From 3cd4da1b41a9044088068973dc50079d1c8407ae Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 11 Jul 2023 22:58:04 +0200
Subject: pki: T5275: Add op-mode output options for PEM format
---
op-mode-definitions/pki.xml.in | 33 +++++++++++++++++++++++++++++++++
src/op_mode/pki.py | 29 +++++++++++++++++++++++------
2 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in
index 346febec0..c5abf86cd 100644
--- a/op-mode-definitions/pki.xml.in
+++ b/op-mode-definitions/pki.xml.in
@@ -505,6 +505,14 @@
sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "$4"
+
+
+
+ Show x509 CA certificate in PEM format
+
+ sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "$4" --pem
+
+
@@ -520,6 +528,14 @@
sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4"
+
+
+
+ Show x509 certificate in PEM format
+
+ sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --pem
+
+
@@ -527,6 +543,23 @@
sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "all"
+
+
+ Show x509 certificate revocation lists by CA name
+
+ pki ca
+
+
+ sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "$4"
+
+
+
+ Show x509 certificate revocation lists by CA name in PEM format
+
+ sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "$4" --pem
+
+
+
sudo ${vyos_op_scripts_dir}/pki.py --action show
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index b054690b0..7ea295ff1 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -840,7 +840,7 @@ def import_openvpn_secret(name, path):
install_openvpn_key(name, key_data, key_version)
# Show functions
-def show_certificate_authority(name=None):
+def show_certificate_authority(name=None, pem=False):
headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent']
data = []
certs = get_config_ca_certificate()
@@ -852,6 +852,11 @@ def show_certificate_authority(name=None):
continue
cert = load_certificate(cert_dict['certificate'])
+
+ if name and pem:
+ print(encode_certificate(cert))
+ return
+
parent_ca_name = get_certificate_ca(cert, certs)
cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
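Review bot: `--pem` is silently ignored when the CA name is omitted, because the new guard `if name and pem:` only fires for a single CA and the table is printed instead for `all`. Either reject that combination at the CLI layer or print each CA's PEM in turn; in both cases the new parameter deserves a line of documentation, e.g. `pem: when a single CA is selected, print only its PEM-encoded certificate and skip the table`. The early `return` also means the "Certificate Authorities:" header is never printed in PEM mode, which is the right choice if the output is meant to be redirected into a file. show_certificate_authority starts outside the hunk.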
@@ -867,7 +872,7 @@ def show_certificate_authority(name=None):
print("Certificate Authorities:")
print(tabulate.tabulate(data, headers))
-def show_certificate(name=None):
+def show_certificate(name=None, pem=False):
headers = ['Name', 'Type', 'Subject CN', 'Issuer CN', 'Issued', 'Expiry', 'Revoked', 'Private Key', 'CA Present']
data = []
certs = get_config_certificate()
@@ -885,6 +890,10 @@ def show_certificate(name=None):
if not cert:
continue
+ if name and pem:
+ print(encode_certificate(cert))
+ return
+
ca_name = get_certificate_ca(cert, ca_certs)
cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
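Review bot: The new `pem` parameter on show_certificate is undocumented, and the same `all` plus `--pem` combination as in show_certificate_authority is silently treated as a table request. A comment above the guard would make the intent clear: `# PEM mode: emit only the encoded certificate (no header, no table) so the output can be piped into a file`. The `cert` object being encoded is loaded earlier in the function outside this hunk; presumably it is the public certificate only, so no private key material is emitted here, but that is worth confirming against the loader. show_certificate starts outside the hunk.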
@@ -906,7 +915,7 @@ def show_certificate(name=None):
print("Certificates:")
print(tabulate.tabulate(data, headers))
-def show_crl(name=None):
+def show_crl(name=None, pem=False):
headers = ['CA Name', 'Updated', 'Revokes']
data = []
certs = get_config_ca_certificate()
@@ -927,9 +936,16 @@ def show_crl(name=None):
if not crl:
continue
+ if name and pem:
+ print(encode_certificate(crl))
+ continue
+
certs = get_revoked_by_serial_numbers([revoked.serial_number for revoked in crl])
data.append([cert_name, crl.last_update, ", ".join(certs)])
+ if name and pem:
+ return
+
print("Certificate Revocation Lists:")
print(tabulate.tabulate(data, headers))
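Review bot: `encode_certificate(crl)` applies a certificate helper to a CRL object; that only works if the helper does nothing beyond `public_bytes(Encoding.PEM)`, which this hunk does not show. Consider an explicitly named `encode_crl` wrapper in the same module, or at minimum a comment `# CRL objects expose the same public_bytes() interface, so the certificate encoder is reused here`. The `continue` inside the loop paired with the post-loop `if name and pem: return` is correct, since `data` is never populated in PEM mode, but a one-line comment saying so would save the next reader a double take. show_crl starts outside the hunk.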
@@ -943,6 +959,7 @@ if __name__ == '__main__':
parser.add_argument('--crl', help='Certificate Revocation List', required=False)
parser.add_argument('--sign', help='Sign certificate with specified CA', required=False)
parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true')
+ parser.add_argument('--pem', help='Output using PEM encoding', action='store_true')
# SSH
parser.add_argument('--ssh', help='SSH Key', required=False)
@@ -1032,16 +1049,16 @@ if __name__ == '__main__':
if not conf.exists(['pki', 'ca', ca_name]):
print(f'CA "{ca_name}" does not exist!')
exit(1)
- show_certificate_authority(ca_name)
+ show_certificate_authority(ca_name, args.pem)
elif args.certificate:
cert_name = None if args.certificate == 'all' else args.certificate
if cert_name:
if not conf.exists(['pki', 'certificate', cert_name]):
print(f'Certificate "{cert_name}" does not exist!')
exit(1)
- show_certificate(None if args.certificate == 'all' else args.certificate)
+ show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
elif args.crl:
- show_crl(None if args.crl == 'all' else args.crl)
+ show_crl(None if args.crl == 'all' else args.crl, args.pem)
else:
show_certificate_authority()
show_certificate()
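Review bot: The CRL branch has no existence check, unlike the CA and certificate branches above it, so the new `show pki crl <name>` command with a bogus CA name prints an empty table (or, with `--pem`, nothing at all) and exits 0 instead of reporting the error. Adding the same `conf.exists(['pki', 'ca', ...])` guard keeps the three branches consistent; while there, the certificate branch can pass the already-computed `cert_name` rather than repeating the ternary on the call line. The enclosing `if __name__ == '__main__':` block starts outside the hunk and may continue past it.
```python
        show_certificate(cert_name, args.pem)
    elif args.crl:
        crl_name = None if args.crl == 'all' else args.crl
        if crl_name and not conf.exists(['pki', 'ca', crl_name]):
            print(f'CA "{crl_name}" does not exist!')
            exit(1)
        show_crl(crl_name, args.pem)
    # … unchanged: else branch showing all CAs and certificates …
```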
--
cgit v1.2.3