Closes #648, also fixes several issues #666. (#678)

2017-01-27 21:05:25 -08:00
parent f13a3505f3
commit bc94353850
10 changed files with 142 additions and 112 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -233,34 +233,46 @@ class Certificate(db.Model):
        return_extensions = {}
        cert = lemur.common.utils.parse_certificate(self.body)
        for extension in cert.extensions:
-            if isinstance(extension, x509.BasicConstraints):
-                return_extensions['basic_constraints'] = extension
-            elif isinstance(extension, x509.SubjectAlternativeName):
-                return_extensions['sub_alt_names'] = extension
-            elif isinstance(extension, x509.ExtendedKeyUsage):
-                return_extensions['extended_key_usage'] = extension
-            elif isinstance(extension, x509.KeyUsage):
-                return_extensions['key_usage'] = extension
-            elif isinstance(extension, x509.SubjectKeyIdentifier):
+            value = extension.value
+            if isinstance(value, x509.BasicConstraints):
+                return_extensions['basic_constraints'] = extension.value
+
+            elif isinstance(value, x509.SubjectAlternativeName):
+                return_extensions['sub_alt_names'] = {'names': extension.value}
+
+            elif isinstance(value, x509.ExtendedKeyUsage):
+                return_extensions['extended_key_usage'] = extension.value
+
+            elif isinstance(value, x509.KeyUsage):
+                return_extensions['key_usage'] = extension.value
+
+            elif isinstance(value, x509.SubjectKeyIdentifier):
                return_extensions['subject_key_identifier'] = {'include_ski': True}
-            elif isinstance(extension, x509.AuthorityInformationAccess):
+
+            elif isinstance(value, x509.AuthorityInformationAccess):
                return_extensions['certificate_info_access'] = {'include_aia': True}
-            elif isinstance(extension, x509.AuthorityKeyIdentifier):
+
+            elif isinstance(value, x509.AuthorityKeyIdentifier):
                aki = {
                    'use_key_identifier': False,
                    'use_authority_cert': False
                }
-                if extension.key_identifier:
+
+                if value.key_identifier:
                    aki['use_key_identifier'] = True
-                if extension.authority_cert_issuer:
+
+                if value.authority_cert_issuer:
                    aki['use_authority_cert'] = True
+
                return_extensions['authority_key_identifier'] = aki
-            elif isinstance(extension, x509.CRLDistributionPoints):
-                # FIXME: Don't support CRLDistributionPoints yet https://github.com/Netflix/lemur/issues/662
-                pass
+
+            # TODO: Don't support CRLDistributionPoints yet https://github.com/Netflix/lemur/issues/662
+            elif isinstance(value, x509.CRLDistributionPoints):
+                current_app.logger.warning('CRLDistributionPoints not yet supported for clone operation.')
+
+            # TODO: Not supporting custom OIDs yet. https://github.com/Netflix/lemur/issues/665
            else:
-                # FIXME: Not supporting custom OIDs yet. https://github.com/Netflix/lemur/issues/665
-                pass
+                current_app.logger.warning('Custom OIDs not yet supported for clone operation.')

        return return_extensions

--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -330,10 +330,8 @@ def create_csr(**csr_config):

    :param csr_config:
    """
-
    private_key = generate_private_key(csr_config.get('key_type'))

-    # TODO When we figure out a better way to validate these options they should be parsed as str
    builder = x509.CertificateSigningRequestBuilder()
    builder = builder.subject_name(x509.Name([
        x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name']),
@ -349,12 +347,17 @@ def create_csr(**csr_config):
    critical_extensions = ['basic_constraints', 'sub_alt_names', 'key_usage']
    noncritical_extensions = ['extended_key_usage']
    for k, v in extensions.items():
-        if k in critical_extensions and v:
-            current_app.logger.debug("Add CExt: {0} {1}".format(k, v))
-            builder = builder.add_extension(v, critical=True)
-        if k in noncritical_extensions and v:
-            current_app.logger.debug("Add Ext: {0} {1}".format(k, v))
-            builder = builder.add_extension(v, critical=False)
+        if v:
+            if k in critical_extensions:
+                current_app.logger.debug('Adding Critical Extension: {0} {1}'.format(k, v))
+                if k == 'sub_alt_names':
+                    builder = builder.add_extension(v['names'], critical=True)
+                else:
+                    builder = builder.add_extension(v, critical=True)
+
+            if k in noncritical_extensions:
+                current_app.logger.debug('Adding Extension: {0} {1}'.format(k, v))
+                builder = builder.add_extension(v, critical=False)

    ski = extensions.get('subject_key_identifier', {})
    if ski.get('include_ski', False):