size=2048,
            reuse_key=True),
        secret_properties=SecretProperties(
            content_type=u'application/x-pkcs12 or application/x-pem-file'),
        x509_certificate_properties=x509_props,
        lifetime_actions=[renew_action],
        issuer_parameters=issuer,
        attributes=CertificateAttributes(enabled=True))

    # Members that should not show up in the scaffold.
    for member in ('id', 'attributes'):
        delattr(policy, member)
    return policy
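def _client_error_message(client_exception):
    """Best-effort extraction of a readable message from a client exception.

    Starts from ``exception.message`` (falling back to the exception object
    itself) and appends the first detail message found in a JSON error body
    when the exception carries a ``response`` with one.  Any shape mismatch
    in the body just leaves the bare message in place.
    """
    message = getattr(client_exception, 'message', client_exception)
    try:
        ex_message = json.loads(client_exception.response.text)  # pylint: disable=no-member
        message = str(message) + ' ' + ex_message['error']['details'][0]['message']
    except (AttributeError, ValueError, KeyError, IndexError, TypeError):
        # No response, non-JSON body or an unexpected error shape: keep the bare message.
        pass
    return message


def create_certificate(client, vault_base_url, certificate_name, certificate_policy,
                       disabled=False, tags=None, validity=None):
    """Create a certificate in the vault and wait for the operation to settle.

    Args:
        client: Key Vault data-plane client; ``create_certificate`` and
            ``get_certificate_operation`` are called on it.
        vault_base_url: Base URL of the target vault.
        certificate_name: Name of the certificate to create.
        certificate_policy: Policy as a dict.  ``issuer_parameters.name`` is
            read, and ``x509_certificate_properties.validity_in_months`` is
            written when *validity* is given.
        disabled: When true the certificate attributes are created with
            ``enabled=False``.
        tags: Optional tags passed through to the service.
        validity: Optional override for ``validity_in_months``.

    Returns:
        The certificate operation.  When the issuer name is ``unknown``
        (case-insensitive) the pending operation is returned immediately;
        otherwise the operation is polled every 10 seconds until its
        ``status`` is no longer ``inProgress`` and that terminal operation is
        returned.  A failed operation is returned, not raised, so callers
        must inspect ``status``.

    Raises:
        CLIError: When polling the operation raises a client exception (the
            original exception is recorded in telemetry first).
        KeyboardInterrupt: Re-raised so the user can abort the wait.
    """
    from azure.keyvault.models import CertificateAttributes
    cert_attrs = CertificateAttributes(enabled=not disabled)
    logger.info("Starting long-running operation 'keyvault certificate create'")

    if validity is not None:
        # Tolerate a policy that omits the x509 section entirely.
        x509_props = certificate_policy.setdefault('x509_certificate_properties', {})
        x509_props['validity_in_months'] = validity

    client.create_certificate(
        vault_base_url, certificate_name, certificate_policy, cert_attrs, tags)

    issuer_name = (certificate_policy.get('issuer_parameters') or {}).get('name') or ''
    if issuer_name.lower() == 'unknown':
        # return immediately for a pending certificate
        return client.get_certificate_operation(vault_base_url, certificate_name)

    # otherwise loop until the certificate creation is complete
    while True:
        # The client call is the thing that can fail with a service error; it
        # must sit inside the handler (previously only time.sleep() did, which
        # never carries a ``response`` and so made the handler dead code).
        try:
            check = client.get_certificate_operation(vault_base_url, certificate_name)
        except Exception as client_exception:  # pylint: disable=broad-except
            telemetry.set_exception(
                exception=client_exception,
                fault_type='cert-create-error',
                summary='Unexpected client exception during cert creation')
            raise CLIError('{}'.format(_client_error_message(client_exception)))

        if check.status != 'inProgress':
            logger.info(
                "Long-running operation 'keyvault certificate create' finished with result %s.",
                check)
            return check

        try:
            time.sleep(10)
        except KeyboardInterrupt:
            logger.info("Long-running operation wait cancelled.")
            raise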
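def _parse_certificate_data(certificate_data, password=None):
    """Detect whether *certificate_data* is PEM or PKCS#12 and build the upload payload.

    PEM is tried first; on failure the bytes are loaded as PKCS#12, using
    *password* when one is given.

    Args:
        certificate_data: Raw bytes read from the certificate file.
        password: Optional password protecting a PKCS#12 file.

    Returns:
        ``(x509, content_type, payload)``: the parsed certificate object,
        ``'application/x-pem-file'`` or ``'application/x-pkcs12'``, and the
        text to send to the service.  PEM is sent decoded as UTF-8 with CRLF
        normalised to LF; PEM that is not valid UTF-8, and every PKCS#12
        file, is sent base64-encoded.

    Raises:
        CLIError: When the data parses as neither PEM nor PKCS#12, or the
            PKCS#12 bundle holds no certificate.
    """
    import binascii

    try:
        x509 = crypto.load_certificate(crypto.FILETYPE_PEM, certificate_data)
    except (ValueError, crypto.Error):
        x509 = None

    if x509 is not None:
        # PEM: ship as text, with automatic endline conversion for Windows.
        try:
            payload = certificate_data.decode('utf-8').replace('\r\n', '\n')
        except UnicodeDecodeError:
            payload = binascii.b2a_base64(certificate_data).decode('utf-8')
        return x509, 'application/x-pem-file', payload

    try:
        if password:
            bundle = crypto.load_pkcs12(certificate_data, password)
        else:
            bundle = crypto.load_pkcs12(certificate_data)
    except crypto.Error:
        raise CLIError(
            'We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.')  # pylint: disable=line-too-long

    x509 = bundle.get_certificate()
    if x509 is None:
        # A PKCS#12 bundle may legally carry only keys; the validity dates below need a certificate.
        raise CLIError('The provided .pfx does not contain a certificate.')
    payload = binascii.b2a_base64(certificate_data).decode('utf-8')
    return x509, 'application/x-pkcs12', payload


def import_certificate(client, vault_base_url, certificate_name, certificate_data,
                       disabled=False, password=None, certificate_policy=None, tags=None):
    """Import an existing PEM or PKCS#12 certificate into the vault.

    Args:
        client: Key Vault data-plane client; ``import_certificate`` is called on it.
        vault_base_url: Base URL of the target vault.
        certificate_name: Name under which the certificate is stored.
        certificate_data: Raw bytes of the certificate file (PEM or PFX).
        disabled: When true the certificate is imported with ``enabled=False``.
        password: Password of a PKCS#12 file.  It is used locally to parse
            the file and also forwarded unchanged to the service.
        certificate_policy: Optional policy dict.  Its
            ``secret_properties.content_type`` is set to the detected format
            (overwriting whatever the caller supplied, since it must match
            the payload); when the dict has no ``secret_properties`` one is
            added.  When no policy is given a minimal policy carrying only
            the content type is sent.
        tags: Optional tags passed through to the service.

    Returns:
        The result of ``client.import_certificate``.

    Raises:
        CLIError: When the certificate data cannot be parsed.
    """
    x509, content_type, payload = _parse_certificate_data(certificate_data, password)

    # Mirror the certificate's own validity window into the vault attributes.
    raw_not_before = x509.get_notBefore()
    raw_not_after = x509.get_notAfter()
    not_before = _asn1_to_iso8601(raw_not_before) if raw_not_before else None
    not_after = _asn1_to_iso8601(raw_not_after) if raw_not_after else None
    cert_attrs = CertificateAttributes(
        enabled=not disabled, not_before=not_before, expires=not_after)

    if certificate_policy:
        secret_props = certificate_policy.get('secret_properties')
        if secret_props:
            secret_props['content_type'] = content_type
        else:
            certificate_policy['secret_properties'] = SecretProperties(
                content_type=content_type)
    else:
        certificate_policy = CertificatePolicy(
            secret_properties=SecretProperties(content_type=content_type))

    logger.info("Starting 'keyvault certificate import'")
    result = client.import_certificate(
        vault_base_url=vault_base_url,
        certificate_name=certificate_name,
        base64_encoded_certificate=payload,
        certificate_attributes=cert_attrs,
        certificate_policy=certificate_policy,
        tags=tags,
        password=password)
    logger.info("Finished 'keyvault certificate import'")
    return result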