authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-20 12:05:50 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-07-20 14:49:10 +0200
commit70785300b0dbd11bcd805f7d2906e77fc826f4a7 (patch)
tree36d0090231779a272e03718e1ccc9d6c906f1220 /src/conf_mode
parent2bb8817348a6df639ec9959298422b7e7b923823 (diff)
pki: sstp: T3642: Migrate SSTP to PKI configuration
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py72
1 files changed, 54 insertions, 18 deletions
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 47367f125..d1a71a5ad 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -21,6 +21,8 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import get_accel_dict
from vyos.configverify import verify_accel_ppp_base_service
+from vyos.pki import wrap_certificate
+from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
@@ -28,6 +30,7 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
+cfg_dir = '/run/accel-pppd'
sstp_conf = '/run/accel-pppd/sstp.conf'
sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
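Review bot: With `cfg_dir` now introduced on the line above, the two existing paths repeat the same directory string literally, which is a style inconsistency with the `os.path.join(cfg_dir, ...)` calls this commit adds in generate(). Deriving them from the new constant keeps a single source of truth: `sstp_conf = os.path.join(cfg_dir, 'sstp.conf')` and `sstp_chap_secrets = os.path.join(cfg_dir, 'sstp.chap-secrets')`. `os` is already used elsewhere in this file, so no new import is needed.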
@@ -42,6 +45,11 @@ def get_config(config=None):
# retrieve common dictionary keys
sstp = get_accel_dict(conf, base, sstp_chap_secrets)
+
+ if sstp:
+ sstp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+
return sstp
def verify(sstp):
@@ -56,31 +64,59 @@ def verify(sstp):
#
# SSL certificate checks
#
- tmp = dict_search('ssl.ca_cert_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL CA certificate file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL CA certificate "{tmp}" does not exist!')
+ if not sstp['pki']:
+ raise ConfigError('PKI is not configured')
- tmp = dict_search('ssl.cert_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL public key file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL public key "{tmp}" does not exist!')
+ if 'ssl' not in sstp:
+ raise ConfigError('SSL missing on SSTP config')
- tmp = dict_search('ssl.key_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL private key file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL private key "{tmp}" does not exist!')
+ ssl = sstp['ssl']
+
+ if 'ca_certificate' not in ssl:
+ raise ConfigError('SSL CA certificate missing on SSTP config')
+
+ if 'certificate' not in ssl:
+ raise ConfigError('SSL certificate missing on SSTP config')
+
+ cert_name = ssl['certificate']
+
+ if ssl['ca_certificate'] not in sstp['pki']['ca']:
+ raise ConfigError('Invalid CA certificate on SSTP config')
+
+ if cert_name not in sstp['pki']['certificate']:
+ raise ConfigError('Invalid certificate on SSTP config')
+
+ pki_cert = sstp['pki']['certificate'][cert_name]
+
+ if 'private' not in pki_cert or 'key' not in pki_cert['private']:
+ raise ConfigError('Missing private key for certificate on SSTP config')
+
+ if 'password_protected' in pki_cert['private']:
+ raise ConfigError('Encrypted private key is not supported on SSTP config')
def generate(sstp):
if not sstp:
return None
+ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
+ cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
+ ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
+
+ cert_name = sstp['ssl']['certificate']
+ pki_cert = sstp['pki']['certificate'][cert_name]
+
+ with open(cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_cert['certificate']))
+
+ with open(cert_key_path, 'w') as f:
+ f.write(wrap_private_key(pki_cert['private']['key']))
+
+ ca_cert_name = sstp['ssl']['ca_certificate']
+ pki_ca = sstp['pki']['ca'][ca_cert_name]
+
+ with open(ca_cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_ca['certificate']))
+
# accel-cmd reload doesn't work so any change results in a restart of the daemon
render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp)
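Review bot: The private key written in generate() via `with open(cert_key_path, 'w') as f:` is created with the process's default umask, so unless `/run/accel-pppd` is itself access-restricted (not visible here) the PEM key becomes readable by other local users; tighten it immediately after the write with `os.chmod(cert_key_path, 0o600)`, or create it with `os.open(cert_key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` so the file never exists with a wider mode. In verify(), `ssl['ca_certificate'] not in sstp['pki']['ca']` and `cert_name not in sstp['pki']['certificate']` index the PKI dict without checking that the `ca` / `certificate` subtrees exist, so a PKI tree containing only one of them yields a KeyError traceback instead of the intended ConfigError; since `dict_search` is already imported, `if ssl['ca_certificate'] not in (dict_search('ca', sstp['pki']) or {}):` (and the same pattern for `certificate`) preserves the error path. The opening lines of verify() precede this hunk and generate() continues past it, so the same key material may also need cleanup in code not shown here.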