Store IPSec cert and keys in LUKS filesystem
Change-Id: Ifccd747bd1db8f565d4744d99d94a61a22d5890e Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
parent
69e075e250
commit
5b1e4a6bdd
|
@ -69,8 +69,9 @@ def main():
|
|||
|
||||
logging.setup(CONF, 'ipsec-client')
|
||||
|
||||
if not os.path.exists(constants.TMP_DIR_IPSEC_KEYS):
|
||||
os.makedirs(constants.TMP_DIR_IPSEC_KEYS)
|
||||
if not os.path.exists(constants.LUKS_DIR_IPSEC_KEYS):
|
||||
os.makedirs(constants.LUKS_DIR_IPSEC_KEYS)
|
||||
os.makedirs(constants.LUKS_DIR_IPSEC_CERTS)
|
||||
|
||||
client = Client(host, port, opcode)
|
||||
client.run()
|
||||
|
|
|
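Review bot: Both `os.makedirs` calls for the LUKS directories use the default mode, so the keys and certs directories are created 0o777 masked only by the process umask; for directories that will hold `.key` files, `os.makedirs(constants.LUKS_DIR_IPSEC_KEYS, mode=0o700, exist_ok=True)` and the same for `LUKS_DIR_IPSEC_CERTS` would be the safer form. That form also removes a structural problem: if `os.makedirs(constants.LUKS_DIR_IPSEC_CERTS)` sits inside the same `if` as the keys call (indentation is lost in this rendering), the certs directory is only created when the keys directory is missing, and `makedirs` raises `FileExistsError` whenever it already exists. Nothing in this hunk checks that the LUKS volume is actually mounted; if it is not, `makedirs` silently creates plain directories on the underlying root filesystem and the key material written later lands unencrypted, so an `os.path.ismount` check on the mount root before this block (the mount point itself is not a constant on this page) would fail closed. `main()` starts outside the hunk.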
@ -68,8 +68,12 @@ class Client(object):
|
|||
# TODO: Save PRK2 in LUKS Filesystem
|
||||
prk2_file = constants.CERT_NAME_PREFIX + \
|
||||
self.hostname[constants.UNIT_HOSTNAME] + '.key'
|
||||
|
||||
prk2_luks_path = constants.LUKS_DIR_IPSEC_KEYS + prk2_file
|
||||
prk2_path = constants.CERT_SYSTEM_LOCAL_PRIVATE_DIR + prk2_file
|
||||
utils.save_data(prk2_path, prk2_bytes)
|
||||
|
||||
utils.save_data(prk2_luks_path, prk2_bytes)
|
||||
utils.create_symlink(prk2_luks_path, prk2_path)
|
||||
|
||||
return prk2
|
||||
|
||||
|
@ -77,8 +81,8 @@ class Client(object):
|
|||
def _generate_ak1(self, puk1_data):
|
||||
ak1 = os.urandom(32)
|
||||
|
||||
# TODO: Save AK1 in LUKS Filesystem
|
||||
utils.save_data(constants.TMP_AK1_FILE, ak1)
|
||||
# Save AK1 in LUKS Filesystem
|
||||
utils.save_data(constants.LUKS_AK1_FILE, ak1)
|
||||
|
||||
return ak1
|
||||
|
||||
|
@ -97,7 +101,7 @@ class Client(object):
|
|||
def _generate_message_3(self):
|
||||
message = {}
|
||||
|
||||
puk1_data = utils.load_data(constants.TMP_PUK1_FILE)
|
||||
puk1_data = utils.load_data(constants.LUKS_PUK1_FILE)
|
||||
puc_data = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
|
||||
|
||||
LOG.info("Generate RSA Private Key (PRK2).")
|
||||
|
@ -154,7 +158,7 @@ class Client(object):
|
|||
LOG.exception("%s" % msg)
|
||||
return False
|
||||
|
||||
utils.save_data(constants.TMP_PUK1_FILE, key)
|
||||
utils.save_data(constants.LUKS_PUK1_FILE, key)
|
||||
utils.save_data(constants.TRUSTED_ROOT_CA_CERT_1_PATH, root_ca_cert)
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
|
||||
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
|
||||
|
@ -183,8 +187,11 @@ class Client(object):
|
|||
cert_file = constants.CERT_NAME_PREFIX + \
|
||||
self.hostname[constants.UNIT_HOSTNAME] + '.crt'
|
||||
|
||||
cert_luks_path = constants.LUKS_DIR_IPSEC_CERTS + cert_file
|
||||
cert_path = constants.CERT_SYSTEM_LOCAL_DIR + cert_file
|
||||
utils.save_data(cert_path, cert)
|
||||
|
||||
utils.save_data(cert_luks_path, cert)
|
||||
utils.create_symlink(cert_luks_path, cert_path)
|
||||
|
||||
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
|
||||
if self.personality == constants.CONTROLLER:
|
||||
|
|
|
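Review bot: The private key written by `utils.save_data(prk2_luks_path, prk2_bytes)` has no visible permission handling, and `save_data` is outside this diff, so whether the file ends up owner-only cannot be confirmed here; if it uses a plain `open()` the key is created per umask, typically 0o644. Either `save_data` should create key files with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` or an `os.chmod(prk2_luks_path, 0o600)` belongs right after the write, and the same applies to AK1 at `utils.save_data(constants.LUKS_AK1_FILE, ak1)` in the next hunk. The markers are lost in this rendering, so I cannot tell whether `utils.save_data(prk2_path, prk2_bytes)` survives on the new side; if it does, the key is first written in plaintext under `/etc/swanctl/private/` and only then unlinked by `create_symlink`, which defeats the purpose of the change. Finally, `/etc/swanctl/private/<name>.key` now resolves through a symlink into the LUKS mount, so a strongSwan start before the volume is mounted sees a dangling link; a comment at the `utils.create_symlink(prk2_luks_path, prk2_path)` call noting that ordering dependency would help the next maintainer. The enclosing method starts outside the hunk.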
@ -43,12 +43,13 @@ CERT_SYSTEM_LOCAL_DIR = '/etc/swanctl/x509/'
|
|||
CERT_SYSTEM_LOCAL_PRIVATE_DIR = '/etc/swanctl/private/'
|
||||
CERT_NAME_PREFIX = 'system-ipsec-certificate-'
|
||||
|
||||
TMP_DIR_IPSEC = '/tmp/ipsec/'
|
||||
TMP_DIR_IPSEC_KEYS = TMP_DIR_IPSEC + 'keys/'
|
||||
TMP_FILE_IPSEC_PUK1 = 'puk1.crt'
|
||||
TMP_FILE_IPSEC_AK1_KEY = 'ak1.key'
|
||||
TMP_PUK1_FILE = TMP_DIR_IPSEC + TMP_FILE_IPSEC_PUK1
|
||||
TMP_AK1_FILE = TMP_DIR_IPSEC_KEYS + TMP_FILE_IPSEC_AK1_KEY
|
||||
LUKS_DIR_IPSEC = '/var/luks/stx/luks_fs/ipsec/'
|
||||
LUKS_DIR_IPSEC_KEYS = LUKS_DIR_IPSEC + 'keys/'
|
||||
LUKS_DIR_IPSEC_CERTS = LUKS_DIR_IPSEC + 'certs/'
|
||||
LUKS_FILE_IPSEC_PUK1 = 'puk1.key'
|
||||
LUKS_FILE_IPSEC_AK1_KEY = 'ak1.key'
|
||||
LUKS_PUK1_FILE = LUKS_DIR_IPSEC_KEYS + LUKS_FILE_IPSEC_PUK1
|
||||
LUKS_AK1_FILE = LUKS_DIR_IPSEC_KEYS + LUKS_FILE_IPSEC_AK1_KEY
|
||||
|
||||
UNIT_HOSTNAME = 'unit_hostname'
|
||||
FLOATING_UNIT_HOSTNAME = 'floating_unit_hostname'
|
||||
|
|
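Review bot: `LUKS_DIR_IPSEC = '/var/luks/stx/luks_fs/ipsec/'` bakes the mount root into the directory path, leaving callers no constant for the mount point itself, which is what `main()` would need for an `os.path.ismount` check before writing key material there. Splitting it, e.g. a mount-root constant followed by `LUKS_DIR_IPSEC = <LUKS_MOUNT_ROOT placeholder> + 'ipsec/'`, keeps every existing name unchanged while making a mounted-state check possible. Which path segment is the actual mount point is inferred from the name and not visible on this page.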
|
@ -304,3 +304,11 @@ def kube_apply_certificate_request(body):
|
|||
return None
|
||||
|
||||
return signed_cert.stdout.decode("utf-8").strip("'")
|
||||
|
||||
|
||||
def create_symlink(src, dst):
|
||||
if os.path.exists(dst):
|
||||
if os.path.realpath(src) == dst:
|
||||
return
|
||||
os.unlink(dst)
|
||||
os.symlink(src, dst)
|
||||
|
|
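Review bot: `create_symlink` skips the cleanup when `dst` is a dangling symlink, because `os.path.exists(dst)` follows the link and returns False, after which `os.symlink(src, dst)` raises `FileExistsError`; that is exactly the state left behind when the LUKS volume is not mounted or an earlier target was removed, and `if os.path.lexists(dst):` sees the link itself. The early-return test `os.path.realpath(src) == dst` also appears to have its operands swapped: resolving the LUKS-side `src` cannot yield the `/etc/swanctl` path, so the function always unlinks and recreates, whereas `if os.path.islink(dst) and os.path.realpath(dst) == os.path.realpath(src):` expresses the intended "already points there" check. Note too that `os.unlink(dst)` removes whatever regular file was there before, presumably the previously stored plaintext key, without any overwrite; that is acceptable for the migration but worth a docstring sentence stating that the destination is replaced, not preserved.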