From 5a7c46016a23387312b2c9e18528ad7bb20e8366 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 6 Jul 2021 23:19:48 +0200
Subject: pki: T3642: Migrate rsa-keys to PKI configuration

---
 src/op_mode/vpn_ipsec.py | 94 ++----------------------------------------------
 1 file changed, 3 insertions(+), 91 deletions(-)

(limited to 'src/op_mode')

diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index ad7efbf2d..06e227ccf 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -14,91 +14,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import base64
-import os
 import re
-import struct
-import sys
 import argparse
 from subprocess import TimeoutExpired
 
-from vyos.util import ask_yes_no, call, cmd, process_named_running
-from Cryptodome.PublicKey.RSA import importKey
+from vyos.util import call
 
-RSA_LOCAL_KEY_PATH = '/config/ipsec.d/rsa-keys/localhost.key'
-RSA_LOCAL_PUB_PATH = '/etc/ipsec.d/certs/localhost.pub'
-RSA_KEY_PATHS = ['/config/auth', '/config/ipsec.d/rsa-keys']
-
-X509_CONFIG_PATH = '/etc/ipsec.d/key-pair.template'
-X509_PATH = '/config/auth/'
-
-IPSEC_CONF = '/etc/ipsec.conf'
 SWANCTL_CONF = '/etc/swanctl/swanctl.conf'
 
-def migrate_to_vyatta_key(path):
-    with open(path, 'r') as f:
-        key = importKey(f.read())
-        e = key.e.to_bytes((key.e.bit_length() + 7) // 8, 'big')
-        n = key.n.to_bytes((key.n.bit_length() + 7) // 8, 'big')
-        return '0s' + str(base64.b64encode(struct.pack('B', len(e)) + e + n), 'ascii')
-    return None
-
-def find_rsa_keys():
-    keys = []
-    for path in RSA_KEY_PATHS:
-        if not os.path.exists(path):
-            continue
-        for filename in os.listdir(path):
-            full_path = os.path.join(path, filename)
-            if os.path.isfile(full_path) and full_path.endswith(".key"):
-                keys.append(full_path)
-    return keys
-
-def show_rsa_keys():
-    for key_path in find_rsa_keys():
-        print('Private key: ' + os.path.basename(key_path))
-        print('Public key: ' + migrate_to_vyatta_key(key_path) + '\n')
-
-def generate_rsa_key(bits = 2192):
-    if (bits < 16 or bits > 4096) or bits % 16 != 0:
-        print('Invalid bit length')
-        return
-
-    if os.path.exists(RSA_LOCAL_KEY_PATH):
-        if not ask_yes_no("A local RSA key file already exists and will be overwritten. Continue?"):
-            return
-
-    print(f'Generating rsa-key to {RSA_LOCAL_KEY_PATH}')
-
-    directory = os.path.dirname(RSA_LOCAL_KEY_PATH)
-    call(f'sudo mkdir -p {directory}')
-    result = call(f'sudo /usr/bin/openssl genrsa -out {RSA_LOCAL_KEY_PATH} {bits}')
-
-    if result != 0:
-        print(f'Could not generate RSA key: {result}')
-        return
-
-    call(f'sudo /usr/bin/openssl rsa -inform PEM -in {RSA_LOCAL_KEY_PATH} -pubout -out {RSA_LOCAL_PUB_PATH}')
-
-    print('Your new local RSA key has been generated')
-    print('The public portion of the key is:\n')
-    print(migrate_to_vyatta_key(RSA_LOCAL_KEY_PATH))
-
-def generate_x509_pair(name):
-    if os.path.exists(X509_PATH + name):
-        if not ask_yes_no("A certificate request with this name already exists and will be overwritten. Continue?"):
-            return
-
-    result = os.system(f'openssl req -new -nodes -keyout {X509_PATH}{name}.key -out {X509_PATH}{name}.csr -config {X509_CONFIG_PATH}')
-    
-    if result != 0:
-        print(f'Could not generate x509 key-pair: {result}')
-        return
-
-    print('Private key and certificate request has been generated')
-    print(f'CSR: {X509_PATH}{name}.csr')
-    print(f'Private key: {X509_PATH}{name}.key')
-
 def get_peer_connections(peer, tunnel, return_all = False):
     search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*'
     matches = []
@@ -183,23 +106,12 @@ def debug_peer(peer, tunnel):
 if __name__ == '__main__':
     parser = argparse.ArgumentParser()
     parser.add_argument('--action', help='Control action', required=True)
-    parser.add_argument('--bits', help='Bits for rsa-key', required=False)
-    parser.add_argument('--name', help='Name for x509 key-pair, peer for reset', required=False)
+    parser.add_argument('--name', help='Name for peer reset', required=False)
     parser.add_argument('--tunnel', help='Specific tunnel of peer', required=False)
 
     args = parser.parse_args()
 
-    if args.action == 'rsa-key':
-        bits = int(args.bits) if args.bits else 2192
-        generate_rsa_key(bits)
-    elif args.action == 'rsa-key-show':
-        show_rsa_keys()
-    elif args.action == 'x509':
-        if not args.name:
-            print('Invalid name for key-pair, aborting.')
-            sys.exit(0)
-        generate_x509_pair(args.name)
-    elif args.action == 'reset-peer':
+    if args.action == 'reset-peer':
         reset_peer(args.name, args.tunnel)
     elif args.action == "reset-profile":
         reset_profile(args.name, args.tunnel)
-- 
cgit v1.2.3