# Copyright 2021-2024 VyOS maintainers and contributors # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License # along with this library. If not, see . # * Migrate system signed certificate to use PKI from vyos.configtree import ConfigTree from vyos.pki import create_certificate from vyos.pki import create_certificate_request from vyos.pki import create_private_key from vyos.pki import encode_certificate from vyos.pki import encode_private_key base = ['service', 'https', 'certificates'] pki_base = ['pki'] def wrapped_pem_to_config_value(pem): out = [] for line in pem.strip().split("\n"): if not line or line.startswith("-----") or line[0] == '#': continue out.append(line) return "".join(out) def migrate(config: ConfigTree) -> None: if not config.exists(base + ['system-generated-certificate']): return if not config.exists(pki_base + ['certificate']): config.set(pki_base + ['certificate']) config.set_tag(pki_base + ['certificate']) valid_days = 365 if config.exists(base + ['system-generated-certificate', 'lifetime']): valid_days = int(config.return_value(base + ['system-generated-certificate', 'lifetime'])) key = create_private_key('rsa', 2048) subject = {'country': 'GB', 'state': 'N/A', 'locality': 'N/A', 'organization': 'VyOS', 'common_name': 'vyos'} cert_req = create_certificate_request(subject, key, ['vyos']) cert = create_certificate(cert_req, cert_req, key, valid_days) if cert: cert_pem = encode_certificate(cert) config.set(pki_base + ['certificate', 'generated_https', 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) if key: key_pem = encode_private_key(key) config.set(pki_base + ['certificate', 'generated_https', 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) if cert and key: config.set(base + ['certificate'], value='generated_https') else: print('Failed to migrate system-generated-certificate from https service') config.delete(base + ['system-generated-certificate'])