diff options
author | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-06-17 19:25:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-17 19:25:44 +0300 |
commit | c7313efaf12d88c637281604abbf5aff063ed8bd (patch) | |
tree | b7c499352104f5a40b933d78fedf72b9063358e0 | |
parent | 249fb1362490b961e0c0031fb29defb654fbaf3f (diff) | |
download | vyos-1x-c7313efaf12d88c637281604abbf5aff063ed8bd.tar.gz vyos-1x-c7313efaf12d88c637281604abbf5aff063ed8bd.zip |
pki: T4026: Only emit private keys when available (#3669)
* install_certificate() code path handles private_key=None &
key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
where having a null private key is possible
* Self-signing and CA creation always generate a private key
* Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
private key
(cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
-rwxr-xr-x | src/op_mode/pki.py | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 361b60e0e..9ce166c7d 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -426,11 +426,15 @@ def generate_ca_certificate_sign(name, ca_name, install=False, file=False): return None cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=True, is_sub_ca=True) - passphrase = ask_passphrase() + + passphrase = None + if private_key is not None: + passphrase = ask_passphrase() if not install and not file: print(encode_certificate(cert)) - print(encode_private_key(private_key, passphrase=passphrase)) + if private_key is not None: + print(encode_private_key(private_key, passphrase=passphrase)) return None if install: @@ -438,7 +442,8 @@ def generate_ca_certificate_sign(name, ca_name, install=False, file=False): if file: write_file(f'{name}.pem', encode_certificate(cert)) - write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + if private_key is not None: + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) def generate_certificate_sign(name, ca_name, install=False, file=False): ca_dict = get_config_ca_certificate(ca_name) @@ -492,11 +497,15 @@ def generate_certificate_sign(name, ca_name, install=False, file=False): return None cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False) - passphrase = ask_passphrase() + + passphrase = None + if private_key is not None: + passphrase = ask_passphrase() if not install and not file: print(encode_certificate(cert)) - print(encode_private_key(private_key, passphrase=passphrase)) + if private_key is not None: + print(encode_private_key(private_key, passphrase=passphrase)) return None if install: @@ -504,7 +513,8 @@ def generate_certificate_sign(name, ca_name, install=False, file=False): if file: write_file(f'{name}.pem', encode_certificate(cert)) - write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + if private_key is not None: + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) def generate_certificate_selfsign(name, install=False, file=False): private_key, key_type = generate_private_key() |