CertificateType instead of str

api/kiwi_vpn_api/easyrsa.py

@@ -6,6 +6,7 @@ from __future__ import annotations
 
 import subprocess
 from datetime import datetime
+from enum import Enum, auto
 from pathlib import Path
 
 from OpenSSL import crypto
@@ -97,6 +98,19 @@ class DistinguishedName(BaseModel):
         ]
 
 
+class CertificateType(Enum):
+    """
+    Possible types of certificates
+    """
+
+    ca = auto()
+    client = auto()
+    server = auto()
+
+    def __str__(self) -> str:
+        return self._name_
+
+
 class EasyRSA:
     """
     Represents an EasyRSA PKI.
@@ -225,6 +239,7 @@ class EasyRSA:
             Path("ca.crt"),
             Config._.crypto.ca_expiry_days,
 
+            "--dn-mode=cn_only",
             "--req-cn=kiwi-vpn-ca",
 
             "build-ca",
@@ -236,13 +251,17 @@ class EasyRSA:
 
     def issue(
         self,
-        cert_type: str = "client",
+        cert_type: CertificateType = CertificateType.client,
         dn: DistinguishedName = DistinguishedName.build(),
-    ) -> crypto.X509:
+    ) -> crypto.X509 | None:
         """
         Issue a client or server certificate
         """
 
+        if not (cert_type is CertificateType.client
+                or cert_type is CertificateType.server):
+            return None
+
         return self.__build_cert(
             Path(f"issued/{dn.common_name}.crt"),
             Config._.crypto.cert_expiry_days,
@@ -262,7 +281,7 @@ if __name__ == "__main__":
     easy_rsa.init_pki()
 
     ca = easy_rsa.build_ca()
-    server = easy_rsa.issue("server")
+    server = easy_rsa.issue(CertificateType.server)
     client = None
 
     # check if configured
@@ -275,7 +294,7 @@ if __name__ == "__main__":
                 db.add(device)
                 dn = DistinguishedName.build(device)
 
-            client = easy_rsa.issue("client", dn)
+            client = easy_rsa.issue(dn=dn)
 
     date_format, encoding = "%Y%m%d%H%M%SZ", "ascii"