
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610) #3619

Merged: 2 commits merged from mergify/bp/sagitta/pr-3610 into sagitta, Jun 10, 2024

Conversation

mergify[bot] (Contributor) commented Jun 10, 2024

Change Summary

In e6fe6e5 ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple iOS profiles.

This commit extends support to properly include the common name of the server certificate issuer and all its parent CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

Proposed changes

How to test

A resulting profile would look like this:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    
    <key>PayloadDisplayName</key>
    <string>VyOS IKEv2 Profile</string>
    
    <key>PayloadIdentifier</key>
    <string>wue3.LR1</string>
    
    <key>PayloadUUID</key>
    <string>f735996a-265d-11ef-9e65-f2422b8b73f7</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        
        <dict>
            <dict>
                <key>ServerCertificateIssuerCommonName</key>
                <string>CAcert Class 3 Root</string>
                <key>ServerCertificateCommonName</key>
                <string>ipsec.vyos.net</string>
                 ...
            </dict>
        </dict>
        
        
        <dict>
            <key>PayloadIdentifier</key>
            <string>org.cacert.class.3.root</string>
            <key>PayloadUUID</key>
            <string>158483b0-8df8-8146-e725-42d6ee51ba69</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            
            <key>PayloadContent</key>
            <data>MIIGPTCCB...</data>
        </dict>
        
        <dict>
            <key>PayloadIdentifier</key>
            <string>org.ca.cert.signing.authority</string>
            <key>PayloadUUID</key>
            <string>ead21fee-8172-7060-e9b7-921b7c270556</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            
            <key>PayloadContent</key>
            <data>MIIG7jCC...</data>
        </dict>
    </array>
</dict>
</plist>

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

This is an automatic backport of pull request #3610 done by [Mergify](https://mergify.com).
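The two pieces this change adds to the profile, the issuer CN in the VPN payload and one com.apple.security.root payload per parent CA, can be reproduced in a few lines. The following is an added example written for this page, not VyOS code: the PKI store is a constructed dict standing in for the "PKI" subsystem (placeholder DER bytes, not real certificates), the chain is walked by matching issuer CN to subject CN, and the `org.`-prefixed PayloadIdentifier derivation is an assumption that happens to match the identifiers shown above.

```python
import plistlib
import uuid

# Constructed stand-in for the VyOS "PKI" subsystem: per CA its subject CN,
# issuer CN and DER body (placeholder bytes, not real certificates).
PKI_CA = {
    "CAcert_Class_3_Root": {"subject_cn": "CAcert Class 3 Root",
                            "issuer_cn": "CA Cert Signing Authority",
                            "der": b"<der: CAcert Class 3 Root>"},
    "CAcert_Signing_Authority": {"subject_cn": "CA Cert Signing Authority",
                                 "issuer_cn": "CA Cert Signing Authority",
                                 "der": b"<der: CA Cert Signing Authority>"},
}

def ca_chain(issuer_cn, pki):
    """Walk from the server certificate's issuer up to the self-signed root by
    matching each issuer CN to a subject CN. Stops when the parent is not in
    the store; a loop in the issuer links raises instead of running forever."""
    by_cn = {ca["subject_cn"]: ca for ca in pki.values()}
    chain, cn = [], issuer_cn
    while cn in by_cn:
        ca = by_cn[cn]
        if ca in chain:
            raise ValueError(f"issuer loop at {cn!r}")
        chain.append(ca)
        if ca["issuer_cn"] == ca["subject_cn"]:  # self-signed root: done
            break
        cn = ca["issuer_cn"]
    return chain

def payload_id(cn):
    # Assumed derivation: "CAcert Class 3 Root" -> "org.cacert.class.3.root"
    return "org." + ".".join(cn.lower().split())

def build_profile(server_cn, issuer_cn, pki):
    """plist XML (bytes): VPN payload naming server and issuer CN, then one
    com.apple.security.root payload per CA in the chain."""
    chain = ca_chain(issuer_cn, pki)
    if not chain:
        raise ValueError(f"issuer {issuer_cn!r} is not a CA in the PKI store")
    vpn = {"ServerCertificateIssuerCommonName": issuer_cn,
           "ServerCertificateCommonName": server_cn}
    cas = [{"PayloadIdentifier": payload_id(ca["subject_cn"]),
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadContent": ca["der"]} for ca in chain]
    return plistlib.dumps({"PayloadDisplayName": "VyOS IKEv2 Profile",
                           "PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [vpn] + cas})
```

An issuer CN that is not configured as a CA in the store raises rather than silently producing a profile the device cannot validate, which is the failure mode the original task addressed.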

c-po added 2 commits June 10, 2024 08:28
…le generation

In e6fe6e5 ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple iOS profiles.

This commit extends support to properly include the common name of the server
certificate issuer and all its parent CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.

(cherry picked from commit d65f435)

👍
No issues in PR Title / Commit Title

@c-po c-po enabled auto-merge June 10, 2024 08:55
@c-po c-po merged commit 4a974f7 into sagitta Jun 10, 2024
7 checks passed
@mergify mergify bot deleted the mergify/bp/sagitta/pr-3610 branch June 10, 2024 11:45
Labels: sagitta, VyOS 1.4 LTS