author | Christian Breunig <christian@breunig.cc> | 2024-04-02 18:52:29 +0200 |
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-04-02 17:01:41 +0000 |
commit | 7cf3f42f5ee8e1d8ecfe5da338ba3fe5bd5c55e2 (patch) | |
tree | f9a3559fc9b5549ba04404928d157fcd7e0fea52 /src/conf_mode/service_https.py | |
parent | 2831bec9c1d94f5382140e937ccae11fb345eefd (diff) | |
configverify: T6198: add common helper for PKI certificate validation
The next evolutionary step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existence in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
(cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
Diffstat (limited to 'src/conf_mode/service_https.py')
-rwxr-xr-x | src/conf_mode/service_https.py | 39 |
1 files changed, 11 insertions, 28 deletions
diff --git a/src/conf_mode/service_https.py b/src/conf_mode/service_https.py
index 46efc3c93..9e58b4c72 100755
--- a/src/conf_mode/service_https.py
+++ b/src/conf_mode/service_https.py
@@ -24,13 +24,14 @@ from time import sleep
 from vyos.base import Warning
 from vyos.config import Config
 from vyos.config import config_dict_merge
-from vyos.configdiff import get_config_diff
 from vyos.configverify import verify_vrf
+from vyos.configverify import verify_pki_certificate
+from vyos.configverify import verify_pki_ca_certificate
+from vyos.configverify import verify_pki_dh_parameters
 from vyos.defaults import api_config_state
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.pki import wrap_dh_parameters
-from vyos.pki import load_dh_parameters
 from vyos.template import render
 from vyos.utils.dict import dict_search
 from vyos.utils.process import call
@@ -84,33 +85,14 @@ def verify(https):
 if https is None:
 return None
-if 'certificates' in https and 'certificate' in https['certificates']:
-cert_name = https['certificates']['certificate']
-if 'pki' not in https:
-raise ConfigError('PKI is not configured!')
-
-if cert_name not in https['pki']['certificate']:
-raise ConfigError('Invalid certificate in configuration!')
+if dict_search('certificates.certificate', https) != None:
+verify_pki_certificate(https, https['certificates']['certificate'])
-pki_cert = https['pki']['certificate'][cert_name]
-
-if 'certificate' not in pki_cert:
-raise ConfigError('Missing certificate in configuration!')
+tmp = dict_search('certificates.ca_certificate', https)
+if tmp != None: verify_pki_ca_certificate(https, tmp)
-if 'private' not in pki_cert or 'key' not in pki_cert['private']:
-raise ConfigError('Missing certificate private key in configuration!')
-
-if 'dh_params' in https['certificates']:
-dh_name = https['certificates']['dh_params']
-if dh_name not in https['pki']['dh']:
-raise ConfigError('Invalid DH parameter in configuration!')
-
-pki_dh = https['pki']['dh'][dh_name]
-dh_params = load_dh_parameters(pki_dh['parameters'])
-dh_numbers = dh_params.parameter_numbers()
-dh_bits = dh_numbers.p.bit_length()
-if dh_bits < 2048:
-raise ConfigError(f'Minimum DH key-size is 2048 bits')
+tmp = dict_search('certificates.dh_params', https)
+if tmp != None: verify_pki_dh_parameters(https, tmp, 2048)
 else:
 Warning('No certificate specified, using build-in self-signed certificates. '\
@@ -214,7 +196,8 @@ def apply(https):
 https_service_name = 'nginx.service'
 if https is None:
-call(f'systemctl stop {http_api_service_name}')
+if is_systemd_service_active(http_api_service_name):
+call(f'systemctl stop {http_api_service_name}')
 call(f'systemctl stop {https_service_name}')
 return |
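Review bot: The removed block in verify() explicitly rejected a certificate whose private key was absent (`'private' not in pki_cert or 'key' not in pki_cert['private']`), while the replacement `verify_pki_certificate(https, https['certificates']['certificate'])` only gives that guarantee if the new common helper enforces it, which this diff does not show. apply() still calls wrap_private_key on that entry (the import is kept in the first hunk), so if the helper does not check the key, the failure would move from commit-time verify to apply-time; please confirm or keep an explicit key check here. Because the `else:` still attaches to the `if dict_search('certificates.certificate', https) != None:` branch, the new ca_certificate and dh_params checks run only when a leaf certificate is configured, so a ca_certificate set on its own is not validated at all unless the CLI definition already forbids that combination. On style, the three new `!= None` comparisons should be `is not None`, and the one-line `if tmp != None: verify_pki_ca_certificate(https, tmp)` forms are worth splitting onto two lines like the rest of the file. verify() continues past the end of this hunk.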
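Review bot: `is_systemd_service_active` is used on the new side of the apply() hunk but is not among the imports this patch touches, so it must already be imported further up the file or the `https is None` path will raise NameError at the first `delete service https` commit; please confirm, since the import hunk shows only `call` coming from vyos.utils.process. The same guard is not applied to the unconditional `call(f'systemctl stop {https_service_name}')` on the next line, so for consistency either guard both or neither, e.g. `if is_systemd_service_active(https_service_name): call(f'systemctl stop {https_service_name}')`. This change is also unrelated to the T6198 verify-helper subject and is not mentioned in the commit message, so a one-line note there (or a separate commit) would help bisecting. apply() continues outside the hunk.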