Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.

Overview

This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

VCert Python

VCert Python is a Python library and SDK designed to simplify key generation and enrollment of machine identities (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the Venafi Trust Protection Platform or Venafi as a Service.

This implementation is based on the original Go library, https://github.com/Venafi/vcert.

Compatibility

VCert supports Python 3, and Python 2.7 (when the future module is installed). VCert releases are tested using the latest version of Trust Protection Platform. The latest VCert release should be compatible with Trust Protection Platform 17.3 or higher based on the subset of API methods it consumes.

Installation

Get the library using pip:
pip install vcert

You can also install the latest version from GitHub:
pip install https://github.com/Venafi/vcert-python/archive/master.zip

If installation fails while collecting dependencies, make sure your Python setuptools is up to date. Run the following command to upgrade to the latest version of setuptools:
pip install setuptools -U

Usage example

For code samples of programmatic use, please review the files in /examples.

  • For Trust Protection Platform, the zone format is the DN of a policy with or without the "\VED\Policy" prefix (e.g. "\VED\Policy\Certificates\VCert" or simply "Certificates\VCert")
  • For Venafi as a Service, the zone format is the name of an OutagePREDICT Application and the API Alias of an Issuing Template assigned to it delimited by a single backslash character (e.g. "My Application\My CIT")
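As an added example (not code from the vcert-python project), the parser below canonicalises both zone formats described above and rejects malformed values, so a mistyped zone fails fast instead of silently enrolling into the wrong folder or template. The helper and class names are assumptions.

```python
from dataclasses import dataclass

# Hypothetical names; this is an added example, not vcert-python's own API.
TPP_POLICY_ROOT = "\\VED\\Policy"


@dataclass(frozen=True)
class TPPZone:
    policy_dn: str  # full policy folder DN, e.g. \VED\Policy\Certificates\VCert


@dataclass(frozen=True)
class VaaSZone:
    application: str     # OutagePREDICT Application name
    template_alias: str  # API Alias of the Issuing Template assigned to it


def parse_tpp_zone(zone: str) -> TPPZone:
    """Accept a policy DN with or without the \\VED\\Policy prefix (any case)
    and return the canonical full DN. Empty, root-only or zones with empty
    path components are rejected rather than guessed at."""
    relative = zone.strip().strip("\\")
    root = TPP_POLICY_ROOT.strip("\\").lower()  # "ved\policy"
    if relative.lower() == root:
        relative = ""
    elif relative.lower().startswith(root + "\\"):
        relative = relative[len(root) + 1:]
    parts = [p.strip() for p in relative.split("\\")]
    if not relative or not all(parts):
        raise ValueError("TPP zone must name a policy folder below " + TPP_POLICY_ROOT)
    return TPPZone(policy_dn=TPP_POLICY_ROOT + "\\" + "\\".join(parts))


def parse_vaas_zone(zone: str) -> VaaSZone:
    """Split 'Application\\Issuing Template API Alias' on its single backslash."""
    parts = [p.strip() for p in zone.split("\\")]
    if len(parts) != 2 or not all(parts):
        raise ValueError("VaaS zone must be 'Application\\Issuing Template API Alias'")
    return VaaSZone(application=parts[0], template_alias=parts[1])


def parse_zone(platform: str, zone: str):
    """Dispatch on the platform the connection targets: 'tpp' or 'vaas'."""
    if platform == "tpp":
        return parse_tpp_zone(zone)
    if platform == "vaas":
        return parse_vaas_zone(zone)
    raise ValueError("unknown platform: " + platform)


def is_valid_zone(platform: str, zone: str) -> bool:
    """True if the zone parses; useful for validating configuration before connecting."""
    try:
        parse_zone(platform, zone)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for platform, zone in (("tpp", "Certificates\\VCert"),
                           ("tpp", "\\VED\\Policy\\Certificates\\VCert"),
                           ("vaas", "My Application\\My CIT")):
        print(platform, repr(zone), "->", parse_zone(platform, zone))
```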

Prerequisites for using with Trust Protection Platform

  1. A user account that has an authentication token with "certificate:manage,revoke" scope (i.e. access to the "Venafi VCert SDK" API Application as of 20.1) or has been granted WebSDK Access
  2. A folder (zone) where the user has been granted the following permissions: View, Read, Write, Create, Revoke (for the revoke action), and Private Key Read (for the pickup action when CSR is service generated)
  3. Policy applied to the folder which specifies:
    1. CA Template that Trust Protection Platform will use to enroll certificate requests submitted by VCert
    2. Subject DN values for Organizational Unit (OU), Organization (O), City (L), State (ST) and Country (C)
    3. Management Type not locked or locked to 'Enrollment'
    4. Certificate Signing Request (CSR) Generation not locked or locked to 'Service Generated CSR'
    5. Generate Key/CSR on Application not locked or locked to 'No'
    6. (Recommended) Disable Automatic Renewal set to 'Yes'
    7. (Recommended) Key Bit Strength set to 2048 or higher
    8. (Recommended) Domain Whitelisting policy appropriately assigned

The requirement for the CA Template to be assigned by policy follows a long-standing Venafi best practice, which also met our design objective of keeping the certificate request process simple for VCert users. If you require the ability to specify the CA Template with the request, you can use the TPP REST APIs, but be advised that this goes against Venafi recommendations.

Prerequisites for using with Venafi as a Service

  1. The Venafi as a Service REST API is accessible at https://api.venafi.cloud from the system where VCert will be executed.
  2. You have successfully registered for a Venafi as a Service account, have been granted at least the "Resource Owner" role, and know your API key.
  3. A CA Account and Issuing Template exist and have been configured with:
    1. Recommended Settings values for:
      1. Organizational Unit (OU)
      2. Organization (O)
      3. City/Locality (L)
      4. State/Province (ST)
      5. Country (C)
    2. Issuing Rules that:
      1. (Recommended) Limit the Common Name and Subject Alternative Names to domains allowed by your organization
      2. (Recommended) Restrict the Key Length to 2048 or higher
      3. (Recommended) Do not allow Private Key Reuse
  4. An Application exists where you are among the owners, and you know the Application Name.
  5. An Issuing Template is assigned to the Application, and you know its API Alias.

Contributing to VCert

Venafi welcomes contributions from the developer community.

  1. Fork it to your account (https://github.com/Venafi/vcert-python/fork)
  2. Clone your fork (git clone [email protected]:youracct/vcert-python.git)
  3. Create a feature branch (git checkout -b your-branch-name)
  4. Implement and test your changes
  5. Commit your changes (git commit -am 'Added some cool functionality')
  6. Push to the branch (git push origin your-branch-name)
  7. Create a new Pull Request (https://github.com/youracct/vcert-python/pull/new/your-branch-name)

NOTE: While developing with vcert-python, it is helpful to use a virtualenv and install the vcert-python library from source in development mode with pip install --editable. See https://packaging.python.org/guides/installing-using-pip-and-virtual-environments/

License

Copyright © Venafi, Inc. All rights reserved.

VCert is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to [email protected].

Comments
  • Add support for UPN and URI SAN types

    Add support for UPN and URI SAN types

    This PR updates vcert-python to support additional SAN types, userPrincipalName and URL. The UPN extension was added per MS OID specifications. A fix to the tests was also made to ensure that custom extensions are added; the enroll method in test_e2e.py was not properly evaluating the connection type and was skipping the code that added custom extensions to CSR. Also made a minor update to the README to help developers that are actively updating vcert-python itself. Note: this was developed and tested in Python 3 only.

    opened by wgoulet 8
  • TPPTokenConnection not able to customize ClientID

    TPPTokenConnection not able to customize ClientID

    TPPTokenConnection always sends client_id value equal to vcert-sdk. Paul Cleary requested that our products use a different client_id value, for tracking purposes to tell which integrations are seeing the most use in your customer base.

    However, TPPTokenConnection does not allow customizing client_id. TPPTokenConnection's constructor creates an Authentication object with only very limited customization options. The client which constructs TPPTokenConnection is not able to customize the Authentication object's client_id option.

    bug 
    opened by FooBarWidget 2
  • TPPTokenConnection not able to customize OAuth scope

    TPPTokenConnection not able to customize OAuth scope

    PROBLEM SUMMARY TPPTokenConnection always uses the certificate:manage,revoke;configuration:manage scope when POSTing to /vedauth/authorize/oauth. This is hardcoded, as opposed to customizable.

    On my TPP this causes an authorization issue. I'm not able to authorize with my TPP until I remove the 'configuration:manage' scope.

    COMMENTS/WORKAROUNDS TPPTokenConnection's constructor creates an Authentication object with no way to customize its scope property. As a result, the Authentication object always uses the default SCOPE constant, whose value is certificate:manage,revoke;configuration:manage.

    bug 
    opened by FooBarWidget 2
  • Examples link on pypi not working

    Examples link on pypi not working

    PROBLEM SUMMARY The link to examples, https://pypi.org/examples, on https://pypi.org/project/vcert/ does not work. The same link from github's readme is fine.

    STEPS TO REPRODUCE Click the link :)

    EXPECTED RESULTS

    ACTUAL RESULTS

    ENVIRONMENT DETAILS

    COMMENTS/WORKAROUNDS

    bug 
    opened by gdbarron 1
  • Support for central key/CSR generation or Service generation through Venafi TPP

    Support for central key/CSR generation or Service generation through Venafi TPP

    BUSINESS PROBLEM Most of my customers Certificate solutions use central key/CSR generation. They would like to use vcert-python but this is a blocker for them to deploy to their teams.

    PROPOSED SOLUTION Adding Service Generated Keys/CSRs to vcert-Python

    CURRENT ALTERNATIVES Customer is either building the certs manually through Venafi TPP UI and importing the certs manually or using the API to generate and then retrieve the cert then manually install the cert.

    VENAFI EXPERIENCE My customer has been using Venafi for well over a decade and uses Venafi on a daily basis to service their entire certificate inventory.

    enhancement 
    opened by GeoffVenafi 1
  • Fix policy management for VaaS after Org Unit removed

    Fix policy management for VaaS after Org Unit removed

    The Org Unit construct was dropped from Venafi as a Service last week and since then the certificate policy assignment feature has not worked. This update addresses that.

    opened by tr1ck3r 0
  • Adding ability to disable subject fields for VaaS

    Adding ability to disable subject fields for VaaS

    The following fields can now be disabled when creating a Policy Specification on VaaS:

    • organization
    • organizational units
    • localities
    • states
    • countries

    To do so, an array with an empty string must be passed to the attribute, e.g.: { "subject": { "orgs": [ "" ], "orgUnits": [ "" ], "localities": [ "sample_locality" ] } }

    opened by rvelaVenafi 0
  • Adding support for PKCS1 format on private keys

    Adding support for PKCS1 format on private keys

    VaaS and TPP now default private key formats to PKCS8; a flag has been introduced allowing users to indicate they want the private key in the legacy PKCS1 format.

    opened by rvelaVenafi 0
  • fix: remove infinite while loop and added error handling for retrieve_cert()

    fix: remove infinite while loop and added error handling for retrieve_cert()

    Working with TPP, trying to retrieve a non-existing cert would result in an infinite while loop with the following error message...

    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    

    Instead we now log the error once and raise a RetrieveCertificateNotFound error.

    opened by mowdash 0
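An added example, not the project's code, showing the pattern the fix above describes: a retrieve loop that logs a "does not exist" error once and raises instead of retrying, and that also bounds how long a pending certificate is polled so a client can never spin forever. RetrieveCertificateNotFound is the name the PR uses; the other function and exception names are assumptions, and the scripted responses are constructed.

```python
import logging
import time
from typing import Callable, Dict, Optional

log = logging.getLogger(__name__)


class RetrieveCertificateNotFound(Exception):
    """Raised once, instead of retrying, when TPP reports the certificate does not exist."""


class RetrieveCertificateTimeout(Exception):
    """Raised when the certificate is still not available when the deadline passes."""


def tpp_error_text(body: Dict) -> Optional[str]:
    """TPP error bodies look like {'Error': 'Certificate test does not exist.'}."""
    err = body.get("Error")
    return err if isinstance(err, str) else None


def retrieve_cert_bounded(fetch: Callable[[], Dict], timeout_seconds: float = 60.0,
                          poll_interval: float = 1.0, sleep=time.sleep, clock=time.monotonic) -> str:
    """Poll fetch() until it returns {'CertificateData': ...}.
    A 'does not exist' error is terminal: logged once, then raised. Other errors are
    raised too rather than swallowed, and a deadline bounds polling of a pending cert.
    sleep and clock are injectable so the loop can be exercised without waiting."""
    deadline = clock() + timeout_seconds
    while True:
        body = fetch()
        err = tpp_error_text(body)
        if err is not None:
            if "does not exist" in err:
                log.error("certificate not found, giving up: %s", err)
                raise RetrieveCertificateNotFound(err)
            raise RuntimeError("TPP returned an error: " + err)
        if "CertificateData" in body:
            return body["CertificateData"]
        if clock() >= deadline:
            raise RetrieveCertificateTimeout("not available after %.0fs" % timeout_seconds)
        sleep(poll_interval)


def make_scripted_fetch(responses):
    """Constructed stand-in for a TPP connection: replays the scripted bodies in order,
    then repeats the last one. The call counter proves the loop terminated."""
    calls = {"n": 0}

    def fetch() -> Dict:
        i = min(calls["n"], len(responses) - 1)
        calls["n"] += 1
        return responses[i]

    return fetch, calls


def demo_outcome(responses, timeout_seconds: float = 5.0):
    """Run the bounded loop over scripted responses with a fake clock; return (outcome, calls)."""
    fetch, calls = make_scripted_fetch(responses)
    now = [0.0]

    def fake_sleep(seconds):
        now[0] += seconds  # advance the fake clock instead of blocking

    try:
        data = retrieve_cert_bounded(fetch, timeout_seconds, 1.0, fake_sleep, lambda: now[0])
        return "issued:" + data, calls["n"]
    except RetrieveCertificateNotFound:
        return "not-found", calls["n"]
    except RetrieveCertificateTimeout:
        return "timeout", calls["n"]
```

With the not-found response the loop makes exactly one call; with a certificate that is never issued it stops at the deadline instead of looping indefinitely.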
  • Replicate the VCert-go GetZonesByParent() feature

    Replicate the VCert-go GetZonesByParent() feature

    From https://github.com/Venafi/vcert/pull/220 description.

    BUSINESS PROBLEM Both TPP and VaaS can support situations where multiple policies have been defined for use by a single consumer. For TPP, this is done by creating multiple child policy folders in a common parent policy folder. For VaaS, this is done by assigning multiple Issuing Templates to a single application.

    PROPOSED SOLUTION The new GetZonesByParent methods for TPP and VaaS allow VCert client SDK consumers to enumerate those policies (zones) rather than having to know them individually.

    enhancement 
    opened by marcos-albornoz 0
  • Implement missing operations on Fake Connector

    Implement missing operations on Fake Connector

    The FakeConnector class is missing several operations. These operations should be returning mockup data for testing or demoing purposes.

    The following operations need implementation:

    • renew_cert(self, request, reuse_key=False):
    • read_zone_conf(self, tag):
    • import_cert(self, request):
    • get_policy(self, zone):
    • set_policy(self, zone, policy_spec):
    • request_ssh_cert(self, request):
    • retrieve_ssh_cert(self, request):
    • retrieve_ssh_config(self, ca_request):
    opened by rvelaVenafi 0
  • Refactor and optimize code

    Refactor and optimize code

    @warrior-abhijit has suggested several changes to vcert-python code. We can address them together in one issue.

    switch case will be better here ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488175192

    address todo now ?? as these are lot of if, else in here Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488176457

    regex match API would be lot better here and will remove lot of duplicate code below w.r.t regex match Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177162

    switch case may be here as well ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177862

    There is a handy Python wrapper called @property. This can be handy here. It would look like this:

        @property
        def base_url(self):
            # This is a getter
            return self._base_url

        @base_url.setter
        def base_url(self, value):
            # This is the setter method
            self._base_url = self._normalize_and_verify_base_url(value)

    It's nicer for refactoring and is pretty explicit. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r492452816

    How safe is it in this method to assume that these dictionary keys resolve? I'm new to this code, but I usually think thrice before trying to access a node in the dictionary without .get(). Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173154

    Just a tidbit of input: Python string objects have a .startswith() method that's easier to read than a regex, although a regex works fine. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173571

    No use in having a doc string if the parameters aren't described, IMO. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493174068

    enhancement 
    opened by rvelaVenafi 0
Releases (v0.15.0)
  • v0.15.0 (May 17, 2022)

    • Support for contacts/owners when creating a policy on both TPP and VaaS
    • Support for legacy PKCS1 format on private keys when requesting a certificate
    • Support for SANs: email, IP, URI when creating a policy on VaaS
    • Ability to disable Subject fields on VaaS: organizations, org units, localities, states, countries
    • Support for EC private keys on VaaS
    • Support for Service generated related attributes on VaaS
  • v0.14.0 (Feb 4, 2022)

    • Dropped support for Python 2 as it has reached end of life. The new baseline is Python 3.6 and higher.
    • Added integration with sonarcloud for test coverage.
    • Added version history file.
    • Added test cases for json/yaml file parsing.
    • Minor issues fixed.
  • v0.13.2 (Dec 7, 2021)

    • Added the ability to fill up the empty attributes of the certificate request with the default values of the policy/zone where the certificate is going to be created. Supported values: organization, organizational units, locality, state, country
  • v0.13.1 (Nov 30, 2021)

  • v0.13.0 (Nov 30, 2021)

  • v0.12.5 (Oct 30, 2021)

  • v0.12.4 (Oct 12, 2021)

    • Support for PKCS12 has been added to the response certificate. Calling certificate.as_pkcs12("password") returns the certificate content as PKCS12.
    • Support for flexible validity periods has been added. Setting request.validity_hours = 144 will create a certificate with the specified expiration period. Additionally, an issuer can be specified for TPP with request.issuer_hint = IssuerHint.MICROSOFT (or any value available on the IssuerHint object).
  • v0.12.3 (Sep 29, 2021)

  • v0.12.2 (Sep 27, 2021)

  • v0.12.1 (Sep 2, 2021)

    • Removed the 'keyReuse' attribute from policy specification creation on VaaS.
    • Fixed an issue in URL validation that failed for URLs containing upper-case characters.
  • v0.12.0 (Aug 17, 2021)

    Added support for SSH certificates in Trust Protection Platform through the new methods: request_ssh_cert() and retrieve_ssh_cert(). For usage examples check: https://github.com/Venafi/vcert-python/tree/master/examples/ssh_certificates

  • v0.11.2 (Jul 29, 2021)

  • v0.11.1 (Jul 14, 2021)

    • Policy Management token scope separated from the Certificate Management scope. The Certificate Management scope is now the default.
    • Fixed an issue where retrieving a policy from VaaS returned the domain values with appended regexes if the policy was created using any of the VCert SDKs. This issue does not occur if the policy was created using the VaaS UI.
    • Fixed an issue where the Country regexes were being returned as the CN regexes when retrieving a policy from VaaS.
    • Fixed an issue where certificates requested from VaaS would fail to be retrieved even when the status of the certificate was ISSUED. A timeout has been added to the request, so the SDK will keep trying to retrieve the certificate for that long before failing.
  • v0.11.0 (May 12, 2021)

    Added Certificate Policy Management for Trust Protection Platform and Venafi as a Service through the new set_policy() and get_policy() methods of the CloudConnection, TPPConnection and TPPTokenConnection classes. For a usage example see https://github.com/Venafi/vcert-python/blob/master/examples/set_policy.py

  • v0.10.0 (Jan 23, 2021)

    This release updates the Venafi Cloud integration to use OutagePREDICT instead of DevOpsACCELERATE. The only impact to Venafi Cloud users of VCert-Python is the change in zone syntax. The zone is now "{ApplicationName}\{IssuingTemplateApiAlias}" (e.g. "My Application\My CIT").

  • v0.9.1 (Dec 15, 2020)

  • v0.9.0 (Sep 30, 2020)

  • v0.8.0 (Apr 10, 2020)

  • v0.7.4 (Jan 14, 2020)

  • v0.7.0 (Nov 20, 2019)

  • v0.6.9 (Nov 18, 2019)

  • v0.6.7 (Oct 29, 2019)

  • csr-fix (Sep 11, 2019)

  • v0.3.1 (Jan 11, 2019)

  • v0.3.0 (Jan 10, 2019)
