From e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 30 May 2024 11:20:56 +0200 Subject: op-mode: ipsec: T6407: fix profile generation Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile. --- data/templates/ipsec/ios_profile.j2 | 11 ++++++++--- src/op_mode/ikev2_profile_generator.py | 19 +++++++++++++------ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index eb74924b8..a9ae1c7a9 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -83,12 +83,15 @@ +{% if certs is vyos_defined %} +{% for cert in certs %} + PayloadIdentifier - org.example.ca + org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') }} PayloadUUID - {{ '' | get_uuid }} + {{ cert.ca_cn | generate_uuid4 }} PayloadType com.apple.security.root PayloadVersion @@ -96,9 +99,11 @@ PayloadContent - {{ ca_cert }} + {{ cert.ca_cert }} +{% endfor %} +{% endif %} diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py index 2b29f94bf..4ac4fb14a 100755 --- a/src/op_mode/ikev2_profile_generator.py +++ b/src/op_mode/ikev2_profile_generator.py @@ -144,15 +144,22 @@ tmp = reversed(tmp) data['rfqdn'] = '.'.join(tmp) pki = conf.get_config_dict(pki_base, get_first_key=True) -ca_name = data['authentication']['x509']['ca_certificate'] cert_name = data['authentication']['x509']['certificate'] -ca_cert = load_certificate(pki['ca'][ca_name]['certificate']) -cert = load_certificate(pki['certificate'][cert_name]['certificate']) +data['certs'] = [] + +for ca_name in data['authentication']['x509']['ca_certificate']: + tmp = {} + ca_cert = load_certificate(pki['ca'][ca_name]['certificate']) + cert = load_certificate(pki['certificate'][cert_name]['certificate']) + + + tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value + tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value + tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate']) + + data['certs'].append(tmp) -data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value -data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value -data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate']) esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'], key_mangling=('-', '_'), get_first_key=True) -- cgit v1.2.3