def issuer(cert):
    """
    Return a slug identifying the issuer of a parsed certificate.

    Self-signed certificates have no distinct issuer, so the sentinel
    '<selfsigned>' is returned for them. When neither a Common Name nor an
    Organization Name can be read from the issuer field, the error is logged
    and the sentinel '<unknown>' is returned.

    :param cert: Parsed certificate object (cryptography x509 certificate)
    :return: Issuer slug, stripped of non-alphanumeric characters
    """
    # A self-signed certificate issues itself; report the sentinel instead of
    # deriving a slug from its own subject.
    if is_selfsigned(cert):
        return "<selfsigned>"

    # Prefer the issuer's Common Name; fall back to its Organization Name
    # when no CN attribute is present.
    issuer_name = cert.issuer
    candidates = issuer_name.get_attributes_for_oid(x509.OID_COMMON_NAME)
    if not candidates:
        candidates = issuer_name.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)

    if not candidates:
        message = "Unable to get issuer! Cert serial {:x}".format(cert.serial_number)
        current_app.logger.error(message)
        return "<unknown>"

    # Only the first matching attribute is used to build the slug.
    first_attr = candidates[0]
    return text_to_slug(first_attr.value, "")
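def send_authority_expiration_notifications():
    """
    Send expiration notifications for certificate authority certificates.

    Eligible authority certificates are grouped by owner and by configured
    notification interval; one email per (owner, interval) group is sent to
    the owner plus the security team address(es) from the
    LEMUR_SECURITY_TEAM_EMAIL setting.

    :return: Tuple ``(success, failure)`` with the total number of recipients
             of notifications that were sent successfully and the total
             number of recipients of notifications that failed to send.
    """
    success = failure = 0

    # The security team is copied on every notification.
    # NOTE(review): this value is concatenated with a list below, so the
    # config entry is assumed to be a list of addresses -- confirm.
    security_email = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")

    for owner, owner_cert_groups in get_eligible_authority_certificates().items():
        for interval, certificates in owner_cert_groups.items():
            notification_data = []

            for certificate in certificates:
                cert_data = certificate_notification_output_schema.dump(
                    certificate
                ).data
                cert_data['self_signed'] = is_selfsigned(certificate.parsed_cert)
                cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)
                notification_data.append(cert_data)

            email_recipients = security_email + [owner]

            # Accumulate across all (owner, interval) groups; a plain
            # assignment here would report only the last group's recipients.
            if send_default_notification(
                "authority_expiration",
                notification_data,
                email_recipients,
                notification_options=[{'name': 'interval', 'value': interval}]
            ):
                success += len(email_recipients)
            else:
                failure += len(email_recipients)

    return success, failure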
def test_is_selfsigned(selfsigned_cert):
    """
    Check is_selfsigned() against a mix of self-signed and CA-issued
    certificates, and confirm it raises for an unsupported signature
    algorithm (DSA).
    """
    from lemur.common.utils import is_selfsigned

    # (certificate, expected result); root CA certificates are also
    # technically self-signed, as are the EC self-signed fixtures.
    expectations = [
        (selfsigned_cert, True),
        (SAN_CERT, False),
        (INTERMEDIATE_CERT, False),
        (ROOTCA_CERT, True),
        (EC_CERT_EXAMPLE, False),
        (ECDSA_PRIME256V1_CERT, True),
        (ECDSA_SECP384r1_CERT, True),
    ]
    for certificate, expected in expectations:
        assert is_selfsigned(certificate) is expected

    # DSA is not a supported algorithm; the helper is expected to raise.
    with pytest.raises(Exception):
        is_selfsigned(DSA_CERT)