summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-20 15:43:43 +0200
committerGitHub <noreply@github.com>2021-07-20 15:43:43 +0200
commit4ff379d18a750314fda2b2fec5a1e285bd92f15c (patch)
tree36d0090231779a272e03718e1ccc9d6c906f1220 /src
parent2975c5e835fd323ef5d47bebec27e4d08e04dd7a (diff)
parent70785300b0dbd11bcd805f7d2906e77fc826f4a7 (diff)
downloadvyos-1x-4ff379d18a750314fda2b2fec5a1e285bd92f15c.tar.gz
vyos-1x-4ff379d18a750314fda2b2fec5a1e285bd92f15c.zip
Merge pull request #930 from sarthurdev/pki_migration
pki: openconnect: sstp: T3642: Migrate OpenConnect and SSTP to PKI configuration
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_openconnect.py65
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py72
-rwxr-xr-xsrc/migration-scripts/openconnect/0-to-1136
-rwxr-xr-xsrc/migration-scripts/sstp/3-to-4136
4 files changed, 384 insertions, 25 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 2986c3458..f6db196dc 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -19,9 +19,11 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import dict_merge
-from vyos.xml import defaults
+from vyos.pki import wrap_certificate
+from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
+from vyos.xml import defaults
from vyos import ConfigError
from crypt import crypt, mksalt, METHOD_SHA512
@@ -50,6 +52,10 @@ def get_config():
default_values = defaults(base)
ocserv = dict_merge(default_values, ocserv)
+ if ocserv:
+ ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+
return ocserv
def verify(ocserv):
@@ -72,14 +78,36 @@ def verify(ocserv):
raise ConfigError('openconnect authentication credentials required')
# Check ssl
- if "ssl" in ocserv:
- req_cert = ['cert_file', 'key_file']
- for cert in req_cert:
- if not cert in ocserv["ssl"]:
- raise ConfigError('openconnect ssl {0} required'.format(cert.replace('_', '-')))
- else:
+ if 'ssl' not in ocserv:
raise ConfigError('openconnect ssl required')
+ if not ocserv['pki'] or 'certificate' not in ocserv['pki']:
+ raise ConfigError('PKI not configured')
+
+ ssl = ocserv['ssl']
+ if 'certificate' not in ssl:
+ raise ConfigError('openconnect ssl certificate required')
+
+ cert_name = ssl['certificate']
+
+ if cert_name not in ocserv['pki']['certificate']:
+ raise ConfigError('Invalid openconnect ssl certificate')
+
+ cert = ocserv['pki']['certificate'][cert_name]
+
+ if 'certificate' not in cert:
+ raise ConfigError('Missing certificate in PKI')
+
+ if 'private' not in cert or 'key' not in cert['private']:
+ raise ConfigError('Missing private key in PKI')
+
+ if 'ca_certificate' in ssl:
+ if 'ca' not in ocserv['pki']:
+ raise ConfigError('PKI not configured')
+
+ if ssl['ca_certificate'] not in ocserv['pki']['ca']:
+ raise ConfigError('Invalid openconnect ssl CA certificate')
+
# Check network settings
if "network_settings" in ocserv:
if "push_route" in ocserv["network_settings"]:
@@ -109,6 +137,29 @@ def generate(ocserv):
# Render local users
render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"])
+ if "ssl" in ocserv:
+ cert_file_path = os.path.join(cfg_dir, 'cert.pem')
+ cert_key_path = os.path.join(cfg_dir, 'cert.key')
+ ca_cert_file_path = os.path.join(cfg_dir, 'ca.pem')
+
+ if 'certificate' in ocserv['ssl']:
+ cert_name = ocserv['ssl']['certificate']
+ pki_cert = ocserv['pki']['certificate'][cert_name]
+
+ with open(cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_cert['certificate']))
+
+ if 'private' in pki_cert and 'key' in pki_cert['private']:
+ with open(cert_key_path, 'w') as f:
+ f.write(wrap_private_key(pki_cert['private']['key']))
+
+ if 'ca_certificate' in ocserv['ssl']:
+ ca_name = ocserv['ssl']['ca_certificate']
+ pki_ca_cert = ocserv['pki']['ca'][ca_name]
+
+ with open(ca_cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_ca_cert['certificate']))
+
# Render config
render(ocserv_conf, 'ocserv/ocserv_config.tmpl', ocserv)
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 47367f125..d1a71a5ad 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -21,6 +21,8 @@ from sys import exit
from vyos.config import Config
from vyos.configdict import get_accel_dict
from vyos.configverify import verify_accel_ppp_base_service
+from vyos.pki import wrap_certificate
+from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
@@ -28,6 +30,7 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
+cfg_dir = '/run/accel-pppd'
sstp_conf = '/run/accel-pppd/sstp.conf'
sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
@@ -42,6 +45,11 @@ def get_config(config=None):
# retrieve common dictionary keys
sstp = get_accel_dict(conf, base, sstp_chap_secrets)
+
+ if sstp:
+ sstp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+
return sstp
def verify(sstp):
@@ -56,31 +64,59 @@ def verify(sstp):
#
# SSL certificate checks
#
- tmp = dict_search('ssl.ca_cert_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL CA certificate file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL CA certificate "{tmp}" does not exist!')
+ if not sstp['pki']:
+ raise ConfigError('PKI is not configured')
- tmp = dict_search('ssl.cert_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL public key file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL public key "{tmp}" does not exist!')
+ if 'ssl' not in sstp:
+ raise ConfigError('SSL missing on SSTP config')
- tmp = dict_search('ssl.key_file', sstp)
- if not tmp:
- raise ConfigError(f'SSL private key file required!')
- else:
- if not os.path.isfile(tmp):
- raise ConfigError(f'SSL private key "{tmp}" does not exist!')
+ ssl = sstp['ssl']
+
+ if 'ca_certificate' not in ssl:
+ raise ConfigError('SSL CA certificate missing on SSTP config')
+
+ if 'certificate' not in ssl:
+ raise ConfigError('SSL certificate missing on SSTP config')
+
+ cert_name = ssl['certificate']
+
+ if ssl['ca_certificate'] not in sstp['pki']['ca']:
+ raise ConfigError('Invalid CA certificate on SSTP config')
+
+ if cert_name not in sstp['pki']['certificate']:
+ raise ConfigError('Invalid certificate on SSTP config')
+
+ pki_cert = sstp['pki']['certificate'][cert_name]
+
+ if 'private' not in pki_cert or 'key' not in pki_cert['private']:
+ raise ConfigError('Missing private key for certificate on SSTP config')
+
+ if 'password_protected' in pki_cert['private']:
+ raise ConfigError('Encrypted private key is not supported on SSTP config')
def generate(sstp):
if not sstp:
return None
+ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
+ cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
+ ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
+
+ cert_name = sstp['ssl']['certificate']
+ pki_cert = sstp['pki']['certificate'][cert_name]
+
+ with open(cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_cert['certificate']))
+
+ with open(cert_key_path, 'w') as f:
+ f.write(wrap_private_key(pki_cert['private']['key']))
+
+ ca_cert_name = sstp['ssl']['ca_certificate']
+ pki_ca = sstp['pki']['ca'][ca_cert_name]
+
+ with open(ca_cert_file_path, 'w') as f:
+ f.write(wrap_certificate(pki_ca['certificate']))
+
# accel-cmd reload doesn't work so any change results in a restart of the daemon
render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp)
diff --git a/src/migration-scripts/openconnect/0-to-1 b/src/migration-scripts/openconnect/0-to-1
new file mode 100755
index 000000000..83cd09143
--- /dev/null
+++ b/src/migration-scripts/openconnect/0-to-1
@@ -0,0 +1,136 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - Update SSL to use PKI configuration
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+from vyos.util import run
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'openconnect']
+pki_base = ['pki']
+
+if not config.exists(base):
+ exit(0)
+
+AUTH_DIR = '/config/auth'
+
+def wrapped_pem_to_config_value(pem):
+ return "".join(pem.strip().split("\n")[1:-1])
+
+if not config.exists(base + ['ssl']):
+ exit(0)
+
+x509_base = base + ['ssl']
+pki_name = 'openconnect'
+
+if not config.exists(pki_base + ['ca']):
+ config.set(pki_base + ['ca'])
+ config.set_tag(pki_base + ['ca'])
+
+if not config.exists(pki_base + ['certificate']):
+ config.set(pki_base + ['certificate'])
+ config.set_tag(pki_base + ['certificate'])
+
+if config.exists(x509_base + ['ca-cert-file']):
+ cert_file = config.return_value(x509_base + ['ca-cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['ca-certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate CA certificate on openconnect config')
+
+ config.delete(x509_base + ['ca-cert-file'])
+
+if config.exists(x509_base + ['cert-file']):
+ cert_file = config.return_value(x509_base + ['cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate certificate on openconnect config')
+
+ config.delete(x509_base + ['cert-file'])
+
+if config.exists(x509_base + ['key-file']):
+ key_file = config.return_value(x509_base + ['key-file'])
+ key_path = os.path.join(AUTH_DIR, key_file)
+ key = None
+
+ if os.path.isfile(key_path):
+ if not os.access(key_path, os.R_OK):
+ run(f'sudo chmod 644 {key_path}')
+
+ with open(key_path, 'r') as f:
+ key_data = f.read()
+ key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+ if key:
+ key_pem = encode_private_key(key, passphrase=None)
+ config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+ else:
+ print(f'Failed to migrate private key on openconnect config')
+
+ config.delete(x509_base + ['key-file'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/sstp/3-to-4 b/src/migration-scripts/sstp/3-to-4
new file mode 100755
index 000000000..0568f043f
--- /dev/null
+++ b/src/migration-scripts/sstp/3-to-4
@@ -0,0 +1,136 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - Update SSL to use PKI configuration
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+from vyos.util import run
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'sstp']
+pki_base = ['pki']
+
+if not config.exists(base):
+ exit(0)
+
+AUTH_DIR = '/config/auth'
+
+def wrapped_pem_to_config_value(pem):
+ return "".join(pem.strip().split("\n")[1:-1])
+
+if not config.exists(base + ['ssl']):
+ exit(0)
+
+x509_base = base + ['ssl']
+pki_name = 'sstp'
+
+if not config.exists(pki_base + ['ca']):
+ config.set(pki_base + ['ca'])
+ config.set_tag(pki_base + ['ca'])
+
+if not config.exists(pki_base + ['certificate']):
+ config.set(pki_base + ['certificate'])
+ config.set_tag(pki_base + ['certificate'])
+
+if config.exists(x509_base + ['ca-cert-file']):
+ cert_file = config.return_value(x509_base + ['ca-cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['ca-certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate CA certificate on sstp config')
+
+ config.delete(x509_base + ['ca-cert-file'])
+
+if config.exists(x509_base + ['cert-file']):
+ cert_file = config.return_value(x509_base + ['cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate certificate on sstp config')
+
+ config.delete(x509_base + ['cert-file'])
+
+if config.exists(x509_base + ['key-file']):
+ key_file = config.return_value(x509_base + ['key-file'])
+ key_path = os.path.join(AUTH_DIR, key_file)
+ key = None
+
+ if os.path.isfile(key_path):
+ if not os.access(key_path, os.R_OK):
+ run(f'sudo chmod 644 {key_path}')
+
+ with open(key_path, 'r') as f:
+ key_data = f.read()
+ key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+ if key:
+ key_pem = encode_private_key(key, passphrase=None)
+ config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+ else:
+ print(f'Failed to migrate private key on sstp config')
+
+ config.delete(x509_base + ['key-file'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)