From 16d029f10fa1816095f49045f5aeb6efa63a3bdf Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Fri, 13 Jun 2025 09:33:48 +0200
Subject: [PATCH] cloud_discovery: split EST code out into its own tool
Fixes: WIFI-14694
Signed-off-by: John Crispin
---
 .../files/usr/bin/cloud_discovery | 100 +--------------
 .../cloud_discovery/files/usr/bin/est_client | 116 ++++++++++++++++++
 2 files changed, 117 insertions(+), 99 deletions(-)
 create mode 100755 feeds/tip/cloud_discovery/files/usr/bin/est_client
diff --git a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
index 608b15c95..a1626a2e7 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
+++ b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
@@ -154,101 +154,6 @@ function discover_dhcp() {
 return !dhcp?.lease;
 }
-function generate_csr() {
- if (!fs.stat('/rmp/csr.nohdr.p10')) {
- let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject');
- let subject = pipe.read("all");
- pipe.close();
- subject = rtrim(subject);
- subject = replace(subject, 'subject=', '/');
- subject = replace(subject, ' = ', '=');
- subject = replace(subject, ', ', '/');
-
- let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
- if (ret) {
- ulog(LOG_INFO, 'Failed to generate CSR\n');
- return 1;
- }
-
- let input = fs.open('/tmp/csr.p10', 'r');
- let output = fs.open('/tmp/csr.nohdr.p10', 'w');
- let line;
- while (line = input.read('line')) {
- if (substr(line, 0, 4) == '----')
- continue;
- output.write(line);
- }
- input.close();
- output.close();
- ulog(LOG_INFO, 'Generated CSR\n');
- }
- return 0;
-}
-
-function store_operational_cert(path) {
- system('mount_certs');
- system(`cp ${path} /certificates/`);
-}
-
-function p7_too_pem(src, dst) {
- let input = fs.readfile(src);
- let output = fs.open('/tmp/convert.p7', 'w');
- output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
- output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
- output.close();
-
- let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
- if (ret) {
- ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
- return 1;
- }
- return 0;
-}
-
-function discover_operational_cert() {
- if (fs.stat('/etc/ucentral/operational.pem')) {
- ulog(LOG_INFO, 'Operational certificate is present\n');
- return 0;
- }
-
- if (generate_csr())
- return 1;
-
- let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
- if (ret) {
- 
ulog(LOG_INFO, 'Failed to request operational certificate\n');
- return 1;
- }
- ulog(LOG_INFO, 'EST succeeded\n');
-
- ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem');
- if (ret) {
- ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
- return 1;
- }
- ulog(LOG_INFO, 'Converted P7 to PEM\n');
- store_operational_cert('/etc/ucentral/operational.pem');
- return 0;
-}
-
-function discover_operational_ca() {
- if (fs.stat('/etc/ucentral/operational.ca')) {
- ulog(LOG_INFO, 'Operational CA is present\n');
- return 0;
- }
- let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
- if (!ret)
- ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
- if (ret) {
- ulog(LOG_INFO, 'Failed to load CA\n');
- return 1;
- }
- system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
- ulog(LOG_INFO, 'Acquired CA\n');
- store_operational_cert('/etc/ucentral/operational.ca');
- return 0;
-}
-
 function redirector_lookup() {
 const path = '/tmp/ucentral.redirector';
 ulog(LOG_INFO, 'Contact redirector service\n');
@@ -308,10 +213,7 @@ function interval_handler() {
 if (discover_dhcp())
 return;
- if (discover_operational_cert())
- return;
-
- if (discover_operational_ca())
+ if (system('/usr/bin/est_client enroll'))
 return;
 if (!discover_flash())
diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
new file mode 100755
index 000000000..bad630118
--- /dev/null
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
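Review bot: The new `if (system('/usr/bin/est_client enroll')) return;` drops the per-step log lines the removed in-process functions emitted, so from cloud_discovery's own log a failed enrollment is indistinguishable from a missing or non-executable est_client (the shell returns a non-zero status in both cases and the handler silently retries next interval). A line such as `ulog(LOG_INFO, 'est_client enroll failed\n');` before the `return` keeps the failure visible in this daemon's log without depending on the child's syslog output. The enclosing interval_handler() starts and ends outside the hunk.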
@@ -0,0 +1,116 @@
+#!/usr/bin/ucode
+
+'use strict';
+
+import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
+import * as fs from 'fs';
+
+
+ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
+
+function generate_csr() {
+ if (!fs.stat('/rmp/csr.nohdr.p10')) {
+ let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject');
+ let subject = pipe.read("all");
+ pipe.close();
+ subject = rtrim(subject);
+ subject = replace(subject, 'subject=', '/');
+ subject = replace(subject, ' = ', '=');
+ subject = replace(subject, ', ', '/');
+
+ let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
+ if (ret) {
+ ulog(LOG_INFO, 'Failed to generate CSR\n');
+ return 1;
+ }
+
+ let input = fs.open('/tmp/csr.p10', 'r');
+ let output = fs.open('/tmp/csr.nohdr.p10', 'w');
+ let line;
+ while (line = input.read('line')) {
+ if (substr(line, 0, 4) == '----')
+ continue;
+ output.write(line);
+ }
+ input.close();
+ output.close();
+ ulog(LOG_INFO, 'Generated CSR\n');
+ }
+ return 0;
+}
+
+function store_operational_cert(path) {
+ system('mount_certs');
+ system(`cp ${path} /certificates/`);
+}
+
+function p7_too_pem(src, dst) {
+ let input = fs.readfile(src);
+ let output = fs.open('/tmp/convert.p7', 'w');
+ output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
+ output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
+ output.close();
+
+ let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
+ if (ret) {
+ ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
+ return 1;
+ }
+ return 0;
+}
+
+function discover_operational_cert() {
+ if (fs.stat('/etc/ucentral/operational.pem')) {
+ ulog(LOG_INFO, 'Operational certificate is present\n');
+ return 0;
+ }
+
+ if (generate_csr())
+ return 1;
+
+ let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: 
application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
+ if (ret) {
+ ulog(LOG_INFO, 'Failed to request operational certificate\n');
+ return 1;
+ }
+ ulog(LOG_INFO, 'EST succeeded\n');
+
+ ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem');
+ if (ret) {
+ ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
+ return 1;
+ }
+ ulog(LOG_INFO, 'Converted P7 to PEM\n');
+ store_operational_cert('/etc/ucentral/operational.pem');
+ return 0;
+}
+
+function discover_operational_ca() {
+ if (fs.stat('/etc/ucentral/operational.ca')) {
+ ulog(LOG_INFO, 'Operational CA is present\n');
+ return 0;
+ }
+ let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
+ if (!ret)
+ ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
+ if (ret) {
+ ulog(LOG_INFO, 'Failed to load CA\n');
+ return 1;
+ }
+ system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
+ ulog(LOG_INFO, 'Acquired CA\n');
+ store_operational_cert('/etc/ucentral/operational.ca');
+ return 0;
+}
+
+switch(ARGV[0]) {
+case 'enroll':
+ if (discover_operational_cert())
+ exit(1);
+
+ if (discover_operational_ca())
+ exit(1);
+
+ exit(0);
+ break;
+}
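Review bot: The cache check in generate_csr() tests `/rmp/csr.nohdr.p10` while the file is written to `/tmp/csr.nohdr.p10`, so the guard never matches and the CSR is regenerated on every `enroll` run; it should read `if (!fs.stat('/tmp/csr.nohdr.p10')) {`. Both curl invocations (simpleenroll in discover_operational_cert() and cacerts in discover_operational_ca()) run without `--fail`, so an HTTP 4xx/5xx error body is written to the output file with exit status 0, `EST succeeded` is logged, and the problem only surfaces later as a misleading `Failed to convert P7 to PEM`; add `--fail` to each command string. The subject read from `openssl x509 -subject` is interpolated into a shell string for `openssl req -subj "${subject}"`, so a subject containing quotes, `$` or backticks would break or alter the command; the array form `system(['openssl', 'req', '-subj', subject, '-new', '-key', '/etc/ucentral/key.pem', '-out', '/tmp/csr.p10'])` bypasses the shell entirely. The QA EST endpoint `https://qaest.certificates.open-lan.org:8001` is hard-coded in two places; lifting it to a single `const` at the top of the file would make the enrollment target explicit and reviewable. Finally, the `switch` has no `default:`, so a missing or unknown subcommand falls off the end and exits 0; a `default:` that logs usage and calls `exit(1)` would make misuse visible to the caller in cloud_discovery.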