1 files changed, 46 insertions, 18 deletions

diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 1e78c3a03..35c7ce0e2 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -25,33 +25,31 @@ from cryptography import x509
 from cryptography.x509.oid import ExtendedKeyUsageOID
 
 from vyos.config import Config
-from vyos.configquery import ConfigTreeQuery
-from vyos.configdict import dict_merge
 from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters
+from vyos.pki import get_certificate_fingerprint
 from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list
 from vyos.pki import create_private_key
 from vyos.pki import create_dh_parameters
 from vyos.pki import load_certificate, load_certificate_request, load_private_key
 from vyos.pki import load_crl, load_dh_parameters, load_public_key
 from vyos.pki import verify_certificate
-from vyos.xml import defaults
-from vyos.util import ask_input, ask_yes_no
-from vyos.util import cmd
-from vyos.util import install_into_config
+from vyos.utils.io import ask_input
+from vyos.utils.io import ask_yes_no
+from vyos.utils.misc import install_into_config
+from vyos.utils.process import cmd
 
 CERT_REQ_END = '-----END CERTIFICATE REQUEST-----'
 auth_dir = '/config/auth'
 
 # Helper Functions
-conf = ConfigTreeQuery()
+conf = Config()
 def get_default_values():
     # Fetch default x509 values
     base = ['pki', 'x509', 'default']
     x509_defaults = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                     no_tag_node_value_mangle=True,
                                      get_first_key=True,
-                                     no_tag_node_value_mangle=True)
-    default_values = defaults(base)
-    x509_defaults = dict_merge(default_values, x509_defaults)
+                                     with_recursive_defaults=True)
 
     return x509_defaults
 
@@ -87,6 +85,9 @@ def get_config_certificate(name=None):
 
 def get_certificate_ca(cert, ca_certs):
     # Find CA certificate for given certificate
+    if not ca_certs:
+        return None
+
     for ca_name, ca_dict in ca_certs.items():
         if 'certificate' not in ca_dict:
             continue
@@ -187,7 +188,7 @@ def install_ssh_key(name, public_key, private_key, passphrase=None):
 
 def install_keypair(name, key_type, private_key=None, public_key=None, passphrase=None, prompt=True):
     # Show/install conf commands for key-pair
-    
+
     config_paths = []
 
     if public_key:
@@ -837,7 +838,7 @@ def import_openvpn_secret(name, path):
     install_openvpn_key(name, key_data, key_version)
 
 # Show functions
-def show_certificate_authority(name=None):
+def show_certificate_authority(name=None, pem=False):
     headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent']
     data = []
     certs = get_config_ca_certificate()
@@ -849,6 +850,11 @@ def show_certificate_authority(name=None):
                 continue
 
             cert = load_certificate(cert_dict['certificate'])
+
+            if name and pem:
+                print(encode_certificate(cert))
+                return
+
             parent_ca_name = get_certificate_ca(cert, certs)
             cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
 
@@ -864,7 +870,7 @@ def show_certificate_authority(name=None):
     print("Certificate Authorities:")
     print(tabulate.tabulate(data, headers))
 
-def show_certificate(name=None):
+def show_certificate(name=None, pem=False):
     headers = ['Name', 'Type', 'Subject CN', 'Issuer CN', 'Issued', 'Expiry', 'Revoked', 'Private Key', 'CA Present']
     data = []
     certs = get_config_certificate()
@@ -882,6 +888,10 @@ def show_certificate(name=None):
             if not cert:
                 continue
 
+            if name and pem:
+                print(encode_certificate(cert))
+                return
+
             ca_name = get_certificate_ca(cert, ca_certs)
             cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
             cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
@@ -903,7 +913,13 @@ def show_certificate(name=None):
     print("Certificates:")
     print(tabulate.tabulate(data, headers))
 
-def show_crl(name=None):
+def show_certificate_fingerprint(name, hash):
+    cert = get_config_certificate(name=name)
+    cert = load_certificate(cert['certificate'])
+
+    print(get_certificate_fingerprint(cert, hash))
+
+def show_crl(name=None, pem=False):
     headers = ['CA Name', 'Updated', 'Revokes']
     data = []
     certs = get_config_ca_certificate()
@@ -924,9 +940,16 @@ def show_crl(name=None):
                 if not crl:
                     continue
 
+                if name and pem:
+                    print(encode_certificate(crl))
+                    continue
+
                 certs = get_revoked_by_serial_numbers([revoked.serial_number for revoked in crl])
                 data.append([cert_name, crl.last_update, ", ".join(certs)])
 
+    if name and pem:
+        return
+
     print("Certificate Revocation Lists:")
     print(tabulate.tabulate(data, headers))
 
@@ -940,6 +963,8 @@ if __name__ == '__main__':
     parser.add_argument('--crl', help='Certificate Revocation List', required=False)
     parser.add_argument('--sign', help='Sign certificate with specified CA', required=False)
     parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true')
+    parser.add_argument('--pem', help='Output using PEM encoding', action='store_true')
+    parser.add_argument('--fingerprint', help='Show fingerprint and exit', action='store')
 
     # SSH
     parser.add_argument('--ssh', help='SSH Key', required=False)
@@ -1029,16 +1054,19 @@ if __name__ == '__main__':
                     if not conf.exists(['pki', 'ca', ca_name]):
                         print(f'CA "{ca_name}" does not exist!')
                         exit(1)
-                show_certificate_authority(ca_name)
+                show_certificate_authority(ca_name, args.pem)
             elif args.certificate:
                 cert_name = None if args.certificate == 'all' else args.certificate
                 if cert_name:
                     if not conf.exists(['pki', 'certificate', cert_name]):
                         print(f'Certificate "{cert_name}" does not exist!')
                         exit(1)
-                show_certificate(None if args.certificate == 'all' else args.certificate)
+                if args.fingerprint is None:
+                    show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
+                else:
+                    show_certificate_fingerprint(args.certificate, args.fingerprint)
             elif args.crl:
-                show_crl(None if args.crl == 'all' else args.crl)
+                show_crl(None if args.crl == 'all' else args.crl, args.pem)
             else:
                 show_certificate_authority()
                 show_certificate()