summaryrefslogtreecommitdiff
path: root/python/vyos/configverify.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-20 20:33:54 +0200
committerGitHub <noreply@github.com>2021-07-20 20:33:54 +0200
commit4d55afded46a07c761a724989e0e66fe88d705c7 (patch)
tree5c9cae9c04121dd082c0a7a3e6d262df27c86489 /python/vyos/configverify.py
parent4ff379d18a750314fda2b2fec5a1e285bd92f15c (diff)
parentbfadd6dfb5969f231097353a76ada3b839964a19 (diff)
downloadvyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.tar.gz
vyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.zip
Merge pull request #931 from sarthurdev/pki_eapol
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'python/vyos/configverify.py')
-rw-r--r--python/vyos/configverify.py35
1 files changed, 32 insertions, 3 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 979e28b11..58028b604 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -149,9 +149,38 @@ def verify_eapol(config):
recurring validation of EAPoL configuration.
"""
if 'eapol' in config:
- if not {'cert_file', 'key_file'} <= set(config['eapol']):
- raise ConfigError('Both cert and key-file must be specified '\
- 'when using EAPoL!')
+ if 'certificate' not in config['eapol']:
+ raise ConfigError('Certificate must be specified when using EAPoL!')
+
+ if 'certificate' not in config['pki']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert_name = config['eapol']['certificate']
+
+ if cert_name not in config['pki']['certificate']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert = config['pki']['certificate'][cert_name]
+
+ if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']:
+ raise ConfigError('Invalid certificate/private key specified for EAPoL')
+
+ if 'password_protected' in cert['private']:
+ raise ConfigError('Encrypted private key cannot be used for EAPoL')
+
+ if 'ca_certificate' in config['eapol']:
+ if 'ca' not in config['pki']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert_name = config['eapol']['ca_certificate']
+
+ if ca_cert_name not in config['pki']['ca']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert = config['pki']['ca'][cert_name]
+
+ if 'certificate' not in ca_cert:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
def verify_mirror(config):
"""