Enabling RSA2048 and RSA4096 as available key types (#551)

* Enabling RSA2048 and RSA4096 as available key types * Fixing re-issuance
2016-12-01 15:41:53 -08:00 · 2016-12-01 15:41:53 -08:00 · 81bf98c746
parent 41b59c5445
commit 81bf98c746
6 changed files with 38 additions and 16 deletions
--- a/lemur/authorities/service.py
+++ b/lemur/authorities/service.py
@ -51,7 +51,7 @@ def mint(**kwargs):
    elif len(values) == 4:
        body, private_key, chain, roles = values

-    roles = create_authority_roles(roles, kwargs['owner'], kwargs['plugin']['plugin_object'].title, None)
+    roles = create_authority_roles(roles, kwargs['owner'], kwargs['plugin']['plugin_object'].title, kwargs['creator'])
    return body, private_key, chain, roles


--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -9,6 +9,8 @@ import arrow

 from flask import current_app

+from cryptography.hazmat.primitives.asymmetric import rsa
+
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql.expression import case
 from sqlalchemy.ext.hybrid import hybrid_property
@ -148,6 +150,12 @@ class Certificate(db.Model):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.location(cert)

+    @property
+    def key_type(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        if isinstance(cert.public_key(), rsa.RSAPublicKey):
+            return 'RSA{key_size}'.format(key_size=cert.public_key().key_size)
+
    @hybrid_property
    def expired(self):
        if self.not_after <= arrow.utcnow():
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -6,7 +6,7 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 from flask import current_app
-from marshmallow import fields, validates_schema, post_load, pre_load
+from marshmallow import fields, validate, validates_schema, post_load, pre_load
 from marshmallow.exceptions import ValidationError

 from lemur.schemas import AssociatedAuthoritySchema, AssociatedDestinationSchema, AssociatedCertificateSchema, \
@ -58,6 +58,7 @@ class CertificateInputSchema(CertificateCreationSchema):
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)

    csr = fields.String(validate=validators.csr)
+    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')

    notify = fields.Boolean(default=True)

--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -316,11 +316,14 @@ def create_csr(**csr_config):

    :param csr_config:
    """
-    private_key = rsa.generate_private_key(
-        public_exponent=65537,
-        key_size=2048,
-        backend=default_backend()
-    )
+
+    if 'RSA' in csr_config.get('key_type'):
+        key_size = int(csr_config.get('key_type')[3:])
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=key_size,
+            backend=default_backend()
+        )

    # TODO When we figure out a better way to validate these options they should be parsed as str
    builder = x509.CertificateSigningRequestBuilder()
@ -512,7 +515,8 @@ def get_certificate_primitives(certificate):
        organizational_unit=certificate.organizational_unit,
        country=certificate.country,
        state=certificate.state,
-        location=certificate.location
+        location=certificate.location,
+        key_type=certificate.key_type
    )


--- a/lemur/static/app/angular/certificates/certificate/options.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/options.tpl.html
@ -8,7 +8,7 @@
        <div class="col-sm-3">
          <select class="form-control" ng-model="certificate.subAltType" ng-options="item for item in ['DNSName', 'IPAddress', 'uniformResourceIdentifier', 'directoryName','rfc822Name', 'registeredID', 'otherName', 'x400Address', 'EDIPartyName']"></select>
        </div>
-        <div class="col-sm-5">
+        <div class="col-sm-6">
          <div class="input-group">
            <input tooltip-trigger="focus" tooltip-placement="top" uib-tooltip="String or Base64-encoded DER ASN.1 structure for the value" class="form-control" name="value" ng-model="certificate.subAltValue" placeholder="Value" class="form-control" required/>
        <span class="input-group-btn">
@ -18,7 +18,7 @@
        </div>
      </div>
      <div class="form-group">
-        <div class="col-sm-8 col-sm-offset-2">
+        <div class="col-sm-10 col-sm-offset-2">
          <table class="table">
            <tr ng-repeat="alt in certificate.extensions.subAltNames.names track by $index">
              <td>{{ alt.nameType }}</td>
@ -30,6 +30,14 @@
          </table>
        </div>
      </div>
+      <div class="form-group">
+        <label class="control-label col-sm-2">
+            Key Type
+        </label>
+        <div class="col-sm-10">
+            <select class="form-control" ng-model="certificate.keyType" ng-options="option for option in ['RSA2048', 'RSA4096']" ng-init="certificate.keyType = 'RSA2048'"></select>
+        </div>
+      </div>
      <div class="form-group">
        <label class="control-label col-sm-2">
          Key Usage
@ -178,7 +186,7 @@
        <label class="control-label col-sm-2">
          cRL Distribution Points
        </label>
-        <div class="col-sm-8">
+        <div class="col-sm-10">
          <select class="form-control" ng-model="certificate.extensions.cRLDistributionPoints.includeCRLDP" ng-options="item for item in ['yes', 'no', 'default']"></select>
        </div>
      </div>
@ -210,7 +218,7 @@
      </div>
    </div>
    <div class="form-group">
-      <div class="col-sm-8 col-sm-offset-2">
+      <div class="col-sm-10 col-sm-offset-2">
        <table class="table">
          <tr ng-repeat="custom in certificate.extensions.custom track by $index">
            <td>{{ custom.oid }}</td>
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@ -41,7 +41,7 @@ def test_get_certificate_primitives(certificate):

    with freeze_time(datetime.date(year=2016, month=10, day=30)):
        primitives = get_certificate_primitives(certificate)
-        assert len(primitives) == 14
+        assert len(primitives) == 15


 def test_certificate_edit_schema(session):
@ -153,7 +153,7 @@ def test_certificate_input_schema(client, authority):
    assert data['country'] == 'US'
    assert data['location'] == 'Los Gatos'

-    assert len(data.keys()) == 15
+    assert len(data.keys()) == 16


 def test_certificate_input_with_extensions(client, authority):
@ -332,6 +332,7 @@ def test_create_basic_csr(client):
        state='CA',
        location='A place',
        owner='joe@example.com',
+        key_type='RSA2048',
        extensions=dict(names=dict(sub_alt_names=['test.example.com', 'test2.example.com']))
    )
    csr, pem = create_csr(**csr_config)
@ -381,13 +382,13 @@ def test_create_csr():
    from lemur.certificates.service import create_csr

    csr, private_key = create_csr(owner='joe@example.com', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
-                                  state='CA', location='Here')
+                                  state='CA', location='Here', key_type='RSA2048')
    assert csr
    assert private_key

    extensions = {'sub_alt_names': {'names': [{'name_type': 'DNSName', 'value': 'AnotherCommonName'}]}}
    csr, private_key = create_csr(owner='joe@example.com', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
-                                  state='CA', location='Here', extensions=extensions)
+                                  state='CA', location='Here', extensions=extensions, key_type='RSA2048')
    assert csr
    assert private_key