Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #3404 from hosseinsh/entrust-crosssigned-ecc 

support for Entrust cross-signed EC
This commit is contained in:
Hossein Shafagh 2021-02-09 10:37:16 -08:00 committed by GitHub
parent 52b3fa9c79 9ef7f4d549
commit 47d617f066
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/administration.rst
View File

@ -959,10 +959,16 @@ The following parameters have to be set in the configuration files.
If there is a config variable ENTRUST_PRODUCT_<upper(authority.name)> take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names. If there is a config variable ENTRUST_PRODUCT_<upper(authority.name)> take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
.. data:: ENTRUST_CROSS_SIGNED_RSA .. data:: ENTRUST_CROSS_SIGNED_RSA_L1K
:noindex: :noindex:
This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA. This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA_L1K to the respective cross-signed RSA-based subCA PEM and Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA_L1K.
.. data:: ENTRUST_CROSS_SIGNED_ECC_L1F
:noindex:
This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_ECC_L1F to the respective cross-signed EC-based subCA PEM and Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_ECC_L1F.
.. data:: ENTRUST_USE_DEFAULT_CLIENT_ID .. data:: ENTRUST_USE_DEFAULT_CLIENT_ID

6
lemur/plugins/lemur_entrust/plugin.py
View File

@ -259,8 +259,10 @@ class EntrustIssuerPlugin(IssuerPlugin):
else: else:
chain = response_dict['chainCerts'][1] chain = response_dict['chainCerts'][1]
if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048": if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K") and get_key_type_from_certificate(cert) == "RSA2048":
chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA_L1K")
if current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F") and get_key_type_from_certificate(cert) == "ECCPRIME256V1":
chain = current_app.config.get("ENTRUST_CROSS_SIGNED_ECC_L1F")
log_data["message"] = "Received Chain" log_data["message"] = "Received Chain"
log_data["options"] = f"chain: {chain}" log_data["options"] = f"chain: {chain}"