Initial code

Author: JDKeyfactor

cryptoOps.py

@@ -0,0 +1,43 @@
+# Copyright 2022 Keyfactor                                                   
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    
+# not use this file except in compliance with the License.  You may obtain a 
+# copy of the License at http://www.apache.org/licenses/LICENSE-2.0.  Unless 
+# required by applicable law or agreed to in writing, software distributed   
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES   
+# OR CONDITIONS OF ANY KIND, either express or implied. See the License for  
+# thespecific language governing permissions and limitations under the       
+# License. 
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization, hashes
+import cryptography.hazmat.backends as backends
+
+oids = {"C":NameOID.COUNTRY_NAME, "CN":NameOID.COMMON_NAME, "E":NameOID.EMAIL_ADDRESS, "L":NameOID.LOCALITY_NAME, "O":NameOID.ORGANIZATION_NAME, "OU":NameOID.ORGANIZATIONAL_UNIT_NAME, "S":NameOID.STATE_OR_PROVINCE_NAME}
+backend = backends.default_backend()
+
+def genRSAKeypair(keySize):
+  return rsa.generate_private_key(public_exponent=65537,key_size=keySize,backend=backend)
+
+def getRSAPrivateKey(keypair):
+  bstr = keypair.private_bytes(serialization.Encoding.PEM, encryption_algorithm = serialization.NoEncryption(), format=serialization.PrivateFormat.PKCS8)
+  return str(bstr.decode("UTF-8")).replace("\\n","\n")
+
+def buildSubject(DN):
+  return x509.Name([x509.NameAttribute(oids[rdn[0]],rdn[1]) for rdn in map(lambda x: x.split('='),DN.split(','))])
+
+def buildDNSSans(domains):
+  return x509.SubjectAlternativeName([x509.DNSName(d) for d in domains])
+
+def getPublicBytes(CSR):
+  return str(CSR.public_bytes(serialization.Encoding.PEM).decode("UTF-8")).replace("\\n","\n")
+
+def getThumbprint(pem):
+  return x509.load_pem_x509_certificate(pem.encode("UTF-8"),backend=backend).fingerprint(hashes.SHA1()).hex()
+
+def createCSR(DN,domainSANs=[],keySize=2048):
+  csrBuilder = x509.CertificateSigningRequestBuilder().subject_name(buildSubject(DN)).add_extension(buildDNSSans(domainSANs),critical=False)
+  key = genRSAKeypair(keySize)
+  csr = csrBuilder.sign(key, hashes.SHA256(),backend=backend)
+  return (getPublicBytes(csr),getRSAPrivateKey(key))
+

ejbca/.gitignore

@@ -0,0 +1,23 @@
+__pycache__/
+build/
+dist/
+*.egg-info/
+.pytest_cache/
+
+# pyenv
+.python-version
+
+# Environments
+.env
+.venv
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# JetBrains
+.idea/
+
+/coverage.xml
+/.coverage

ejbca/README.md

@@ -0,0 +1,87 @@
+# ejbca-rest-interface-client
+A client library for accessing EJBCA REST Interface
+
+## Usage
+First, create a client:
+
+```python
+from ejbca_rest_interface_client import Client
+
+client = Client(base_url="https://api.example.com")
+```
+
+If the endpoints you're going to hit require authentication, use `AuthenticatedClient` instead:
+
+```python
+from ejbca_rest_interface_client import AuthenticatedClient
+
+client = AuthenticatedClient(base_url="https://api.example.com", token="SuperSecretToken")
+```
+
+Now call your endpoint and use your models:
+
+```python
+from ejbca_rest_interface_client.models import MyDataModel
+from ejbca_rest_interface_client.api.my_tag import get_my_data_model
+from ejbca_rest_interface_client.types import Response
+
+my_data: MyDataModel = get_my_data_model.sync(client=client)
+# or if you need more info (e.g. status_code)
+response: Response[MyDataModel] = get_my_data_model.sync_detailed(client=client)
+```
+
+Or do the same thing with an async version:
+
+```python
+from ejbca_rest_interface_client.models import MyDataModel
+from ejbca_rest_interface_client.api.my_tag import get_my_data_model
+from ejbca_rest_interface_client.types import Response
+
+my_data: MyDataModel = await get_my_data_model.asyncio(client=client)
+response: Response[MyDataModel] = await get_my_data_model.asyncio_detailed(client=client)
+```
+
+By default, when you're calling an HTTPS API it will attempt to verify that SSL is working correctly. Using certificate verification is highly recommended most of the time, but sometimes you may need to authenticate to a server (especially an internal server) using a custom certificate bundle.
+
+```python
+client = AuthenticatedClient(
+    base_url="https://internal_api.example.com", 
+    token="SuperSecretToken",
+    verify_ssl="/path/to/certificate_bundle.pem",
+)
+```
+
+You can also disable certificate validation altogether, but beware that **this is a security risk**.
+
+```python
+client = AuthenticatedClient(
+    base_url="https://internal_api.example.com", 
+    token="SuperSecretToken", 
+    verify_ssl=False
+)
+```
+
+Things to know:
+1. Every path/method combo becomes a Python module with four functions:
+    1. `sync`: Blocking request that returns parsed data (if successful) or `None`
+    1. `sync_detailed`: Blocking request that always returns a `Request`, optionally with `parsed` set if the request was successful.
+    1. `asyncio`: Like `sync` but async instead of blocking
+    1. `asyncio_detailed`: Like `sync_detailed` but async instead of blocking
+
+1. All path/query params, and bodies become method arguments.
+1. If your endpoint had any tags on it, the first tag will be used as a module name for the function (my_tag above)
+1. Any endpoint which did not have a tag will be in `ejbca_rest_interface_client.api.default`
+
+## Building / publishing this Client
+This project uses [Poetry](https://python-poetry.org/) to manage dependencies  and packaging.  Here are the basics:
+1. Update the metadata in pyproject.toml (e.g. authors, version)
+1. If you're using a private repository, configure it with Poetry
+    1. `poetry config repositories.<your-repository-name> <url-to-your-repository>`
+    1. `poetry config http-basic.<your-repository-name> <username> <password>`
+1. Publish the client with `poetry publish --build -r <your-repository-name>` or, if for public PyPI, just `poetry publish --build`
+
+If you want to install this client into another project without publishing it (e.g. for development) then:
+1. If that project **is using Poetry**, you can simply do `poetry add <path-to-this-client>` from that project
+1. If that project is not using Poetry:
+    1. Build a wheel with `poetry build -f wheel`
+    1. Install that wheel from the other project `pip install <path-to-wheel>`

ejbca/pyproject.toml

@@ -0,0 +1,39 @@
+[tool.poetry]
+name = "ejbca-rest-interface-client"
+version = "1.0"
+description = "A client library for accessing EJBCA REST Interface"
+
+authors = []
+
+readme = "README.md"
+packages = [
+    {include = "ejbca_rest_interface_client"},
+]
+include = ["CHANGELOG.md", "ejbca_rest_interface_client/py.typed"]
+
+[tool.poetry.dependencies]
+python = "^3.7"
+httpx = ">=0.15.4,<0.24.0"
+attrs = ">=21.3.0"
+python-dateutil = "^2.8.0"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.black]
+line-length = 120
+target_version = ['py37', 'py38', 'py39']
+exclude = '''
+(
+  /(
+    | \.git
+    | \.venv
+    | \.mypy_cache
+  )/
+)
+'''
+
+[tool.isort]
+line_length = 120
+profile = "black"

ejbca/rest_client/__init__.py

@@ -0,0 +1,11 @@
+# Copyright 2022 Keyfactor                                                   
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    
+# not use this file except in compliance with the License.  You may obtain a 
+# copy of the License at http://www.apache.org/licenses/LICENSE-2.0.  Unless 
+# required by applicable law or agreed to in writing, software distributed   
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES   
+# OR CONDITIONS OF ANY KIND, either express or implied. See the License for  
+# thespecific language governing permissions and limitations under the       
+# License. 
+""" A client library for accessing EJBCA REST Interface """
+from .client import AuthenticatedClient, Client

ejbca/rest_client/api/__init__.py

@@ -0,0 +1,10 @@
+# Copyright 2022 Keyfactor                                                   
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    
+# not use this file except in compliance with the License.  You may obtain a 
+# copy of the License at http://www.apache.org/licenses/LICENSE-2.0.  Unless 
+# required by applicable law or agreed to in writing, software distributed   
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES   
+# OR CONDITIONS OF ANY KIND, either express or implied. See the License for  
+# thespecific language governing permissions and limitations under the       
+# License. 
+""" Contains methods for accessing the API """

ejbca/rest_client/api/v1ca/__init__.py

@@ -0,0 +1,9 @@
+# Copyright 2022 Keyfactor                                                   
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    
+# not use this file except in compliance with the License.  You may obtain a 
+# copy of the License at http://www.apache.org/licenses/LICENSE-2.0.  Unless 
+# required by applicable law or agreed to in writing, software distributed   
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES   
+# OR CONDITIONS OF ANY KIND, either express or implied. See the License for  
+# thespecific language governing permissions and limitations under the       
+# License. 

ejbca/rest_client/api/v1ca/create_crl.py

@@ -0,0 +1,166 @@
+# Copyright 2022 Keyfactor                                                   
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    
+# not use this file except in compliance with the License.  You may obtain a 
+# copy of the License at http://www.apache.org/licenses/LICENSE-2.0.  Unless 
+# required by applicable law or agreed to in writing, software distributed   
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES   
+# OR CONDITIONS OF ANY KIND, either express or implied. See the License for  
+# thespecific language governing permissions and limitations under the       
+# License. 
+from typing import Any, Dict, Optional, Union
+
+import httpx
+
+from ...client import Client
+from ...models.create_crl_rest_response import CreateCrlRestResponse
+from ...types import UNSET, Response, Unset
+
+
+def _get_kwargs(
+    issuer_dn: str,
+    *,
+    client: Client,
+    deltacrl: Union[Unset, None, bool] = False,
+) -> Dict[str, Any]:
+    url = "{}/v1/ca/{issuer_dn}/createcrl".format(client.base_url, issuer_dn=issuer_dn)
+
+    headers: Dict[str, str] = client.get_headers()
+    cookies: Dict[str, Any] = client.get_cookies()
+
+    params: Dict[str, Any] = {}
+    params["deltacrl"] = deltacrl
+
+    params = {k: v for k, v in params.items() if v is not UNSET and v is not None}
+
+    return {
+        "method": "post",
+        "url": url,
+        "headers": headers,
+        "cookies": cookies,
+        "timeout": client.get_timeout(),
+        "params": params,
+    }
+
+
+def _parse_response(*, response: httpx.Response) -> Optional[CreateCrlRestResponse]:
+    if response.status_code == 200:
+        response_200 = CreateCrlRestResponse.from_dict(response.json())
+
+        return response_200
+    return None
+
+
+def _build_response(*, response: httpx.Response) -> Response[CreateCrlRestResponse]:
+    return Response(
+        status_code=response.status_code,
+        content=response.content,
+        headers=response.headers,
+        parsed=_parse_response(response=response),
+    )
+
+
+def sync_detailed(
+    issuer_dn: str,
+    *,
+    client: Client,
+    deltacrl: Union[Unset, None, bool] = False,
+) -> Response[CreateCrlRestResponse]:
+    """Create CRL(main, partition and delta) issued by this CA
+
+    Args:
+        issuer_dn (str):
+        deltacrl (Union[Unset, None, bool]):
+
+    Returns:
+        Response[CreateCrlRestResponse]
+    """
+
+    kwargs = _get_kwargs(
+        issuer_dn=issuer_dn,
+        client=client,
+        deltacrl=deltacrl,
+    )
+
+    response = httpx.request(
+        cert=client.cert,
+        verify=client.verify_ssl,
+        **kwargs,
+    )
+
+    return _build_response(response=response)
+
+
+def sync(
+    issuer_dn: str,
+    *,
+    client: Client,
+    deltacrl: Union[Unset, None, bool] = False,
+) -> Optional[CreateCrlRestResponse]:
+    """Create CRL(main, partition and delta) issued by this CA
+
+    Args:
+        issuer_dn (str):
+        deltacrl (Union[Unset, None, bool]):
+
+    Returns:
+        Response[CreateCrlRestResponse]
+    """
+
+    return sync_detailed(
+        issuer_dn=issuer_dn,
+        client=client,
+        deltacrl=deltacrl,
+    ).parsed
+
+
+async def asyncio_detailed(
+    issuer_dn: str,
+    *,
+    client: Client,
+    deltacrl: Union[Unset, None, bool] = False,
+) -> Response[CreateCrlRestResponse]:
+    """Create CRL(main, partition and delta) issued by this CA
+
+    Args:
+        issuer_dn (str):
+        deltacrl (Union[Unset, None, bool]):
+
+    Returns:
+        Response[CreateCrlRestResponse]
+    """
+
+    kwargs = _get_kwargs(
+        issuer_dn=issuer_dn,
+        client=client,
+        deltacrl=deltacrl,
+    )
+
+    async with httpx.AsyncClient(verify=client.verify_ssl) as _client:
+        response = await _client.request(**kwargs)
+
+    return _build_response(response=response)
+
+
+async def asyncio(
+    issuer_dn: str,
+    *,
+    client: Client,
+    deltacrl: Union[Unset, None, bool] = False,
+) -> Optional[CreateCrlRestResponse]:
+    """Create CRL(main, partition and delta) issued by this CA
+
+    Args:
+        issuer_dn (str):
+        deltacrl (Union[Unset, None, bool]):
+
+    Returns:
+        Response[CreateCrlRestResponse]
+    """
+
+    return (
+        await asyncio_detailed(
+            issuer_dn=issuer_dn,
+            client=client,
+            deltacrl=deltacrl,
+        )
+    ).parsed