Merge de78d67 into 022173c
pinmarva committed Nov 27, 2023
2 parents 022173c + de78d67 commit b76377c
Showing 4 changed files with 104 additions and 5 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.rst
Expand Up @@ -8,11 +8,11 @@ Added ability for new versions of LEMUR_TOKEN_SECRET via the LEMUR_TOKEN_SECRETS
migration and rotation of the secret.
Added ENTRUST_INFER_EKU config property which attempts to computes the appropriate EKU value from the csr (default False).
Added DIGICERT_CIS_USE_CSR_FIELDS to control the `use_csr_fields` create certificate API field (default False).
Added Digicert source plugin. Enable it with DIGICERT_SOURCE_ENABLED
Added AWS ACM source plugin. This plugin retreives all certificates for an account and a region.
Added AWS ACM destination plugin. This plugin uploads a certificate to AWS ACM.



1.6.0 - `2023-10-23`
~~~~~~~~~~~~~~~~~~~~
Add NTLM auth support for ADCS issuer.
32 changes: 32 additions & 0 deletions docs/administration.rst
Expand Up @@ -1627,6 +1627,38 @@ The following configuration properties are required to use the Digicert issuer p

This is whether or not to issue a private certificate. (Default: False)



Digicert Source
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Digicert Source Plugin will read from one Digicert organization.


.. data:: DIGICERT_SOURCE_ENABLED
:noindex:

Boolean. This enables or disables the plugin.


.. data:: DIGICERT_URL
:noindex:

This is the url for the Digicert API (e.g. https://www.digicert.com)


.. data:: DIGICERT_API_KEY
:noindex:

This is the Digicert API key


.. data:: DIGICERT_ORG_ID
:noindex:

This is the Digicert organization ID


Digicert CIS Issuer Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~

74 changes: 70 additions & 4 deletions lemur/plugins/lemur_digicert/plugin.py
Expand Up @@ -26,6 +26,7 @@
from flask import current_app, g
from retrying import retry
from urllib3.util.retry import Retry
from cryptography.hazmat.primitives import serialization

from lemur.common.utils import validate_conf, convert_pkcs7_bytes_to_pem
from lemur.extensions import metrics
Expand Down Expand Up @@ -297,13 +298,14 @@ class DigiCertSourcePlugin(SourcePlugin):
author = "Kevin Glisson"
author_url = "https://github.com/netflix/lemur.git"

additional_options: List[Dict[str, Any]] = []

def __init__(self, *args, **kwargs):
"""Initialize source with appropriate details."""
required_vars = [
"DIGICERT_API_KEY",
"DIGICERT_URL",
"DIGICERT_ORG_ID",
"DIGICERT_ROOT",
]
validate_conf(current_app, required_vars)

Expand All @@ -317,10 +319,74 @@ def __init__(self, *args, **kwargs):

self.session.hooks = dict(response=log_status_code)

# max_retries applies only to failed DNS lookups, socket connections and connection timeouts,
# never to requests where data has made it to the server.
# we Retry we also covers HTTP status code 406, 500, 502, 503, 504
retry_strategy = Retry(total=3, backoff_factor=0.1, status_forcelist=[406, 500, 502, 503, 504])
adapter = requests.adapters.HTTPAdapter(max_retries=retry_strategy)
self.session.mount("https://", adapter)

super().__init__(*args, **kwargs)

def get_certificates(self):
pass
def get_certificates(self, options, **kwargs):
"""Fetch all Digicert certificates."""

if current_app.config.get("DIGICERT_SOURCE_ENABLED"):

base_url = current_app.config.get("DIGICERT_URL")

# make request
search_url = f"{base_url}/services/v2/order/certificate"

certs = []
offset = 0
limit = 40

while True:
response = self.session.get(
search_url, params={
"filters[status]": "issued",
"filters[organization_id]": current_app.config["DIGICERT_ORG_ID"],
"offset": offset,
"limit": limit
}
)

data = handle_response(response)

for c in data["orders"]:
# https://dev.digicert.com/en/certcentral-apis/services-api/glossary.html#certificate-formats
# ID 29. pem_all
if c["status"] == "issued":
download_url = "{0}/services/v2/certificate/{1}/download/platform/{2}".format(
base_url,
c["certificate"]["id"],
29
)

pem_all = self.session.get(download_url)

certificates = x509.load_pem_x509_certificates(pem_all.content)
certificate = certificates[0].public_bytes(serialization.Encoding.PEM).decode()
chains = certificates[1:]
chain_str = ""
for chain in chains:
chain_str += chain.public_bytes(serialization.Encoding.PEM).decode()

# normalize serial
serial = str(int(c["certificate"]["serial_number"], 16))
cert = {
"body": certificate,
"chain": chain_str,
"serial": serial,
"external_id": str(c["certificate"]["id"])
}
certs.append(cert)

offset += limit
if offset >= data["page"]["total"]:
break
return certs


class DigiCertIssuerPlugin(IssuerPlugin):
Expand Down Expand Up @@ -484,7 +550,7 @@ def create_authority(options):
class DigiCertCISSourcePlugin(SourcePlugin):
"""Wrap the Digicert CIS Certifcate API."""

title = "DigiCert"
title = "DigiCert CIS"
slug = "digicert-cis-source"
description = "Enables the use of Digicert as a source of existing certificates."
version = digicert.VERSION
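Review bot: The certificate download in get_certificates, `pem_all = self.session.get(download_url)`, never checks the HTTP status, so an error body from the API is handed straight to `x509.load_pem_x509_certificates` and surfaces as a generic PEM parse error rather than the API's message; add `pem_all.raise_for_status()` before reading `pem_all.content`, so this request gets the same treatment as the order listing that goes through `handle_response(response)`. The same method falls off the end with an implicit `None` when `DIGICERT_SOURCE_ENABLED` is unset, while the enabled path returns a list; an explicit `return []` after the `if` block keeps callers that iterate the result from failing. The retry comment above `retry_strategy` reads garbled (`# we Retry we also covers HTTP status code 406, 500, 502, 503, 504`) and would be clearer as `# The Retry strategy also covers HTTP status codes 406, 500, 502, 503 and 504`. This hunk begins inside `__init__`, whose start is outside the hunk, and `x509` is not imported in the visible lines, so it is presumably already imported further up the file.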
1 change: 1 addition & 0 deletions setup.py
Expand Up @@ -151,6 +151,7 @@ def run(self):
'cryptography_issuer = lemur.plugins.lemur_cryptography.plugin:CryptographyIssuerPlugin',
'cfssl_issuer = lemur.plugins.lemur_cfssl.plugin:CfsslIssuerPlugin',
'digicert_issuer = lemur.plugins.lemur_digicert.plugin:DigiCertIssuerPlugin',
'digicert_source = lemur.plugins.lemur_digicert.plugin:DigiCertSourcePlugin',
'digicert_cis_issuer = lemur.plugins.lemur_digicert.plugin:DigiCertCISIssuerPlugin',
'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',