starlingx
/
config
Code Issues Proposed changes

Store IPSec cert and keys in LUKS filesystem 

Change-Id: Ifccd747bd1db8f565d4744d99d94a61a22d5890e
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
This commit is contained in:
Leonardo Mendes 2024-05-09 10:34:03 -03:00
parent 69e075e250
commit 5b1e4a6bdd
4 changed files with 31 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sysinv/sysinv/sysinv/sysinv/cmd/ipsec_client.py
View File

@ -69,8 +69,9 @@ def main():
logging.setup(CONF, 'ipsec-client')
if not os.path.exists(constants.TMP_DIR_IPSEC_KEYS):
os.makedirs(constants.TMP_DIR_IPSEC_KEYS)
if not os.path.exists(constants.LUKS_DIR_IPSEC_KEYS):
os.makedirs(constants.LUKS_DIR_IPSEC_KEYS)
os.makedirs(constants.LUKS_DIR_IPSEC_CERTS)
client = Client(host, port, opcode)
client.run()

19
sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
View File

@ -68,8 +68,12 @@ class Client(object):
# TODO: Save PRK2 in LUKS Filesystem
prk2_file = constants.CERT_NAME_PREFIX + \
self.hostname[constants.UNIT_HOSTNAME] + '.key'
prk2_luks_path = constants.LUKS_DIR_IPSEC_KEYS + prk2_file
prk2_path = constants.CERT_SYSTEM_LOCAL_PRIVATE_DIR + prk2_file
utils.save_data(prk2_path, prk2_bytes)
utils.save_data(prk2_luks_path, prk2_bytes)
utils.create_symlink(prk2_luks_path, prk2_path)
return prk2
@ -77,8 +81,8 @@ class Client(object):
def _generate_ak1(self, puk1_data):
ak1 = os.urandom(32)
# TODO: Save AK1 in LUKS Filesystem
utils.save_data(constants.TMP_AK1_FILE, ak1)
# Save AK1 in LUKS Filesystem
utils.save_data(constants.LUKS_AK1_FILE, ak1)
return ak1
@ -97,7 +101,7 @@ class Client(object):
def _generate_message_3(self):
message = {}
puk1_data = utils.load_data(constants.TMP_PUK1_FILE)
puk1_data = utils.load_data(constants.LUKS_PUK1_FILE)
puc_data = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
LOG.info("Generate RSA Private Key (PRK2).")
@ -154,7 +158,7 @@ class Client(object):
LOG.exception("%s" % msg)
return False
utils.save_data(constants.TMP_PUK1_FILE, key)
utils.save_data(constants.LUKS_PUK1_FILE, key)
utils.save_data(constants.TRUSTED_ROOT_CA_CERT_1_PATH, root_ca_cert)
utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
@ -183,8 +187,11 @@ class Client(object):
cert_file = constants.CERT_NAME_PREFIX + \
self.hostname[constants.UNIT_HOSTNAME] + '.crt'
cert_luks_path = constants.LUKS_DIR_IPSEC_CERTS + cert_file
cert_path = constants.CERT_SYSTEM_LOCAL_DIR + cert_file
utils.save_data(cert_path, cert)
utils.save_data(cert_luks_path, cert)
utils.create_symlink(cert_luks_path, cert_path)
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
if self.personality == constants.CONTROLLER:

13
sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
View File

@ -43,12 +43,13 @@ CERT_SYSTEM_LOCAL_DIR = '/etc/swanctl/x509/'
CERT_SYSTEM_LOCAL_PRIVATE_DIR = '/etc/swanctl/private/'
CERT_NAME_PREFIX = 'system-ipsec-certificate-'
TMP_DIR_IPSEC = '/tmp/ipsec/'
TMP_DIR_IPSEC_KEYS = TMP_DIR_IPSEC + 'keys/'
TMP_FILE_IPSEC_PUK1 = 'puk1.crt'
TMP_FILE_IPSEC_AK1_KEY = 'ak1.key'
TMP_PUK1_FILE = TMP_DIR_IPSEC + TMP_FILE_IPSEC_PUK1
TMP_AK1_FILE = TMP_DIR_IPSEC_KEYS + TMP_FILE_IPSEC_AK1_KEY
LUKS_DIR_IPSEC = '/var/luks/stx/luks_fs/ipsec/'
LUKS_DIR_IPSEC_KEYS = LUKS_DIR_IPSEC + 'keys/'
LUKS_DIR_IPSEC_CERTS = LUKS_DIR_IPSEC + 'certs/'
LUKS_FILE_IPSEC_PUK1 = 'puk1.key'
LUKS_FILE_IPSEC_AK1_KEY = 'ak1.key'
LUKS_PUK1_FILE = LUKS_DIR_IPSEC_KEYS + LUKS_FILE_IPSEC_PUK1
LUKS_AK1_FILE = LUKS_DIR_IPSEC_KEYS + LUKS_FILE_IPSEC_AK1_KEY
UNIT_HOSTNAME = 'unit_hostname'
FLOATING_UNIT_HOSTNAME = 'floating_unit_hostname'

8
sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/utils.py
View File

@ -304,3 +304,11 @@ def kube_apply_certificate_request(body):
return None
return signed_cert.stdout.decode("utf-8").strip("'")
def create_symlink(src, dst):
if os.path.exists(dst):
if os.path.realpath(src) == dst:
return
os.unlink(dst)
os.symlink(src, dst)