diff options
author | Christian Breunig <christian@breunig.cc> | 2023-08-31 17:14:53 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-31 17:14:53 +0200 |
commit | ca0cf364f05b391fbe2ebd1e87e2a022d94a2e6d (patch) | |
tree | 8452663292e66d52a0411a7ae4f8c9b2c5eaa02e | |
parent | af737cf57e53a08a53ec2037ee476ee9098d8216 (diff) | |
parent | 493d060922f638d81dd5d4a81ffdf19e16943e3e (diff) | |
download | vyos-1x-ca0cf364f05b391fbe2ebd1e87e2a022d94a2e6d.tar.gz vyos-1x-ca0cf364f05b391fbe2ebd1e87e2a022d94a2e6d.zip |
Merge pull request #2190 from sarthurdev/T4782
eapol: T4782: Support multiple CA chains
-rw-r--r-- | interface-definitions/include/interface/eapol.xml.i | 2 | ||||
-rw-r--r-- | python/vyos/configverify.py | 13 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_ethernet.py | 9 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-ethernet.py | 13 |
4 files changed, 23 insertions, 14 deletions
diff --git a/interface-definitions/include/interface/eapol.xml.i b/interface-definitions/include/interface/eapol.xml.i index c4cdeae0c..a3206f2c7 100644 --- a/interface-definitions/include/interface/eapol.xml.i +++ b/interface-definitions/include/interface/eapol.xml.i @@ -4,7 +4,7 @@ <help>Extensible Authentication Protocol over Local Area Network</help> </properties> <children> - #include <include/pki/ca-certificate.xml.i> + #include <include/pki/ca-certificate-multi.xml.i> #include <include/pki/certificate-key.xml.i> </children> </node> diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 5b94bd98b..52f9238b8 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -187,15 +187,14 @@ def verify_eapol(config): if 'ca' not in config['pki']: raise ConfigError('Invalid CA certificate specified for EAPoL') - ca_cert_name = config['eapol']['ca_certificate'] + for ca_cert_name in config['eapol']['ca_certificate']: + if ca_cert_name not in config['pki']['ca']: + raise ConfigError('Invalid CA certificate specified for EAPoL') - if ca_cert_name not in config['pki']['ca']: - raise ConfigError('Invalid CA certificate specified for EAPoL') - - ca_cert = config['pki']['ca'][ca_cert_name] + ca_cert = config['pki']['ca'][ca_cert_name] - if 'certificate' not in ca_cert: - raise ConfigError('Invalid CA certificate specified for EAPoL') + if 'certificate' not in ca_cert: + raise ConfigError('Invalid CA certificate specified for EAPoL') def verify_mirror_redirect(config): """ diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py index 5ea21fea8..a39b81348 100755 --- a/smoketest/scripts/cli/test_interfaces_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_ethernet.py @@ -250,10 +250,19 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): for interface in self._interfaces: # Enable EAPoL self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-server-ca-intermediate']) + self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate']) self.cli_set(self._base_path + [interface, 'eapol', 'certificate', cert_name]) self.cli_commit() + # Test multiple CA chains + self.assertEqual(get_certificate_count(interface, 'ca'), 4) + + for interface in self._interfaces: + self.cli_delete(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate']) + + self.cli_commit() + # Check for running process self.assertTrue(process_named_running('wpa_supplicant')) diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index b015bba88..f3e65ad5e 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -186,14 +186,15 @@ def generate(ethernet): if 'ca_certificate' in ethernet['eapol']: ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem') - ca_cert_name = ethernet['eapol']['ca_certificate'] - pki_ca_cert = ethernet['pki']['ca'][ca_cert_name] + ca_chains = [] - loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) - ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + for ca_cert_name in ethernet['eapol']['ca_certificate']: + pki_ca_cert = ethernet['pki']['ca'][ca_cert_name] + loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + ca_chains.append('\n'.join(encode_certificate(c) for c in ca_full_chain)) - write_file(ca_cert_file_path, - '\n'.join(encode_certificate(c) for c in ca_full_chain)) + write_file(ca_cert_file_path, '\n'.join(ca_chains)) return None |