Merge "Add Intermediate CA support to IPsec configuration"

sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py

@@ -144,6 +144,7 @@ class Client(object):
             self.ots_token = msg['token']
             self.hostname = msg['hostname']
             key = base64.b64decode(msg['pub_key'])
+            root_ca_cert = base64.b64decode(msg['root_ca_cert'])
             ca_cert = base64.b64decode(msg['ca_cert'])
             digest = base64.b64decode(msg['hash'])
 
@@ -154,8 +155,10 @@ class Client(object):
                 return False
 
             utils.save_data(constants.TMP_PUK1_FILE, key)
+            utils.save_data(constants.TRUSTED_ROOT_CA_CERT_1_PATH, root_ca_cert)
             utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
             if self.op_code == constants.OP_CODE_INITIAL_AUTH:
+                utils.save_data(constants.TRUSTED_ROOT_CA_CERT_0_PATH, root_ca_cert)
                 utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)
 
         if self.state == State.STAGE_4:

sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py

@@ -29,10 +29,14 @@ SECRET_SYSTEM_LOCAL_CA = 'system-local-ca'
 # the last tls certificate associated with system-local-ca,
 # while system-local-ca-1.crt file is the current certificate
 # associated with system-local-ca.
+TRUSTED_ROOT_CA_CERT_FILE_0 = 'system-root-ca-0.crt'
+TRUSTED_ROOT_CA_CERT_FILE_1 = 'system-root-ca-1.crt'
 TRUSTED_CA_CERT_FILE_0 = 'system-local-ca-0.crt'
 TRUSTED_CA_CERT_FILE_1 = 'system-local-ca-1.crt'
 TRUSTED_CA_CERT_FILES = TRUSTED_CA_CERT_FILE_0 + ',' + TRUSTED_CA_CERT_FILE_1
 TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'
+TRUSTED_ROOT_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_ROOT_CA_CERT_FILE_0
+TRUSTED_ROOT_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_ROOT_CA_CERT_FILE_1
 TRUSTED_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_0
 TRUSTED_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_1
 

sysinv/sysinv/sysinv/sysinv/ipsec_auth/server/server.py

@@ -88,6 +88,7 @@ class IPsecConnection(object):
     kubeapi = kubernetes.KubeOperator()
     CA_KEY = 'tls.key'
     CA_CRT = 'tls.crt'
+    ROOT_CA_CRT = 'ca.crt'
 
     def __init__(self):
         self.op_code = None
@@ -102,6 +103,7 @@ class IPsecConnection(object):
         self.ots_token = Token()
         self.ca_key = self._get_system_local_ca_secret_info(self.CA_KEY)
         self.ca_crt = self._get_system_local_ca_secret_info(self.CA_CRT)
+        self.root_ca_crt = self._get_system_local_ca_secret_info(self.ROOT_CA_CRT)
         self.state = State.STAGE_1
 
     def handle_messaging(self, sock, sel):
@@ -144,7 +146,7 @@ class IPsecConnection(object):
             data = json.loads(recv_message.decode('utf-8'))
             payload = {}
 
-            if not self.ca_key or not self.ca_crt:
+            if not self.ca_key or not self.ca_crt or not self.root_ca_crt:
                 raise ValueError('Failed to retrieve system-local-ca information')
 
             if self.state == State.STAGE_2:
@@ -169,6 +171,7 @@ class IPsecConnection(object):
                 payload["hostname"] = self.hostname
                 payload["pub_key"] = pub_key.decode("utf-8")
                 payload["ca_cert"] = self.ca_crt.decode("utf-8")
+                payload["root_ca_cert"] = self.root_ca_crt.decode("utf-8")
                 payload["hash"] = hash_payload.decode("utf-8")
 
                 LOG.info("Sending IPSec Auth Response")