def create_certificate(self, csr, issuer_options): """ Creates an Entrust certificate. :param csr: :param issuer_options: :return: :raise Exception: """ log_data = { "function": f"{__name__}.{sys._getframe().f_code.co_name}", "message": "Requesting options", "options": issuer_options } current_app.logger.info(log_data) if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"): # The ID of the primary client is 1. client_id = 1 else: client_id = get_client_id(self.session, issuer_options.get("organization")) log_data = { "function": f"{__name__}.{sys._getframe().f_code.co_name}", "message": f"Organization id: {client_id}" } current_app.logger.info(log_data) url = current_app.config.get("ENTRUST_URL") + "/certificates" data = process_options(issuer_options, client_id) data["csr"] = csr response_dict = order_and_download_certificate(self.session, url, data) external_id = response_dict['trackingId'] cert = response_dict['endEntityCert'] if len(response_dict['chainCerts']) < 2: # certificate signed by CA directly, no ICA included in the chain chain = None else: chain = response_dict['chainCerts'][1] if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K" ) and get_key_type_from_certificate( cert) == "RSA2048": chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K") if current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F" ) and get_key_type_from_certificate( cert) == "ECCPRIME256V1": chain = current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F") log_data["message"] = "Received Chain" log_data["options"] = f"chain: {chain}" current_app.logger.info(log_data) return cert, chain, external_id
def load_data(self, data): if data.get("replacements"): data["replaces"] = data[ "replacements"] # TODO remove when field is deprecated if data.get("csr"): csr_sans = cert_utils.get_sans_from_csr(data["csr"]) if not data.get("extensions"): data["extensions"] = {"subAltNames": {"names": []}} elif not data["extensions"].get("subAltNames"): data["extensions"]["subAltNames"] = {"names": []} elif not data["extensions"]["subAltNames"].get("names"): data["extensions"]["subAltNames"]["names"] = [] data["extensions"]["subAltNames"]["names"] = csr_sans common_name = cert_utils.get_cn_from_csr(data["csr"]) if common_name: data["common_name"] = common_name key_type = cert_utils.get_key_type_from_csr(data["csr"]) if key_type: data["key_type"] = key_type # This code will be exercised for certificate import (without CSR) if data.get("key_type") is None: if data.get("body"): data["key_type"] = utils.get_key_type_from_certificate( data["body"]) else: data["key_type"] = "RSA2048" # default value return missing.convert_validity_years(data)
def update_key_type(): conn = op.get_bind() start_time = time.time() # Loop through all certificates that are valid today or expired in the last 30 days. for cert_id, body in conn.execute( text( "select id, body from certificates where not_after > CURRENT_DATE - 31 and key_type is null" )): try: cert_key_type = utils.get_key_type_from_certificate(body) except ValueError as e: log.error("Error in processing certificate - ID: %s Error: %s \n" % (cert_id, str(e))) else: log.info("Processing certificate - ID: %s key_type: %s\n" % (cert_id, cert_key_type)) stmt = text( "update certificates set key_type=:key_type where id=:id") stmt = stmt.bindparams(key_type=cert_key_type, id=cert_id) op.execute(stmt) commit() log.info("--- %s seconds ---\n" % (time.time() - start_time))
def load_data(self, data): if data.get("body"): try: data["key_type"] = utils.get_key_type_from_certificate(data["body"]) except ValueError: raise ValidationError( "Public certificate presented is not valid.", field_names=["body"] )
def test_get_key_type_from_certificate(): from lemur.common.utils import get_key_type_from_certificate assert (get_key_type_from_certificate(SAN_CERT_STR) == "RSA2048") assert (get_key_type_from_certificate(ECDSA_SECP384r1_CERT_STR) == "ECCSECP384R1")