wlan-ap/feeds/tip/cloud_discovery/files/usr/bin/est_client

#!/usr/bin/ucode

'use strict';

import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
import * as fs from 'fs';


ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");

function generate_csr(cert) {
	if (!fs.stat('/tmp/csr.nohdr.p10')) {
		let pipe = fs.popen(`openssl x509 -in ${cert} -noout -subject`);
		let subject = pipe.read("all");
		pipe.close();
		subject = rtrim(subject);
		subject = replace(subject, 'subject=', '/');
		subject = replace(subject, ' = ', '=');
		subject = replace(subject, ', ', '/');

		let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
		if (ret) {
			ulog(LOG_INFO, 'Failed to generate CSR\n');
			return 1;
		}

		let input = fs.open('/tmp/csr.p10', 'r');
		let output = fs.open('/tmp/csr.nohdr.p10', 'w');
		let line;
		while (line = input.read('line')) {
		        if (substr(line, 0, 4) == '----')
		                continue;
			output.write(line);
		}
		input.close();
		output.close();
		ulog(LOG_INFO, 'Generated CSR\n');
	}
	return 0;
}

function store_operational_cert(path, target) {
	system('mount_certs');
	system(`cp ${path} /certificates/${target}`);
	system('store_certs');

	ulog(LOG_INFO, `Persistently stored ${target}\n`);
}

function p7_too_pem(src, dst) {
	let input = fs.readfile(src);
	let output = fs.open('/tmp/convert.p7', 'w');
	output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
	output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
	output.close();

	let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
	if (ret) {
		ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
		return 1;
	}
	
	ulog(LOG_INFO, 'Converted P7 to PEM\n');
	
	return 0;
}

function call_est_server(path, cert, target) {
	if (generate_csr(cert))
		return 1;

	let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
	if (ret) {
		ulog(LOG_INFO, 'Failed to request operational certificate\n');
		return 1;
	}
	ulog(LOG_INFO, 'EST succeeded\n');

	return p7_too_pem('/tmp/operational.nohdr.p7', target);
}


function simpleenroll() {
	if (fs.stat('/etc/ucentral/operational.pem')) {
		ulog(LOG_INFO, 'Operational certificate is present\n');
		return 0;
	}

	if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
		return 1; 
	
	ulog(LOG_INFO, 'Operational cert acquired\n');
	store_operational_cert('/etc/ucentral/operational.pem', 'operational.pem');
	return 0;
}

function simplereenroll() {
	if (!fs.stat('/etc/ucentral/operational.pem')) {
		ulog(LOG_INFO, 'Operational certificate was not found\n');
		return 0;
	}

	if (call_est_server('simplereenroll', '/etc/ucentral/operational.pem', '/tmp/operational.pem'))
		return 1;
	
	ulog(LOG_INFO, 'Operational cert updated\n');
	store_operational_cert('/tmp/operational.pem', 'operational.pem');

	return 0;
}

function load_operational_ca() {
	if (fs.stat('/etc/ucentral/operational.ca')) {
		ulog(LOG_INFO, 'Operational CA is present\n');
		return 0;
	}
	let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
	if (!ret)
		ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
	if (ret) {
		ulog(LOG_INFO, 'Failed to load CA\n');
		return 1;
	}
	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
	ulog(LOG_INFO, 'Acquired CA\n');
	store_operational_cert('/etc/ucentral/operational.ca', 'operational.ca');
	return 0;
}

function fwtool() {
	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
	let issuer = pipe.read("all");
	pipe.close();

	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
		return 0;

	ulog(LOG_INFO, 'The issuer is insta\n');

	let metadata = fs.readfile('/tmp/sysupgrade.meta');
	if (metadata)
		metadata = json(metadata);
	if (!metadata)
		return 0;

	if (!metadata.est_supported) {
		ulog(LOG_INFO, 'The image does not support EST\n');
		return 1;
	}
	ulog(LOG_INFO, 'The image supports EST\n');

	return 0;
}

switch(ARGV[0]) {
case 'enroll':
	if (simpleenroll())
		exit(1);

	if (load_operational_ca())
		exit(1);

	exit(0);

case 'reenroll':
	if (simplereenroll())
		exit(1);
	exit(0);

case 'fwtool':
	exit(fwtool());
}