Enabling RSA2048 and RSA4096 as available key types (#551)

* Enabling RSA2048 and RSA4096 as available key types * Fixing re-issuance
2016-12-01 15:41:53 -08:00
parent 41b59c5445
commit 81bf98c746
6 changed files with 38 additions and 16 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -9,6 +9,8 @@ import arrow

 from flask import current_app

+from cryptography.hazmat.primitives.asymmetric import rsa
+
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql.expression import case
 from sqlalchemy.ext.hybrid import hybrid_property
@ -148,6 +150,12 @@ class Certificate(db.Model):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.location(cert)

+    @property
+    def key_type(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        if isinstance(cert.public_key(), rsa.RSAPublicKey):
+            return 'RSA{key_size}'.format(key_size=cert.public_key().key_size)
+
    @hybrid_property
    def expired(self):
        if self.not_after <= arrow.utcnow():
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -6,7 +6,7 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 from flask import current_app
-from marshmallow import fields, validates_schema, post_load, pre_load
+from marshmallow import fields, validate, validates_schema, post_load, pre_load
 from marshmallow.exceptions import ValidationError

 from lemur.schemas import AssociatedAuthoritySchema, AssociatedDestinationSchema, AssociatedCertificateSchema, \
@ -58,6 +58,7 @@ class CertificateInputSchema(CertificateCreationSchema):
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)

    csr = fields.String(validate=validators.csr)
+    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')

    notify = fields.Boolean(default=True)

--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -316,11 +316,14 @@ def create_csr(**csr_config):

    :param csr_config:
    """
-    private_key = rsa.generate_private_key(
-        public_exponent=65537,
-        key_size=2048,
-        backend=default_backend()
-    )
+
+    if 'RSA' in csr_config.get('key_type'):
+        key_size = int(csr_config.get('key_type')[3:])
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=key_size,
+            backend=default_backend()
+        )

    # TODO When we figure out a better way to validate these options they should be parsed as str
    builder = x509.CertificateSigningRequestBuilder()
@ -512,7 +515,8 @@ def get_certificate_primitives(certificate):
        organizational_unit=certificate.organizational_unit,
        country=certificate.country,
        state=certificate.state,
-        location=certificate.location
+        location=certificate.location,
+        key_type=certificate.key_type
    )