From 788703ce12b9e3783fe6cd3ce00d3ebf98caf9e3 Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 20 Oct 2020 16:43:57 -0700
Subject: [PATCH 1/5] Fix cert reissue when L/OU is not set get_certificate_primitives complains with None L/OU
---
 lemur/certificates/schemas.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index cc0a607e..77f49c9b 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -353,6 +353,12 @@ class CertificateOutputSchema(LemurOutputSchema):
 data.pop("organization", None)
 data.pop("organizational_unit", None)
+ # Removing optional fields if None, else it complains in de-serialization
+ if "location" in data and data["location"] is None:
+ data.pop("location")
+ if "organizational_unit" in data and data["organizational_unit"] is None:
+ data.pop("organizational_unit")
+
 class CertificateShortOutputSchema(LemurOutputSchema):
 id = fields.Integer()
From 01dddd2a557286cbf8ecf1229ec5ed51518fd65f Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 20 Oct 2020 17:17:28 -0700
Subject: [PATCH 2/5] iterate over subject details
---
 lemur/certificates/schemas.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index 77f49c9b..3dc864e7 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -340,6 +340,8 @@ class CertificateOutputSchema(LemurOutputSchema):
 @post_dump
 def handle_subject_details(self, data):
+ subject_details = ["country", "state", "location", "organization", "organizational_unit"]
+
 # Remove subject details if authority is CA/Browser Forum compliant. The code will use default set of values in that case.
 # If CA/Browser Forum compliance of an authority is unknown (None), it is safe to fallback to default values. Thus below
 # condition checks for 'not False' ==> 'True or None'
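Review bot: `handle_subject_details` still has no docstring, and the new `subject_details` list is the point where the hook's policy becomes visible: every listed subject field is dropped when the authority is CA/Browser Forum compliant or its compliance is unknown, and otherwise only those whose value is `None`. A docstring along the lines of `"""Strip subject fields from the dumped certificate so defaults apply on reissue: all five when the authority is CAB-compliant or compliance is unknown, otherwise only those that are None."""` would state that contract where callers look for it. The list is a fixed set of field names that presumably mirror fields declared on this schema, so a module-level `SUBJECT_DETAIL_FIELDS = ("country", "state", "location", "organization", "organizational_unit")` would keep the two in one place and avoid rebuilding the list on every dump. The function body continues past this hunk.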
@@ -347,17 +349,13 @@ class CertificateOutputSchema(LemurOutputSchema):
 is_cab_compliant = data.get("authority").get("isCabCompliant")
 if is_cab_compliant is not False:
- data.pop("country", None)
- data.pop("state", None)
- data.pop("location", None)
- data.pop("organization", None)
- data.pop("organizational_unit", None)
+ for field in subject_details:
+ data.pop(field, None)
- # Removing optional fields if None, else it complains in de-serialization
- if "location" in data and data["location"] is None:
- data.pop("location")
- if "organizational_unit" in data and data["organizational_unit"] is None:
- data.pop("organizational_unit")
+ # Removing subject fields if None, else it complains in de-serialization
+ for field in subject_details:
+ if field in data and data[field] is None:
+ data.pop(field)
 class CertificateShortOutputSchema(LemurOutputSchema):
From 49971652351ec487961234c353cad0ed62158984 Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 20 Oct 2020 17:59:50 -0700
Subject: [PATCH 3/5] Removing ECC 192 and 521 from UI not CAB supported. Keeping 521 for authority
---
 .../static/app/angular/authorities/authority/options.tpl.html | 1 -
 .../app/angular/certificates/certificate/options.tpl.html | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/lemur/static/app/angular/authorities/authority/options.tpl.html b/lemur/static/app/angular/authorities/authority/options.tpl.html
index 01928fc3..adf8eacc 100644
--- a/lemur/static/app/angular/authorities/authority/options.tpl.html
+++ b/lemur/static/app/angular/authorities/authority/options.tpl.html
@@ -24,7 +24,6 @@
 ng-options="option.value as option.name for option in [
 {'name': 'RSA-2048', 'value': 'RSA2048'},
 {'name': 'RSA-4096', 'value': 'RSA4096'},
- {'name': 'ECC-PRIME192V1', 'value': 'ECCPRIME192V1'},
 {'name': 'ECC-PRIME256V1', 'value': 'ECCPRIME256V1'},
 {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'},
 {'name': 'ECC-SECP521R1', 'value': 'ECCSECP521R1'}]"
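Review bot: The hook mutates `data` in place and falls off the end without returning it, which works on marshmallow 2 (whose processor invocation keeps the original dict when a hook returns `None`, and whose `(self, data)` hook signature this code matches) but would turn the serialized certificate into `None` under marshmallow 3, where the hook's return value is the output. Adding `return data` after the second `for` loop costs one line and removes the dependence on that version-specific behaviour. The second loop's `if field in data and data[field] is None` is also the only place where "absent" and "present but None" are distinguished; a short comment such as `# keep absent keys absent; drop only explicit None values so the input schema does not reject them` would make that intent clear to the next reader.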
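Review bot: Removing `ECC-PRIME192V1` from the authority option list (and `ECC-PRIME192V1` plus `ECC-SECP521R1` from the certificate list in the next hunk) only hides the choice in the UI; server-side key-type validation is not part of this diff, so a request that still submits `ECCPRIME192V1` to the API would presumably be accepted unless that allowed set is trimmed as well, which is worth confirming given that P-192 sits well below the 112-bit security level. The reasoning for keeping `ECC-SECP521R1` for authorities but not for certificates lives only in the commit subject; an HTML comment next to the list such as `<!-- P-192 and P-521 omitted for end-entity certificates: not supported under the CAB-compliant profile; authorities still offer P-521 -->` would keep it with the code. The `ng-init` default remains `RSA2048`, so existing flows are unaffected.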
diff --git a/lemur/static/app/angular/certificates/certificate/options.tpl.html b/lemur/static/app/angular/certificates/certificate/options.tpl.html
index 2c02c693..11b8fe68 100644
--- a/lemur/static/app/angular/certificates/certificate/options.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/options.tpl.html
@@ -35,10 +35,8 @@
 ng-options="option.value as option.name for option in [
 {'name': 'RSA-2048', 'value': 'RSA2048'},
 {'name': 'RSA-4096', 'value': 'RSA4096'},
- {'name': 'ECC-PRIME192V1', 'value': 'ECCPRIME192V1'},
 {'name': 'ECC-PRIME256V1', 'value': 'ECCPRIME256V1'},
- {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'},
- {'name': 'ECC-SECP521R1', 'value': 'ECCSECP521R1'}]"
+ {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'}]"
 ng-init="certificate.keyType = 'RSA2048'">
From 757e190b6094966ff16113d2e82b5677ca8bb025 Mon Sep 17 00:00:00 2001
From: sayali
Date: Wed, 21 Oct 2020 12:11:41 -0700
Subject: [PATCH 4/5] Check if OU and L is present in subject fixing index out of range
---
 lemur/common/defaults.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/lemur/common/defaults.py b/lemur/common/defaults.py
index b9c88e49..d94c3563 100644
--- a/lemur/common/defaults.py
+++ b/lemur/common/defaults.py
@@ -110,9 +110,11 @@ def organizational_unit(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATIONAL_UNIT_NAME)[
- 0
- ].value.strip()
+ ou = cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATIONAL_UNIT_NAME)
+ if not ou:
+ return None
+
+ return ou[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get organizational unit! {0}".format(e))
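Review bot: The `:return:` line in `organizational_unit`'s docstring is still blank even though the function now has distinct outcomes — the stripped first OU value, `None` when the subject carries no OU, and whatever it falls through to after the `except` branch logs, which from this hunk appears to be an implicit `None` as well; filling it in as `:return: stripped value of the first OU attribute, or None when the subject has none (or the lookup failed)` would tell the reissue path that `None` is now an expected, non-error value. The same guard-then-index-then-strip shape is repeated in `location` (next hunk) and in `organization`, `country` and `state` in PATCH 5/5, each with a single-letter local (`o`, `c`, `s`), so a small private helper would collapse the five copies and leave the OID as the only per-function difference. The function header and the start of the docstring are outside this hunk; the sketch below keeps the `except` handling unchanged.
```python
def _first_subject_attribute(cert, oid):
    """Return the stripped value of the first subject attribute for oid, or None when absent."""
    attrs = cert.subject.get_attributes_for_oid(oid)
    if not attrs:
        return None
    return attrs[0].value.strip()


def organizational_unit(cert):
    # … unchanged: docstring …
    try:
        return _first_subject_attribute(cert, x509.OID_ORGANIZATIONAL_UNIT_NAME)
    # … unchanged: except branch with sentry capture and error log …
```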
@@ -155,9 +157,11 @@ def location(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_LOCALITY_NAME)[
- 0
- ].value.strip()
+ loc = cert.subject.get_attributes_for_oid(x509.OID_LOCALITY_NAME)
+ if not loc:
+ return None
+
+ return loc[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get location! {0}".format(e))
From 43483cb1c7c6c29bfe0dde757e501faecd31a493 Mon Sep 17 00:00:00 2001
From: sayali
Date: Wed, 21 Oct 2020 15:11:10 -0700
Subject: [PATCH 5/5] Check if present - Organization, State, Country
---
 lemur/common/defaults.py | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/lemur/common/defaults.py b/lemur/common/defaults.py
index d94c3563..d7b37292 100644
--- a/lemur/common/defaults.py
+++ b/lemur/common/defaults.py
@@ -95,9 +95,11 @@ def organization(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)[
- 0
- ].value.strip()
+ o = cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)
+ if not o:
+ return None
+
+ return o[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get organization! {0}".format(e))
@@ -127,9 +129,11 @@ def country(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_COUNTRY_NAME)[
- 0
- ].value.strip()
+ c = cert.subject.get_attributes_for_oid(x509.OID_COUNTRY_NAME)
+ if not c:
+ return None
+
+ return c[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get country! {0}".format(e))
@@ -142,9 +146,11 @@ def state(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_STATE_OR_PROVINCE_NAME)[
- 0
- ].value.strip()
+ s = cert.subject.get_attributes_for_oid(x509.OID_STATE_OR_PROVINCE_NAME)
+ if not s:
+ return None
+
+ return s[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get state! {0}".format(e))