This PR updates vcert-python to support additional SAN types, userPrincipalName and URL. The UPN extension was added per MS OID specifications. A fix to the tests was also made to ensure that custom extensions are added; the enroll method in test_e2e.py was not properly evaluating the connection type and was skipping the code that added custom extensions to CSR. Also made a minor update to the README to help developers that are actively updating vcert-python itself. Note: this was developed and tested in Python 3 only.

TPPTokenConnection always sends client_id value equal to vcert-sdk. Paul Cleary requested that our products use a different client_id value, for tracking purposes to tell which integrations are seeing the most use in your customer base.

However, TPPTokenConnection does not allow customizing client_id. TPPTokenConnection's constructor creates an Authentication object with only very limited customization options. The client which constructs TPPTokenConnection is not able to customize the Authentication object's client_id option.

PROBLEM SUMMARY TPPTokenConnection always uses the certificate:manage,revoke;configuration:manage scope when POSTing to /vedauth/authorize/oauth. This is hardcoded, as opposed to customizable.

On my TPP this causes an authorization issue. I'm not able to authorize with my TPP until I remove the 'configuration:manage' scope.

COMMENTS/WORKAROUNDS TPPTokenConnection's constructor creates an Authentication object with no way to customize its scope property. As a result, the Authentication object always uses the default SCOPE constant, whose value is certificate:manage,revoke;configuration:manage.

PROBLEM SUMMARY The link to examples, https://pypi.org/examples, on https://pypi.org/project/vcert/ does not work. The same link from github's readme is fine.

STEPS TO REPRODUCE Click the link :)

EXPECTED RESULTS

ACTUAL RESULTS

ENVIRONMENT DETAILS

COMMENTS/WORKAROUNDS

BUSINESS PROBLEM Most of my customers Certificate solutions use central key/CSR generation. They would like to use vcert-python but this is a blocker for them to deploy to their teams.

PROPOSED SOLUTION Adding Service Generated Keys/CSRs to vcert-Python

CURRENT ALTERNATIVES Customer is either building the certs manually through Venafi TPP UI and importing the certs manually or using the API to generate and then retrieve the cert then manually install the cert.

VENAFI EXPERIENCE My customer has been using Venafi for well over a decade and uses Venafi on a daily basis to service their entire certificate inventory.

The Org Unit construct was dropped from Venafi as a Service last week and since then the certificate policy assignment feature has not worked. This update addresses that.

The following fields can now be disabled when creating a Policy Specification on VaaS:

• organization
• organizational units
• localities
• states
• countries

To do so, an array with an empty string must be passedd to the attribute, e.g.: { "subject": { "orgs": [ "" ], "orgUnits": [ "" ], "localities": [ "sample_locality" ] } }

VaaS and TPP now default private key formats to PKCS8, a flag has been introduced allowing users to indicate they want the private key on the legacy PKCS1 format

Working with TPP, trying to retrieve a non-existing cert would result in an infinite while loop with the following error message...

ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}

Instead we now log the error once and raise a RetrieveCertificateNotFound error.

From https://github.com/Venafi/vcert/pull/220 description.

BUSINESS PROBLEM Both TPP and VaaS can support situations where multiple policies have been defined for use by a single consumer. For TPP, this is done by creating multiple child policy folders in a common parent policy folder. For VaaS, this is done by assigning multiple Issuing Templates to a single application.

PROPOSED SOLUTION The new GetZonesByParent methods for TPP and VaaS allow VCert client SDK consumers to enumerate those policies (zones) rather than having to know them individually.

The FakeConnector class is missing several operations. These operations should be returning mockup data for testing or demoing purposes.

The following operations need implementation:

• renew_cert(self, request, reuse_key=False):
• read_zone_conf(self, tag):
• import_cert(self, request):
• get_policy(self, zone):
• set_policy(self, zone, policy_spec):
• request_ssh_cert(self, request):
• retrieve_ssh_cert(self, request):
• retrieve_ssh_config(self, ca_request):

@warrior-abhijit has suggested several changes to vcert-python code. We can address them together in one issue.

switch case will be better here ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488175192

address todo now ?? as these are lot of if, else in here Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488176457

regex match API would be lot better here and will remove lot of duplicate code below w.r.t regex match Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177162

switch case may be here as well ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177862

There is a handy Python wrapper called @property. This can be handy here. It would look like this: @property def base_url(self): # This is a getter return self._base_url

@base_url.setter def base_url(self, value): # This is the setter method self._base_url = self._normalize_and_verify_base_url(value)

It's nicer for refactoring and is pretty explicit. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r492452816

How safe is it in this method to assume that these dictionary keys resolve? I'm new to this code, but I usually think thrice before trying to access a node in the dictionary without .get(). Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173154

Just a tidbit of input: Python string objects have a .startswith() method that's easier to read than a regex, although a regex works fine. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173571

No use in having a doc string if the parameters aren't described, IMO. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493174068