Diffstat (limited to 'src/op_mode/pki.py')
-rwxr-xr-xsrc/op_mode/pki.py85
1 files changed, 40 insertions, 45 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index e1428c581..bc7813052 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -35,6 +35,7 @@ from vyos.pki import verify_certificate
from vyos.xml import defaults
from vyos.util import ask_input, ask_yes_no
from vyos.util import cmd
+from vyos.util import install_into_config
CERT_REQ_END = '-----END CERTIFICATE REQUEST-----'
auth_dir = '/config/auth'
@@ -142,48 +143,50 @@ def get_revoked_by_serial_numbers(serial_numbers=[]):
return certs_out
def install_certificate(name, cert='', private_key=None, key_type=None, key_passphrase=None, is_ca=False):
- # Show conf commands for installing certificate
+ # Show/install conf commands for certificate
prefix = 'ca' if is_ca else 'certificate'
- print('Configure mode commands to install:')
- base = f"set pki {prefix} {name}"
+ base = f"pki {prefix} {name}"
+ config_paths = []
if cert:
cert_pem = "".join(encode_certificate(cert).strip().split("\n")[1:-1])
- print(f"{base} certificate '{cert_pem}'")
+ config_paths.append(f"{base} certificate '{cert_pem}'")
if private_key:
key_pem = "".join(encode_private_key(private_key, passphrase=key_passphrase).strip().split("\n")[1:-1])
- print(f"{base} private key '{key_pem}'")
+ config_paths.append(f"{base} private key '{key_pem}'")
if key_passphrase:
- print(f"{base} private password-protected")
+ config_paths.append(f"{base} private password-protected")
+
+ install_into_config(conf, config_paths)
def install_crl(ca_name, crl):
- # Show conf commands for installing crl
- print("Configure mode commands to install CRL:")
+ # Show/install conf commands for crl
crl_pem = "".join(encode_certificate(crl).strip().split("\n")[1:-1])
- print(f"set pki ca {ca_name} crl '{crl_pem}'")
+ install_into_config(conf, [f"pki ca {ca_name} crl '{crl_pem}'"])
def install_dh_parameters(name, params):
- # Show conf commands for installing dh params
- print("Configure mode commands to install DH parameters:")
+ # Show/install conf commands for dh params
dh_pem = "".join(encode_dh_parameters(params).strip().split("\n")[1:-1])
- print(f"set pki dh {name} parameters '{dh_pem}'")
+ install_into_config(conf, [f"pki dh {name} parameters '{dh_pem}'"])
def install_ssh_key(name, public_key, private_key, passphrase=None):
- # Show conf commands for installing ssh key
+ # Show/install conf commands for ssh key
key_openssh = encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH')
username = os.getlogin()
type_key_split = key_openssh.split(" ")
- base = f"set system login user {username} authentication public-keys {name}"
- print("Configure mode commands to install SSH key:")
- print(f"{base} key '{type_key_split[1]}'")
- print(f"{base} type '{type_key_split[0]}'", end="\n\n")
+ base = f"system login user {username} authentication public-keys {name}"
+ install_into_config(conf, [
+ f"{base} key '{type_key_split[1]}'",
+ f"{base} type '{type_key_split[0]}'"
+ ])
print(encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase))
def install_keypair(name, key_type, private_key=None, public_key=None, passphrase=None):
- # Show conf commands for installing key-pair
- print("Configure mode commands to install key pair:")
+ # Show/install conf commands for key-pair
+
+ config_paths = []
if public_key:
install_public_key = ask_yes_no('Do you want to install the public key?', default=True)
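Review bot: `install_into_config(conf, config_paths)` in install_certificate, and the matching calls in install_crl, install_dh_parameters and install_ssh_key in this hunk (and in install_keypair, install_wireguard_key and install_wireguard_psk below), reference `conf`, which is neither a parameter nor a local of these functions. Judging by the `conf.exists(...)` calls in the last hunk, `conf` appears to be a module-level name bound inside the `__main__` block, so these helpers would raise NameError if imported or called from anywhere else; consider passing it explicitly with a defaulted trailing parameter, e.g. `def install_crl(ca_name, crl, conf=None):`, or at least documenting the dependency with `# relies on module-level 'conf' set in __main__`. The updated header comments (`# Show/install conf commands for ...`) no longer say under which condition the commands are shown versus installed; that now lives in install_into_config, which is not visible here, so a short pointer comment naming the helper would help the next reader.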
@@ -191,7 +194,7 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_public_key:
install_public_pem = "".join(public_key_pem.strip().split("\n")[1:-1])
- print(f"set pki key-pair {name} public key '{install_public_pem}'")
+ config_paths.append(f"pki key-pair {name} public key '{install_public_pem}'")
else:
print("Public key:")
print(public_key_pem)
@@ -202,13 +205,15 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_private_key:
install_private_pem = "".join(private_key_pem.strip().split("\n")[1:-1])
- print(f"set pki key-pair {name} private key '{install_private_pem}'")
+ config_paths.append(f"pki key-pair {name} private key '{install_private_pem}'")
if passphrase:
- print(f"set pki key-pair {name} private password-protected")
+ config_paths.append(f"pki key-pair {name} private password-protected")
else:
print("Private key:")
print(private_key_pem)
+ install_into_config(conf, config_paths)
+
def install_wireguard_key(interface, private_key, public_key):
# Show conf commands for installing wireguard key pairs
from vyos.ifconfig import Section
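Review bot: When the user declines both prompts in install_keypair, `config_paths` stays empty and the final `install_into_config(conf, config_paths)` is still called; the same happens in install_certificate when neither `cert` nor `private_key` is given. Whether install_into_config tolerates an empty list is not visible here, so guard the call with `if config_paths:` to avoid an empty set operation or a spurious message. install_keypair's header and the `config_paths = []` initialisation are in the preceding hunk, outside this one.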
@@ -217,20 +222,10 @@ def install_wireguard_key(interface, private_key, public_key):
exit(1)
# Check if we are running in a config session - if yes, we can directly write to the CLI
- cli_string = f"interfaces wireguard {interface} private-key '{private_key}'"
- if Config().in_session():
- cmd(f"/opt/vyatta/sbin/my_set {cli_string}")
-
- print('"generate" CLI command executed from config session.\nGenerated private-key was imported to CLI!',end='\n\n')
- print(f'Use the following command to verify: show interfaces wireguard {interface}')
- else:
- print('"generate" CLI command executed from operational level.\n'
- 'Generated private-key is not stored to CLI, use configure mode commands to install key:', end='\n\n')
- print(f"set {cli_string}", end="\n\n")
+ install_into_config(conf, [f"interfaces wireguard {interface} private-key '{private_key}'"])
print(f"Corresponding public-key to use on peer system is: '{public_key}'")
-
def install_wireguard_psk(interface, peer, psk):
from vyos.ifconfig import Section
if Section.section(interface) != 'wireguard':
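Review bot: Removing the `Config().in_session()` / `cmd(...)` branch here and in install_wireguard_psk takes away the last visible uses of `cmd` (still imported at the top of the file) and of `Config`; unless they are used elsewhere in the file, which is not visible here, those imports are now dead and should be dropped. The removed branch also told the user whether the key was imported into the session and how to verify it (`show interfaces wireguard {interface}`); if install_into_config does not provide equivalent feedback, consider keeping that hint after the call. install_wireguard_key's body starts outside this hunk.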
@@ -238,17 +233,7 @@ def install_wireguard_psk(interface, peer, psk):
exit(1)
# Check if we are running in a config session - if yes, we can directly write to the CLI
- cli_string = f"interfaces wireguard {interface} peer {peer} preshared-key '{psk}'"
- if Config().in_session():
- cmd(f"/opt/vyatta/sbin/my_set {cli_string}")
-
- print('"generate" CLI command executed from config session.\nGenerated preshared-key was imported to CLI!',end='\n\n')
- print(f'Use the following command to verify: show interfaces wireguard {interface}')
- else:
- print('"generate" CLI command executed from operational level.\n'
- 'Generated preshared-key is not stored to CLI, use configure mode commands to install key:', end='\n\n')
- print(f"set {cli_string}", end="\n\n")
-
+ install_into_config(conf, [f"interfaces wireguard {interface} peer {peer} preshared-key '{psk}'"])
def ask_passphrase():
passphrase = None
@@ -858,8 +843,18 @@ if __name__ == '__main__':
elif args.action == 'show':
if args.ca:
- show_certificate_authority(None if args.ca == 'all' else args.ca)
+ ca_name = None if args.ca == 'all' else args.ca
+ if ca_name:
+ if not conf.exists(['pki', 'ca', ca_name]):
+ print(f'CA "{ca_name}" does not exist!')
+ exit(1)
+ show_certificate_authority(ca_name)
elif args.certificate:
+ cert_name = None if args.certificate == 'all' else args.certificate
+ if cert_name:
+ if not conf.exists(['pki', 'certificate', cert_name]):
+ print(f'Certificate "{cert_name}" does not exist!')
+ exit(1)
show_certificate(None if args.certificate == 'all' else args.certificate)
elif args.crl:
show_crl(None if args.crl == 'all' else args.crl)
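Review bot: The certificate branch computes `cert_name` but then calls `show_certificate(None if args.certificate == 'all' else args.certificate)` again, unlike the CA branch which passes `ca_name`; change it to `show_certificate(cert_name)` so the existence check and the call agree on the same value. The `crl` branch gets no `conf.exists([...])` guard, so a missing CRL name presumably still falls through to show_crl; if that function does not handle the absent case itself, the same guard applies there. The not-found messages are printed to stdout before `exit(1)`; writing them to stderr would be more conventional for an error path, provided `sys` is available in this file.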