-rw-r--r-- | op-mode-definitions/pki.xml.in | 33 | ||||
-rwxr-xr-x | src/op_mode/pki.py | 29 |
2 files changed, 56 insertions, 6 deletions
diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in
index 346febec0..c5abf86cd 100644
--- a/op-mode-definitions/pki.xml.in
+++ b/op-mode-definitions/pki.xml.in
@@ -505,6 +505,14 @@
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "$4"</command>
+ <children>
+ <leafNode name="pem">
+ <properties>
+ <help>Show x509 CA certificate in PEM format</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "$4" --pem</command>
+ </leafNode>
+ </children>
 </tagNode>
 <leafNode name="certificate">
 <properties>
@@ -520,6 +528,14 @@
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4"</command>
+ <children>
+ <leafNode name="pem">
+ <properties>
+ <help>Show x509 certificate in PEM format</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --pem</command>
+ </leafNode>
+ </children>
 </tagNode>
 <leafNode name="crl">
 <properties>
@@ -527,6 +543,23 @@
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "all"</command>
 </leafNode>
+ <tagNode name="crl">
+ <properties>
+ <help>Show x509 certificate revocation lists by CA name</help>
+ <completionHelp>
+ <path>pki ca</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "$4"</command>
+ <children>
+ <leafNode name="pem">
+ <properties>
+ <help>Show x509 certificate revocation lists by CA name in PEM format</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "$4" --pem</command>
+ </leafNode>
+ </children>
+ </tagNode>
 </children>
 <command>sudo ${vyos_op_scripts_dir}/pki.py --action show</command>
 </node>
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index b054690b0..7ea295ff1 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -840,7 +840,7 @@ def import_openvpn_secret(name, path):
 install_openvpn_key(name, key_data, key_version)
 # Show functions
-def show_certificate_authority(name=None):
+def show_certificate_authority(name=None, pem=False):
 headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent']
 data = []
 certs = get_config_ca_certificate()
@@ -852,6 +852,11 @@ def show_certificate_authority(name=None):
 continue
 cert = load_certificate(cert_dict['certificate'])
+
+ if name and pem:
+ print(encode_certificate(cert))
+ return
+
 parent_ca_name = get_certificate_ca(cert, certs)
 cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
@@ -867,7 +872,7 @@ def show_certificate_authority(name=None):
 print("Certificate Authorities:")
 print(tabulate.tabulate(data, headers))
-def show_certificate(name=None):
+def show_certificate(name=None, pem=False):
 headers = ['Name', 'Type', 'Subject CN', 'Issuer CN', 'Issued', 'Expiry', 'Revoked', 'Private Key', 'CA Present']
 data = []
 certs = get_config_certificate()
@@ -885,6 +890,10 @@ def show_certificate(name=None):
 if not cert:
 continue
+ if name and pem:
+ print(encode_certificate(cert))
+ return
+
 ca_name = get_certificate_ca(cert, ca_certs)
 cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
 cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
@@ -906,7 +915,7 @@ def show_certificate(name=None):
 print("Certificates:")
 print(tabulate.tabulate(data, headers))
-def show_crl(name=None):
+def show_crl(name=None, pem=False):
 headers = ['CA Name', 'Updated', 'Revokes']
 data = []
 certs = get_config_ca_certificate()
@@ -927,9 +936,16 @@ def show_crl(name=None):
 if not crl:
 continue
+ if name and pem:
+ print(encode_certificate(crl))
+ continue
+
 certs = get_revoked_by_serial_numbers([revoked.serial_number for revoked in crl])
 data.append([cert_name, crl.last_update, ", ".join(certs)])
+ if name and pem:
+ return
+
 print("Certificate Revocation Lists:")
 print(tabulate.tabulate(data, headers))
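Review bot: The new `pem` parameter on show_certificate_authority is undocumented, and the same applies to show_certificate (hunk @@ -867) and show_crl (hunk @@ -906). In all three the PEM branch is taken only when both `name` and `pem` are truthy (hunks @@ -852, @@ -885, @@ -927), so `pem=True` combined with `name=None` silently falls back to the table; that contract is worth stating under each signature, e.g. `"""Print a table of CAs, or only the PEM of the single CA `name` when pem is True (pem is ignored without a name)."""` with the obvious wording change for certificates and CRLs. The function bodies continue outside these hunks.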
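Review bot: In hunk @@ -927 show_crl passes a CRL object to `encode_certificate`, which only works if that helper is limited to a `public_bytes(Encoding.PEM)` call that certificate and CRL objects both expose; the helper's definition is outside this diff, so that is worth confirming or making explicit with a CRL-named encoder. The PEM path here uses `continue` plus a second `if name and pem: return` after the loop, whereas the two functions above return from inside the loop; if a CA carries at most one CRL, a `return` in the loop and dropping the post-loop check would make the three functions read the same. As written the added `continue` also skips building `certs` for the selected CA, so nothing but the PEM is printed, which appears intended. The loop and its filtering on `name` start outside the hunk.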
@@ -943,6 +959,7 @@ if __name__ == '__main__':
 parser.add_argument('--crl', help='Certificate Revocation List', required=False)
 parser.add_argument('--sign', help='Sign certificate with specified CA', required=False)
 parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true')
+ parser.add_argument('--pem', help='Output using PEM encoding', action='store_true')
 # SSH
 parser.add_argument('--ssh', help='SSH Key', required=False)
@@ -1032,16 +1049,16 @@ if __name__ == '__main__':
 if not conf.exists(['pki', 'ca', ca_name]):
 print(f'CA "{ca_name}" does not exist!')
 exit(1)
- show_certificate_authority(ca_name)
+ show_certificate_authority(ca_name, args.pem)
 elif args.certificate:
 cert_name = None if args.certificate == 'all' else args.certificate
 if cert_name:
 if not conf.exists(['pki', 'certificate', cert_name]):
 print(f'Certificate "{cert_name}" does not exist!')
 exit(1)
- show_certificate(None if args.certificate == 'all' else args.certificate)
+ show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
 elif args.crl:
- show_crl(None if args.crl == 'all' else args.crl)
+ show_crl(None if args.crl == 'all' else args.crl, args.pem)
 else:
 show_certificate_authority()
 show_certificate() |
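Review bot: In hunk @@ -1032 the `--crl` branch hands the name straight to show_crl without the `conf.exists` check that the `--ca` and `--certificate` branches perform, so `--crl <unknown> --pem` now prints nothing and exits 0 where the other two print a `does not exist!` message and `exit(1)`. Since the XML completion for the new `crl` tag node lists `pki ca`, the CRL name is presumably a CA name, and mirroring the check with `crl_name = None if args.crl == 'all' else args.crl`, `if crl_name and not conf.exists(['pki', 'ca', crl_name]): print(f'CA "{crl_name}" does not exist!'); exit(1)` would make the three branches behave alike. The three calls also pass `args.pem` positionally behind a conditional expression; `pem=args.pem` reads clearer. `--pem` given with `all` or without any selector is silently ignored; a `parser.error(...)` for that combination would surface the misuse instead of printing the table. The `__main__` block starts and ends outside the hunk.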