| author | Christian Poessinger <christian@poessinger.com> | 2022-02-19 10:35:55 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-19 10:35:55 +0100 | 
| commit | ae65ff7cc62959608d190923737283480398277d (patch) | |
| tree | 88a6fee64eec7e677f88181af19bab4295c73845 /src/conf_mode/interfaces-ethernet.py | |
| parent | 4829307f01c1a90c90173b2c2c6e538aec82c6f0 (diff) | |
| parent | 3d1b34bf715e594aa4a013d409bfcc5a4c4ad99c (diff) | |
Merge pull request #1227 from chenxiaolong/T4245
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
Diffstat (limited to 'src/conf_mode/interfaces-ethernet.py')
| -rwxr-xr-x | src/conf_mode/interfaces-ethernet.py | 18 | 
1 files changed, 15 insertions, 3 deletions
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index ab8d58f81..2a8a126f2 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -32,7 +32,9 @@ from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
 from vyos.ethtool import Ethtool
 from vyos.ifconfig import EthernetIf
-from vyos.pki import wrap_certificate
+from vyos.pki import find_chain
+from vyos.pki import encode_certificate
+from vyos.pki import load_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
@@ -159,7 +161,14 @@ def generate(ethernet):
         cert_name = ethernet['eapol']['certificate']
         pki_cert = ethernet['pki']['certificate'][cert_name]
-        write_file(cert_file_path, wrap_certificate(pki_cert['certificate']))
+        loaded_pki_cert = load_certificate(pki_cert['certificate'])
+        loaded_ca_certs = {load_certificate(c['certificate'])
+            for c in ethernet['pki']['ca'].values()}
+
+        cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+        write_file(cert_file_path,
+                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
         write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
         if 'ca_certificate' in ethernet['eapol']:
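Review bot: The set comprehension that builds `loaded_ca_certs` indexes `ethernet['pki']['ca']` and `c['certificate']` unconditionally, yet the `'ca_certificate' in ethernet['eapol']` test a few lines further down suggests an EAPoL setup without any CA is a permitted configuration. In that case, or when a CA entry carries no certificate body, this raises KeyError before the client certificate file is written, where the old `wrap_certificate` path worked. A guard such as `for c in ethernet['pki'].get('ca', {}).values() if 'certificate' in c}` keeps the leaf-only case working. It is also worth confirming what `load_certificate` returns for data it cannot parse, since a failure value placed in the set would be handed to `find_chain`. `generate()` begins and continues outside this hunk, so earlier validation may already cover part of this.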
@@ -167,8 +176,11 @@ def generate(ethernet):
             ca_cert_name = ethernet['eapol']['ca_certificate']
             pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
+            loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+            ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+
             write_file(ca_cert_file_path,
-                       wrap_certificate(pki_ca_cert['certificate']))
+                       '\n'.join(encode_certificate(c) for c in ca_full_chain))
     else:
         # delete configuration on interface removal
         if os.path.isfile(wpa_suppl_conf.format(**ethernet)):  | 
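Review bot: Writing the whole `ca_full_chain` into `ca_cert_file_path` widens what the supplicant trusts, and nothing in the code says so. When the configured `ca_certificate` is an intermediate, the file now also holds its issuers found in the PKI store, and, as far as I know, wpa_supplicant treats every certificate in its CA file as a trust anchor. An authentication server certificate issued by a sibling CA under the same root would then validate as well. I would add a comment above the `find_chain` call, for example `# NOTE: CA file holds the selected CA plus its issuers; each one becomes a trust anchor for server validation`. It is also worth checking whether the rendered wpa_supplicant config, which is not visible in this hunk, constrains the server identity (for instance with `domain_suffix_match`).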
