
@lukas2511
Created May 3, 2024 17:14
Convert easyroam Open Network Config to NetworkManager connection profile
#!/usr/bin/env python3
# Usage:
# - go to easyroam.de
# - select manual options -> Open Network Config (ChromeOS)
# - run this script as root: sudo python3 path/to/onc-to-nm.py path/to/easyroam_[...].onc
# - connect to wifi (via gui or on console: nmcli conn up eduroam)
# - optionally: enable autoconnect (via gui or on console: nmcli conn modify eduroam connection.autoconnect on)
import json
import sys
import os
import base64
import hashlib
import cryptography.hazmat.primitives.serialization
import cryptography.hazmat.primitives.serialization.pkcs12
import uuid
import subprocess
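# This script runs as root and copies values from the ONC file into a file name
# and a NetworkManager keyfile, so those values are checked before use.
def _checked_value(label, value, *, as_filename=False):
    """Return *value* unchanged if it is safe to embed; exit with an error otherwise.

    label: human-readable ONC field name used in the error message.
    value: the value read from the ONC JSON.
    as_filename: also reject values that would escape the target directory.
    """
    if not isinstance(value, str) or not value:
        sys.exit(f"ONC field {label} is missing or not a string.")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        # A newline here would let the ONC file append arbitrary keyfile settings.
        sys.exit(f"ONC field {label} contains control characters.")
    if as_filename and ("/" in value or value in (".", "..")):
        # Keeps the profile inside /etc/NetworkManager/system-connections.
        sys.exit(f"ONC field {label} is not usable as a file name.")
    return value


def _write_private(path, data):
    """Write *data* (bytes) to *path* with mode 0600, replacing any old content."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as handle:
        # A file that already exists keeps its previous mode when reopened, so
        # the mode is set explicitly instead of relying on the umask alone.
        os.fchmod(handle.fileno(), 0o600)
        handle.write(data)


if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} path/to/profile.onc")
    sys.exit(1)

with open(sys.argv[1]) as onc_file:
    onc = json.load(onc_file)

# Pick the single wifi interface reported by NetworkManager.
nmcli_output = subprocess.check_output(
    ["nmcli", "--terse", "--fields", "DEVICE,TYPE", "dev", "status"]
).decode()
wifi_devices = [line for line in nmcli_output.splitlines() if line.endswith(":wifi")]
if not wifi_devices:
    print("Found no wifi device, can't work.")
    sys.exit(1)
if len(wifi_devices) != 1:
    print("Found multiple wifi devices, can't work.")
    sys.exit(1)
wifi_device = wifi_devices[0].split(":")[0]
with open(f"/sys/class/net/{wifi_device}/address") as address_file:
    # strip() drops the trailing newline sysfs appends to the address.
    wifi_device_mac = address_file.read().strip().upper()

# The ONC file carries the client certificate and key as a PKCS#12 bundle with
# an empty password.
p12_raw = base64.b64decode(onc["Certificates"][0]["PKCS12"])
p12 = cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12(p12_raw, b"")
if p12.key is None or p12.cert is None:
    sys.exit("PKCS12 bundle in the ONC file lacks a private key or a certificate.")

serialization = cryptography.hazmat.primitives.serialization
# The key is written unencrypted; its confidentiality rests entirely on the
# 0600 file mode and the 0700 directory below.
key = p12.key.private_bytes(
    serialization.Encoding.PEM,
    serialization.PrivateFormat.TraditionalOpenSSL,
    serialization.NoEncryption(),
)
cert = p12.cert.certificate.public_bytes(serialization.Encoding.PEM)

eap = onc["NetworkConfigurations"][0]["WiFi"]["EAP"]
identity = _checked_value("EAP.Identity", eap["Identity"])
domain = _checked_value(
    "EAP.SubjectAlternativeNameMatch[0].Value",
    eap["SubjectAlternativeNameMatch"][0]["Value"],
)
ssid = _checked_value(
    "WiFi.SSID", onc["NetworkConfigurations"][0]["WiFi"]["SSID"], as_filename=True
)

# SHA-1 only derives a stable file name from the content; it is not used as an
# integrity or security check.
key_sha1 = hashlib.sha1(key).hexdigest()
cert_sha1 = hashlib.sha1(cert).hexdigest()

os.umask(0o077)
os.makedirs("/etc/NetworkManager/keys", mode=0o700, exist_ok=True)

print(f"Storing private key in /etc/NetworkManager/keys/{key_sha1}.pem")
_write_private(f"/etc/NetworkManager/keys/{key_sha1}.pem", key)

print(f"Storing certificate in /etc/NetworkManager/keys/{cert_sha1}.pem")
_write_private(f"/etc/NetworkManager/keys/{cert_sha1}.pem", cert)

# NOTE(review): the [802-1x] section sets domain-suffix-match but neither
# ca-cert nor system-ca-certs. Without a trust anchor the RADIUS server's
# certificate chain is presumably not verified, which would make the name match
# ineffective against a rogue access point - confirm, and pin the CA if the ONC
# file provides one.
# NOTE(review): private-key-password is written as two literal quote characters;
# the stored key is unencrypted, so this is presumably ignored - confirm.
nmconnection = f"""[connection]
id={ssid}
uuid={uuid.uuid4()}
type=wifi
autoconnect=false
interface-name={wifi_device}
[wifi]
mac-address={wifi_device_mac}
mode=infrastructure
ssid={ssid}
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
private-key=/etc/NetworkManager/keys/{key_sha1}.pem
private-key-password=""
client-cert=/etc/NetworkManager/keys/{cert_sha1}.pem
domain-suffix-match={domain}
eap=tls;
identity={identity}
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]"""

print(f"Storing connection profile in /etc/NetworkManager/system-connections/{ssid}.nmconnection")
_write_private(
    f"/etc/NetworkManager/system-connections/{ssid}.nmconnection",
    nmconnection.encode("utf-8"),
)

print("")
print("All done!")
print(f"Enable the new connection using `nmcli conn up {ssid}`")
print(f"Use `nmcli conn modify {ssid} connection.autoconnect on` to enable automatic connection to this network.")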