From a375b9f7742fd0b6525b621211873f5bbdf9f222 Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Fri, 13 Jun 2025 12:07:51 +0200
Subject: [PATCH] est_client: add reenroll support

Fixes: WIFI-14694
Signed-off-by: John Crispin
---
 .../cloud_discovery/files/usr/bin/est_client | 71 +++++++++++++------
 1 file changed, 49 insertions(+), 22 deletions(-)

diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index bad630118..041ee496c 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -8,9 +8,9 @@ import * as fs from 'fs';
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
-function generate_csr() {
+function generate_csr(cert) {
 if (!fs.stat('/rmp/csr.nohdr.p10')) {
- let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject');
+ let pipe = fs.popen(`openssl x509 -in ${cert} -noout -subject`);
 let subject = pipe.read("all");
 pipe.close();
 subject = rtrim(subject);
@@ -39,9 +39,11 @@ function generate_csr() {
 return 0;
 }
-function store_operational_cert(path) {
+function store_operational_cert(path, target) {
 system('mount_certs');
- system(`cp ${path} /certificates/`);
+ system(`cp ${path} /certificates/${target}`);
+
+ ulog(LOG_INFO, `Persistently stored ${target}\n`);
 }
 function p7_too_pem(src, dst) {
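Review bot: The new `cert` parameter of generate_csr is interpolated unquoted into the `fs.popen` command line; both call sites in this patch pass fixed paths, so nothing attacker-influenced reaches it today, but the function now accepts an arbitrary path and should either single-quote it in the template or reject any value that is not one of the expected certificate files. Separately, the context line tests `/rmp/csr.nohdr.p10` while the enroll request later posts `@/tmp/csr.nohdr.p10`, which looks like a pre-existing typo that makes the cached-CSR check never succeed; note that fixing it without clearing the cached file would make a reenroll reuse the CSR from the first enrollment, so the two should be fixed together. generate_csr continues past the hunk.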
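Review bot: store_operational_cert logs `Persistently stored ${target}` regardless of whether `mount_certs` or the `cp` succeeded, since neither `system()` return value is checked, so a failed copy (missing mount, read-only flash) is reported as success and the callers in this patch have nothing to act on. I would capture the copy result, `let ret = system(...)` around the existing cp command, then `if (ret) { ulog(LOG_INFO, 'Failed to store ' + target + '\n'); return 1; }` and emit the success message only on the zero path. Returning a value is compatible with the existing callers, which currently ignore the result.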
@@ -56,16 +58,14 @@ function p7_too_pem(src, dst) {
 ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
 return 1;
 }
+
+ ulog(LOG_INFO, 'Converted P7 to PEM\n');
+
 return 0;
 }
-function discover_operational_cert() {
- if (fs.stat('/etc/ucentral/operational.pem')) {
- ulog(LOG_INFO, 'Operational certificate is present\n');
- return 0;
- }
-
- if (generate_csr())
+function call_est_server(cert, target) {
+ if (generate_csr(cert))
 return 1;
 let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
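Review bot: In call_est_server the new `cert` argument only changes the subject copied into the CSR; the request on the context line still posts to `.well-known/est/simpleenroll` and authenticates with the fixed `--cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem`, so the `reenroll` path added later in this patch sends the same request as first enrollment apart from the output file. If the intent is an EST re-enrollment authenticated with the current operational certificate (RFC 7030 section 4.2.2, the simplereenroll endpoint), the endpoint and the TLS client credentials need to follow `cert` as well, for example via an additional parameter for the URL path and the key. If the server is meant to treat it as a plain re-issue under the bootstrap identity, a comment on the function saying so would save the next reader the question. The function's handling of `ret` continues past the hunk.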
@@ -75,17 +75,40 @@ function discover_operational_cert() {
 }
 ulog(LOG_INFO, 'EST succeeded\n');
- ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem');
- if (ret) {
- ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
- return 1;
+ return p7_too_pem('/tmp/operational.nohdr.p7', target);
+}
+
+
+function simpleenroll() {
+ if (fs.stat('/etc/ucentral/operational.pem')) {
+ ulog(LOG_INFO, 'Operational certificate is present\n');
+ return 0;
 }
- ulog(LOG_INFO, 'Converted P7 to PEM\n');
- store_operational_cert('/etc/ucentral/operational.pem');
+
+ if (call_est_server('/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
+ return 1;
+
+ ulog(LOG_INFO, 'Operational cert acquired\n');
+ store_operational_cert('/etc/ucentral/operational.pem', 'operational.pem');
 return 0;
 }
-function discover_operational_ca() {
+function simplereenroll() {
+ if (!fs.stat('/etc/ucentral/operational.pem')) {
+ ulog(LOG_INFO, 'Operational certificate was not found\n');
+ return 0;
+ }
+
+ if (call_est_server('/etc/ucentral/operational.pem', '/tmp/operational.pem'))
+ return 1;
+
+ ulog(LOG_INFO, 'Operational cert updated\n');
+ store_operational_cert('/tmp/operational.pem', 'operational.pem');
+
+ return 0;
+}
+
+function load_operational_ca() {
 if (fs.stat('/etc/ucentral/operational.ca')) {
 ulog(LOG_INFO, 'Operational CA is present\n');
 return 0;
@@ -99,18 +122,22 @@ function discover_operational_ca() {
 }
 system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
 ulog(LOG_INFO, 'Acquired CA\n');
- store_operational_cert('/etc/ucentral/operational.ca');
+ store_operational_cert('/etc/ucentral/operational.ca', 'operational.ca');
 return 0;
 }
 switch(ARGV[0]) {
 case 'enroll':
- if (discover_operational_cert())
+ if (simpleenroll())
 exit(1);
- if (discover_operational_ca())
+ if (load_operational_ca())
 exit(1);
 exit(0);
- break;
+
+case 'reenroll':
+ if (simplereenroll())
+ exit(1);
+ exit(0);
 }
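Review bot: simplereenroll overwrites the persisted `operational.pem` with `/tmp/operational.pem` without checking that what the EST server returned is a usable certificate, and the previous certificate is lost in the same step, so a wrong or truncated response that p7_too_pem still converted leaves the device with no valid operational credential for the next reenroll. Before the store_operational_cert call I would verify the new file against the CA this script already maintains, `if (system('openssl verify -CAfile /etc/ucentral/operational.ca /tmp/operational.pem')) return 1;`, and keep the old copy until that passes. Only `/certificates/operational.pem` is refreshed here; `/etc/ucentral/operational.pem`, which is what simplereenroll presents to the server, is not rewritten in this hunk, so unless mount_certs maps one onto the other the next reenroll still authenticates with the old certificate, which deserves a comment either way. Returning 0 when no operational certificate exists also makes `reenroll` exit successfully without doing anything; falling through to simpleenroll or returning 1 seems more useful to the caller.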