diff options
author | Christian Breunig <christian@breunig.cc> | 2024-02-14 13:09:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-14 13:09:15 +0100 |
commit | 697ce8c51c2ae9667a699b3d95e0ffa6b1984328 (patch) | |
tree | 2b806062465db67714edeb672bb426ef6ca1f092 /src/conf_mode | |
parent | 5d70d5e4ff85d72c94b30c0340e96de6f4489f12 (diff) | |
parent | 86612b16ed2fa3df604c515dfcb6e45d700f3896 (diff) | |
download | vyos-1x-697ce8c51c2ae9667a699b3d95e0ffa6b1984328.tar.gz vyos-1x-697ce8c51c2ae9667a699b3d95e0ffa6b1984328.zip |
Merge pull request #3009 from vyos/mergify/bp/sagitta/pr-2988
rpki: T6034: move file based SSH keys for authentication to PKI subsystem (backport #2988)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/pki.py | 40 | ||||
-rwxr-xr-x | src/conf_mode/protocols_rpki.py | 47 |
2 files changed, 74 insertions, 13 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index 4be40e99e..3ab6ac5c3 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -24,11 +24,12 @@ from vyos.config import config_dict_merge from vyos.configdep import set_dependents from vyos.configdep import call_dependents from vyos.configdict import node_changed -from vyos.configdiff import Diff from vyos.defaults import directories from vyos.pki import is_ca_certificate from vyos.pki import load_certificate from vyos.pki import load_public_key +from vyos.pki import load_openssh_public_key +from vyos.pki import load_openssh_private_key from vyos.pki import load_private_key from vyos.pki import load_crl from vyos.pki import load_dh_parameters @@ -64,6 +65,10 @@ sync_search = [ 'path': ['interfaces', 'sstpc'], }, { + 'keys': ['key'], + 'path': ['protocols', 'rpki', 'cache'], + }, + { 'keys': ['certificate', 'ca_certificate', 'local_key', 'remote_key'], 'path': ['vpn', 'ipsec'], }, @@ -86,7 +91,8 @@ sync_translate = { 'remote_key': 'key_pair', 'shared_secret_key': 'openvpn', 'auth_key': 'openvpn', - 'crypt_key': 'openvpn' + 'crypt_key': 'openvpn', + 'key': 'openssh', } def certbot_delete(certificate): @@ -150,6 +156,11 @@ def get_config(config=None): if 'changed' not in pki: pki.update({'changed':{}}) pki['changed'].update({'key_pair' : tmp}) + tmp = node_changed(conf, base + ['openssh'], recursive=True) + if tmp: + if 'changed' not in pki: pki.update({'changed':{}}) + pki['changed'].update({'openssh' : tmp}) + tmp = node_changed(conf, base + ['openvpn', 'shared-secret'], recursive=True) if tmp: if 'changed' not in pki: pki.update({'changed':{}}) @@ -241,6 +252,17 @@ def is_valid_private_key(raw_data, protected=False): return True return load_private_key(raw_data, passphrase=None, wrap_tags=True) +def is_valid_openssh_public_key(raw_data, type): + # If it loads correctly we're good, or return False + return load_openssh_public_key(raw_data, type) + +def is_valid_openssh_private_key(raw_data, protected=False): + # If it loads correctly we're good, or return False + # With encrypted private keys, we always return true as we cannot ask for password to verify + if protected: + return True + return load_openssh_private_key(raw_data, passphrase=None, wrap_tags=True) + def is_valid_crl(raw_data): # If it loads correctly we're good, or return False return load_crl(raw_data, wrap_tags=True) @@ -322,6 +344,20 @@ def verify(pki): if not is_valid_private_key(private['key'], protected): raise ConfigError(f'Invalid private key on key-pair "{name}"') + if 'openssh' in pki: + for name, key_conf in pki['openssh'].items(): + if 'public' in key_conf and 'key' in key_conf['public']: + if 'type' not in key_conf['public']: + raise ConfigError(f'Must define OpenSSH public key type for "{name}"') + if not is_valid_openssh_public_key(key_conf['public']['key'], key_conf['public']['type']): + raise ConfigError(f'Invalid OpenSSH public key "{name}"') + + if 'private' in key_conf and 'key' in key_conf['private']: + private = key_conf['private'] + protected = 'password_protected' in private + if not is_valid_openssh_private_key(private['key'], protected): + raise ConfigError(f'Invalid OpenSSH private key "{name}"') + if 'x509' in pki: if 'default' in pki['x509']: default_values = pki['x509']['default'] diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py index 0fc14e868..a59ecf3e4 100755 --- a/src/conf_mode/protocols_rpki.py +++ b/src/conf_mode/protocols_rpki.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,16 +16,22 @@ import os +from glob import glob from sys import exit from vyos.config import Config +from vyos.pki import wrap_openssh_public_key +from vyos.pki import wrap_openssh_private_key from vyos.template import render_to_string -from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_search_args +from vyos.utils.file import write_file from vyos import ConfigError from vyos import frr from vyos import airbag airbag.enable() +rpki_ssh_key_base = '/run/frr/id_rpki' + def get_config(config=None): if config: conf = config @@ -33,7 +39,8 @@ def get_config(config=None): conf = Config() base = ['protocols', 'rpki'] - rpki = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + rpki = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, with_pki=True) # Bail out early if configuration tree does not exist if not conf.exists(base): rpki.update({'deleted' : ''}) @@ -63,22 +70,40 @@ def verify(rpki): preferences.append(preference) if 'ssh' in peer_config: - files = ['private_key_file', 'public_key_file'] - for file in files: - if file not in peer_config['ssh']: - raise ConfigError('RPKI+SSH requires username and public/private ' \ - 'key file to be defined!') + if 'username' not in peer_config['ssh']: + raise ConfigError('RPKI+SSH requires username to be defined!') + + if 'key' not in peer_config['ssh'] or 'openssh' not in rpki['pki']: + raise ConfigError('RPKI+SSH requires key to be defined!') - filename = peer_config['ssh'][file] - if not os.path.exists(filename): - raise ConfigError(f'RPKI SSH {file.replace("-","-")} "{filename}" does not exist!') + if peer_config['ssh']['key'] not in rpki['pki']['openssh']: + raise ConfigError('RPKI+SSH key not found on PKI subsystem!') return None def generate(rpki): + for key in glob(f'{rpki_ssh_key_base}*'): + os.unlink(key) + if not rpki: return + + if 'cache' in rpki: + for cache, cache_config in rpki['cache'].items(): + if 'ssh' in cache_config: + key_name = cache_config['ssh']['key'] + public_key_data = dict_search_args(rpki['pki'], 'openssh', key_name, 'public', 'key') + public_key_type = dict_search_args(rpki['pki'], 'openssh', key_name, 'public', 'type') + private_key_data = dict_search_args(rpki['pki'], 'openssh', key_name, 'private', 'key') + + cache_config['ssh']['public_key_file'] = f'{rpki_ssh_key_base}_{cache}.pub' + cache_config['ssh']['private_key_file'] = f'{rpki_ssh_key_base}_{cache}' + + write_file(cache_config['ssh']['public_key_file'], wrap_openssh_public_key(public_key_data, public_key_type)) + write_file(cache_config['ssh']['private_key_file'], wrap_openssh_private_key(private_key_data)) + rpki['new_frr_config'] = render_to_string('frr/rpki.frr.j2', rpki) + return None def apply(rpki): |