From 240c76b3cbcdbbd7fa69d9b9ba88ba8d47812b2d Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 5 Feb 2021 11:47:47 -0800
Subject: [PATCH 1/2] support for Entrust cross-signed EC
---
 lemur/plugins/lemur_entrust/plugin.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 14bf9646..7187e5ee 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -259,8 +259,10 @@ class EntrustIssuerPlugin(IssuerPlugin):
 else:
 chain = response_dict['chainCerts'][1]
- if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048":
- chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA")
+ if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K") and get_key_type_from_certificate(cert) == "RSA2048":
+ chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K")
+ if current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F") and get_key_type_from_certificate(cert) == "ECCPRIME256V1":
+ chain = current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F")
 log_data["message"] = "Received Chain"
 log_data["options"] = f"chain: {chain}"
From db13d8c0015ef3362627ef493682bb66278a45c6 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 5 Feb 2021 11:51:30 -0800
Subject: [PATCH 2/2] documentation
---
 docs/administration.rst | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index f150296b..3f282369 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
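Review bot: The cross-signed substitution replaces the chain Entrust returned with a locally configured PEM without checking that the configured subCA actually matches the issuer of `cert`, so a stale or mis-pasted `ENTRUST_CROSS_SIGNED_RSA_L1K` / `ENTRUST_CROSS_SIGNED_ECC_L1F` value (for example after the intermediate is rotated) would produce a chain that only fails at the client, with nothing but the "Received Chain" debug line to show for it. Comparing the configured certificate's subject against `cert`'s issuer before assigning `chain`, and logging explicitly when the substitution is applied, would surface that at issuance time instead of at deployment. The two `if` statements are also independent and each look up the same config key twice; `cross_signed = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K")` followed by `if cross_signed and ...:` / `elif` makes the single-substitution intent explicit. Only `RSA2048` and `ECCPRIME256V1` keys are substituted, so other key sizes or curves silently keep the Entrust-provided chain; if that is intended, a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.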
@@ -959,10 +959,16 @@ The following parameters have to be set in the configuration files. If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
-.. data:: ENTRUST_CROSS_SIGNED_RSA
+.. data:: ENTRUST_CROSS_SIGNED_RSA_L1K
 :noindex:
- This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
+ This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA_L1K to the respective cross-signed RSA-based subCA PEM and Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA_L1K.
+
+
+.. data:: ENTRUST_CROSS_SIGNED_ECC_L1F
+ :noindex:
+
+ This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_ECC_L1F to the respective cross-signed EC-based subCA PEM and Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_ECC_L1F.
 .. data:: ENTRUST_USE_DEFAULT_CLIENT_ID