diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-20 20:33:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-20 20:33:54 +0200 |
commit | 4d55afded46a07c761a724989e0e66fe88d705c7 (patch) | |
tree | 5c9cae9c04121dd082c0a7a3e6d262df27c86489 /python/vyos/configverify.py | |
parent | 4ff379d18a750314fda2b2fec5a1e285bd92f15c (diff) | |
parent | bfadd6dfb5969f231097353a76ada3b839964a19 (diff) | |
download | vyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.tar.gz vyos-1x-4d55afded46a07c761a724989e0e66fe88d705c7.zip |
Merge pull request #931 from sarthurdev/pki_eapol
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'python/vyos/configverify.py')
-rw-r--r-- | python/vyos/configverify.py | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 979e28b11..58028b604 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -149,9 +149,38 @@ def verify_eapol(config): recurring validation of EAPoL configuration. """ if 'eapol' in config: - if not {'cert_file', 'key_file'} <= set(config['eapol']): - raise ConfigError('Both cert and key-file must be specified '\ - 'when using EAPoL!') + if 'certificate' not in config['eapol']: + raise ConfigError('Certificate must be specified when using EAPoL!') + + if 'certificate' not in config['pki']: + raise ConfigError('Invalid certificate specified for EAPoL') + + cert_name = config['eapol']['certificate'] + + if cert_name not in config['pki']['certificate']: + raise ConfigError('Invalid certificate specified for EAPoL') + + cert = config['pki']['certificate'][cert_name] + + if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']: + raise ConfigError('Invalid certificate/private key specified for EAPoL') + + if 'password_protected' in cert['private']: + raise ConfigError('Encrypted private key cannot be used for EAPoL') + + if 'ca_certificate' in config['eapol']: + if 'ca' not in config['pki']: + raise ConfigError('Invalid CA certificate specified for EAPoL') + + ca_cert_name = config['eapol']['ca_certificate'] + + if ca_cert_name not in config['pki']['ca']: + raise ConfigError('Invalid CA certificate specified for EAPoL') + + ca_cert = config['pki']['ca'][cert_name] + + if 'certificate' not in ca_cert: + raise ConfigError('Invalid CA certificate specified for EAPoL') def verify_mirror(config): """ |