diff --git a/api/kiwi_vpn_api/easyrsa.py b/api/kiwi_vpn_api/easyrsa.py index d242757..3f464c2 100644 --- a/api/kiwi_vpn_api/easyrsa.py +++ b/api/kiwi_vpn_api/easyrsa.py @@ -6,6 +6,7 @@ from __future__ import annotations import subprocess from datetime import datetime +from enum import Enum, auto from pathlib import Path from OpenSSL import crypto @@ -97,6 +98,19 @@ class DistinguishedName(BaseModel): ] +class CertificateType(Enum): + """ + Possible types of certificates + """ + + ca = auto() + client = auto() + server = auto() + + def __str__(self) -> str: + return self._name_ + + class EasyRSA: """ Represents an EasyRSA PKI. @@ -225,6 +239,7 @@ class EasyRSA: Path("ca.crt"), Config._.crypto.ca_expiry_days, + "--dn-mode=cn_only", "--req-cn=kiwi-vpn-ca", "build-ca", @@ -236,13 +251,17 @@ class EasyRSA: def issue( self, - cert_type: str = "client", + cert_type: CertificateType = CertificateType.client, dn: DistinguishedName = DistinguishedName.build(), - ) -> crypto.X509: + ) -> crypto.X509 | None: """ Issue a client or server certificate """ + if not (cert_type is CertificateType.client + or cert_type is CertificateType.server): + return None + return self.__build_cert( Path(f"issued/{dn.common_name}.crt"), Config._.crypto.cert_expiry_days, @@ -262,7 +281,7 @@ if __name__ == "__main__": easy_rsa.init_pki() ca = easy_rsa.build_ca() - server = easy_rsa.issue("server") + server = easy_rsa.issue(CertificateType.server) client = None # check if configured @@ -275,7 +294,7 @@ if __name__ == "__main__": db.add(device) dn = DistinguishedName.build(device) - client = easy_rsa.issue("client", dn) + client = easy_rsa.issue(dn=dn) date_format, encoding = "%Y%m%d%H%M%SZ", "ascii"
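Review bot: `CertificateType.__str__` reaches into the private `_name_` slot where the public `self.name` accessor is the supported way to get an enum member's name, so the method should read `return self.name`. If the string form is meant to be spliced into an easyrsa subcommand (e.g. a `build-{cert_type}-full` argument), a one-line comment on `__str__` saying so would explain why the class overrides it at all; nothing in this hunk shows that use, so this is an assumption. The enum is otherwise complete within the hunk.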
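Review bot: The added `--dn-mode=cn_only` carries no comment explaining why the CA subject is restricted to a bare CN while `issue()` in the same file still accepts a full DistinguishedName; a line such as `# CA subject is CN-only; the full org-mode DN is reserved for issued certs` next to it would stop the next reader from "fixing" the mismatch, assuming that split is the intent. Because it is an easyrsa global option it has to precede the `build-ca` subcommand, which the hunk gets right, so the comment should also say it must stay ahead of the subcommand. build_ca's body starts and ends outside this hunk.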
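Review bot: The new guard in `issue()` turns an unsupported `cert_type` into a silent `None`, which the call sites updated in this diff never check, so a CA-typed request would surface later as an AttributeError far from its cause; raising `ValueError` and keeping the `-> crypto.X509` return type is the clearer contract. Now that `cert_type` is an Enum the only rejectable member is `CertificateType.ca`, so a membership test is enough. Separately, `dn.common_name` is interpolated straight into `Path(f"issued/{dn.common_name}.crt")`; unless `DistinguishedName` already restricts `common_name` (not visible here), a value containing `/` or `..` would place the certificate outside `issued/`, so it is worth rejecting anything that is not a single path component before building. issue()'s body continues past the end of the hunk.
```python
    def issue(
        self,
        cert_type: CertificateType = CertificateType.client,
        dn: DistinguishedName = DistinguishedName.build(),
    ) -> crypto.X509:
        """
        Issue a client or server certificate.

        Raises ValueError for a cert_type that cannot be issued (e.g. ca)
        or a common_name that is not a single path component.
        """
        if cert_type not in (CertificateType.client, CertificateType.server):
            raise ValueError(f"cannot issue a {cert_type} certificate")
        # common_name becomes a file name under issued/: reject separators and dot entries
        if dn.common_name in ("", ".", "..") or Path(dn.common_name).name != dn.common_name:
            raise ValueError(f"invalid common_name: {dn.common_name!r}")

        # … unchanged: __build_cert call …
```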
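Review bot: The client call is rewritten to rely on the default `cert_type` (`easy_rsa.issue(dn=dn)`) while the server call a few lines earlier in this diff passes `CertificateType.server` explicitly, so the two call sites no longer read alike and the client one only says what it issues if you know the default; `client = easy_rsa.issue(CertificateType.client, dn)` keeps both self-documenting. Since `issue()` is also changed in this diff to return `None` for unsupported types, `client` should be checked before the serialization that follows (which runs past the hunk), unless that path is reworked to raise.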