scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-29 17:42:41 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

est_client: add reenroll support

Browse Source 
Fixes: WIFI-14694
Signed-off-by: John Crispin <john@phrozen.org>
This commit is contained in:
John Crispin
2025-06-13 12:07:51 +02:00
parent 16d029f10f
commit a375b9f774
1 changed files with 49 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
feeds/tip/cloud_discovery/files/usr/bin/est_client
View File

@@ -8,9 +8,9 @@ import * as fs from 'fs';
ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client"); ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
function generate_csr() { function generate_csr(cert) {
if (!fs.stat('/rmp/csr.nohdr.p10')) { if (!fs.stat('/rmp/csr.nohdr.p10')) {
let pipe = fs.popen('openssl x509 -in /etc/ucentral/cert.pem -noout -subject'); let pipe = fs.popen(`openssl x509 -in ${cert} -noout -subject`);
let subject = pipe.read("all"); let subject = pipe.read("all");
pipe.close(); pipe.close();
subject = rtrim(subject); subject = rtrim(subject);
@@ -39,9 +39,11 @@ function generate_csr() {
return 0; return 0;
} }
function store_operational_cert(path) { function store_operational_cert(path, target) {
system('mount_certs'); system('mount_certs');
system(`cp ${path} /certificates/`); system(`cp ${path} /certificates/${target}`);
ulog(LOG_INFO, `Persistently stored ${target}\n`);
} }
function p7_too_pem(src, dst) { function p7_too_pem(src, dst) {
@@ -56,16 +58,14 @@ function p7_too_pem(src, dst) {
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n'); ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1; return 1;
} }
ulog(LOG_INFO, 'Converted P7 to PEM\n');
return 0; return 0;
} }
function discover_operational_cert() { function call_est_server(cert, target) {
if (fs.stat('/etc/ucentral/operational.pem')) { if (generate_csr(cert))
ulog(LOG_INFO, 'Operational certificate is present\n');
return 0;
}
if (generate_csr())
return 1; return 1;
let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7'); let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
@@ -75,17 +75,40 @@ function discover_operational_cert() {
} }
ulog(LOG_INFO, 'EST succeeded\n'); ulog(LOG_INFO, 'EST succeeded\n');
ret = p7_too_pem('/tmp/operational.nohdr.p7', '/etc/ucentral/operational.pem'); return p7_too_pem('/tmp/operational.nohdr.p7', target);
if (ret) { }
ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
return 1;
function simpleenroll() {
if (fs.stat('/etc/ucentral/operational.pem')) {
ulog(LOG_INFO, 'Operational certificate is present\n');
return 0;
} }
ulog(LOG_INFO, 'Converted P7 to PEM\n');
store_operational_cert('/etc/ucentral/operational.pem'); if (call_est_server('/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
return 1;
ulog(LOG_INFO, 'Operational cert acquired\n');
store_operational_cert('/etc/ucentral/operational.pem', 'operational.pem');
return 0; return 0;
} }
function discover_operational_ca() { function simplereenroll() {
if (!fs.stat('/etc/ucentral/operational.pem')) {
ulog(LOG_INFO, 'Operational certificate was not found\n');
return 0;
}
if (call_est_server('/etc/ucentral/operational.pem', '/tmp/operational.pem'))
return 1;
ulog(LOG_INFO, 'Operational cert updated\n');
store_operational_cert('/tmp/operational.pem', 'operational.pem');
return 0;
}
function load_operational_ca() {
if (fs.stat('/etc/ucentral/operational.ca')) { if (fs.stat('/etc/ucentral/operational.ca')) {
ulog(LOG_INFO, 'Operational CA is present\n'); ulog(LOG_INFO, 'Operational CA is present\n');
return 0; return 0;
@@ -99,18 +122,22 @@ function discover_operational_ca() {
} }
system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca'); system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
ulog(LOG_INFO, 'Acquired CA\n'); ulog(LOG_INFO, 'Acquired CA\n');
store_operational_cert('/etc/ucentral/operational.ca'); store_operational_cert('/etc/ucentral/operational.ca', 'operational.ca');
return 0; return 0;
} }
switch(ARGV[0]) { switch(ARGV[0]) {
case 'enroll': case 'enroll':
if (discover_operational_cert()) if (simpleenroll())
exit(1); exit(1);
if (discover_operational_ca()) if (load_operational_ca())
exit(1); exit(1);
exit(0); exit(0);
break;
case 'reenroll':
if (simplereenroll())
exit(1);
exit(0);
} }