Merge pull request #3552 from c-po/ipsec-profile

op-mode: ipsec: T6407: fix profile generation
vyos · May 30, 2024 · 9859440 · 9859440
2 parents 5978273 + e6fe6e5
commit 9859440
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 9 deletions.
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
@@ -83,22 +83,27 @@
                 </dict>
             </dict>
         </dict>
+{% if certs is vyos_defined %}
         <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
+{%     for cert in certs %}
+        <!-- Payload for: {{ cert.ca_cn }} -->
         <dict>
             <key>PayloadIdentifier</key>
-            <string>org.example.ca</string>
+            <string>org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') }}</string>
             <key>PayloadUUID</key>
-            <string>{{ '' | get_uuid }}</string>
+            <string>{{ cert.ca_cn | generate_uuid4 }}</string>
             <key>PayloadType</key>
             <string>com.apple.security.root</string>
             <key>PayloadVersion</key>
             <integer>1</integer>
             <!-- This is the Base64 (PEM) encoded CA certificate -->
             <key>PayloadContent</key>
             <data>
-            {{ ca_cert }}
+            {{ cert.ca_cert }}
             </data>
         </dict>
+{%     endfor %}
+{% endif %}
     </array>
 </dict>
 </plist>
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
@@ -144,15 +144,22 @@
 data['rfqdn'] = '.'.join(tmp)
 
 pki = conf.get_config_dict(pki_base, get_first_key=True)
-ca_name = data['authentication']['x509']['ca_certificate']
 cert_name = data['authentication']['x509']['certificate']
 
-ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+data['certs'] = []
+
+for ca_name in data['authentication']['x509']['ca_certificate']:
+    tmp = {}
+    ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+
+
+    tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
+
+    data['certs'].append(tmp)
 
-data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
 
 esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
                                      key_mangling=('-', '_'), get_first_key=True)