Support for EC KeyTypes in Policy Specification

Added support for Elliptic Curve Key types when requesting certificates in VaaS

Author: rvelaVenafi

tests/test_pm.py

@@ -19,7 +19,7 @@
 
 from test_env import (TPP_TOKEN_URL, CLOUD_APIKEY, CLOUD_URL, TPP_PM_ROOT, CLOUD_ENTRUST_CA_NAME,
                       CLOUD_DIGICERT_CA_NAME, TPP_CA_NAME, TPP_USER, TPP_PASSWORD)
-from test_utils import timestamp
+from test_utils import get_tpp_policy_name, get_vaas_zone
 from vcert import TPPTokenConnection, CloudConnection, Authentication, SCOPE_PM, logger, VenafiError, KeyType
 from vcert.parser import json_parser, yaml_parser
 from vcert.parser.utils import parse_policy_spec
@@ -50,7 +50,7 @@ def test_json_parsing(self):
         self._assert_policy_spec(ps)
 
     def test_json_serialization(self):
-        ps = PolicySpecification(policy=_get_policy_obj(), defaults=_get_defaults_obj())
+        ps = PolicySpecification(policy=get_policy_obj(), defaults=get_defaults_obj())
         json_parser.serialize(ps, 'test_json_serialization.json')
 
     def test_yaml_11_parsing(self):
@@ -61,7 +61,7 @@ def test_yaml_12_parsing(self):
         self._assert_policy_spec(ps)
 
     def test_yaml_serialization(self):
-        ps = PolicySpecification(policy=_get_policy_obj(), defaults=_get_defaults_obj())
+        ps = PolicySpecification(policy=get_policy_obj(), defaults=get_defaults_obj())
         yaml_parser.serialize(ps, 'test_yaml_serialization.yaml')
 
     def _assert_policy_spec(self, ps):
@@ -105,23 +105,23 @@ def test_create_policy_yaml(self):
         pass
 
     def test_create_policy_full(self):
-        policy = _get_policy_obj(ca_type=CA_TYPE_TPP)
+        policy = get_policy_obj(ca_type=CA_TYPE_TPP)
         policy.key_pair.rsa_key_sizes = [2048]
-        self._create_policy_tpp(policy=policy, defaults=_get_defaults_obj())
+        self._create_policy_tpp(policy=policy, defaults=get_defaults_obj())
 
     def test_create_policy_empty(self):
         self._create_policy_tpp()
 
     def test_create_policy_no_policy(self):
-        self._create_policy_tpp(defaults=_get_defaults_obj())
+        self._create_policy_tpp(defaults=get_defaults_obj())
 
     def test_create_policy_no_defaults(self):
-        policy = _get_policy_obj(ca_type=CA_TYPE_TPP)
+        policy = get_policy_obj(ca_type=CA_TYPE_TPP)
         policy.key_pair.rsa_key_sizes = [2048]
         self._create_policy_tpp(policy=policy)
 
     def _create_policy_tpp(self, policy_spec=None, policy=None, defaults=None):
-        zone = f"{TPP_PM_ROOT}\\{_get_tpp_policy_name()}"
+        zone = f"{TPP_PM_ROOT}\\{get_tpp_policy_name()}"
         create_policy(self.tpp_conn, zone, policy_spec, policy, defaults)
 
 
@@ -143,25 +143,25 @@ def test_create_policy_yaml(self):
         pass
 
     def test_create_policy_full(self):
-        self._create_policy_cloud(policy=_get_policy_obj(), defaults=_get_defaults_obj())
+        self._create_policy_cloud(policy=get_policy_obj(), defaults=get_defaults_obj())
 
     def test_create_policy_empty(self):
         self._create_policy_cloud()
 
     def test_create_policy_no_policy(self):
-        self._create_policy_cloud(defaults=_get_defaults_obj())
+        self._create_policy_cloud(defaults=get_defaults_obj())
 
     def test_create_policy_no_defaults(self):
-        self._create_policy_cloud(policy=_get_policy_obj())
+        self._create_policy_cloud(policy=get_policy_obj())
 
     def test_create_policy_entrust(self):
-        self._create_policy_cloud(policy=_get_policy_obj(ca_type=CA_TYPE_ENTRUST), defaults=_get_defaults_obj())
+        self._create_policy_cloud(policy=get_policy_obj(ca_type=CA_TYPE_ENTRUST), defaults=get_defaults_obj())
 
     def test_create_policy_digicert(self):
-        self._create_policy_cloud(policy=_get_policy_obj(ca_type=CA_TYPE_DIGICERT), defaults=_get_defaults_obj())
+        self._create_policy_cloud(policy=get_policy_obj(ca_type=CA_TYPE_DIGICERT), defaults=get_defaults_obj())
 
     def test_validate_domains(self):
-        policy = self._create_policy_cloud(policy=_get_policy_obj())
+        policy = self._create_policy_cloud(policy=get_policy_obj())
         self.assertListEqual(policy.policy.domains, POLICY_DOMAINS)
 
     def test_csr_attributes_service(self):
@@ -183,15 +183,15 @@ def test_csr_attributes_not_specified(self):
         self.assertTrue(cit.key_generated_by_venafi_allowed, "keyGeneratedByVenafiAllowed is not True")
 
     def test_ec_key_pair(self):
-        policy = _get_policy_obj()
+        policy = get_policy_obj()
         kp = KeyPair(
             key_types=['EC'],
             rsa_key_sizes=[2048, 4096],
             elliptic_curves=['P521', 'P384'],
             reuse_allowed=False)
         policy.key_pair = kp
 
-        defaults = _get_defaults_obj()
+        defaults = get_defaults_obj()
         defaults.key_pair = DefaultKeyPair(
             key_type='EC',
             rsa_key_size=2048,
@@ -205,7 +205,7 @@ def test_ec_key_pair(self):
         self.assertIn('P384', ['P521', 'P384'], "[P384] is not in the allowed Elliptic Curves list")
 
     def _create_policy_cloud(self, policy_spec=None, policy=None, defaults=None):
-        zone = self._get_random_zone()
+        zone = get_vaas_zone()
         response = create_policy(self.cloud_conn, zone, policy_spec, policy, defaults)
         return response
 
@@ -215,18 +215,14 @@ def _create_csr_attributes_policy(self, service_generated_csr=None):
         :param bool service_generated_csr:
         :rtype: common.Policy
         """
-        policy = _get_policy_obj()
+        policy = get_policy_obj()
         policy.key_pair.service_generated = service_generated_csr
-        zone = self._get_random_zone()
+        zone = get_vaas_zone()
         create_policy(connector=self.cloud_conn, zone=zone, policy_spec=None, policy=policy)
         cit = self.cloud_conn._get_template_by_id(zone)
 
         return cit
 
-    @staticmethod
-    def _get_random_zone():
-        return _get_zone()
-
 
 class TestLocalMethods(unittest.TestCase):
     def test_exceptions_tpp(self):
@@ -588,7 +584,7 @@ def create_policy(connector, zone, policy_spec=None, policy=None, defaults=None)
 POLICY_DOMAINS = ['vfidev.com', 'vfidev.net', 'venafi.example']
 
 
-def _get_policy_obj(ca_type=None):
+def get_policy_obj(ca_type=None):
     policy = Policy(
         subject=Subject(
             orgs=['OSS Venafi, Inc.'],
@@ -625,7 +621,7 @@ def _get_policy_obj(ca_type=None):
     return policy
 
 
-def _get_defaults_obj():
+def get_defaults_obj():
     defaults = Defaults(
         d_subject=DefaultSubject(
             org='OSS Venafi, Inc.',
@@ -639,24 +635,3 @@ def _get_defaults_obj():
             elliptic_curve='P521'),
         auto_installed=False)
     return defaults
-
-
-def _get_app_name():
-    name = 'vcert-python-app-{}'
-    return name
-
-
-def _get_cit_name():
-    cit_name = 'vcert-python-cit-{}'
-    return cit_name
-
-
-def _get_zone():
-    time = timestamp()
-    zone = f"{_get_app_name().format(time)}\\{_get_cit_name().format(time)}"
-    return zone
-
-
-def _get_tpp_policy_name():
-    time = timestamp()
-    return f"{_get_app_name().format(time)}"

tests/test_utils.py

@@ -39,6 +39,27 @@ def timestamp():
     return datetime.today().strftime('%Y.%m.%d-%Hh%Mm%Ss')
 
 
+def _get_app_name():
+    name = 'vcert-python-app-{}'
+    return name
+
+
+def _get_cit_name():
+    cit_name = 'vcert-python-cit-{}'
+    return cit_name
+
+
+def get_vaas_zone():
+    t = timestamp()
+    zone = f"{_get_app_name().format(t)}\\{_get_cit_name().format(t)}"
+    return zone
+
+
+def get_tpp_policy_name():
+    t = timestamp()
+    return f"{_get_app_name().format(t)}"
+
+
 def simple_enroll(conn, zone):
     req = CertificateRequest(common_name=f"{random_word(12)}.venafi.example.com")
     conn.request_cert(req, zone)

tests/test_vaas.py

@@ -21,11 +21,15 @@
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.x509.oid import NameOID
 
+from policy import KeyPair, DefaultKeyPair, PolicySpecification
 from test_env import CLOUD_ZONE, CLOUD_APIKEY, CLOUD_URL, RANDOM_DOMAIN
-from test_utils import random_word, enroll, renew, renew_by_thumbprint, renew_without_key_reuse, simple_enroll
+from test_pm import get_policy_obj, get_defaults_obj
+from test_utils import random_word, enroll, renew, renew_by_thumbprint, renew_without_key_reuse, simple_enroll, \
+    get_vaas_zone
 from vcert import CloudConnection, KeyType, CertificateRequest, CustomField, logger, CSR_ORIGIN_SERVICE
 
 log = logger.get_child("test-vaas")
@@ -165,3 +169,49 @@ def test_cloud_enroll_service_generated_csr(self):
 
         output = cert_object.as_pkcs12('FooBarPass123')
         log.info(f"PKCS12 created successfully for certificate with CN: {cn}")
+
+    def test_enroll_ec_key_certificate(self):
+        policy = get_policy_obj()
+        kp = KeyPair(
+            key_types=['EC'],
+            elliptic_curves=['P521', 'P384'],
+            reuse_allowed=False)
+        policy.key_pair = kp
+
+        defaults = get_defaults_obj()
+        defaults.key_pair = DefaultKeyPair(
+            key_type='EC',
+            elliptic_curve='P521')
+
+        policy_spec = PolicySpecification()
+        policy_spec.policy = policy
+        policy_spec.defaults = defaults
+
+        zone = get_vaas_zone()
+
+        self.cloud_conn.set_policy(zone, policy_spec)
+        password = 'FooBarPass123'
+
+        request = CertificateRequest(
+            common_name=f"{random_word(10)}.venafi.example",
+            key_type=KeyType(
+                key_type="ec",
+                option="P384"
+            ),
+            csr_origin=CSR_ORIGIN_SERVICE,
+            key_password=password
+        )
+
+        self.cloud_conn.request_cert(request, zone)
+        cert = self.cloud_conn.retrieve_cert(request)
+
+        p_key = None
+        try:
+            p_key = serialization.load_pem_private_key(data=cert.key.encode(), password=password.encode(),
+                                                       backend=default_backend())
+        except Exception as e:
+            log.error(msg=f"Error parsing Private Key: {e.message}")
+
+        if p_key:
+            self.assertIsInstance(p_key, EllipticCurvePrivateKey, "returned private key is not of type Elliptic Curve")
+            self.assertEqual(p_key.curve.key_size, 384, f"Private Key expected curve: 384. Got: {p_key.curve.key_size}")

vcert/connection_cloud.py

@@ -34,7 +34,7 @@
 from .policy.pm_cloud import (build_policy_spec, validate_policy_spec, AccountDetails, build_cit_request, build_user,
                               UserDetails, build_company, build_apikey, build_app_update_request, get_ca_info,
                               CertificateAuthorityDetails, CertificateAuthorityInfo, build_account_details,
-                              build_app_create_request)
+                              build_app_create_request, supported_rsa_key_sizes, supported_elliptic_curves)
 from .vaas_utils import AppDetails, RecommendedSettings, EdgeEncryptionKey, zip_to_pem, value_matches_regex
 
 TOKEN_HEADER_NAME = "tppl-api-key"  # nosec
@@ -50,6 +50,10 @@
 CSR_ATTR_COUNTRY = 'country'
 CSR_ATTR_SANS_BY_TYPE = 'subjectAlternativeNamesByType'
 CSR_ATTR_SANS_DNS = 'dnsNames'
+CSR_ATTR_KEY_TYPE_PARAMS = 'keyTypeParameters'
+CSR_ATTR_KEY_TYPE = 'keyType'
+CSR_ATTR_KEY_LENGTH = 'keyLength'
+CSR_ATTR_KEY_CURVE = 'keyCurve'
 
 log = get_child("connection-vaas")
 
@@ -739,7 +743,7 @@ def _get_service_generated_csr_attr(self, request, zone):
         if request.organization:
             if ps.policy and ps.policy.subject:
                 policy_orgs = ps.policy.subject.orgs
-                valid = value_matches_regex(value=request.organization,pattern_list=policy_orgs)
+                valid = value_matches_regex(value=request.organization, pattern_list=policy_orgs)
                 if not valid:
                     org_str = "Organization"
                     log.error(MSG_VALUE_NOT_MATCH_POLICY.format(org_str, f"{org_str}s", request.organization,
@@ -765,7 +769,7 @@ def _get_service_generated_csr_attr(self, request, zone):
                     log.error(MSG_VALUE_NOT_MATCH_POLICY.format(ou_str, f"{ou_str}s", request.organizational_unit,
                                                                 policy_ous))
                     raise ClientBadData
-            csr_attr_map[CSR_ATTR_ORG_UNIT] = request.organizational_unit
+            csr_attr_map[CSR_ATTR_ORG_UNIT] = org_units
         elif ps.defaults and ps.defaults.subject and ps.defaults.subject.org_units:
             csr_attr_map[CSR_ATTR_ORG_UNIT] = ps.defaults.subject.org_units
 
@@ -784,7 +788,7 @@ def _get_service_generated_csr_attr(self, request, zone):
 
         if request.province:
             if ps.policy and ps.policy.subject:
-                policy_provinces = ps.policy.subject.localities
+                policy_provinces = ps.policy.subject.states
                 valid = value_matches_regex(value=request.province, pattern_list=policy_provinces)
                 if not valid:
                     province_str = "Province"
@@ -815,6 +819,51 @@ def _get_service_generated_csr_attr(self, request, zone):
             }
             csr_attr_map[CSR_ATTR_SANS_BY_TYPE] = sans
 
+        if request.key_type:
+            if ps.policy and ps.policy.key_pair:
+                policy_kts = ps.policy.key_pair.key_types
+                valid = value_matches_regex(value=request.key_type.key_type.upper(), pattern_list=policy_kts)
+                if not valid:
+                    kt_str = "Key Type"
+                    log.error(MSG_VALUE_NOT_MATCH_POLICY.format(kt_str, f"{kt_str}s", request.key_type.key_type,
+                                                                policy_kts))
+                    raise ClientBadData
+                req_kt_option = request.key_type.option
+                if request.key_type.key_type.lower() == KeyType.RSA:
+                    policy_rsa_sizes = ps.policy.key_pair.rsa_key_sizes
+                    valid = value_matches_regex(value=req_kt_option, pattern_list=policy_rsa_sizes)
+                    if not valid:
+                        rsa_str = "RSA Key Size"
+                        log.error(MSG_VALUE_NOT_MATCH_POLICY.format(rsa_str, f"{rsa_str}s", req_kt_option,
+                                                                    policy_rsa_sizes))
+                        raise ClientBadData
+                elif request.key_type.key_type.lower() == KeyType.ECDSA:
+                    policy_ecs = ps.policy.key_pair.elliptic_curves
+                    valid = value_matches_regex(value=req_kt_option, pattern_list=policy_ecs)
+                    if not valid:
+                        ec_str = "Elliptic Curve"
+                        log.error(MSG_VALUE_NOT_MATCH_POLICY.format(ec_str, f"{ec_str}s", req_kt_option, policy_ecs))
+                        raise ClientBadData
+
+            kt_param = {
+                CSR_ATTR_KEY_TYPE: request.key_type.key_type.upper()
+            }
+            kt_option = request.key_type.option.upper()
+            if kt_option == KeyType.RSA:
+                kt_param[CSR_ATTR_KEY_LENGTH] = kt_option
+            elif request.key_type.key_type == KeyType.ECDSA:
+                kt_param[CSR_ATTR_KEY_CURVE] = kt_option
+
+            csr_attr_map[CSR_ATTR_KEY_TYPE_PARAMS] = kt_param
+        elif ps.defaults and ps.defaults.key_pair:
+            kt_param = {
+                CSR_ATTR_KEY_TYPE: ps.defaults.key_pair.key_type.upper()
+            }
+            if ps.defaults.key_pair.key_type.lower() == KeyType.RSA:
+                kt_param[CSR_ATTR_KEY_LENGTH] = ps.defaults.key_pair.rsa_key_size
+            elif ps.defaults.key_pair.key_type.lower() == KeyType.ECDSA:
+                kt_param[CSR_ATTR_KEY_CURVE] = ps.defaults.key_pair.elliptic_curve
+
         return csr_attr_map
 
     def _get_policy(self, zone, subject_cn_to_str):