Merge branch 'master' into ADCS-plugin
This commit is contained in:
sirferl
GitHub
@ -227,6 +227,10 @@ class Certificate(db.Model):
|
||||
def location(self):
|
||||
return defaults.location(self.parsed_cert)
|
||||
|
||||
@property
|
||||
def distinguished_name(self):
|
||||
return self.parsed_cert.subject.rfc4514_string()
|
||||
|
||||
@property
|
||||
def key_type(self):
|
||||
if isinstance(self.parsed_cert.public_key(), rsa.RSAPublicKey):
|
||||
|
||||
@ -206,6 +206,7 @@ class CertificateOutputSchema(LemurOutputSchema):
|
||||
|
||||
cn = fields.String()
|
||||
common_name = fields.String(attribute='cn')
|
||||
distinguished_name = fields.String()
|
||||
|
||||
not_after = fields.DateTime()
|
||||
validity_end = ArrowDateTime(attribute='not_after')
|
||||
|
||||
@ -16,6 +16,7 @@ def convert_validity_years(data):
|
||||
data['validity_start'] = now.isoformat()
|
||||
|
||||
end = now.replace(years=+int(data['validity_years']))
|
||||
|
||||
if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
|
||||
if is_weekend(end):
|
||||
end = end.replace(days=-2)
|
||||
|
||||
@ -273,10 +273,11 @@ class CreateUser(Command):
|
||||
Option('-u', '--username', dest='username', required=True),
|
||||
Option('-e', '--email', dest='email', required=True),
|
||||
Option('-a', '--active', dest='active', default=True),
|
||||
Option('-r', '--roles', dest='roles', action='append', default=[])
|
||||
Option('-r', '--roles', dest='roles', action='append', default=[]),
|
||||
Option('-p', '--password', dest='password', default=None)
|
||||
)
|
||||
|
||||
def run(self, username, email, active, roles):
|
||||
def run(self, username, email, active, roles, password):
|
||||
role_objs = []
|
||||
for r in roles:
|
||||
role_obj = role_service.get_by_name(r)
|
||||
@ -286,14 +287,16 @@ class CreateUser(Command):
|
||||
sys.stderr.write("[!] Cannot find role {0}\n".format(r))
|
||||
sys.exit(1)
|
||||
|
||||
password1 = prompt_pass("Password")
|
||||
password2 = prompt_pass("Confirm Password")
|
||||
if not password:
|
||||
password1 = prompt_pass("Password")
|
||||
password2 = prompt_pass("Confirm Password")
|
||||
password = password1
|
||||
|
||||
if password1 != password2:
|
||||
sys.stderr.write("[!] Passwords do not match!\n")
|
||||
sys.exit(1)
|
||||
if password1 != password2:
|
||||
sys.stderr.write("[!] Passwords do not match!\n")
|
||||
sys.exit(1)
|
||||
|
||||
user_service.create(username, password1, email, active, None, role_objs)
|
||||
user_service.create(username, password, email, active, None, role_objs)
|
||||
sys.stdout.write("[+] Created new user: {0}\n".format(username))
|
||||
|
||||
|
||||
|
||||
@ -10,6 +10,9 @@
|
||||
|
||||
import json
|
||||
import requests
|
||||
import base64
|
||||
import hmac
|
||||
import hashlib
|
||||
|
||||
from flask import current_app
|
||||
|
||||
@ -48,6 +51,21 @@ class CfsslIssuerPlugin(IssuerPlugin):
|
||||
data = {'certificate_request': csr}
|
||||
data = json.dumps(data)
|
||||
|
||||
try:
|
||||
hex_key = current_app.config.get('CFSSL_KEY')
|
||||
key = bytes.fromhex(hex_key)
|
||||
except (ValueError, NameError):
|
||||
# unable to find CFSSL_KEY in config, continue using normal sign method
|
||||
pass
|
||||
else:
|
||||
data = data.encode()
|
||||
|
||||
token = base64.b64encode(hmac.new(key, data, digestmod=hashlib.sha256).digest())
|
||||
data = base64.b64encode(data)
|
||||
|
||||
data = json.dumps({'token': token.decode('utf-8'), 'request': data.decode('utf-8')})
|
||||
|
||||
url = "{0}{1}".format(current_app.config.get('CFSSL_URL'), '/api/v1/cfssl/authsign')
|
||||
response = self.session.post(url, data=data.encode(encoding='utf_8', errors='strict'))
|
||||
if response.status_code > 399:
|
||||
metrics.send('cfssl_create_certificate_failure', 'counter', 1)
|
||||
|
||||
@ -111,10 +111,19 @@ def process_options(options):
|
||||
|
||||
data['subject_alt_names'] = ",".join(get_additional_names(options))
|
||||
|
||||
if options.get('validity_end') > arrow.utcnow().replace(years=2):
|
||||
raise Exception("Verisign issued certificates cannot exceed two years in validity")
|
||||
|
||||
if options.get('validity_end'):
|
||||
period = get_default_issuance(options)
|
||||
data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
|
||||
data['validityPeriod'] = period
|
||||
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date
|
||||
if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
|
||||
period = get_default_issuance(options)
|
||||
data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
|
||||
data['validityPeriod'] = period
|
||||
else:
|
||||
# allowing Symantec website setting the end date, given the validity period
|
||||
data['validityPeriod'] = str(get_default_issuance(options))
|
||||
options.pop('validity_end', None)
|
||||
|
||||
elif options.get('validity_years'):
|
||||
if options['validity_years'] in [1, 2]:
|
||||
|
||||
@ -83,6 +83,8 @@
|
||||
</div>
|
||||
<!-- Certificate fields -->
|
||||
<div class="list-group-item">
|
||||
<dt>Distinguished Name</dt>
|
||||
<dd>{{ certificate.distinguishedName }}</dd>
|
||||
<dt>Certificate Authority</dt>
|
||||
<dd>{{ certificate.authority ? certificate.authority.name : "Imported" }} <span class="text-muted">({{ certificate.issuer }})</span></dd>
|
||||
<dt>Serial</dt>
|
||||
|
||||
@ -619,6 +619,12 @@ def test_certificate_get_body(client):
|
||||
response_body = client.get(api.url_for(Certificates, certificate_id=1), headers=VALID_USER_HEADER_TOKEN).json
|
||||
assert response_body['serial'] == '211983098819107449768450703123665283596'
|
||||
assert response_body['serialHex'] == '9F7A75B39DAE4C3F9524C68B06DA6A0C'
|
||||
assert response_body['distinguishedName'] == ('CN=LemurTrust Unittests Class 1 CA 2018,'
|
||||
'O=LemurTrust Enterprises Ltd,'
|
||||
'OU=Unittesting Operations Center,'
|
||||
'C=EE,'
|
||||
'ST=N/A,'
|
||||
'L=Earth')
|
||||
|
||||
|
||||
@pytest.mark.parametrize("token,status", [
|
||||
|
||||
Reference in New Issue
Block a user