244 lines
5.7 KiB
Python
244 lines
5.7 KiB
Python
# -*- coding: utf-8 -*- #
|
|
# Copyright 2020 Google LLC. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Helpers for building x509 parameters using a preset profile."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
from googlecloudsdk.api_lib.privateca import base as privateca_base
|
|
from googlecloudsdk.api_lib.util import messages as messages_util
|
|
from googlecloudsdk.calliope import exceptions
|
|
|
|
_LEAF_CLIENT_TLS = {
|
|
'caOptions': {
|
|
'isCa': False
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'clientAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'digitalSignature': True,
|
|
'keyEncipherment': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_LEAF_CODE_SIGNING = {
|
|
'caOptions': {
|
|
'isCa': False
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'codeSigning': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'digitalSignature': True,
|
|
'contentCommitment': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_LEAF_MTLS = {
|
|
'caOptions': {
|
|
'isCa': False
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'serverAuth': True,
|
|
'clientAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'digitalSignature': True,
|
|
'keyEncipherment': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_LEAF_SERVER_TLS = {
|
|
'caOptions': {
|
|
'isCa': False
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'serverAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'digitalSignature': True,
|
|
'keyEncipherment': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_LEAF_SMIME = {
|
|
'caOptions': {
|
|
'isCa': False
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'emailProtection': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'digitalSignature': True,
|
|
'contentCommitment': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_ROOT_UNCONSTRAINED = {
|
|
'caOptions': {
|
|
'isCa': True
|
|
},
|
|
'keyUsage': {
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_CLIENT_TLS_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'clientAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_CODE_SIGNING_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'codeSigning': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_MTLS_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'serverAuth': True,
|
|
'clientAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_SERVER_TLS_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'serverAuth': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_SMIME_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'extendedKeyUsage': {
|
|
'emailProtection': True
|
|
},
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_SUBORDINATE_UNCONSTRAINED_PATHLEN_0 = {
|
|
'caOptions': {
|
|
'isCa': True,
|
|
'maxIssuerPathLength': 0
|
|
},
|
|
'keyUsage': {
|
|
'baseKeyUsage': {
|
|
'certSign': True,
|
|
'crlSign': True
|
|
}
|
|
}
|
|
}
|
|
|
|
_PRESET_PROFILES = {
|
|
'leaf_client_tls': _LEAF_CLIENT_TLS,
|
|
'leaf_code_signing': _LEAF_CODE_SIGNING,
|
|
'leaf_mtls': _LEAF_MTLS,
|
|
'leaf_server_tls': _LEAF_SERVER_TLS,
|
|
'leaf_smime': _LEAF_SMIME,
|
|
'root_unconstrained': _ROOT_UNCONSTRAINED,
|
|
'subordinate_client_tls_pathlen_0': _SUBORDINATE_CLIENT_TLS_PATHLEN_0,
|
|
'subordinate_code_signing_pathlen_0': _SUBORDINATE_CODE_SIGNING_PATHLEN_0,
|
|
'subordinate_mtls_pathlen_0': _SUBORDINATE_MTLS_PATHLEN_0,
|
|
'subordinate_server_tls_pathlen_0': _SUBORDINATE_SERVER_TLS_PATHLEN_0,
|
|
'subordinate_smime_pathlen_0': _SUBORDINATE_SMIME_PATHLEN_0,
|
|
'subordinate_unconstrained_pathlen_0': _SUBORDINATE_UNCONSTRAINED_PATHLEN_0
|
|
}
|
|
|
|
|
|
def GetPresetProfileOptions():
|
|
"""Returns the possible string options for the use-preset-profile flag."""
|
|
return sorted(_PRESET_PROFILES.keys())
|
|
|
|
|
|
def GetPresetX509Parameters(profile_name):
|
|
"""Parses the profile name string into the corresponding API X509Parameters.
|
|
|
|
Args:
|
|
profile_name: The preset profile name.
|
|
|
|
Returns:
|
|
An X509Parameters object.
|
|
"""
|
|
if profile_name not in _PRESET_PROFILES:
|
|
raise exceptions.InvalidArgumentException(
|
|
'--use-preset-profile',
|
|
'The preset profile that was specified does not exist.')
|
|
messages = privateca_base.GetMessagesModule('v1')
|
|
return messages_util.DictToMessageWithErrorCheck(
|
|
_PRESET_PROFILES[profile_name], messages.X509Parameters)
|