Support for adding Certification Authorities (CAs) via YAML config

This allows adding additional CAs as trust anchors via the root key
"ca-trust" in the YAML config files.

Why is this helpful, and why can't it be done, for example, with SRMs?

After the CA files are copied, "update-ca-trust" must be called. This
updates *all* ca trust files. This means your SRM will override all
trust files with the ones used when creating the SRM.

When you then use the SRM with a newer version of SystemRescue, you will
still use the old ca trust files from when the SRM was built.
Gerd v. Egidy 2022-01-16 17:54:29 +01:00
parent edd7b702af
commit 0a9b3250cf
2 changed files with 27 additions and 0 deletions


@ -1,6 +1,11 @@
SystemRescue ChangeLog
======================
-------------------------------------------------------------------------------
9.01 (YYYY-MM-DD):
-------------------------------------------------------------------------------
* Support for adding Certification Authorities (CAs) via YAML config (Gerd v. Egidy)
-------------------------------------------------------------------------------
9.00 (2022-01-16):
-------------------------------------------------------------------------------
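Review bot: the ChangeLog entry never names the configuration key users have to write; the key "ca-trust" appears only in the commit message and the code. Consider `* Support for adding Certification Authorities (CAs) via the "ca-trust" key in the YAML config (Gerd v. Egidy)` so the changelog alone tells an administrator what to put in their config.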


@ -30,6 +30,8 @@ config_global = {
'vncpass': None,
}
config_ca_trust = { }
# ==============================================================================
# Load configuration from the yaml files
# ==============================================================================
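Review bot: `config_ca_trust = { }` gives no hint of its expected shape; a one-line comment stating that keys are certificate names and values are PEM-encoded certificate text (which is how the later hunks consume it) would help the next reader. Style-wise, `{}` without the inner space matches the dict literal closed by `}` just above.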
@ -46,6 +48,10 @@ def parse_config_file(yamlfile):
for entry in config_global:
if entry in curglobal:
config_global[entry] = curglobal[entry]
if 'ca-trust' in curconfig:
# later yaml files take precedence, overwrite if existing
for key, value in curconfig['ca-trust'].items():
config_ca_trust[key] = value
return True
except yaml.YAMLError as err:
print(err)
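Review bot: `curconfig['ca-trust'].items()` assumes the value is a mapping. A config file with `ca-trust:` left empty (YAML parses that as None), or with a list or scalar, raises AttributeError, which `except yaml.YAMLError as err:` does not catch, so the whole configuration load aborts with a traceback. Guard with `isinstance(curconfig['ca-trust'], dict)` and print a clear message otherwise. This is also the natural place to validate entries, since each key later becomes a file name and each value is written verbatim: reject empty names, names containing path separators or `..`, and values that are not strings.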
@ -227,6 +233,22 @@ if config_global['dovnc'] == True:
file.write("""x11vnc $pwopt -nevershared -forever -logfile /var/log/x11vnc.log &\n""")
file.close()
# ==============================================================================
# Configure custom CA certificates
# ==============================================================================
ca_anchor_path = "/etc/ca-certificates/trust-source/anchors/"
if config_ca_trust:
print(f"====> Adding trusted CA certificates ...")
for name, cert in sorted(config_ca_trust.items()):
print (f"Adding certificate '{name}' ...")
with open(os.path.join(ca_anchor_path, name + ".pem"), "w") as certfile:
certfile.write(cert)
print(f"Updating CA trust configuration ...")
p = subprocess.run(["update-ca-trust"], text=True)
# ==============================================================================
# End of the script
# ==============================================================================
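Review bot: `name` comes straight from the YAML key and is joined onto `ca_anchor_path`; a name containing a path separator or `..` resolves to a path outside the anchors directory, so restrict names to a safe character set (letters, digits, `.`, `_`, `-`) before `open(os.path.join(ca_anchor_path, name + ".pem"), "w")`, or reject the entry with an error. The result of `p = subprocess.run(["update-ca-trust"], text=True)` is assigned but never inspected: pass `check=True` or test `p.returncode` and report the failure, otherwise a rejected or malformed certificate leaves the trust store unchanged without any indication to the user. Minor: the f-strings in `print(f"====> Adding trusted CA certificates ...")` and `print(f"Updating CA trust configuration ...")` have no placeholders and can be plain string literals, and `print (f"Adding certificate '{name}' ...")` has a stray space before the parenthesis.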