author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-06 23:19:48 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2021-07-07 00:53:27 +0200 |
commit | 5a7c46016a23387312b2c9e18528ad7bb20e8366 (patch) | |
tree | 8bde3ac286bc552bea9322efcdda33e05e3a86e9 /src/conf_mode/vpn_rsa-keys.py | |
parent | 511253635a9b67396788d24bacafd237594e0e12 (diff) | |
pki: T3642: Migrate rsa-keys to PKI configuration
Diffstat (limited to 'src/conf_mode/vpn_rsa-keys.py')
-rwxr-xr-x | src/conf_mode/vpn_rsa-keys.py | 113 |
1 files changed, 0 insertions, 113 deletions
diff --git a/src/conf_mode/vpn_rsa-keys.py b/src/conf_mode/vpn_rsa-keys.py
deleted file mode 100755
index 83de93088..000000000
--- a/src/conf_mode/vpn_rsa-keys.py
+++ /dev/null
@@ -1,113 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import base64
-import os
-import struct
-
-from sys import exit
-
-from vyos.config import Config
-from vyos.util import call
-from vyos import ConfigError
-from vyos import airbag
-from Cryptodome.PublicKey.RSA import construct
-
-airbag.enable()
-
-LOCAL_KEY_PATHS = ['/config/auth/', '/config/ipsec.d/rsa-keys/']
-LOCAL_OUTPUT = '/etc/swanctl/pubkey/localhost.pub'
-LOCAL_KEY_OUTPUT = '/etc/swanctl/private/localhost.key'
-
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
- base = ['vpn', 'rsa-keys']
- if not conf.exists(base):
- return None
-
- return conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
-
-def verify(conf):
- if not conf:
- return
-
- if 'local_key' in conf and 'file' in conf['local_key']:
- local_key = conf['local_key']['file']
- if not local_key:
- raise ConfigError(f'Invalid local-key')
-
- if not get_local_key(local_key):
- raise ConfigError(f'File not found for local-key: {local_key}')
-
-def get_local_key(local_key):
- for path in LOCAL_KEY_PATHS:
- full_path = os.path.join(path, local_key)
- if os.path.exists(full_path):
- return full_path
- return False
-
-def generate(conf):
- if not conf:
- return
-
- if 'local_key' in conf and 'file' in conf['local_key']:
- local_key = conf['local_key']['file']
- local_key_path = get_local_key(local_key)
- call(f'sudo cp -f {local_key_path} {LOCAL_KEY_OUTPUT}')
- call(f'sudo /usr/bin/openssl rsa -in {local_key_path} -pubout -out {LOCAL_OUTPUT}')
-
- if 'rsa_key_name' in conf:
- for key_name, key_conf in conf['rsa_key_name'].items():
- if 'rsa_key' not in key_conf:
- continue
-
- remote_key = key_conf['rsa_key']
-
- if remote_key[:2] == "0s": # Vyatta format
- remote_key = migrate_from_vyatta_key(remote_key)
- else:
- remote_key = bytes('-----BEGIN PUBLIC KEY-----\n' + remote_key + '\n-----END PUBLIC KEY-----\n', 'utf-8')
-
- with open(f'/etc/swanctl/pubkey/{key_name}.pub', 'wb') as f:
- f.write(remote_key)
-
-def migrate_from_vyatta_key(data):
- data = base64.b64decode(data[2:])
- length = struct.unpack('B', data[:1])[0]
- e = int.from_bytes(data[1:1+length], 'big')
- n = int.from_bytes(data[1+length:], 'big')
- pubkey = construct((n, e))
- return pubkey.exportKey(format='PEM')
-
-def apply(conf):
- if not conf:
- return
-
- call('sudo /usr/sbin/ipsec rereadall')
- call('sudo /usr/sbin/ipsec reload')
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- exit(1) |