Merge "Add Intermediate CA support to IPsec configuration"
a1aa5b93fb
|
@ -144,6 +144,7 @@ class Client(object):
|
|||
self.ots_token = msg['token']
|
||||
self.hostname = msg['hostname']
|
||||
key = base64.b64decode(msg['pub_key'])
|
||||
root_ca_cert = base64.b64decode(msg['root_ca_cert'])
|
||||
ca_cert = base64.b64decode(msg['ca_cert'])
|
||||
digest = base64.b64decode(msg['hash'])
|
||||
|
||||
|
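Review bot: The newly decoded `root_ca_cert` (L18) is later written into the swanctl trust directory (hunk at L30-L61), but whether the digest compared before the `return False` at L33 covers it is not visible here — the check's condition sits outside this hunk, and on the server side `hash_payload` (hunk at L185-L208, L200) is built outside that hunk as well. If the digest is computed only over the pre-existing fields, the root CA a peer sends is installed as a trust anchor without integrity protection; confirm that both the server-side hash input and the client-side verification include `root_ca_cert`, and record it with a comment such as `# digest must cover pub_key, ca_cert and root_ca_cert`. Also, `msg['root_ca_cert']` raises `KeyError` for a peer that does not send the field (a pre-change server), which will surface as an unhandled exception rather than the `return False` path. The enclosing method begins before this hunk.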
@ -154,8 +155,10 @@ class Client(object):
|
|||
return False
|
||||
|
||||
utils.save_data(constants.TMP_PUK1_FILE, key)
|
||||
utils.save_data(constants.TRUSTED_ROOT_CA_CERT_1_PATH, root_ca_cert)
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
|
||||
if self.op_code == constants.OP_CODE_INITIAL_AUTH:
|
||||
utils.save_data(constants.TRUSTED_ROOT_CA_CERT_0_PATH, root_ca_cert)
|
||||
utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)
|
||||
|
||||
if self.state == State.STAGE_4:
|
||||
|
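Review bot: L41 and L50 write the received root CA certificate straight into `TRUSTED_CA_CERT_DIR` alongside the intermediate at L44/L53, with no visible check that `ca_cert` actually chains to `root_ca_cert` before either becomes a trust anchor; if the validation that leads to `return False` (condition outside this hunk) only verifies the digest, an unrelated root would still be installed. Consider verifying the issuer/signature relationship between the two certificates before the `save_data` calls and documenting which fields the preceding check covers, e.g. `# root_ca_cert and ca_cert are only saved after the digest check above and after confirming ca_cert is issued by root_ca_cert`. Note that on non-initial auth only the `_1` files are replaced, so `_0` root and intermediate stay paired with each other — worth a one-line comment so the rotation is not mistaken for a bug.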
|
|
@ -29,10 +29,14 @@ SECRET_SYSTEM_LOCAL_CA = 'system-local-ca'
|
|||
# the last tls certificate associated with system-local-ca,
|
||||
# while system-local-ca-1.crt file is the current certificate
|
||||
# associated with system-local-ca.
|
||||
TRUSTED_ROOT_CA_CERT_FILE_0 = 'system-root-ca-0.crt'
|
||||
TRUSTED_ROOT_CA_CERT_FILE_1 = 'system-root-ca-1.crt'
|
||||
TRUSTED_CA_CERT_FILE_0 = 'system-local-ca-0.crt'
|
||||
TRUSTED_CA_CERT_FILE_1 = 'system-local-ca-1.crt'
|
||||
TRUSTED_CA_CERT_FILES = TRUSTED_CA_CERT_FILE_0 + ',' + TRUSTED_CA_CERT_FILE_1
|
||||
TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'
|
||||
TRUSTED_ROOT_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_ROOT_CA_CERT_FILE_0
|
||||
TRUSTED_ROOT_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_ROOT_CA_CERT_FILE_1
|
||||
TRUSTED_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_0
|
||||
TRUSTED_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_1
|
||||
|
||||
|
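Review bot: The comment at L67-L73 (its opening line lies outside the hunk) still describes only `system-local-ca-0/1.crt`; the four new `TRUSTED_ROOT_CA_*` constants at L76, L79, L94 and L97 are undocumented. Suggest adding above L76: `# system-root-ca-0.crt / system-root-ca-1.crt hold the root CA certificate received together with the corresponding system-local-ca-0/1 certificate (previous / current).` `TRUSTED_CA_CERT_FILES` at L88 still names only the two intermediate files; if that list is what gets handed to the IPsec configuration, confirm whether the root files must be listed as well or are picked up from `TRUSTED_CA_CERT_DIR`, and say so in the comment.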
|
|
@ -88,6 +88,7 @@ class IPsecConnection(object):
|
|||
kubeapi = kubernetes.KubeOperator()
|
||||
CA_KEY = 'tls.key'
|
||||
CA_CRT = 'tls.crt'
|
||||
ROOT_CA_CRT = 'ca.crt'
|
||||
|
||||
def __init__(self):
|
||||
self.op_code = None
|
||||
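Review bot: `ROOT_CA_CRT = 'ca.crt'` at L123 is the key passed to `_get_system_local_ca_secret_info` in the hunk at L135-L157 (L147), but neither it nor the two existing keys say what they select. A short comment above L117 would make the secret layout explicit, e.g. `# keys of the system-local-ca secret: private key, CA certificate, and the root CA certificate that issued it`; if `ca.crt` is not guaranteed to be the issuer of `tls.crt`, word it as "the root CA certificate published with it" instead. The class definition continues outside this hunk.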
|
@ -102,6 +103,7 @@ class IPsecConnection(object):
|
|||
self.ots_token = Token()
|
||||
self.ca_key = self._get_system_local_ca_secret_info(self.CA_KEY)
|
||||
self.ca_crt = self._get_system_local_ca_secret_info(self.CA_CRT)
|
||||
self.root_ca_crt = self._get_system_local_ca_secret_info(self.ROOT_CA_CRT)
|
||||
self.state = State.STAGE_1
|
||||
|
||||
def handle_messaging(self, sock, sel):
|
||||
|
@ -144,7 +146,7 @@ class IPsecConnection(object):
|
|||
data = json.loads(recv_message.decode('utf-8'))
|
||||
payload = {}
|
||||
|
||||
if not self.ca_key or not self.ca_crt:
|
||||
if not self.ca_key or not self.ca_crt or not self.root_ca_crt:
|
||||
raise ValueError('Failed to retrieve system-local-ca information')
|
||||
|
||||
if self.state == State.STAGE_2:
|
||||
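Review bot: The widened guard at L173 raises the same generic message whichever of the three secret values is missing, so a log line cannot tell an operator whether `tls.key`, `tls.crt` or `ca.crt` is absent from the secret. Consider naming the missing field, e.g. `missing = [k for k, v in (('tls.key', self.ca_key), ('tls.crt', self.ca_crt), ('ca.crt', self.root_ca_crt)) if not v]` followed by `raise ValueError(f'Failed to retrieve system-local-ca information: missing {missing}')`. `handle_messaging` begins and ends outside this hunk.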
|
@ -169,6 +171,7 @@ class IPsecConnection(object):
|
|||
payload["hostname"] = self.hostname
|
||||
payload["pub_key"] = pub_key.decode("utf-8")
|
||||
payload["ca_cert"] = self.ca_crt.decode("utf-8")
|
||||
payload["root_ca_cert"] = self.root_ca_crt.decode("utf-8")
|
||||
payload["hash"] = hash_payload.decode("utf-8")
|
||||
|
||||
LOG.info("Sending IPSec Auth Response")
|
||||
|
|