summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-06-14 13:28:56 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-06-14 20:53:20 +0000
commit015bd0c7597030d91cfcb4523f91ee3a57ed0d65 (patch)
tree26201dd060f609b83363f69f6cba3c348ea94d51
parent95b62fbc35b3da0cb7e7fea0b02b3d16fa0368b3 (diff)
downloadvyos-1x-015bd0c7597030d91cfcb4523f91ee3a57ed0d65.tar.gz
vyos-1x-015bd0c7597030d91cfcb4523f91ee3a57ed0d65.zip
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required
If the requested certificate to generate an Apple IOS profile was based on an ACME certificate, we also need to mangle in the ACME certs content to retrieve the certificates issuer name. (cherry picked from commit 1bc67d498c4d71da78aa46d1d2f9fe9752f59860)
-rw-r--r--op-mode-definitions/generate-ipsec-profile.xml.in10
-rwxr-xr-xsrc/op_mode/ikev2_profile_generator.py57
2 files changed, 38 insertions, 29 deletions
diff --git a/op-mode-definitions/generate-ipsec-profile.xml.in b/op-mode-definitions/generate-ipsec-profile.xml.in
index b7203d7d1..afa299da2 100644
--- a/op-mode-definitions/generate-ipsec-profile.xml.in
+++ b/op-mode-definitions/generate-ipsec-profile.xml.in
@@ -28,7 +28,7 @@
<script>${vyos_completion_dir}/list_local_ips.sh --both</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
+ <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
<children>
<tagNode name="name">
<properties>
@@ -37,7 +37,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
+ <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
<children>
<tagNode name="profile">
<properties>
@@ -46,7 +46,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
</tagNode>
</children>
</tagNode>
@@ -57,7 +57,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
+ <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
<children>
<tagNode name="name">
<properties>
@@ -66,7 +66,7 @@
<list>&lt;name&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
</tagNode>
</children>
</tagNode>
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 169a15840..b193d8109 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -21,6 +21,7 @@ from socket import getfqdn
from cryptography.x509.oid import NameOID
from vyos.configquery import ConfigTreeQuery
+from vyos.config import config_dict_mangle_acme
from vyos.pki import CERT_BEGIN
from vyos.pki import CERT_END
from vyos.pki import find_chain
@@ -123,6 +124,8 @@ pki_base = ['pki']
conf = ConfigTreeQuery()
if not conf.exists(config_base):
exit('IPsec remote-access is not configured!')
+if not conf.exists(pki_base):
+ exit('PKI is not configured!')
profile_name = 'VyOS IKEv2 Profile'
if args.profile:
@@ -147,30 +150,36 @@ tmp = getfqdn().split('.')
tmp = reversed(tmp)
data['rfqdn'] = '.'.join(tmp)
-pki = conf.get_config_dict(pki_base, get_first_key=True)
-cert_name = data['authentication']['x509']['certificate']
-
-cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
-data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_certificates'] = []
-
-loaded_ca_certs = {load_certificate(c['certificate'])
- for c in pki['ca'].values()} if 'ca' in pki else {}
-
-for ca_name in data['authentication']['x509']['ca_certificate']:
- loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
- ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
- for ca in ca_full_chain:
- tmp = {
- 'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
- 'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
- }
- data['ca_certificates'].append(tmp)
-
-# Remove duplicate list entries for CA certificates, as they are added by their common name
-# https://stackoverflow.com/a/9427216
-data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
+if args.os == 'ios':
+ pki = conf.get_config_dict(pki_base, get_first_key=True)
+ if 'certificate' in pki:
+ for certificate in pki['certificate']:
+ pki['certificate'][certificate] = config_dict_mangle_acme(certificate, pki['certificate'][certificate])
+
+ cert_name = data['authentication']['x509']['certificate']
+
+
+ cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
+ data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ data['ca_certificates'] = []
+
+ loaded_ca_certs = {load_certificate(c['certificate'])
+ for c in pki['ca'].values()} if 'ca' in pki else {}
+
+ for ca_name in data['authentication']['x509']['ca_certificate']:
+ loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+ ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+ for ca in ca_full_chain:
+ tmp = {
+ 'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
+ 'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
+ }
+ data['ca_certificates'].append(tmp)
+
+ # Remove duplicate list entries for CA certificates, as they are added by their common name
+ # https://stackoverflow.com/a/9427216
+ data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
key_mangling=('-', '_'), get_first_key=True)