diff options
author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-08-09 20:57:53 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-09 20:57:53 +0300 |
commit | daf8f26f0d7cd67ad015e280ce297bc794800a7f (patch) | |
tree | dae070a1f3ad40b6fb9bc503a7f4e6d1750f6468 | |
parent | e4b932ed0a140c9ced9a4eb501d520560b125406 (diff) | |
parent | 9427d7b001bd9cb769fb2940cfa263a448d62b80 (diff) | |
download | vyos-1x-daf8f26f0d7cd67ad015e280ce297bc794800a7f.tar.gz vyos-1x-daf8f26f0d7cd67ad015e280ce297bc794800a7f.zip |
Merge pull request #2143 from dmbaturin/T5273-cert-fingerprint
pki: T5273: add a certificate fingerprint command
-rw-r--r-- | op-mode-definitions/pki.xml.in | 9 | ||||
-rw-r--r-- | python/vyos/pki.py | 14 | ||||
-rwxr-xr-x | src/op_mode/pki.py | 13 |
3 files changed, 34 insertions, 2 deletions
diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in index c5abf86cd..ca0eb3687 100644 --- a/op-mode-definitions/pki.xml.in +++ b/op-mode-definitions/pki.xml.in @@ -535,6 +535,15 @@ </properties> <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --pem</command> </leafNode> + <tagNode name="fingerprint"> + <properties> + <help>Show x509 certificate fingerprint</help> + <completionHelp> + <list>sha256 sha384 sha512</list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --fingerprint "$6"</command> + </tagNode> </children> </tagNode> <leafNode name="crl"> diff --git a/python/vyos/pki.py b/python/vyos/pki.py index cd15e3878..792e24b76 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -63,6 +63,18 @@ private_format_map = { 'OpenSSH': serialization.PrivateFormat.OpenSSH } +hash_map = { + 'sha256': hashes.SHA256, + 'sha384': hashes.SHA384, + 'sha512': hashes.SHA512, +} + +def get_certificate_fingerprint(cert, hash): + hash_algorithm = hash_map[hash]() + fp = cert.fingerprint(hash_algorithm) + + return fp.hex(':').upper() + def encode_certificate(cert): return cert.public_bytes(encoding=serialization.Encoding.PEM).decode('utf-8') diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 4c31291ad..f638c51bc 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -28,6 +28,7 @@ from vyos.config import Config from vyos.configquery import ConfigTreeQuery from vyos.configdict import dict_merge from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters +from vyos.pki import get_certificate_fingerprint from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list from vyos.pki import create_private_key from vyos.pki import create_dh_parameters @@ -916,6 +917,12 @@ def show_certificate(name=None, pem=False): print("Certificates:") print(tabulate.tabulate(data, headers)) +def show_certificate_fingerprint(name, hash): + cert = get_config_certificate(name=name) + cert = load_certificate(cert['certificate']) + + print(get_certificate_fingerprint(cert, hash)) + def show_crl(name=None, pem=False): headers = ['CA Name', 'Updated', 'Revokes'] data = [] @@ -961,6 +968,7 @@ if __name__ == '__main__': parser.add_argument('--sign', help='Sign certificate with specified CA', required=False) parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true') parser.add_argument('--pem', help='Output using PEM encoding', action='store_true') + parser.add_argument('--fingerprint', help='Show fingerprint and exit', action='store') # SSH parser.add_argument('--ssh', help='SSH Key', required=False) @@ -1057,7 +1065,10 @@ if __name__ == '__main__': if not conf.exists(['pki', 'certificate', cert_name]): print(f'Certificate "{cert_name}" does not exist!') exit(1) - show_certificate(None if args.certificate == 'all' else args.certificate, args.pem) + if args.fingerprint is None: + show_certificate(None if args.certificate == 'all' else args.certificate, args.pem) + else: + show_certificate_fingerprint(args.certificate, args.fingerprint) elif args.crl: show_crl(None if args.crl == 'all' else args.crl, args.pem) else: |