Merge branch 'master' into allow-cert-deletion
a9735e129c
@ -147,6 +147,7 @@ def generate_private_key(key_type):
|
||||||
def check_cert_signature(cert, issuer_public_key):
|
def check_cert_signature(cert, issuer_public_key):
|
||||||
"""
|
"""
|
||||||
Check a certificate's signature against an issuer public key.
|
Check a certificate's signature against an issuer public key.
|
||||||
|
Before EC validation, make sure we support the algorithm, otherwise raise UnsupportedAlgorithm
|
||||||
On success, returns None; on failure, raises UnsupportedAlgorithm or InvalidSignature.
|
On success, returns None; on failure, raises UnsupportedAlgorithm or InvalidSignature.
|
||||||
"""
|
"""
|
||||||
if isinstance(issuer_public_key, rsa.RSAPublicKey):
|
if isinstance(issuer_public_key, rsa.RSAPublicKey):
|
||||||
|
@ -160,9 +161,10 @@ def check_cert_signature(cert, issuer_public_key):
|
||||||
else:
|
else:
|
||||||
padder = padding.PKCS1v15()
|
padder = padding.PKCS1v15()
|
||||||
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, padder, cert.signature_hash_algorithm)
|
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, padder, cert.signature_hash_algorithm)
|
||||||
|
elif isinstance(issuer_public_key, ec.EllipticCurvePublicKey) and isinstance(ec.ECDSA(cert.signature_hash_algorithm), ec.ECDSA):
|
||||||
|
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
|
||||||
else:
|
else:
|
||||||
# EllipticCurvePublicKey or DSAPublicKey
|
raise UnsupportedAlgorithm("Unsupported Algorithm '{var}'.".format(var=cert.signature_algorithm_oid._name))
|
||||||
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm)
|
|
||||||
|
|
||||||
|
|
||||||
def is_selfsigned(cert):
|
def is_selfsigned(cert):
|
||||||
|
|
|
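Review bot: In the second hunk (@ -160) the added condition `isinstance(ec.ECDSA(cert.signature_hash_algorithm), ec.ECDSA)` is always true — `ec.ECDSA(...)` constructs an ECDSA instance, so the guard performs no algorithm check and the docstring line added in the first hunk ("make sure we support the algorithm") is not backed by code. In cryptography the `signature_hash_algorithm` property itself raises UnsupportedAlgorithm for a signature OID it does not recognise, so the branch can be reduced to `elif isinstance(issuer_public_key, ec.EllipticCurvePublicKey):` and the DSA/other fall-through stays with the new `else`. The new error message reads `cert.signature_algorithm_oid._name`, a private attribute; `cert.signature_algorithm_oid.dotted_string` (or the OID's repr) avoids depending on an internal name. check_cert_signature's body starts in the first hunk, and is_selfsigned is cut off at the end of the section.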
@ -15,6 +15,8 @@ from cryptography.fernet import Fernet
|
||||||
from lemur.utils import mktempfile, mktemppath
|
from lemur.utils import mktempfile, mktemppath
|
||||||
from lemur.plugins.bases import ExportPlugin
|
from lemur.plugins.bases import ExportPlugin
|
||||||
from lemur.plugins import lemur_java as java
|
from lemur.plugins import lemur_java as java
|
||||||
|
from lemur.common.utils import parse_certificate
|
||||||
|
from lemur.common.defaults import common_name
|
||||||
|
|
||||||
|
|
||||||
def run_process(command):
|
def run_process(command):
|
||||||
|
@ -233,7 +235,7 @@ class JavaKeystoreExportPlugin(ExportPlugin):
|
||||||
if self.get_option('alias', options):
|
if self.get_option('alias', options):
|
||||||
alias = self.get_option('alias', options)
|
alias = self.get_option('alias', options)
|
||||||
else:
|
else:
|
||||||
alias = "blah"
|
alias = common_name(parse_certificate(body))
|
||||||
|
|
||||||
with mktemppath() as jks_tmp:
|
with mktemppath() as jks_tmp:
|
||||||
create_keystore(body, chain, jks_tmp, key, alias, passphrase)
|
create_keystore(body, chain, jks_tmp, key, alias, passphrase)
|
||||||
|
|
|
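Review bot: In the second hunk (@ -233) `alias = common_name(parse_certificate(body))` can leave `alias` as None when the certificate carries no CN (common_name's behaviour for a missing attribute is not visible here, so confirm), and that value is then handed to create_keystore as the keystore alias; a fallback such as `alias = common_name(parse_certificate(body)) or "certificate"` keeps the export working for SAN-only certificates. Because the alias now comes from certificate contents rather than a fixed literal, confirm that create_keystore passes it to the keytool invocation as a separate argv element and not inside a shell string. The same change appears in the OpenSSLExportPlugin hunk (@ -122) below and this note applies there too. The enclosing export method starts and ends outside the hunk.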
@ -14,7 +14,8 @@ from flask import current_app
|
||||||
from lemur.utils import mktempfile, mktemppath
|
from lemur.utils import mktempfile, mktemppath
|
||||||
from lemur.plugins.bases import ExportPlugin
|
from lemur.plugins.bases import ExportPlugin
|
||||||
from lemur.plugins import lemur_openssl as openssl
|
from lemur.plugins import lemur_openssl as openssl
|
||||||
from lemur.common.utils import get_psuedo_random_string
|
from lemur.common.utils import get_psuedo_random_string, parse_certificate
|
||||||
|
from lemur.common.defaults import common_name
|
||||||
|
|
||||||
|
|
||||||
def run_process(command):
|
def run_process(command):
|
||||||
|
@ -122,7 +123,7 @@ class OpenSSLExportPlugin(ExportPlugin):
|
||||||
if self.get_option('alias', options):
|
if self.get_option('alias', options):
|
||||||
alias = self.get_option('alias', options)
|
alias = self.get_option('alias', options)
|
||||||
else:
|
else:
|
||||||
alias = "blah"
|
alias = common_name(parse_certificate(body))
|
||||||
|
|
||||||
type = self.get_option('type', options)
|
type = self.get_option('type', options)
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
from lemur.tests.vectors import SAN_CERT, INTERMEDIATE_CERT, ROOTCA_CERT
|
from lemur.tests.vectors import SAN_CERT, INTERMEDIATE_CERT, ROOTCA_CERT, EC_CERT_EXAMPLE, ECDSA_PRIME256V1_CERT, ECDSA_SECP384r1_CERT, DSA_CERT
|
||||||
|
|
||||||
|
|
||||||
def test_generate_private_key():
|
def test_generate_private_key():
|
||||||
|
@ -83,3 +83,11 @@ def test_is_selfsigned(selfsigned_cert):
|
||||||
assert is_selfsigned(INTERMEDIATE_CERT) is False
|
assert is_selfsigned(INTERMEDIATE_CERT) is False
|
||||||
# Root CA certificates are also technically self-signed
|
# Root CA certificates are also technically self-signed
|
||||||
assert is_selfsigned(ROOTCA_CERT) is True
|
assert is_selfsigned(ROOTCA_CERT) is True
|
||||||
|
assert is_selfsigned(EC_CERT_EXAMPLE) is False
|
||||||
|
|
||||||
|
# selfsigned certs
|
||||||
|
assert is_selfsigned(ECDSA_PRIME256V1_CERT) is True
|
||||||
|
assert is_selfsigned(ECDSA_SECP384r1_CERT) is True
|
||||||
|
# unsupported algorithm (DSA)
|
||||||
|
with pytest.raises(Exception):
|
||||||
|
is_selfsigned(DSA_CERT)
|
||||||
|
|
|
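Review bot: `with pytest.raises(Exception):` on the DSA vector is too broad — it passes on any failure, including an AttributeError or a mis-parsed vector, so it does not pin the behaviour this commit adds (the new `else` branch in check_cert_signature raises UnsupportedAlgorithm). Narrow it to `with pytest.raises(UnsupportedAlgorithm):` with `from cryptography.exceptions import UnsupportedAlgorithm` added at the top of the file, assuming is_selfsigned lets that exception propagate (its body is not on this page). The `# selfsigned certs` and `# unsupported algorithm (DSA)` comments could also say why each vector is expected to pass or fail, e.g. `# self-signed ECDSA roots: the signature verifies against the cert's own key`.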
@ -394,3 +394,98 @@ zm3Cn4Ul8DO26w9QS4fmZjmnPOZFXYMWoOR6osHzb62PWQ8FBMqXcdToBV2Q9Iw4
|
||||||
PiFAxlc0tVjlLqQ=
|
PiFAxlc0tVjlLqQ=
|
||||||
-----END CERTIFICATE REQUEST-----
|
-----END CERTIFICATE REQUEST-----
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
EC_CERT_STR = """
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDxzCCAq+gAwIBAgIIHsJeci1JWAkwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
|
||||||
|
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
|
||||||
|
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xOTAyMTMxNTM1NTdaFw0x
|
||||||
|
OTA1MDgxNTM1MDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
|
||||||
|
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
|
||||||
|
FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
|
||||||
|
BKwMlIbd4rAwf6eWoa6RrR2w0s5k1M40XOORPf96PByPmld+qhjRMLvA/xcAxdCR
|
||||||
|
XdcMfaX6EUr0Zw8CepitMB2jggFSMIIBTjATBgNVHSUEDDAKBggrBgEFBQcDATAO
|
||||||
|
BgNVHQ8BAf8EBAMCB4AwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB
|
||||||
|
BQUHAQEEXDBaMC0GCCsGAQUFBzAChiFodHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFNH
|
||||||
|
SUFHMy5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnBraS5nb29nL0dUU0dJ
|
||||||
|
QUczMB0GA1UdDgQWBBQLovm8GG0oG91gOGCL58YPNoAlejAMBgNVHRMBAf8EAjAA
|
||||||
|
MB8GA1UdIwQYMBaAFHfCuFCaZ3Z2sS3ChtCDoH6mfrpLMCEGA1UdIAQaMBgwDAYK
|
||||||
|
KwYBBAHWeQIFAzAIBgZngQwBAgIwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2Ny
|
||||||
|
bC5wa2kuZ29vZy9HVFNHSUFHMy5jcmwwDQYJKoZIhvcNAQELBQADggEBAKFbmNOA
|
||||||
|
e3pJ7UVI5EmkAMZgSDRdrsLHV6F7WluuyYCyE/HFpZjBd6y8xgGtYWcask6edwrq
|
||||||
|
zrcXNEN/GY34AYre0M+p0xAs+lKSwkrJd2sCgygmzsBFtGwjW6lhjm+rg83zPHhH
|
||||||
|
mQZ0ShUR1Kp4TvzXgxj44RXOsS5ZyDe3slGiG4aw/hl+igO8Y8JMvcv/Tpzo+V75
|
||||||
|
BkDAFmLRi08NayfeyCqK/TcRpzxKMKhS7jEHK8Pzu5P+FyFHKqIsobi+BA+psOix
|
||||||
|
5nZLhrweLdKNz387mE2lSSKzr7qeLGHSOMt+ajQtZio4YVyZqJvg4Y++J0n5+Rjw
|
||||||
|
MXp8GrvTfn1DQ+o=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
"""
|
||||||
|
EC_CERT_EXAMPLE = parse_certificate(EC_CERT_STR)
|
||||||
|
|
||||||
|
|
||||||
|
ECDSA_PRIME256V1_CERT_STR = """
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICUTCCAfYCCQCvH7H/e2nuiDAKBggqhkjOPQQDAjCBrzELMAkGA1UEBhMCVVMx
|
||||||
|
EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUxvcyBHYXRvczEjMCEGA1UE
|
||||||
|
CgwaTGVtdXJUcnVzdCBFbnRlcnByaXNlcyBMdGQxJjAkBgNVBAsMHVVuaXR0ZXN0
|
||||||
|
aW5nIE9wZXJhdGlvbnMgQ2VudGVyMSowKAYDVQQDDCFMZW11clRydXN0IFVuaXR0
|
||||||
|
ZXN0cyBSb290IENBIDIwMTkwHhcNMTkwMjI2MTgxMTUyWhcNMjkwMjIzMTgxMTUy
|
||||||
|
WjCBrzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcM
|
||||||
|
CUxvcyBHYXRvczEjMCEGA1UECgwaTGVtdXJUcnVzdCBFbnRlcnByaXNlcyBMdGQx
|
||||||
|
JjAkBgNVBAsMHVVuaXR0ZXN0aW5nIE9wZXJhdGlvbnMgQ2VudGVyMSowKAYDVQQD
|
||||||
|
DCFMZW11clRydXN0IFVuaXR0ZXN0cyBSb290IENBIDIwMTkwWTATBgcqhkjOPQIB
|
||||||
|
BggqhkjOPQMBBwNCAAQsnAVUtpDCFMK/k9Chynu8BWRVUBUYbGQ9Q9xeLR60J4fD
|
||||||
|
uBt48YpTqg5RMZEclVknMReXqTmqphOBo37/YVdlMAoGCCqGSM49BAMCA0kAMEYC
|
||||||
|
IQDQZ6xfBiCTHxY4GM4+zLeG1iPBUSfIJOjkFNViFZY/XAIhAJYmrkVQb/YjWCdd
|
||||||
|
Vl89McYhmV4IV7WDgUmUhkUSFXgy
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
"""
|
||||||
|
ECDSA_PRIME256V1_CERT = parse_certificate(ECDSA_PRIME256V1_CERT_STR)
|
||||||
|
|
||||||
|
|
||||||
|
ECDSA_SECP384r1_CERT_STR = """
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICjjCCAhMCCQD2UadeQ7ub1jAKBggqhkjOPQQDAjCBrzELMAkGA1UEBhMCVVMx
|
||||||
|
EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUxvcyBHYXRvczEjMCEGA1UE
|
||||||
|
CgwaTGVtdXJUcnVzdCBFbnRlcnByaXNlcyBMdGQxJjAkBgNVBAsMHVVuaXR0ZXN0
|
||||||
|
aW5nIE9wZXJhdGlvbnMgQ2VudGVyMSowKAYDVQQDDCFMZW11clRydXN0IFVuaXR0
|
||||||
|
ZXN0cyBSb290IENBIDIwMTgwHhcNMTkwMjI2MTgxODU2WhcNMjkwMjIzMTgxODU2
|
||||||
|
WjCBrzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcM
|
||||||
|
CUxvcyBHYXRvczEjMCEGA1UECgwaTGVtdXJUcnVzdCBFbnRlcnByaXNlcyBMdGQx
|
||||||
|
JjAkBgNVBAsMHVVuaXR0ZXN0aW5nIE9wZXJhdGlvbnMgQ2VudGVyMSowKAYDVQQD
|
||||||
|
DCFMZW11clRydXN0IFVuaXR0ZXN0cyBSb290IENBIDIwMTgwdjAQBgcqhkjOPQIB
|
||||||
|
BgUrgQQAIgNiAARuKyHIRp2e6PB5UcY8L/bUdavkL5Zf3IegNKvaAsvkDenhDGAI
|
||||||
|
zwWgsk3rOo7jmpMibn7yJQn404uZovwyeKcApn8uVv8ltheeYAx+ySzzn/APxNGy
|
||||||
|
cye/nv1D9cDW628wCgYIKoZIzj0EAwIDaQAwZgIxANl1ljDH4ykNK2OaRqKOkBOW
|
||||||
|
cKk1SvtiEZDS/wytiZGCeaxYteSYF+3GE8V2W1geWAIxAI8D7DY0HU5zw+oxAlTD
|
||||||
|
Uw/TeHA6q0QV4otPvrINW3V09iXDwFSPe265fTkHSfT6hQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
"""
|
||||||
|
ECDSA_SECP384r1_CERT = parse_certificate(ECDSA_SECP384r1_CERT_STR)
|
||||||
|
|
||||||
|
DSA_CERT_STR = """
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDmTCCA1YCCQD5h/cM7xYO9jALBglghkgBZQMEAwIwga8xCzAJBgNVBAYTAlVT
|
||||||
|
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlMb3MgR2F0b3MxIzAhBgNV
|
||||||
|
BAoMGkxlbXVyVHJ1c3QgRW50ZXJwcmlzZXMgTHRkMSYwJAYDVQQLDB1Vbml0dGVz
|
||||||
|
dGluZyBPcGVyYXRpb25zIENlbnRlcjEqMCgGA1UEAwwhTGVtdXJUcnVzdCBVbml0
|
||||||
|
dGVzdHMgUm9vdCBDQSAyMDE4MB4XDTE5MDIyNjE4MjUyMloXDTI5MDIyMzE4MjUy
|
||||||
|
Mlowga8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH
|
||||||
|
DAlMb3MgR2F0b3MxIzAhBgNVBAoMGkxlbXVyVHJ1c3QgRW50ZXJwcmlzZXMgTHRk
|
||||||
|
MSYwJAYDVQQLDB1Vbml0dGVzdGluZyBPcGVyYXRpb25zIENlbnRlcjEqMCgGA1UE
|
||||||
|
AwwhTGVtdXJUcnVzdCBVbml0dGVzdHMgUm9vdCBDQSAyMDE4MIIBtjCCASsGByqG
|
||||||
|
SM44BAEwggEeAoGBAO2+6wO20rn9K7RtXJ7/kCSVFzYZsY1RKvmJ6BBkMFIepBkz
|
||||||
|
2pk62tRhJgNH07GKF7pyTPRRKqt38CaPK4ERUpavx3Ok6vZ3PKq8tMac/PMKBmT1
|
||||||
|
Xfpch54KDlCdreEMJqYiCwbIyiSCR4+PCH+7xC5Uh0PIZo6otNWe3Wkk53CfAhUA
|
||||||
|
8d4YAtto6D30f7qkEa7DMAccUS8CgYAiv8r0k0aUEaeioblcCAjmhvE0v8/tD5u1
|
||||||
|
anHO4jZIIv7uOrNFIGfqcNEOBs5AQkt5Bxn6x0b/VvtZ0FSrD0j4f36pTgro6noG
|
||||||
|
/0oRt0JngxsMSfo0LV4+bY62v21A0SneNgTgY+ugdfgGWvb0+9tpsIhiY69T+7c8
|
||||||
|
Oa0S6OWSPAOBhAACgYB5wa+nJJNZPoTWFum27JlWGYLO2flg5EpWlOvcEE0o5RfB
|
||||||
|
FPnMM033kKQQEI0YpCAq9fIMKhhUMk1X4mKUBUTt+Nrn1pY2l/wt5G6AQdHI8QXz
|
||||||
|
P1ecBbHPNZtWe3iVnfOgz/Pd8tU9slcXP9z5XbZ7R/oGcF/TPRTtbLEkYZNaDDAL
|
||||||
|
BglghkgBZQMEAwIDMAAwLQIVANubSNMSLt8plN9ZV3cp4pe3lMYCAhQPLLE7rTgm
|
||||||
|
92X+hWfyz000QEpYEQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
"""
|
||||||
|
DSA_CERT = parse_certificate(DSA_CERT_STR)
|
||||||
|
|
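Review bot: The new vector constants carry no comment saying what each one is, and `ECDSA_SECP384r1_CERT_STR`/`ECDSA_SECP384r1_CERT` mix case where the sibling is `ECDSA_PRIME256V1_CERT`; a consistent `ECDSA_SECP384R1_CERT` (with the matching import in the test module) reads better. A one-line comment above each constant — e.g. `# EC (P-256) leaf issued by a third-party CA; not self-signed`, `# self-signed ECDSA P-256 test root`, `# self-signed DSA test root; rejected by check_cert_signature` — would tell the next reader which property each vector exercises. EC_CERT_STR appears to be a real production certificate (the subject decodes to www.google.com with a 2019 validity window, as far as the encoded dates can be read) rather than one generated for the suite like the other three; a self-generated, CA-issued EC vector would avoid shipping third-party material whose validity has lapsed.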