Packaging

debian/rules

@@ -11,6 +11,8 @@ export PYBUILD_DISABLE_python3 = test
 	# only last version are supported by lemur
 	# but Ubuntu has not last version
 	sed -i "s/==\(\([[:digit:]]\)*\(\.\)*\)*//g" requirements.txt
+	# unecessary dependency
+	sed -i "s/zope.deferredimport/#zope.deferredimport/g" requirements.txt
 	dh $@ --with python3 --buildsystem=pybuild
 
 override_dh_install:

lemur/certificates/schemas.py

@@ -373,7 +373,8 @@ class CertificateOutputSchema(LemurOutputSchema):
             plugin = plugins.get(cert['authority']['plugin']['slug'])
         if plugin:
             plugin.wrap_certificate(cert)
-        del cert['root_authority']
+        if 'root_authority' in cert:
+            del cert['root_authority']
 
 
 class CertificateShortOutputSchema(LemurOutputSchema):

lemur/plugins/lemur_openssh/plugin.py

@@ -48,10 +48,15 @@ def split_cert(body):
 
 
 def sign_certificate(common_name, public_key, authority_private_key, user, extensions, not_before, not_after):
+    private_key = parse_private_key(authority_private_key).private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.OpenSSH,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
     with mktempfile() as issuer_tmp:
         cmd = ['ssh-keygen', '-s', issuer_tmp]
         with open(issuer_tmp, 'w') as i:
-            i.writelines(authority_private_key)
+            i.writelines(private_key)
         if 'extendedKeyUsage' in extensions and extensions['extendedKeyUsage'].get('useClientAuthentication'):
             cmd.extend(['-I', user['username'] + ' user key',
                         '-n', user['username']])
@@ -63,9 +68,9 @@ def sign_certificate(common_name, public_key, authority_private_key, user, exten
             cmd.extend(['-I', common_name + ' host key',
                         '-n', ','.join(domains),
                         '-h'])
-        # something like 20201024
-        ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d")
-        ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d")
+        # something like 20201024102030
+        ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d%H%M%S")
+        ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d%H%M%S")
         cmd.extend(['-V', ssh_not_before + ':' + ssh_not_after])
         with mktempfile() as cert_tmp:
             with open(cert_tmp, 'w') as f:
@@ -102,6 +107,8 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
         return cert_pem, private_key, chain_cert_pem, roles
 
     def wrap_certificate(self, cert):
+        if 'body' not in cert:
+            return
         # get public_key in OpenSSH format
         public_key = parse_certificate(cert['body']).public_key().public_bytes(
             encoding=serialization.Encoding.OpenSSH,
@@ -109,10 +116,11 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
         ).decode()
         public_key += ' ' + cert['user']['email']
         # sign it with authority private key
-        if 'root_authority' in cert:
-            root_authority = cert['root_authority']
+        if 'root_authority' in cert and cert['root_authority']:
+            authority = cert['root_authority']
         else:
-            root_authority = get_by_root_authority(cert['authority']['id'])
+            authority = cert['authority']
+        root_authority = get_by_root_authority(authority['id'])
         authority_private_key = root_authority.private_key
         cert['body'] = sign_certificate(
             cert['common_name'],