Merge branch 'master' into entrust_source
@ -23,7 +23,7 @@ class IssuerPlugin(Plugin):
|
||||
def create_authority(self, options):
|
||||
raise NotImplementedError
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
raise NotImplementedError
|
||||
|
||||
def get_ordered_certificate(self, certificate):
|
||||
|
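Review bot: The base signature at @-23 now takes `reason` in place of `comments`, but the method carries no docstring, so the shape of `reason` is only discoverable by reading the concrete plugins. From the other hunks in this commit, plugins read `reason["crl_reason"]` (a `CRLReason` member name) and `reason["comments"]` (free text), both optional. Add a docstring stating that `reason` is a dict with those two optional keys and that `crl_reason`, when present, must be a valid `CRLReason` name, so new plugins and the callers building the dict agree on one contract. The enclosing class continues outside the hunk.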
@ -221,7 +221,7 @@ class AcmeHandler(object):
|
||||
current_app.logger.debug("Got these domains: {0}".format(domains))
|
||||
return domains
|
||||
|
||||
def revoke_certificate(self, certificate):
|
||||
def revoke_certificate(self, certificate, crl_reason=0):
|
||||
if not self.reuse_account(certificate.authority):
|
||||
raise InvalidConfiguration("There is no ACME account saved, unable to revoke the certificate.")
|
||||
acme_client, _ = self.setup_acme_client(certificate.authority)
|
||||
@ -231,7 +231,7 @@ class AcmeHandler(object):
|
||||
OpenSSL.crypto.FILETYPE_PEM, certificate.body))
|
||||
|
||||
try:
|
||||
acme_client.revoke(fullchain_com, 0) # revocation reason = 0
|
||||
acme_client.revoke(fullchain_com, crl_reason) # revocation reason as int (per RFC 5280 section 5.3.1)
|
||||
except (errors.ConflictError, errors.ClientError, errors.Error) as e:
|
||||
# Certificate already revoked.
|
||||
current_app.logger.error("Certificate revocation failed with message: " + e.detail)
|
||||
|
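Review bot: The new `acme_client.revoke(fullchain_com, crl_reason)` call at @-231 sits inside an `except (errors.ConflictError, errors.ClientError, errors.Error)` that only logs, so if the ACME server rejects a caller-supplied reason code (RFC 8555 defines a `badRevocationReason` error for codes the CA does not allow) the certificate stays valid while `revoke_certificate` returns normally and the caller cannot tell. That was tolerable while the reason was hard-coded to 0, but now that the value comes from the request the failure should propagate: keep the log line and follow it with `raise`, or narrow the except to the already-revoked case the comment above it describes. The `crl_reason=0` default at @-221 is also undocumented; a docstring line such as `crl_reason: RFC 5280 CRLReason code as an int; 0 is unspecified` would make the contract with the callers passing `crl_reason.value` explicit. The `try` block begins outside the @-231 hunk.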
@ -17,6 +17,7 @@ from acme.messages import Error as AcmeError
|
||||
from botocore.exceptions import ClientError
|
||||
from flask import current_app
|
||||
from lemur.authorizations import service as authorization_service
|
||||
from lemur.constants import CRLReason
|
||||
from lemur.dns_providers import service as dns_provider_service
|
||||
from lemur.exceptions import InvalidConfiguration
|
||||
from lemur.extensions import metrics, sentry
|
||||
@ -267,9 +268,13 @@ class ACMEIssuerPlugin(IssuerPlugin):
|
||||
# Needed to override issuer function.
|
||||
pass
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
self.acme = AcmeDnsHandler()
|
||||
return self.acme.revoke_certificate(certificate)
|
||||
crl_reason = CRLReason.unspecified
|
||||
if "crl_reason" in reason:
|
||||
crl_reason = CRLReason[reason["crl_reason"]]
|
||||
|
||||
return self.acme.revoke_certificate(certificate, crl_reason.value)
|
||||
|
||||
|
||||
class ACMEHttpIssuerPlugin(IssuerPlugin):
|
||||
@ -368,6 +373,11 @@ class ACMEHttpIssuerPlugin(IssuerPlugin):
|
||||
# Needed to override issuer function.
|
||||
pass
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
self.acme = AcmeHandler()
|
||||
return self.acme.revoke_certificate(certificate)
|
||||
|
||||
crl_reason = CRLReason.unspecified
|
||||
if "crl_reason" in reason:
|
||||
crl_reason = CRLReason[reason["crl_reason"]]
|
||||
|
||||
return self.acme.revoke_certificate(certificate, crl_reason.value)
|
||||
|
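Review bot: `crl_reason = CRLReason[reason["crl_reason"]]` at @-267 raises a bare `KeyError` when the name is not a member of the enum, which surfaces as an unhandled error rather than a validation failure; the same three lines are repeated at @-368 here and in the cfssl and entrust hunks. Since this lookup is the one place the externally supplied reason name is checked, it is worth centralising it (a helper on `IssuerPlugin` or beside `CRLReason`) that maps a missing key to `CRLReason.unspecified` and converts the `KeyError` into a clear validation error naming the rejected value, so every plugin rejects an unknown reason the same way. Within this file the three lines then collapse to `crl_reason = CRLReason[reason.get("crl_reason", "unspecified")]` or a call to that helper. Assuming `AcmeDnsHandler` inherits `AcmeHandler.revoke_certificate`, passing `crl_reason.value` matches the int the handler now expects.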
@ -59,8 +59,8 @@ class ADCSIssuerPlugin(IssuerPlugin):
|
||||
)
|
||||
return cert, chain, None
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
raise NotImplementedError("Not implemented\n", self, certificate, comments)
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
raise NotImplementedError("Not implemented\n", self, certificate, reason)
|
||||
|
||||
def get_ordered_certificate(self, order_id):
|
||||
raise NotImplementedError("Not implemented\n", self, order_id)
|
||||
|
@ -18,6 +18,7 @@ from flask import current_app
|
||||
|
||||
from lemur.common.utils import parse_certificate
|
||||
from lemur.common.utils import get_authority_key
|
||||
from lemur.constants import CRLReason
|
||||
from lemur.plugins.bases import IssuerPlugin
|
||||
from lemur.plugins import lemur_cfssl as cfssl
|
||||
from lemur.extensions import metrics
|
||||
@ -102,16 +103,23 @@ class CfsslIssuerPlugin(IssuerPlugin):
|
||||
role = {"username": "", "password": "", "name": "cfssl"}
|
||||
return current_app.config.get("CFSSL_ROOT"), "", [role]
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
"""Revoke a CFSSL certificate."""
|
||||
base_url = current_app.config.get("CFSSL_URL")
|
||||
create_url = "{0}/api/v1/cfssl/revoke".format(base_url)
|
||||
|
||||
crl_reason = CRLReason.unspecified
|
||||
if "crl_reason" in reason:
|
||||
crl_reason = CRLReason[reason["crl_reason"]]
|
||||
|
||||
data = (
|
||||
'{"serial": "'
|
||||
+ certificate.external_id
|
||||
+ '","authority_key_id": "'
|
||||
+ get_authority_key(certificate.body)
|
||||
+ '", "reason": "superseded"}'
|
||||
+ '", "reason": "'
|
||||
+ crl_reason
|
||||
+ '"}'
|
||||
)
|
||||
current_app.logger.debug("Revoking cert: {0}".format(data))
|
||||
response = self.session.post(
|
||||
|
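Review bot: `+ crl_reason +` at @-102 concatenates a `CRLReason` enum member into a string, which raises `TypeError` unless `CRLReason` is a `str` subclass (the acme plugin passing `crl_reason.value` suggests it is not); the value the old literal supplied was the reason name, so `crl_reason.name` is the like-for-like replacement. The surrounding hand-built JSON also splices `certificate.external_id` and the authority key id into the string without escaping, so building the payload with `json.dumps` (importing `json` if this module does not already) fixes the type problem and removes the quoting hazard in one step.
```python
# … unchanged: crl_reason lookup …
data = json.dumps({
    "serial": certificate.external_id,
    "authority_key_id": get_authority_key(certificate.body),
    "reason": crl_reason.name,  # reason name, as the previous literal "superseded" was
})
current_app.logger.debug("Revoking cert: {0}".format(data))
```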
@ -368,7 +368,7 @@ class DigiCertIssuerPlugin(IssuerPlugin):
|
||||
certificate_id,
|
||||
)
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
"""Revoke a Digicert certificate."""
|
||||
base_url = current_app.config.get("DIGICERT_URL")
|
||||
|
||||
@ -376,6 +376,11 @@ class DigiCertIssuerPlugin(IssuerPlugin):
|
||||
create_url = "{0}/services/v2/certificate/{1}/revoke".format(
|
||||
base_url, certificate.external_id
|
||||
)
|
||||
|
||||
comments = reason["comments"] if "comments" in reason else ''
|
||||
if "crl_reason" in reason:
|
||||
comments += '(' + reason["crl_reason"] + ')'
|
||||
|
||||
metrics.send("digicert_revoke_certificate", "counter", 1)
|
||||
response = self.session.put(create_url, data=json.dumps({"comments": comments}))
|
||||
return handle_response(response)
|
||||
@ -575,7 +580,7 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
|
||||
data["id"],
|
||||
)
|
||||
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
"""Revoke a Digicert certificate."""
|
||||
base_url = current_app.config.get("DIGICERT_CIS_URL")
|
||||
|
||||
@ -584,6 +589,10 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
|
||||
base_url, certificate.external_id
|
||||
)
|
||||
metrics.send("digicert_revoke_certificate_success", "counter", 1)
|
||||
|
||||
comments = reason["comments"] if "comments" in reason else ''
|
||||
if "crl_reason" in reason:
|
||||
comments += '(' + reason["crl_reason"] + ')'
|
||||
response = self.session.put(revoke_url, data=json.dumps({"comments": comments}))
|
||||
|
||||
if response.status_code != 204:
|
||||
|
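Review bot: `comments += '(' + reason["crl_reason"] + ')'` at @-376 (and again at @-584) forwards the supplied reason name into the DigiCert comment without checking it against `CRLReason`, so these two plugins accept values the other plugins in this commit reject, and a non-string value raises `TypeError` mid-request. Validating through the enum keeps the plugins consistent: `comments += "(" + CRLReason[reason["crl_reason"]].name + ")"`, with `CRLReason` imported from `lemur.constants` as the other plugin files in this commit do. The preceding line reads more simply as `comments = reason.get("comments", "")`.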
@ -5,6 +5,7 @@ import sys
|
||||
from flask import current_app
|
||||
from retrying import retry
|
||||
|
||||
from lemur.constants import CRLReason
|
||||
from lemur.plugins import lemur_entrust as entrust
|
||||
from lemur.plugins.bases import IssuerPlugin, SourcePlugin
|
||||
from lemur.extensions import metrics
|
||||
@ -257,16 +258,20 @@ class EntrustIssuerPlugin(IssuerPlugin):
|
||||
return cert, chain, external_id
|
||||
|
||||
@retry(stop_max_attempt_number=3, wait_fixed=1000)
|
||||
def revoke_certificate(self, certificate, comments):
|
||||
def revoke_certificate(self, certificate, reason):
|
||||
"""Revoke an Entrust certificate."""
|
||||
base_url = current_app.config.get("ENTRUST_URL")
|
||||
|
||||
# make certificate revoke request
|
||||
revoke_url = f"{base_url}/certificates/{certificate.external_id}/revocations"
|
||||
if not comments or comments == '':
|
||||
if "comments" not in reason or reason["comments"] == '':
|
||||
comments = "revoked via API"
|
||||
crl_reason = CRLReason.unspecified
|
||||
if "crl_reason" in reason:
|
||||
crl_reason = CRLReason[reason["crl_reason"]]
|
||||
|
||||
data = {
|
||||
"crlReason": "superseded", # enum (keyCompromise, affiliationChanged, superseded, cessationOfOperation)
|
||||
"crlReason": crl_reason, # per RFC 5280 section 5.3.1
|
||||
"revocationComment": comments
|
||||
}
|
||||
response = self.session.post(revoke_url, json=data)
|
||||
|
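Review bot: In the new body at @-257, `comments` is only assigned inside `if "comments" not in reason or reason["comments"] == '':`, so whenever the caller does supply a non-empty comment the name is unbound when `"revocationComment": comments` is built and the method raises `UnboundLocalError` (which `@retry` then repeats three times). Replace the `if` and its assignment with `comments = reason.get("comments") or "revoked via API"`, which keeps the default for a missing or empty comment. Separately, `"crlReason": crl_reason` now places a `CRLReason` member in a payload sent via `json=data`; unless `CRLReason` subclasses `str`, the JSON encoder raises `TypeError`, and since the old value was the name string `"superseded"` (the removed comment lists Entrust's accepted names), `crl_reason.name` is the like-for-like value. The default also moves from `superseded` to `unspecified`, which is not among the names that comment listed, so a request without `crl_reason` may now be rejected by Entrust; worth confirming against the API before relying on the default.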