scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-31 18:38:10 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

cloud_discovery: split EST code out into its own tool

Browse Source 
Fixes: WIFI-14694
Signed-off-by: John Crispin <john@phrozen.org>
This commit is contained in:
John Crispin
2025-06-13 09:33:48 +02:00
parent f166bd64bd
commit 5b655a5ca9
2 changed files with 117 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
View File

@@ -154,101 +154,6 @@ function discover_dhcp() {
return !dhcp?.lease; return !dhcp?.lease;
} }
function generate_csr() {
if (!fs.stat('/rmp/csr.nohdr.p10')) {
let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject');
let subject = pipe.read("all");
pipe.close();
subject = rtrim(subject);
subject = replace(subject, 'subject=', '/');
subject = replace(subject, ' = ', '=');
subject = replace(subject, ', ', '/');
let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
if (ret) {
ulog(LOG_INFO, 'Failed to generate CSR\n');
return 1;
}
let input = fs.open('/tmp/csr.p10', 'r');
let output = fs.open('/tmp/csr.nohdr.p10', 'w');
let line;
while (line = input.read('line')) {
if (substr(line, 0, 4) == '----')
continue;
output.write(line);
}
input.close();
output.close();
ulog(LOG_INFO, 'Generated CSR\n');
}
return 0;
}
function store_operational_cert(path) {
system('mount_certs');
system(`cp ${path} /certificates/`);
}
function p7_too_pem(src, dst) {
let input = fs.readfile(src);
let output = fs.open('/tmp/convert.p7', 'w');
output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
output.close();
let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
if (ret) {
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1;
}
return 0;
}
function discover_operational_cert() {
if (fs.stat('/etc/ucentral/operational.pem')) {
ulog(LOG_INFO, 'Operational certificate is present\n');
return 0;
}
if (generate_csr())
return 1;
let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
if (ret) {
ulog(LOG_INFO, 'Failed to request operational certificate\n');
return 1;
}
ulog(LOG_INFO, 'EST succeeded\n');
ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem');
if (ret) {
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1;
}
ulog(LOG_INFO, 'Converted P7 to PEM\n');
store_operational_cert('/etc/ucentral/operational.pem');
return 0;
}
function discover_operational_ca() {
if (fs.stat('/etc/ucentral/operational.ca')) {
ulog(LOG_INFO, 'Operational CA is present\n');
return 0;
}
let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
if (!ret)
ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
if (ret) {
ulog(LOG_INFO, 'Failed to load CA\n');
return 1;
}
system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
ulog(LOG_INFO, 'Acquired CA\n');
store_operational_cert('/etc/ucentral/operational.ca');
return 0;
}
function redirector_lookup() { function redirector_lookup() {
const path = '/tmp/ucentral.redirector'; const path = '/tmp/ucentral.redirector';
ulog(LOG_INFO, 'Contact redirector service\n'); ulog(LOG_INFO, 'Contact redirector service\n');
@@ -308,10 +213,7 @@ function interval_handler() {
if (discover_dhcp()) if (discover_dhcp())
return; return;
if (discover_operational_cert()) if (system('/usr/bin/est_client enroll'))
return;
if (discover_operational_ca())
return; return;
if (!discover_flash()) if (!discover_flash())

116
feeds/tip/cloud_discovery/files/usr/bin/est_client Executable file
View File

@@ -0,0 +1,116 @@
#!/usr/bin/ucode
'use strict';
import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
import * as fs from 'fs';
ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
function generate_csr() {
if (!fs.stat('/rmp/csr.nohdr.p10')) {
let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject');
let subject = pipe.read("all");
pipe.close();
subject = rtrim(subject);
subject = replace(subject, 'subject=', '/');
subject = replace(subject, ' = ', '=');
subject = replace(subject, ', ', '/');
let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
if (ret) {
ulog(LOG_INFO, 'Failed to generate CSR\n');
return 1;
}
let input = fs.open('/tmp/csr.p10', 'r');
let output = fs.open('/tmp/csr.nohdr.p10', 'w');
let line;
while (line = input.read('line')) {
if (substr(line, 0, 4) == '----')
continue;
output.write(line);
}
input.close();
output.close();
ulog(LOG_INFO, 'Generated CSR\n');
}
return 0;
}
function store_operational_cert(path) {
system('mount_certs');
system(`cp ${path} /certificates/`);
}
function p7_too_pem(src, dst) {
let input = fs.readfile(src);
let output = fs.open('/tmp/convert.p7', 'w');
output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
output.close();
let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
if (ret) {
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1;
}
return 0;
}
function discover_operational_cert() {
if (fs.stat('/etc/ucentral/operational.pem')) {
ulog(LOG_INFO, 'Operational certificate is present\n');
return 0;
}
if (generate_csr())
return 1;
let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
if (ret) {
ulog(LOG_INFO, 'Failed to request operational certificate\n');
return 1;
}
ulog(LOG_INFO, 'EST succeeded\n');
ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem');
if (ret) {
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1;
}
ulog(LOG_INFO, 'Converted P7 to PEM\n');
store_operational_cert('/etc/ucentral/operational.pem');
return 0;
}
function discover_operational_ca() {
if (fs.stat('/etc/ucentral/operational.ca')) {
ulog(LOG_INFO, 'Operational CA is present\n');
return 0;
}
let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
if (!ret)
ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
if (ret) {
ulog(LOG_INFO, 'Failed to load CA\n');
return 1;
}
system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
ulog(LOG_INFO, 'Acquired CA\n');
store_operational_cert('/etc/ucentral/operational.ca');
return 0;
}
switch(ARGV[0]) {
case 'enroll':
if (discover_operational_cert())
exit(1);
if (discover_operational_ca())
exit(1);
exit(0);
break;
}