From 015bd0c7597030d91cfcb4523f91ee3a57ed0d65 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 14 Jun 2024 13:28:56 +0200
Subject: op-mode: T6407: "generate pki" missed to mangle in ACME certificates
 when required

If the certificate requested for generating an Apple iOS profile is an ACME-issued
certificate, the ACME certificate content must also be mangled in so that the
certificate's issuer name can be retrieved.

(cherry picked from commit 1bc67d498c4d71da78aa46d1d2f9fe9752f59860)
---
 op-mode-definitions/generate-ipsec-profile.xml.in | 10 ++--
 src/op_mode/ikev2_profile_generator.py            | 57 +++++++++++++----------
 2 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/op-mode-definitions/generate-ipsec-profile.xml.in b/op-mode-definitions/generate-ipsec-profile.xml.in
index b7203d7d1..afa299da2 100644
--- a/op-mode-definitions/generate-ipsec-profile.xml.in
+++ b/op-mode-definitions/generate-ipsec-profile.xml.in
@@ -28,7 +28,7 @@
                         <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
                       </completionHelp>
                     </properties>
-                    <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
+                    <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command>
                     <children>
                       <tagNode name="name">
                         <properties>
@@ -37,7 +37,7 @@
                             <list>&lt;name&gt;</list>
                           </completionHelp>
                         </properties>
-                        <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
+                        <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command>
                         <children>
                           <tagNode name="profile">
                             <properties>
@@ -46,7 +46,7 @@
                                 <list>&lt;name&gt;</list>
                               </completionHelp>
                             </properties>
-                            <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
+                            <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command>
                           </tagNode>
                         </children>
                       </tagNode>
@@ -57,7 +57,7 @@
                             <list>&lt;name&gt;</list>
                           </completionHelp>
                         </properties>
-                        <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
+                        <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command>
                         <children>
                           <tagNode name="name">
                             <properties>
@@ -66,7 +66,7 @@
                                 <list>&lt;name&gt;</list>
                               </completionHelp>
                             </properties>
-                            <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
+                            <command>sudo ${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command>
                           </tagNode>
                         </children>
                       </tagNode>
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 169a15840..b193d8109 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -21,6 +21,7 @@ from socket import getfqdn
 from cryptography.x509.oid import NameOID
 
 from vyos.configquery import ConfigTreeQuery
+from vyos.config import config_dict_mangle_acme
 from vyos.pki import CERT_BEGIN
 from vyos.pki import CERT_END
 from vyos.pki import find_chain
@@ -123,6 +124,8 @@ pki_base = ['pki']
 conf = ConfigTreeQuery()
 if not conf.exists(config_base):
     exit('IPsec remote-access is not configured!')
+if not conf.exists(pki_base):
+    exit('PKI is not configured!')
 
 profile_name = 'VyOS IKEv2 Profile'
 if args.profile:
@@ -147,30 +150,36 @@ tmp = getfqdn().split('.')
 tmp = reversed(tmp)
 data['rfqdn'] = '.'.join(tmp)
 
-pki = conf.get_config_dict(pki_base, get_first_key=True)
-cert_name = data['authentication']['x509']['certificate']
-
-cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
-data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_certificates'] = []
-
-loaded_ca_certs = {load_certificate(c['certificate'])
-    for c in pki['ca'].values()} if 'ca' in pki else {}
-
-for ca_name in data['authentication']['x509']['ca_certificate']:
-    loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-    ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
-    for ca in ca_full_chain:
-        tmp = {
-            'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
-            'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
-        }
-        data['ca_certificates'].append(tmp)
-
-# Remove duplicate list entries for CA certificates, as they are added by their common name
-# https://stackoverflow.com/a/9427216
-data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
+if args.os == 'ios':
+    pki = conf.get_config_dict(pki_base, get_first_key=True)
+    if 'certificate' in pki:
+        for certificate in pki['certificate']:
+            pki['certificate'][certificate] = config_dict_mangle_acme(certificate, pki['certificate'][certificate])
+
+    cert_name = data['authentication']['x509']['certificate']
+
+
+    cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
+    data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    data['ca_certificates'] = []
+
+    loaded_ca_certs = {load_certificate(c['certificate'])
+        for c in pki['ca'].values()} if 'ca' in pki else {}
+
+    for ca_name in data['authentication']['x509']['ca_certificate']:
+        loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+        ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+        for ca in ca_full_chain:
+            tmp = {
+                'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
+                'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
+            }
+            data['ca_certificates'].append(tmp)
+
+    # Remove duplicate list entries for CA certificates, as they are added by their common name
+    # https://stackoverflow.com/a/9427216
+    data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
 
 esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
                                      key_mangling=('-', '_'), get_first_key=True)
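Review bot: The lookup `pki['certificate'][cert_name]` still raises a bare KeyError when the connection's x509 certificate is not present under `pki certificate` — the new `conf.exists(pki_base)` guard earlier in the file only proves the `pki` node exists. A short guard right after `cert_name` is assigned, `if cert_name not in pki.get('certificate', {}): exit(f'Certificate "{cert_name}" not found in PKI!')`, and the same check for each `ca_name` against `pki.get('ca', {})`, turns the traceback into the operator-facing message style the script already uses. The `[0]` on `get_attributes_for_oid(NameOID.COMMON_NAME)` likewise raises IndexError for a certificate whose subject or issuer carries no CN; whether every ACME-issued leaf certificate has a subject CN is not established by this hunk, so that is worth confirming. The stray double blank line after the `cert_name` assignment is a PEP 8 nit. The script continues past the hunk (`esp_proposals` and what follows are outside it).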
-- 