summaryrefslogtreecommitdiff
path: root/python/vyos
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-20 17:33:00 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-20 20:14:12 +0200
commitbfadd6dfb5969f231097353a76ada3b839964a19 (patch)
tree5c9cae9c04121dd082c0a7a3e6d262df27c86489 /python/vyos
parent1554d3316eb74971d2ac7e3608173f6f113684e0 (diff)
downloadvyos-1x-bfadd6dfb5969f231097353a76ada3b839964a19.tar.gz
vyos-1x-bfadd6dfb5969f231097353a76ada3b839964a19.zip
pki: eapol: T3642: Migrate EAPoL to use PKI configuration
Diffstat (limited to 'python/vyos')
-rw-r--r--python/vyos/configverify.py35
1 files changed, 32 insertions, 3 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 979e28b11..58028b604 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -149,9 +149,38 @@ def verify_eapol(config):
recurring validation of EAPoL configuration.
"""
if 'eapol' in config:
- if not {'cert_file', 'key_file'} <= set(config['eapol']):
- raise ConfigError('Both cert and key-file must be specified '\
- 'when using EAPoL!')
+ if 'certificate' not in config['eapol']:
+ raise ConfigError('Certificate must be specified when using EAPoL!')
+
+ if 'certificate' not in config['pki']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert_name = config['eapol']['certificate']
+
+ if cert_name not in config['pki']['certificate']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert = config['pki']['certificate'][cert_name]
+
+ if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']:
+ raise ConfigError('Invalid certificate/private key specified for EAPoL')
+
+ if 'password_protected' in cert['private']:
+ raise ConfigError('Encrypted private key cannot be used for EAPoL')
+
+ if 'ca_certificate' in config['eapol']:
+ if 'ca' not in config['pki']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert_name = config['eapol']['ca_certificate']
+
+ if ca_cert_name not in config['pki']['ca']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert = config['pki']['ca'][cert_name]
+
+ if 'certificate' not in ca_cert:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
def verify_mirror(config):
"""