diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py
index 3eaba746..34305cc2 100644
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@@ -227,6 +227,10 @@ class Certificate(db.Model):
def location(self):
return defaults.location(self.parsed_cert)
+ @property
+ def distinguished_name(self):
+ return self.parsed_cert.subject.rfc4514_string()
+
@property
def key_type(self):
if isinstance(self.parsed_cert.public_key(), rsa.RSAPublicKey):
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index 6b457086..946bd541 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -206,6 +206,7 @@ class CertificateOutputSchema(LemurOutputSchema):
cn = fields.String()
common_name = fields.String(attribute='cn')
+ distinguished_name = fields.String()
not_after = fields.DateTime()
validity_end = ArrowDateTime(attribute='not_after')
diff --git a/lemur/common/missing.py b/lemur/common/missing.py
index a4bbba77..5c7dffac 100644
--- a/lemur/common/missing.py
+++ b/lemur/common/missing.py
@@ -16,6 +16,7 @@ def convert_validity_years(data):
data['validity_start'] = now.isoformat()
end = now.replace(years=+int(data['validity_years']))
+
if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
if is_weekend(end):
end = end.replace(days=-2)
diff --git a/lemur/manage.py b/lemur/manage.py
index b972e8a5..184b9aa6 100755
--- a/lemur/manage.py
+++ b/lemur/manage.py
@@ -273,10 +273,11 @@ class CreateUser(Command):
Option('-u', '--username', dest='username', required=True),
Option('-e', '--email', dest='email', required=True),
Option('-a', '--active', dest='active', default=True),
- Option('-r', '--roles', dest='roles', action='append', default=[])
+ Option('-r', '--roles', dest='roles', action='append', default=[]),
+ Option('-p', '--password', dest='password', default=None)
)
- def run(self, username, email, active, roles):
+ def run(self, username, email, active, roles, password):
role_objs = []
for r in roles:
role_obj = role_service.get_by_name(r)
@@ -286,14 +287,16 @@ class CreateUser(Command):
sys.stderr.write("[!] Cannot find role {0}\n".format(r))
sys.exit(1)
- password1 = prompt_pass("Password")
- password2 = prompt_pass("Confirm Password")
+ if not password:
+ password1 = prompt_pass("Password")
+ password2 = prompt_pass("Confirm Password")
+ password = password1
- if password1 != password2:
- sys.stderr.write("[!] Passwords do not match!\n")
- sys.exit(1)
+ if password1 != password2:
+ sys.stderr.write("[!] Passwords do not match!\n")
+ sys.exit(1)
- user_service.create(username, password1, email, active, None, role_objs)
+ user_service.create(username, password, email, active, None, role_objs)
sys.stdout.write("[+] Created new user: {0}\n".format(username))
diff --git a/lemur/plugins/lemur_cfssl/plugin.py b/lemur/plugins/lemur_cfssl/plugin.py
index 030f290a..4bfefc85 100644
--- a/lemur/plugins/lemur_cfssl/plugin.py
+++ b/lemur/plugins/lemur_cfssl/plugin.py
@@ -10,6 +10,9 @@
import json
import requests
+import base64
+import hmac
+import hashlib
from flask import current_app
@@ -48,6 +51,21 @@ class CfsslIssuerPlugin(IssuerPlugin):
data = {'certificate_request': csr}
data = json.dumps(data)
+ try:
+ hex_key = current_app.config.get('CFSSL_KEY')
+ key = bytes.fromhex(hex_key)
+ except (ValueError, NameError):
+ # unable to find CFSSL_KEY in config, continue using normal sign method
+ pass
+ else:
+ data = data.encode()
+
+ token = base64.b64encode(hmac.new(key, data, digestmod=hashlib.sha256).digest())
+ data = base64.b64encode(data)
+
+ data = json.dumps({'token': token.decode('utf-8'), 'request': data.decode('utf-8')})
+
+ url = "{0}{1}".format(current_app.config.get('CFSSL_URL'), '/api/v1/cfssl/authsign')
response = self.session.post(url, data=data.encode(encoding='utf_8', errors='strict'))
if response.status_code > 399:
metrics.send('cfssl_create_certificate_failure', 'counter', 1)
diff --git a/lemur/plugins/lemur_verisign/plugin.py b/lemur/plugins/lemur_verisign/plugin.py
index 3e672a43..3f16f997 100644
--- a/lemur/plugins/lemur_verisign/plugin.py
+++ b/lemur/plugins/lemur_verisign/plugin.py
@@ -111,10 +111,19 @@ def process_options(options):
data['subject_alt_names'] = ",".join(get_additional_names(options))
+ if options.get('validity_end') > arrow.utcnow().replace(years=2):
+ raise Exception("Verisign issued certificates cannot exceed two years in validity")
+
if options.get('validity_end'):
- period = get_default_issuance(options)
- data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
- data['validityPeriod'] = period
+ # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
+ if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
+ period = get_default_issuance(options)
+ data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
+ data['validityPeriod'] = period
+ else:
+ # allowing Symantec website setting the end date, given the validity period
+ data['validityPeriod'] = str(get_default_issuance(options))
+ options.pop('validity_end', None)
elif options.get('validity_years'):
if options['validity_years'] in [1, 2]:
diff --git a/lemur/static/app/angular/certificates/view/view.tpl.html b/lemur/static/app/angular/certificates/view/view.tpl.html
index ba17ffa6..28b4e08e 100644
--- a/lemur/static/app/angular/certificates/view/view.tpl.html
+++ b/lemur/static/app/angular/certificates/view/view.tpl.html
@@ -83,6 +83,8 @@
+
Distinguished Name
+ {{ certificate.distinguishedName }}
Certificate Authority
{{ certificate.authority ? certificate.authority.name : "Imported" }} ({{ certificate.issuer }})
Serial
diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
index a1df1c0d..db2d27cf 100644
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@@ -619,6 +619,12 @@ def test_certificate_get_body(client):
response_body = client.get(api.url_for(Certificates, certificate_id=1), headers=VALID_USER_HEADER_TOKEN).json
assert response_body['serial'] == '211983098819107449768450703123665283596'
assert response_body['serialHex'] == '9F7A75B39DAE4C3F9524C68B06DA6A0C'
+ assert response_body['distinguishedName'] == ('CN=LemurTrust Unittests Class 1 CA 2018,'
+ 'O=LemurTrust Enterprises Ltd,'
+ 'OU=Unittesting Operations Center,'
+ 'C=EE,'
+ 'ST=N/A,'
+ 'L=Earth')
@pytest.mark.parametrize("token,status", [
diff --git a/requirements-dev.txt b/requirements-dev.txt
index c1f55581..ac35f3e9 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -4,16 +4,17 @@
#
# pip-compile --no-index --output-file requirements-dev.txt requirements-dev.in
#
-aspy.yaml==1.1.1 # via pre-commit
+aspy.yaml==1.1.2 # via pre-commit
bleach==3.1.0 # via readme-renderer
certifi==2018.11.29 # via requests
cfgv==1.4.0 # via pre-commit
chardet==3.0.4 # via requests
docutils==0.14 # via readme-renderer
flake8==3.5.0
-identify==1.1.8 # via pre-commit
+identify==1.2.1 # via pre-commit
idna==2.8 # via requests
importlib-metadata==0.8 # via pre-commit
+importlib-resources==1.0.2 # via pre-commit
invoke==1.2.0
mccabe==0.6.1 # via flake8
nodeenv==1.3.3
@@ -24,13 +25,13 @@ pyflakes==1.6.0 # via flake8
pygments==2.3.1 # via readme-renderer
pyyaml==3.13 # via aspy.yaml, pre-commit
readme-renderer==24.0 # via twine
-requests-toolbelt==0.8.0 # via twine
+requests-toolbelt==0.9.0 # via twine
requests==2.21.0 # via requests-toolbelt, twine
six==1.12.0 # via bleach, cfgv, pre-commit, readme-renderer
toml==0.10.0 # via pre-commit
-tqdm==4.29.1 # via twine
+tqdm==4.30.0 # via twine
twine==1.12.1
urllib3==1.24.1 # via requests
-virtualenv==16.2.0 # via pre-commit
+virtualenv==16.3.0 # via pre-commit
webencodings==0.5.1 # via bleach
zipp==0.3.3 # via importlib-metadata
diff --git a/requirements-docs.txt b/requirements-docs.txt
index a7df5395..15085766 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -4,10 +4,10 @@
#
# pip-compile --no-index --output-file requirements-docs.txt requirements-docs.in
#
-acme==0.30.0
+acme==0.30.2
alabaster==0.7.12 # via sphinx
alembic-autogenerate-enums==0.0.2
-alembic==1.0.6
+alembic==1.0.7
amqp==2.4.0
aniso8601==4.1.0
arrow==0.13.0
@@ -17,15 +17,15 @@ babel==2.6.0 # via sphinx
bcrypt==3.1.6
billiard==3.5.0.5
blinker==1.4
-boto3==1.9.80
-botocore==1.12.80
+boto3==1.9.86
+botocore==1.12.86
celery[redis]==4.2.1
certifi==2018.11.29
cffi==1.11.5
chardet==3.0.4
click==7.0
cloudflare==2.1.0
-cryptography==2.4.2
+cryptography==2.5
dnspython3==1.15.0
dnspython==1.15.0
docutils==0.14
@@ -57,18 +57,18 @@ marshmallow-sqlalchemy==0.15.0
marshmallow==2.18.0
mock==2.0.0
ndg-httpsclient==0.5.1
-packaging==18.0 # via sphinx
+packaging==19.0 # via sphinx
paramiko==2.4.2
pbr==5.1.1
pem==18.2.0
-psycopg2==2.7.6.1
-pyasn1-modules==0.2.3
+psycopg2==2.7.7
+pyasn1-modules==0.2.4
pyasn1==0.4.5
pycparser==2.19
pygments==2.3.1 # via sphinx
pyjwt==1.7.1
pynacl==1.3.0
-pyopenssl==18.0.0
+pyopenssl==19.0.0
pyparsing==2.3.1 # via packaging
pyrfc3339==1.1
python-dateutil==2.7.5
@@ -77,7 +77,7 @@ pytz==2018.9
pyyaml==3.13
raven[flask]==6.10.0
redis==2.10.6
-requests-toolbelt==0.8.0
+requests-toolbelt==0.9.0
requests[security]==2.21.0
retrying==1.3.3
s3transfer==0.1.13
@@ -88,8 +88,8 @@ sphinx==1.8.3
sphinxcontrib-httpdomain==1.7.0
sphinxcontrib-websupport==1.1.0 # via sphinx
sqlalchemy-utils==0.33.11
-sqlalchemy==1.2.16
-tabulate==0.8.2
+sqlalchemy==1.2.17
+tabulate==0.8.3
urllib3==1.24.1
vine==1.2.0
werkzeug==0.14.1
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 2d54dce6..c326e951 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -8,30 +8,30 @@ asn1crypto==0.24.0 # via cryptography
atomicwrites==1.2.1 # via pytest
attrs==18.2.0 # via pytest
aws-xray-sdk==0.95 # via moto
-boto3==1.9.80 # via moto
+boto3==1.9.86 # via moto
boto==2.49.0 # via moto
-botocore==1.12.80 # via boto3, moto, s3transfer
+botocore==1.12.86 # via boto3, moto, s3transfer
certifi==2018.11.29 # via requests
cffi==1.11.5 # via cryptography
chardet==3.0.4 # via requests
click==7.0 # via flask
coverage==4.5.2
-cryptography==2.4.2 # via moto
+cryptography==2.5 # via moto
docker-pycreds==0.4.0 # via docker
docker==3.7.0 # via moto
docutils==0.14 # via botocore
ecdsa==0.13 # via python-jose
factory-boy==2.11.1
-faker==1.0.1
+faker==1.0.2
flask==1.0.2 # via pytest-flask
freezegun==0.3.11
future==0.17.1 # via python-jose
-idna==2.8 # via cryptography, requests
+idna==2.8 # via requests
itsdangerous==1.1.0 # via flask
jinja2==2.10 # via flask, moto
jmespath==0.9.3 # via boto3, botocore
jsondiff==1.1.1 # via moto
-jsonpickle==1.0 # via aws-xray-sdk
+jsonpickle==1.1 # via aws-xray-sdk
markupsafe==1.1.0 # via jinja2
mock==2.0.0 # via moto
more-itertools==5.0.0 # via pytest
@@ -42,8 +42,8 @@ pluggy==0.8.1 # via pytest
py==1.7.0 # via pytest
pyaml==18.11.0 # via moto
pycparser==2.19 # via cffi
-pycryptodome==3.7.2 # via python-jose
-pyflakes==2.0.0
+pycryptodome==3.7.3 # via python-jose
+pyflakes==2.1.0
pytest-flask==0.14.0
pytest-mock==1.10.0
pytest==4.1.1
@@ -60,5 +60,5 @@ text-unidecode==1.2 # via faker
urllib3==1.24.1 # via botocore, requests
websocket-client==0.54.0 # via docker
werkzeug==0.14.1 # via flask, moto, pytest-flask
-wrapt==1.11.0 # via aws-xray-sdk
+wrapt==1.11.1 # via aws-xray-sdk
xmltodict==0.11.0 # via moto
diff --git a/requirements.txt b/requirements.txt
index 3915fbcc..ed13c1f9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,9 +4,9 @@
#
# pip-compile --no-index --output-file requirements.txt requirements.in
#
-acme==0.30.0
+acme==0.30.2
alembic-autogenerate-enums==0.0.2
-alembic==1.0.6 # via flask-migrate
+alembic==1.0.7 # via flask-migrate
amqp==2.4.0 # via kombu
aniso8601==4.1.0 # via flask-restful
arrow==0.13.0
@@ -15,8 +15,8 @@ asyncpool==1.0
bcrypt==3.1.6 # via flask-bcrypt, paramiko
billiard==3.5.0.5 # via celery
blinker==1.4 # via flask-mail, flask-principal, raven
-boto3==1.9.80
-botocore==1.12.80
+boto3==1.9.86
+botocore==1.12.86
celery[redis]==4.2.1
certifi==2018.11.29
certsrv==2.1.0
@@ -24,7 +24,7 @@ cffi==1.11.5 # via bcrypt, cryptography, pynacl
chardet==3.0.4 # via requests
click==7.0 # via flask
cloudflare==2.1.0
-cryptography==2.4.2
+cryptography==2.5
dnspython3==1.15.0
dnspython==1.15.0 # via dnspython3
docutils==0.14 # via botocore
@@ -40,7 +40,7 @@ flask-sqlalchemy==2.3.2
flask==1.0.2
future==0.17.1
gunicorn==19.9.0
-idna==2.8 # via cryptography, requests
+idna==2.8 # via requests
inflection==0.3.1
itsdangerous==1.1.0 # via flask
jinja2==2.10
@@ -58,13 +58,13 @@ ndg-httpsclient==0.5.1
paramiko==2.4.2
pbr==5.1.1 # via mock
pem==18.2.0
-psycopg2==2.7.6.1
-pyasn1-modules==0.2.3 # via python-ldap
+psycopg2==2.7.7
+pyasn1-modules==0.2.4 # via python-ldap
pyasn1==0.4.5 # via ndg-httpsclient, paramiko, pyasn1-modules, python-ldap
pycparser==2.19 # via cffi
pyjwt==1.7.1
pynacl==1.3.0 # via paramiko
-pyopenssl==18.0.0
+pyopenssl==19.0.0
pyrfc3339==1.1 # via acme
python-dateutil==2.7.5 # via alembic, arrow, botocore
python-editor==1.0.3 # via alembic
@@ -73,14 +73,14 @@ pytz==2018.9 # via acme, celery, flask-restful, pyrfc3339
pyyaml==3.13 # via cloudflare
raven[flask]==6.10.0
redis==2.10.6
-requests-toolbelt==0.8.0 # via acme
+requests-toolbelt==0.9.0 # via acme
requests[security]==2.21.0
retrying==1.3.3
s3transfer==0.1.13 # via boto3
six==1.12.0
sqlalchemy-utils==0.33.11
-sqlalchemy==1.2.16 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
-tabulate==0.8.2
+sqlalchemy==1.2.17 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
+tabulate==0.8.3
urllib3==1.24.1 # via botocore, requests
vine==1.2.0 # via amqp
werkzeug==0.14.1 # via flask