Merge pull request #5089 from jmcrawford45/PS-6484

Config option to translate authorities on reissuance
Netflix · Feb 11, 2025 · a124fca · a124fca
2 parents 0f0a857 + 2a98e5e
commit a124fca
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 15 deletions.
diff --git a/docs/administration.rst b/docs/administration.rst
@@ -517,6 +517,15 @@ This needs 2 configurations
         AUTHORITY_TO_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES = ["LetsEncrypt"]
 
 
+
+**Certificate re-issuance**
+
+When a cert is reissued (i.e. a new certificate is minted to replace it), *and* the re-issuance either fails or
+succeeds but the certificate has no associated endpoints (meaning the subsequent rotation step will not occur),
+Lemur will send a notification via email to the certificate owner. This notification is disabled by default;
+to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
+``ENABLE_REISSUE_NOTIFICATION`` (when using celery).
+
 .. data:: DAYS_SINCE_ISSUANCE_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES
     :noindex:
 
@@ -530,13 +539,17 @@ This needs 2 configurations
         DAYS_SINCE_ISSUANCE_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES = 7
 
 
-**Certificate re-issuance**
 
-When a cert is reissued (i.e. a new certificate is minted to replace it), *and* the re-issuance either fails or
-succeeds but the certificate has no associated endpoints (meaning the subsequent rotation step will not occur),
-Lemur will send a notification via email to the certificate owner. This notification is disabled by default;
-to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
-``ENABLE_REISSUE_NOTIFICATION`` (when using celery).
+.. data:: ROTATE_AUTHORITY_TRANSLATION
+    :noindex:
+
+        Use this config (optional) to migrate from one authority id to another on reissuance (useful for expiring authorities,
+        key migrations, etc).
+
+    ::
+
+        ROTATE_AUTHORITY_TRANSLATION = {1: 2}
+
 
 **Certificate rotation**
 

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
@@ -986,6 +986,11 @@ def reissue_certificate(certificate, notify=None, replace=None, user=None):
     if replace:
         primitives["replaces"] = [certificate]
 
+    if primitives["authority"].id in current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {}):
+        primitives["authority"] = database.get(Authority,
+            current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {})[primitives["authority"].id]
+        )
+
     # Modify description to include the certificate ID being reissued and mention that this is created by Lemur
     # as part of reissue
     reissue_message_prefix = "Reissued by Lemur for cert ID "
@@ -999,15 +1004,6 @@ def reissue_certificate(certificate, notify=None, replace=None, user=None):
     else:
         primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
 
-    # Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
-    # This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
-    # Unless identified a use case, this will be removed in mid-Q2 2021
-    ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
-    ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
-
-    if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
-        primitives["key_type"] = "ECCPRIME256V1"
-
     # allow celery to send notifications for PendingCertificates using the old cert
     if notify:
         primitives["async_reissue_notification_cert_id"] = certificate.id

diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
@@ -1,4 +1,5 @@
 import datetime
+from flask import current_app
 import json
 import ssl
 import threading
@@ -979,6 +980,18 @@ def test_reissue_certificate(
     assert new_cert.organization == certificate.organization
 
 
+def test_reissue_certificate_authority_translation(
+    issuer_plugin, crypto_authority, certificate, logged_in_user, authority
+):
+    from lemur.certificates.service import reissue_certificate
+
+    # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
+    certificate.authority = authority
+    current_app.config["ROTATE_AUTHORITY_TRANSLATION"] = {authority.id: crypto_authority.id}
+    new_cert = reissue_certificate(certificate)
+    assert new_cert.authority_id == crypto_authority.id
+
+
 def test_reissue_command_by_name(
         issuer_plugin, crypto_authority, logged_in_user
 ):