author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-20 17:33:00 +0200 |
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-20 20:14:12 +0200 |
commit | bfadd6dfb5969f231097353a76ada3b839964a19 (patch) | |
tree | 5c9cae9c04121dd082c0a7a3e6d262df27c86489 /python/vyos | |
parent | 1554d3316eb74971d2ac7e3608173f6f113684e0 (diff) | |
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'python/vyos')
-rw-r--r-- | python/vyos/configverify.py | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 979e28b11..58028b604 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -149,9 +149,38 @@ def verify_eapol(config):
     recurring validation of EAPoL configuration.
     """
     if 'eapol' in config:
-        if not {'cert_file', 'key_file'} <= set(config['eapol']):
-            raise ConfigError('Both cert and key-file must be specified '\
-                              'when using EAPoL!')
+        if 'certificate' not in config['eapol']:
+            raise ConfigError('Certificate must be specified when using EAPoL!')
+
+        if 'certificate' not in config['pki']:
+            raise ConfigError('Invalid certificate specified for EAPoL')
+
+        cert_name = config['eapol']['certificate']
+
+        if cert_name not in config['pki']['certificate']:
+            raise ConfigError('Invalid certificate specified for EAPoL')
+
+        cert = config['pki']['certificate'][cert_name]
+
+        if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']:
+            raise ConfigError('Invalid certificate/private key specified for EAPoL')
+
+        if 'password_protected' in cert['private']:
+            raise ConfigError('Encrypted private key cannot be used for EAPoL')
+
+        if 'ca_certificate' in config['eapol']:
+            if 'ca' not in config['pki']:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+            ca_cert_name = config['eapol']['ca_certificate']
+
+            if ca_cert_name not in config['pki']['ca']:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+            ca_cert = config['pki']['ca'][cert_name]
+
+            if 'certificate' not in ca_cert:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
 
 def verify_mirror(config):
     """
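Review bot: The CA lookup near the end of the hunk indexes `config['pki']['ca']` with `cert_name` (the leaf certificate's name) instead of the `ca_cert_name` that was just validated one line earlier, so a configuration whose CA is named differently from the leaf cert raises an unhandled KeyError rather than a ConfigError, and a configuration where the two names happen to collide has its CA checked against the wrong PKI entry. The fix is the one-line change `ca_cert = config['pki']['ca'][ca_cert_name]`. Separately, every branch dereferences `config['pki']` without first checking `'pki' in config`; if callers can pass a config without that key (not visible here), a guard such as `if 'pki' not in config: raise ConfigError('PKI configuration required for EAPoL')` at the top of the `'eapol'` branch would keep the failure a ConfigError. verify_eapol's signature and the start of its docstring lie before the hunk.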