Merge branch 'master' into ADCS-plugin

2019-02-01 19:10:46 +01:00
parent c77ccdf46e c60b712523
commit 36ab1c0bec
12 changed files with 94 additions and 49 deletions
--- a/lemur/plugins/lemur_cfssl/plugin.py
+++ b/lemur/plugins/lemur_cfssl/plugin.py
@ -10,6 +10,9 @@

 import json
 import requests
+import base64
+import hmac
+import hashlib

 from flask import current_app

@ -48,6 +51,21 @@ class CfsslIssuerPlugin(IssuerPlugin):
        data = {'certificate_request': csr}
        data = json.dumps(data)

+        try:
+            hex_key = current_app.config.get('CFSSL_KEY')
+            key = bytes.fromhex(hex_key)
+        except (ValueError, NameError):
+            # unable to find CFSSL_KEY in config, continue using normal sign method
+            pass
+        else:
+            data = data.encode()
+
+            token = base64.b64encode(hmac.new(key, data, digestmod=hashlib.sha256).digest())
+            data = base64.b64encode(data)
+
+            data = json.dumps({'token': token.decode('utf-8'), 'request': data.decode('utf-8')})
+
+            url = "{0}{1}".format(current_app.config.get('CFSSL_URL'), '/api/v1/cfssl/authsign')
        response = self.session.post(url, data=data.encode(encoding='utf_8', errors='strict'))
        if response.status_code > 399:
            metrics.send('cfssl_create_certificate_failure', 'counter', 1)
--- a/lemur/plugins/lemur_verisign/plugin.py
+++ b/lemur/plugins/lemur_verisign/plugin.py
@ -111,10 +111,19 @@ def process_options(options):

    data['subject_alt_names'] = ",".join(get_additional_names(options))

+    if options.get('validity_end') > arrow.utcnow().replace(years=2):
+        raise Exception("Verisign issued certificates cannot exceed two years in validity")
+
    if options.get('validity_end'):
-        period = get_default_issuance(options)
-        data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
-        data['validityPeriod'] = period
+        # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
+        if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
+            period = get_default_issuance(options)
+            data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
+            data['validityPeriod'] = period
+        else:
+            # allowing Symantec website setting the end date, given the validity period
+            data['validityPeriod'] = str(get_default_issuance(options))
+            options.pop('validity_end', None)

    elif options.get('validity_years'):
        if options['validity_years'] in [1, 2]: