Draft: feat(req): add parameter to hand over complete CSR

certipy/commands/parsers/req.py

@@ -53,6 +53,13 @@ def add_subparser(subparsers: argparse._SubParsersAction) -> Tuple[str, Callable
         metavar="pfx/p12 file name",
         help="Path to PFX for -on-behalf-of or -renew",
     )
+    group.add_argument(
+        "-csrfile",
+        action="store",
+        metavar="CSR file name",
+        help="Path to CSR file for use with OpenSSL-generated Certificate Requests",
+        # Conflicts with -upn,-dns,-sid,-subject,-retrieve,-on-behalf-of,-pfx
+    )    
     group.add_argument(
         "-key-size",
         action="store",

certipy/commands/req.py

@@ -22,6 +22,7 @@
     csr_to_der,
     der_to_cert,
     der_to_csr,
+    pem_to_csr,
     der_to_pem,
     get_identifications_from_certificate,
     get_object_sid_from_certificate,
@@ -526,6 +527,7 @@ def __init__(
         dns: str = None,
         sid: str = None,
         subject: str = None,
+        csrfile: str = None,
         retrieve: int = 0,
         on_behalf_of: str = None,
         pfx: str = None,
@@ -548,6 +550,7 @@ def __init__(
         self.alt_dns = dns
         self.alt_sid = sid
         self.subject = subject
+        self.csrfile = csrfile
         self.request_id = int(retrieve)
         self.on_behalf_of = on_behalf_of
         self.pfx = pfx
@@ -667,17 +670,23 @@ def request(self) -> bool:
             with open(self.pfx, "rb") as f:
                 renewal_key, renewal_cert = load_pfx(f.read())
 
-        csr, key = create_csr(
-            username,
-            alt_dns=self.alt_dns,
-            alt_upn=self.alt_upn,
-            alt_sid=self.alt_sid,
-            key=self.key,
-            key_size=self.key_size,
-            subject=self.subject,
-            renewal_cert=renewal_cert,
-        )
-        self.key = key
+        if self.csrfile:
+            # Read file
+            with open(self.csrfile, "rb") as c:
+                csr = pem_to_csr(c.read())
+
+        else:
+            csr, key = create_csr(
+                username,
+                alt_dns=self.alt_dns,
+                alt_upn=self.alt_upn,
+                alt_sid=self.alt_sid,
+                key=self.key,
+                key_size=self.key_size,
+                subject=self.subject,
+                renewal_cert=renewal_cert,
+            )
+            self.key = key
 
         csr = csr_to_der(csr)
 
@@ -743,14 +752,21 @@ def request(self) -> bool:
 
             out = out.rstrip("$").lower()
 
-        pfx = create_pfx(key, cert)
+        if self.csrfile:
+            pfx = create_pfx(None, cert)
+
+        else:
+            pfx = create_pfx(key, cert)
 
         outfile = "%s.pfx" % out
 
         with open(outfile, "wb") as f:
             f.write(pfx)
 
-        logging.info("Saved certificate and private key to %s" % repr(outfile))
+        if self.csrfile:
+            logging.info("Saved certificate without private key to %s" % repr(outfile))
+        else:
+            logging.info("Saved certificate and private key to %s" % repr(outfile))
 
         return pfx, outfile
 

certipy/lib/certificate.py

@@ -220,6 +220,8 @@ def der_to_pem(der: bytes, pem_type: str) -> bytes:
 def der_to_csr(csr: bytes) -> x509.CertificateSigningRequest:
     return x509.load_der_x509_csr(csr)
 
+def pem_to_csr(csr: bytes) -> x509.CertificateSigningRequest:
+    return x509.load_pem_x509_csr(csr)
 
 def der_to_key(key: bytes) -> rsa.RSAPrivateKey:
     return serialization.load_der_private_key(key, None)