pki: sstp: T3642: Migrate SSTP to PKI configuration

author: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2021-07-20 12:05:50 +0200
committer: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2021-07-20 14:49:10 +0200
commit: 70785300b0dbd11bcd805f7d2906e77fc826f4a7 (patch)
tree: 36d0090231779a272e03718e1ccc9d6c906f1220 /src
parent: 2bb8817348a6df639ec9959298422b7e7b923823 (diff)
download: vyos-1x-70785300b0dbd11bcd805f7d2906e77fc826f4a7.tar.gz
vyos-1x-70785300b0dbd11bcd805f7d2906e77fc826f4a7.zip
2 files changed, 190 insertions, 18 deletions
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 47367f125..d1a71a5ad 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -21,6 +21,8 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_accel_dict
 from vyos.configverify import verify_accel_ppp_base_service
+from vyos.pki import wrap_certificate
+from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.util import call
 from vyos.util import dict_search
@@ -28,6 +30,7 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
+cfg_dir = '/run/accel-pppd'
 sstp_conf = '/run/accel-pppd/sstp.conf'
 sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
 
@@ -42,6 +45,11 @@ def get_config(config=None):
 
     # retrieve common dictionary keys
     sstp = get_accel_dict(conf, base, sstp_chap_secrets)
+
+    if sstp:
+        sstp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+                                get_first_key=True, no_tag_node_value_mangle=True)
+
     return sstp
 
 def verify(sstp):
@@ -56,31 +64,59 @@ def verify(sstp):
     #
     # SSL certificate checks
     #
-    tmp = dict_search('ssl.ca_cert_file', sstp)
-    if not tmp:
-        raise ConfigError(f'SSL CA certificate file required!')
-    else:
-        if not os.path.isfile(tmp):
-            raise ConfigError(f'SSL CA certificate "{tmp}" does not exist!')
+    if not sstp['pki']:
+        raise ConfigError('PKI is not configured')
 
-    tmp = dict_search('ssl.cert_file', sstp)
-    if not tmp:
-        raise ConfigError(f'SSL public key file required!')
-    else:
-        if not os.path.isfile(tmp):
-            raise ConfigError(f'SSL public key "{tmp}" does not exist!')
+    if 'ssl' not in sstp:
+        raise ConfigError('SSL missing on SSTP config')
 
-    tmp = dict_search('ssl.key_file', sstp)
-    if not tmp:
-        raise ConfigError(f'SSL private key file required!')
-    else:
-        if not os.path.isfile(tmp):
-            raise ConfigError(f'SSL private key "{tmp}" does not exist!')
+    ssl = sstp['ssl']
+
+    if 'ca_certificate' not in ssl:
+        raise ConfigError('SSL CA certificate missing on SSTP config')
+
+    if 'certificate' not in ssl:
+        raise ConfigError('SSL certificate missing on SSTP config')
+
+    cert_name = ssl['certificate']
+
+    if ssl['ca_certificate'] not in sstp['pki']['ca']:
+        raise ConfigError('Invalid CA certificate on SSTP config')
+
+    if cert_name not in sstp['pki']['certificate']:
+        raise ConfigError('Invalid certificate on SSTP config')
+
+    pki_cert = sstp['pki']['certificate'][cert_name]
+
+    if 'private' not in pki_cert or 'key' not in pki_cert['private']:
+        raise ConfigError('Missing private key for certificate on SSTP config')
+
+    if 'password_protected' in pki_cert['private']:
+        raise ConfigError('Encrypted private key is not supported on SSTP config')
 
 def generate(sstp):
     if not sstp:
         return None
 
+    cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
+    cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
+    ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
+
+    cert_name = sstp['ssl']['certificate']
+    pki_cert = sstp['pki']['certificate'][cert_name]
+
+    with open(cert_file_path, 'w') as f:
+        f.write(wrap_certificate(pki_cert['certificate']))
+
+    with open(cert_key_path, 'w') as f:
+        f.write(wrap_private_key(pki_cert['private']['key']))
+
+    ca_cert_name = sstp['ssl']['ca_certificate']
+    pki_ca = sstp['pki']['ca'][ca_cert_name]
+
+    with open(ca_cert_file_path, 'w') as f:
+        f.write(wrap_certificate(pki_ca['certificate']))
+
     # accel-cmd reload doesn't work so any change results in a restart of the daemon
     render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp)
 
diff --git a/src/migration-scripts/sstp/3-to-4 b/src/migration-scripts/sstp/3-to-4
new file mode 100755
index 000000000..0568f043f
--- /dev/null
+++ b/src/migration-scripts/sstp/3-to-4
@@ -0,0 +1,136 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - Update SSL to use PKI configuration
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+from vyos.util import run
+
+if (len(argv) < 1):
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'sstp']
+pki_base = ['pki']
+
+if not config.exists(base):
+    exit(0)
+
+AUTH_DIR = '/config/auth'
+
+def wrapped_pem_to_config_value(pem):
+    return "".join(pem.strip().split("\n")[1:-1])
+
+if not config.exists(base + ['ssl']):
+    exit(0)
+
+x509_base = base + ['ssl']
+pki_name = 'sstp'
+
+if not config.exists(pki_base + ['ca']):
+    config.set(pki_base + ['ca'])
+    config.set_tag(pki_base + ['ca'])
+
+if not config.exists(pki_base + ['certificate']):
+    config.set(pki_base + ['certificate'])
+    config.set_tag(pki_base + ['certificate'])
+
+if config.exists(x509_base + ['ca-cert-file']):
+    cert_file = config.return_value(x509_base + ['ca-cert-file'])
+    cert_path = os.path.join(AUTH_DIR, cert_file)
+    cert = None
+
+    if os.path.isfile(cert_path):
+        if not os.access(cert_path, os.R_OK):
+            run(f'sudo chmod 644 {cert_path}')
+
+        with open(cert_path, 'r') as f:
+            cert_data = f.read()
+            cert = load_certificate(cert_data, wrap_tags=False)
+
+    if cert:
+        cert_pem = encode_certificate(cert)
+        config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+        config.set(x509_base + ['ca-certificate'], value=pki_name)
+    else:
+        print(f'Failed to migrate CA certificate on sstp config')
+
+    config.delete(x509_base + ['ca-cert-file'])
+
+if config.exists(x509_base + ['cert-file']):
+    cert_file = config.return_value(x509_base + ['cert-file'])
+    cert_path = os.path.join(AUTH_DIR, cert_file)
+    cert = None
+
+    if os.path.isfile(cert_path):
+        if not os.access(cert_path, os.R_OK):
+            run(f'sudo chmod 644 {cert_path}')
+
+        with open(cert_path, 'r') as f:
+            cert_data = f.read()
+            cert = load_certificate(cert_data, wrap_tags=False)
+
+    if cert:
+        cert_pem = encode_certificate(cert)
+        config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+        config.set(x509_base + ['certificate'], value=pki_name)
+    else:
+        print(f'Failed to migrate certificate on sstp config')
+
+    config.delete(x509_base + ['cert-file'])
+
+if config.exists(x509_base + ['key-file']):
+    key_file = config.return_value(x509_base + ['key-file'])
+    key_path = os.path.join(AUTH_DIR, key_file)
+    key = None
+
+    if os.path.isfile(key_path):
+        if not os.access(key_path, os.R_OK):
+            run(f'sudo chmod 644 {key_path}')
+
+        with open(key_path, 'r') as f:
+            key_data = f.read()
+            key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+    if key:
+        key_pem = encode_private_key(key, passphrase=None)
+        config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+    else:
+        print(f'Failed to migrate private key on sstp config')
+        
+    config.delete(x509_base + ['key-file'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
author	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2021-07-20 12:05:50 +0200
committer	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2021-07-20 14:49:10 +0200
commit	70785300b0dbd11bcd805f7d2906e77fc826f4a7 (patch)
tree	36d0090231779a272e03718e1ccc9d6c906f1220 /src
parent	2bb8817348a6df639ec9959298422b7e7b923823 (diff)
download	vyos-1x-70785300b0dbd11bcd805f7d2906e77fc826f4a7.tar.gz vyos-1x-70785300b0dbd11bcd805f7d2906e77fc826f4a7.zip