diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-07 17:32:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-07 17:32:00 +0200 |
commit | 17dff308810497aab19428a6340a4261d91893e4 (patch) | |
tree | 8bde3ac286bc552bea9322efcdda33e05e3a86e9 /src/op_mode | |
parent | 511253635a9b67396788d24bacafd237594e0e12 (diff) | |
parent | 5a7c46016a23387312b2c9e18528ad7bb20e8366 (diff) | |
download | vyos-1x-17dff308810497aab19428a6340a4261d91893e4.tar.gz vyos-1x-17dff308810497aab19428a6340a4261d91893e4.zip |
Merge pull request #912 from sarthurdev/pki_ipsec_rsa
pki: T3642: Migrate rsa-keys to PKI configuration
Diffstat (limited to 'src/op_mode')
-rwxr-xr-x | src/op_mode/vpn_ipsec.py | 94 |
1 files changed, 3 insertions, 91 deletions
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py index ad7efbf2d..06e227ccf 100755 --- a/src/op_mode/vpn_ipsec.py +++ b/src/op_mode/vpn_ipsec.py @@ -14,91 +14,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import base64 -import os import re -import struct -import sys import argparse from subprocess import TimeoutExpired -from vyos.util import ask_yes_no, call, cmd, process_named_running -from Cryptodome.PublicKey.RSA import importKey +from vyos.util import call -RSA_LOCAL_KEY_PATH = '/config/ipsec.d/rsa-keys/localhost.key' -RSA_LOCAL_PUB_PATH = '/etc/ipsec.d/certs/localhost.pub' -RSA_KEY_PATHS = ['/config/auth', '/config/ipsec.d/rsa-keys'] - -X509_CONFIG_PATH = '/etc/ipsec.d/key-pair.template' -X509_PATH = '/config/auth/' - -IPSEC_CONF = '/etc/ipsec.conf' SWANCTL_CONF = '/etc/swanctl/swanctl.conf' -def migrate_to_vyatta_key(path): - with open(path, 'r') as f: - key = importKey(f.read()) - e = key.e.to_bytes((key.e.bit_length() + 7) // 8, 'big') - n = key.n.to_bytes((key.n.bit_length() + 7) // 8, 'big') - return '0s' + str(base64.b64encode(struct.pack('B', len(e)) + e + n), 'ascii') - return None - -def find_rsa_keys(): - keys = [] - for path in RSA_KEY_PATHS: - if not os.path.exists(path): - continue - for filename in os.listdir(path): - full_path = os.path.join(path, filename) - if os.path.isfile(full_path) and full_path.endswith(".key"): - keys.append(full_path) - return keys - -def show_rsa_keys(): - for key_path in find_rsa_keys(): - print('Private key: ' + os.path.basename(key_path)) - print('Public key: ' + migrate_to_vyatta_key(key_path) + '\n') - -def generate_rsa_key(bits = 2192): - if (bits < 16 or bits > 4096) or bits % 16 != 0: - print('Invalid bit length') - return - - if os.path.exists(RSA_LOCAL_KEY_PATH): - if not ask_yes_no("A local RSA key file already exists and will be overwritten. Continue?"): - return - - print(f'Generating rsa-key to {RSA_LOCAL_KEY_PATH}') - - directory = os.path.dirname(RSA_LOCAL_KEY_PATH) - call(f'sudo mkdir -p {directory}') - result = call(f'sudo /usr/bin/openssl genrsa -out {RSA_LOCAL_KEY_PATH} {bits}') - - if result != 0: - print(f'Could not generate RSA key: {result}') - return - - call(f'sudo /usr/bin/openssl rsa -inform PEM -in {RSA_LOCAL_KEY_PATH} -pubout -out {RSA_LOCAL_PUB_PATH}') - - print('Your new local RSA key has been generated') - print('The public portion of the key is:\n') - print(migrate_to_vyatta_key(RSA_LOCAL_KEY_PATH)) - -def generate_x509_pair(name): - if os.path.exists(X509_PATH + name): - if not ask_yes_no("A certificate request with this name already exists and will be overwritten. Continue?"): - return - - result = os.system(f'openssl req -new -nodes -keyout {X509_PATH}{name}.key -out {X509_PATH}{name}.csr -config {X509_CONFIG_PATH}') - - if result != 0: - print(f'Could not generate x509 key-pair: {result}') - return - - print('Private key and certificate request has been generated') - print(f'CSR: {X509_PATH}{name}.csr') - print(f'Private key: {X509_PATH}{name}.key') - def get_peer_connections(peer, tunnel, return_all = False): search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*' matches = [] @@ -183,23 +106,12 @@ def debug_peer(peer, tunnel): if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--action', help='Control action', required=True) - parser.add_argument('--bits', help='Bits for rsa-key', required=False) - parser.add_argument('--name', help='Name for x509 key-pair, peer for reset', required=False) + parser.add_argument('--name', help='Name for peer reset', required=False) parser.add_argument('--tunnel', help='Specific tunnel of peer', required=False) args = parser.parse_args() - if args.action == 'rsa-key': - bits = int(args.bits) if args.bits else 2192 - generate_rsa_key(bits) - elif args.action == 'rsa-key-show': - show_rsa_keys() - elif args.action == 'x509': - if not args.name: - print('Invalid name for key-pair, aborting.') - sys.exit(0) - generate_x509_pair(args.name) - elif args.action == 'reset-peer': + if args.action == 'reset-peer': reset_peer(args.name, args.tunnel) elif args.action == "reset-profile": reset_profile(args.name, args.tunnel) |