authorChristian Poessinger <christian@poessinger.com>2021-07-06 12:21:46 +0200
committerGitHub <noreply@github.com>2021-07-06 12:21:46 +0200
commit511253635a9b67396788d24bacafd237594e0e12 (patch)
tree32a97fa2f6bf334f22d6a7e255f438af2777e3a8 /python
parent50b8d38abdb1525243a78896eff784744cfd5c44 (diff)
parenta5cd877a0a4a43644a6d91e6b95fe938b9b2726b (diff)
Merge pull request #911 from sarthurdev/pki_san
pki: ipsec: T3642: T1210: T2816: Add SANs to generated certificates, more IPSec remote-access features and fixes
Diffstat (limited to 'python')
-rw-r--r--python/vyos/pki.py22
-rw-r--r--python/vyos/util.py15
2 files changed, 30 insertions, 7 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index a575ac16a..1c6282d84 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -15,6 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import datetime
+import ipaddress
from cryptography import x509
from cryptography.exceptions import InvalidSignature
@@ -112,7 +113,7 @@ def create_private_key(key_type, key_size=None):
private_key = ec.generate_private_key(curve)
return private_key
-def create_certificate_request(subject, private_key):
+def create_certificate_request(subject, private_key, subject_alt_names=[]):
subject_obj = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, subject['country']),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject['state']),
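Review bot: The new parameter on the `def create_certificate_request` line uses a mutable default, `subject_alt_names=[]`, which is the classic shared-default pitfall in Python. The body (continued in the next hunk) only iterates the list, so nothing is mutated today, but the first future `append` would leak SANs between calls; the idiom is `def create_certificate_request(subject, private_key, subject_alt_names=None):` with `if subject_alt_names:` already guarding the `None` case as written. The function's body ends outside this hunk.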
@@ -120,9 +121,20 @@ def create_certificate_request(subject, private_key):
x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['organization']),
x509.NameAttribute(NameOID.COMMON_NAME, subject['common_name'])])
- return x509.CertificateSigningRequestBuilder() \
- .subject_name(subject_obj) \
- .sign(private_key, hashes.SHA256())
+ builder = x509.CertificateSigningRequestBuilder() \
+ .subject_name(subject_obj)
+
+ if subject_alt_names:
+ alt_names = []
+ for obj in subject_alt_names:
+ if isinstance(obj, ipaddress.IPv4Address) or isinstance(obj, ipaddress.IPv6Address):
+ alt_names.append(x509.IPAddress(obj))
+ elif isinstance(obj, str):
+ alt_names.append(x509.DNSName(obj))
+ if alt_names:
+ builder = builder.add_extension(x509.SubjectAlternativeName(alt_names), critical=False)
+
+ return builder.sign(private_key, hashes.SHA256())
def add_key_identifier(ca_cert):
try:
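Review bot: A SAN supplied as a string holding an IP literal (e.g. `'192.0.2.1'`) falls into the `elif isinstance(obj, str)` branch and is emitted as `x509.DNSName('192.0.2.1')`, not as an iPAddress entry; RFC 5280-style verifiers match an IP peer against iPAddress SANs only, so such a certificate would not validate for that address if any caller passes addresses as strings. Entries of any other type (an `IPv4Network`, an int) are silently skipped, so the CSR — and the certificate signed from it — quietly lacks a name the caller asked for. I would normalise strings through `ipaddress.ip_address()` first and reject unsupported types instead of dropping them, and add a docstring to the function stating that `subject_alt_names` accepts `str` DNS names and `IPv4Address`/`IPv6Address` objects. The function's signature is in the previous hunk.
```python
    if subject_alt_names:
        alt_names = []
        for obj in subject_alt_names:
            # A string that parses as an address must become an iPAddress SAN,
            # not a dNSName, or verifiers will never match it against the peer IP.
            if isinstance(obj, str):
                try:
                    obj = ipaddress.ip_address(obj)
                except ValueError:
                    pass
            if isinstance(obj, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
                alt_names.append(x509.IPAddress(obj))
            elif isinstance(obj, str):
                alt_names.append(x509.DNSName(obj))
            else:
                raise ValueError(f'Unsupported subject alternative name: {obj!r}')
        # … unchanged: add_extension(SubjectAlternativeName) and sign …
```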
@@ -166,7 +178,7 @@ def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_t
builder = builder.add_extension(add_key_identifier(ca_cert), critical=False)
for ext in cert_req.extensions:
- builder = builder.add_extension(ext, critical=False)
+ builder = builder.add_extension(ext.value, critical=False)
return builder.sign(ca_private_key, hashes.SHA256())
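Review bot: The corrected line `builder = builder.add_extension(ext.value, critical=False)` still copies every extension from the CSR into the signed certificate with the criticality forced to `False`, discarding what the CSR asked for (a SAN must be critical when the subject is empty, for instance) — `critical=ext.critical` preserves it. More importantly, there is no filtering: if `cert_req` can ever come from outside this module (an imported CSR), the requester dictates which extensions the CA asserts, e.g. keyUsage or extendedKeyUsage values the CA never intended; I would copy only an allow-list such as `if ext.oid == x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME:` and ignore or reject the rest. Whether external CSRs reach this function cannot be confirmed from the hunk; the body of `create_certificate` starts outside it.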
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 8247ccb2d..171ab397f 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -440,7 +440,6 @@ def process_running(pid_file):
pid = f.read().strip()
return pid_exists(int(pid))
-
def process_named_running(name):
""" Checks if process with given name is running and returns its PID.
If Process is not running, return None
@@ -451,7 +450,6 @@ def process_named_running(name):
return p.pid
return None
-
def seconds_to_human(s, separator=""):
""" Converts number of seconds passed to a human-readable
interval such as 1w4d18h35m59s
@@ -705,6 +703,19 @@ def dict_search(path, my_dict):
c = c.get(p, {})
return c.get(parts[-1], None)
+def dict_search_args(dict_object, *path):
+ # Traverse dictionary using variable arguments
+ # Added due to above function not allowing for '.' in the key names
+ # Example: dict_search_args(some_dict, 'key', 'subkey', 'subsubkey', ...)
+ if not isinstance(dict_object, dict) or not path:
+ return None
+
+ for item in path:
+ if item not in dict_object:
+ return None
+ dict_object = dict_object[item]
+ return dict_object
+
def get_interface_config(interface):
""" Returns the used encapsulation protocol for given interface.
If interface does not exist, None is returned.
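Review bot: `dict_search_args` checks `isinstance(dict_object, dict)` only once, before the loop, so after the first step `dict_object` may be a string or list; the `if item not in dict_object` test then succeeds as a substring or element check and `dict_object[item]` raises `TypeError` instead of returning `None` — `dict_search_args({'a': 'abc'}, 'a', 'b')` is a concrete reproducer. Moving the type check into the loop fixes it: `if not isinstance(dict_object, dict) or item not in dict_object:` followed by `return None`. The header comment should also become a docstring that states the contract, e.g. "Return the value at the given key path, or None if any key is missing or an intermediate value is not a dict; unlike dict_search, keys may contain '.'".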