diff options
author | goodNETnick <33053932+goodNETnick@users.noreply.github.com> | 2022-03-31 13:48:47 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-31 13:48:47 +1000 |
commit | aa5b35b68c1170bfd0b9661bafa72bb10fe6ca95 (patch) | |
tree | 46f3ffc41c29666c3251f25f2f93cb1f1b9a6c60 /src/conf_mode/interfaces-ethernet.py | |
parent | b776003cf55e1035ac83186e44f72764e52e9e0d (diff) | |
parent | bafb1973d906707cb571385e994a949d0d90b645 (diff) | |
download | vyos-1x-aa5b35b68c1170bfd0b9661bafa72bb10fe6ca95.tar.gz vyos-1x-aa5b35b68c1170bfd0b9661bafa72bb10fe6ca95.zip |
Merge branch 'vyos:current' into ocserv_local_otp
Diffstat (limited to 'src/conf_mode/interfaces-ethernet.py')
-rwxr-xr-x | src/conf_mode/interfaces-ethernet.py | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index e7250fb49..3eeddf190 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -28,11 +28,14 @@ from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mirror from vyos.configverify import verify_mtu from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_redirect from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ethtool import Ethtool from vyos.ifconfig import EthernetIf -from vyos.pki import wrap_certificate +from vyos.pki import find_chain +from vyos.pki import encode_certificate +from vyos.pki import load_certificate from vyos.pki import wrap_private_key from vyos.template import render from vyos.util import call @@ -82,6 +85,7 @@ def verify(ethernet): verify_vrf(ethernet) verify_eapol(ethernet) verify_mirror(ethernet) + verify_redirect(ethernet) ethtool = Ethtool(ifname) # No need to check speed and duplex keys as both have default values. @@ -159,16 +163,26 @@ def generate(ethernet): cert_name = ethernet['eapol']['certificate'] pki_cert = ethernet['pki']['certificate'][cert_name] - write_file(cert_file_path, wrap_certificate(pki_cert['certificate'])) + loaded_pki_cert = load_certificate(pki_cert['certificate']) + loaded_ca_certs = {load_certificate(c['certificate']) + for c in ethernet['pki']['ca'].values()} + + cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs) + + write_file(cert_file_path, + '\n'.join(encode_certificate(c) for c in cert_full_chain)) write_file(cert_key_path, wrap_private_key(pki_cert['private']['key'])) if 'ca_certificate' in ethernet['eapol']: ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem') ca_cert_name = ethernet['eapol']['ca_certificate'] - pki_ca_cert = ethernet['pki']['ca'][cert_name] + pki_ca_cert = ethernet['pki']['ca'][ca_cert_name] + + loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) write_file(ca_cert_file_path, - wrap_certificate(pki_ca_cert['certificate'])) + '\n'.join(encode_certificate(c) for c in ca_full_chain)) else: # delete configuration on interface removal if os.path.isfile(wpa_suppl_conf.format(**ethernet)): |