From fef7c7a907df30cc572e0e9cf1d488332c6581ab Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 15 Jan 2021 16:49:14 -0800
Subject: [PATCH 1/3] support for cross-signed subCA

---
 lemur/plugins/lemur_entrust/plugin.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 903bd7a9..cf7d2307 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -9,7 +9,7 @@ from lemur.constants import CRLReason
 from lemur.plugins import lemur_entrust as entrust
 from lemur.plugins.bases import IssuerPlugin, SourcePlugin
 from lemur.extensions import metrics
-from lemur.common.utils import validate_conf
+from lemur.common.utils import validate_conf, get_key_type_from_certificate
 
 
 def log_status_code(r, *args, **kwargs):
@@ -251,6 +251,9 @@ class EntrustIssuerPlugin(IssuerPlugin):
         else:
             chain = response_dict['chainCerts'][1]
 
+        if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048":
+            chain = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA")
+
         log_data["message"] = "Received Chain"
         log_data["options"] = f"chain: {chain}"
         current_app.logger.info(log_data)

From 685cea47683fcccc4152accb1a865494f5c0bb7f Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 15 Jan 2021 16:51:24 -0800
Subject: [PATCH 2/3] documentation

---
 docs/administration.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/administration.rst b/docs/administration.rst
index 59611c0f..818a24c4 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
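Review bot: The `if current_app.config.get("ENTRUST_CROSS_SIGNED_RSA") and get_key_type_from_certificate(cert) == "RSA2048":` branch swaps the subCA returned by Entrust for the configured PEM on the strength of the key being set and the leaf's key type alone, with no check that the configured intermediate actually issued `cert`; a stale or mistyped value, or Entrust moving RSA issuance to a different subCA, would leave every RSA2048 certificate stored with a chain that does not validate, and the info log below would not surface it. A cheap guard is to parse both PEMs with `parse_certificate` (already in `lemur.common.utils`, so it can join the existing `validate_conf` import) and substitute only when the configured certificate's subject equals the leaf's issuer, otherwise keeping the retrieved chain and logging a warning; comparing the public key against the retrieved intermediate would be stricter still. The config value is also fetched twice where one local would do, and the exact `== "RSA2048"` match excludes larger RSA keys, which deserves a comment next to the check if that is intended. The enclosing method starts and ends outside the hunk, so that `cert` here is the leaf PEM is inferred from the `get_key_type_from_certificate` call.
```python
        cross_signed = current_app.config.get("ENTRUST_CROSS_SIGNED_RSA")
        if cross_signed and get_key_type_from_certificate(cert) == "RSA2048":
            # Only replace the retrieved subCA when the configured one really issued this
            # leaf; a mismatched PEM would silently store a chain that does not validate.
            if parse_certificate(cross_signed).subject == parse_certificate(cert).issuer:
                chain = cross_signed
            else:
                log_data["message"] = "ENTRUST_CROSS_SIGNED_RSA does not match the leaf issuer, keeping retrieved chain"
                current_app.logger.warning(log_data)

        # … unchanged: "Received Chain" logging …
```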
@@ -941,6 +941,12 @@ The following parameters have to be set in the configuration files.
 If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
 
+.. data:: ENTRUST_CROSS_SIGNED_RSA
+    :noindex:
+
+    This is optional. Entrut provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
+
+
 Verisign Issuer Plugin
 ~~~~~~~~~~~~~~~~~~~~~~

From d914d37e6b04fdc849732cdbbff82c1d8eae7fd4 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 15 Jan 2021 16:52:32 -0800
Subject: [PATCH 3/3] typo

---
 docs/administration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/administration.rst b/docs/administration.rst
index 818a24c4..15cff1f8 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -944,7 +944,7 @@ The following parameters have to be set in the configuration files.
 .. data:: ENTRUST_CROSS_SIGNED_RSA
     :noindex:
 
-    This is optional. Entrut provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
+    This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
 
 
 Verisign Issuer Plugin