
Create common crypto library for creation/verification/management of RSA/EC/SSH keys, certificates, requests, etc.
Status: In progress · Priority: High · Visibility: Public · Type: Feature Request

Description

There are many places in VyOS where certificates and keys of various types are used: VPN (OpenVPN, IPsec, L2TP, SSTP, Wireguard) and the HTTP API. These user-supplied certificates need to be verified for the proper format before they are applied to the configuration. Currently each script does its own checking, and some don't check the files at all.

To prevent duplication of code, a common crypto library should be created that uses either the Python cryptography package or standalone CLI tools called through subprocess. The cryptography package should be preferred, since it natively offers all the operations that openssl does, and openssl wasn't designed to be called in batch mode, so hacks are sometimes required to prevent it from asking for passphrases on stdin.

Op-mode commands to generate keys, CSRs, CAs and certificates could be implemented using this library. This is currently possible through manual use of openssl or by downloading easyrsa (some very limited op-mode tools are already available, but they aren't useful in many circumstances).

Some scripts (OpenVPN) also need to modify their behavior depending on which key type is used (RSA or EC), so a way to check which type is supplied is needed.

It should include:

- key generation functions of various types (RSA, EC, SSH) and sizes
- CSR generation
- certificate type checking (whether it's RSA, EC, ...)
- encrypted key checking (if a given key is encrypted with a passphrase or not)
- self-signed and externally signed CA creation (where the user doesn't want to host his CA on a more isolated system - this should be discouraged)
- SSH private and public key generation of various sizes
- SSH private key checking for encryption (if it's encrypted with a passphrase or not)
- DH parameter generation of various sizes
- OpenVPN-specific TLS key generation (as generated by openvpn --genkey --secret)
- Wireguard key generation and checking
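The following is an added sketch, not code from the VyOS task or repository, of what the core of such a library could look like when built on the Python cryptography package the task recommends: key generation by type, PKCS#8 serialization with or without a passphrase, detection of whether a PEM private key is encrypted, RSA/EC/Ed25519 type detection for both keys and certificates, CSR generation, and a self-signed CA. All function names are the editor's own assumptions; the keys are generated in-process so the module runs offline. The DH parameter, SSH and WireGuard helpers from the list above are left out here.

```python
"""Sketch of common crypto helpers (hypothetical names, not VyOS code).

Built on the python `cryptography` package, which the task prefers over
shelling out to openssl. Everything runs offline: sample keys are
generated in-process rather than read from disk.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
from cryptography.x509.oid import NameOID


def generate_private_key(key_type, size=2048):
    """Generate a private key of the requested type: 'rsa', 'ec' or 'ed25519'.

    `size` only applies to RSA; the EC branch is fixed to P-256 here.
    """
    if key_type == "rsa":
        return rsa.generate_private_key(public_exponent=65537, key_size=size)
    if key_type == "ec":
        return ec.generate_private_key(ec.SECP256R1())
    if key_type == "ed25519":
        return ed25519.Ed25519PrivateKey.generate()
    raise ValueError(f"unsupported key type: {key_type}")


def private_key_to_pem(key, passphrase=None):
    """Serialize a private key as PKCS#8 PEM, encrypted if a passphrase is given."""
    if passphrase:
        encryption = serialization.BestAvailableEncryption(passphrase)
    else:
        encryption = serialization.NoEncryption()
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8, encryption)


def is_private_key_encrypted(pem):
    """Return True if the PEM private key cannot be loaded without a passphrase.

    cryptography raises TypeError when a password is required but not given.
    Any other parse error is deliberately propagated, so malformed input is
    never reported as a valid unencrypted key.
    """
    try:
        serialization.load_pem_private_key(pem, password=None)
    except TypeError:
        return True
    return False


def _public_key_type(public_key):
    """Map a public key object to the type names used by the config scripts."""
    if isinstance(public_key, rsa.RSAPublicKey):
        return "rsa"
    if isinstance(public_key, ec.EllipticCurvePublicKey):
        return "ec"
    if isinstance(public_key, ed25519.Ed25519PublicKey):
        return "ed25519"
    return "unknown"


def private_key_type(pem, passphrase=None):
    """Type of a PEM private key ('rsa', 'ec', 'ed25519' or 'unknown')."""
    key = serialization.load_pem_private_key(pem, password=passphrase)
    return _public_key_type(key.public_key())


def certificate_key_type(cert_pem):
    """Type of the public key inside a PEM certificate (e.g. for OpenVPN)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return _public_key_type(cert.public_key())


def _signature_hash(key):
    # Ed25519 signatures carry their own hash; cryptography expects None there.
    return None if isinstance(key, ed25519.Ed25519PrivateKey) else hashes.SHA256()


def generate_csr(key, common_name):
    """PEM certificate signing request for `common_name`, signed by `key`."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .sign(key, _signature_hash(key)))
    return csr.public_bytes(serialization.Encoding.PEM)


def generate_self_signed_ca(key, common_name, days=3650):
    """PEM self-signed CA certificate (basicConstraints CA:TRUE, critical)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(key, _signature_hash(key)))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Constructed demo: an encrypted RSA key and an EC CA generated in-process.
    rsa_key = generate_private_key("rsa")
    encrypted = private_key_to_pem(rsa_key, b"example-passphrase")
    print("encrypted:", is_private_key_encrypted(encrypted))
    print("type:", private_key_type(encrypted, b"example-passphrase"))
    ca = generate_self_signed_ca(generate_private_key("ec"), "Example CA")
    print("CA key type:", certificate_key_type(ca))
```

A config script would call `is_private_key_encrypted()` first and refuse a key that needs a passphrase the service cannot supply, then branch on `private_key_type()` or `certificate_key_type()` where the OpenVPN template differs between RSA and EC.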

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Internal change (not visible to end users)

Event Timeline

jjakob created this task.
jjakob created this object in space S1 VyOS Public.
syncer changed the task status from Open to In progress. Aug 15 2020, 10:04 AM
syncer claimed this task.
syncer raised the priority of this task from Low to High.
syncer changed the subtype of this task from "Task" to "Feature Request".
erkin set Issue type to Internal change (not visible to end users). Aug 30 2021, 7:50 AM
erkin removed a subscriber: Active contributors.