authorChristian Breunig <christian@breunig.cc>2024-05-30 17:18:26 +0200
committerGitHub <noreply@github.com>2024-05-30 17:18:26 +0200
commite26fcfb0bb254deea26d9cf3c9707552eafcafe9 (patch)
tree68b97748dbcb2a3c3afa763c8036617717fb61a2
parent94ee1d8f1f7f0c539c64f3f1e72e8fa8040a5a97 (diff)
parent55ae2ca0b17fa1d4cd19563289466c5e8dbbcf84 (diff)
downloadvyos-1x-e26fcfb0bb254deea26d9cf3c9707552eafcafe9.tar.gz
vyos-1x-e26fcfb0bb254deea26d9cf3c9707552eafcafe9.zip
Merge pull request #3556 from vyos/mergify/bp/sagitta/pr-3552
op-mode: ipsec: T6407: fix profile generation (backport #3552)
-rw-r--r--data/templates/ipsec/ios_profile.j211
-rwxr-xr-xsrc/op_mode/ikev2_profile_generator.py19
2 files changed, 21 insertions, 9 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
index eb74924b8..a9ae1c7a9 100644
--- a/data/templates/ipsec/ios_profile.j2
+++ b/data/templates/ipsec/ios_profile.j2
@@ -83,12 +83,15 @@
</dict>
</dict>
</dict>
+{% if certs is vyos_defined %}
<!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
+{% for cert in certs %}
+ <!-- Payload for: {{ cert.ca_cn }} -->
<dict>
<key>PayloadIdentifier</key>
- <string>org.example.ca</string>
+ <string>org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') }}</string>
<key>PayloadUUID</key>
- <string>{{ '' | get_uuid }}</string>
+ <string>{{ cert.ca_cn | generate_uuid4 }}</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadVersion</key>
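Review bot: The CA common name is interpolated into the plist without XML escaping, both in the new PayloadIdentifier `<string>` and in the `<!-- Payload for: … -->` comment; a CN containing `&` or `<` produces a profile that iOS will reject as malformed, and `--` inside the comment terminates it early. Unless this template is rendered with autoescaping enabled (not visible here), the string line should read `<string>org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') | e }}</string>` and the comment should either escape the CN the same way or omit it. Note also that two CAs whose CNs differ only in case or in space/underscore placement collapse to the same PayloadIdentifier after the `lower`/`replace` chain, and payload identifiers are expected to be unique within a profile; appending `{{ loop.index }}` would make them distinct.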
@@ -96,9 +99,11 @@
<!-- This is the Base64 (PEM) encoded CA certificate -->
<key>PayloadContent</key>
<data>
- {{ ca_cert }}
+ {{ cert.ca_cert }}
</data>
</dict>
+{% endfor %}
+{% endif %}
</array>
</dict>
</plist>
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 2b29f94bf..4ac4fb14a 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -144,15 +144,22 @@ tmp = reversed(tmp)
data['rfqdn'] = '.'.join(tmp)
pki = conf.get_config_dict(pki_base, get_first_key=True)
-ca_name = data['authentication']['x509']['ca_certificate']
cert_name = data['authentication']['x509']['certificate']
-ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+data['certs'] = []
+
+for ca_name in data['authentication']['x509']['ca_certificate']:
+ tmp = {}
+ ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+ cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+
+
+ tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
+
+ data['certs'].append(tmp)
-data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
key_mangling=('-', '_'), get_first_key=True)
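Review bot: The end-entity certificate is reloaded and its CN re-extracted on every iteration of the new `for ca_name in …` loop, although neither depends on `ca_name`; at the same time the top-level `data['cert_cn']` assignment is removed, so if the template still references `cert_cn` outside the per-CA loop (not visible in this hunk) it now renders undefined. Hoisting the certificate load and CN lookup above the loop, keeping `data['cert_cn']`, and building each entry as a literal addresses both and removes the doubled blank line. The `[0]` on `get_attributes_for_oid(...)` still raises IndexError for a certificate without a CN, which predates this change but could be reported as a clean error rather than a traceback. The surrounding script continues outside the hunk.
```python
cert_name = data['authentication']['x509']['certificate']
cert = load_certificate(pki['certificate'][cert_name]['certificate'])
# the end-entity certificate does not vary with the CA being iterated
data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
data['certs'] = []

for ca_name in data['authentication']['x509']['ca_certificate']:
    ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
    data['certs'].append({
        'ca_cn': ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        'cert_cn': data['cert_cn'],
        'ca_cert': conf.value(pki_base + ['ca', ca_name, 'certificate']),
    })
# … unchanged: esp_proposals lookup …
```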