5 files changed, 56 insertions, 37 deletions

diff --git a/src/conf_mode/interfaces_macsec.py b/src/conf_mode/interfaces_macsec.py
index eb0ca9a8b..3ede4377a 100755
--- a/src/conf_mode/interfaces_macsec.py
+++ b/src/conf_mode/interfaces_macsec.py
@@ -103,9 +103,9 @@ def verify(macsec):
 
         # Logic to check static configuration
         if dict_search('security.static', macsec) != None:
-            # tx-key must be defined
+            # key must be defined
             if dict_search('security.static.key', macsec) == None:
-                raise ConfigError('Static MACsec tx-key must be defined.')
+                raise ConfigError('Static MACsec key must be defined.')
 
             tx_len = len(dict_search('security.static.key', macsec))
 
@@ -119,12 +119,12 @@ def verify(macsec):
             if 'peer' not in macsec['security']['static']:
                 raise ConfigError('Must have at least one peer defined for static MACsec')
 
-            # For every enabled peer, make sure a MAC and rx-key is defined
+            # For every enabled peer, make sure a MAC and key is defined
             for peer, peer_config in macsec['security']['static']['peer'].items():
                 if 'disable' not in peer_config and ('mac' not in peer_config or 'key' not in peer_config):
-                    raise ConfigError('Every enabled MACsec static peer must have a MAC address and rx-key defined.')
+                    raise ConfigError('Every enabled MACsec static peer must have a MAC address and key defined!')
 
-                # check rx-key length against cipher suite
+                # check key length against cipher suite
                 rx_len = len(peer_config['key'])
 
                 if dict_search('security.cipher', macsec) == 'gcm-aes-128' and rx_len != GCM_AES_128_LEN:
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index f37cac524..4a0e86f32 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -232,7 +232,7 @@ def get_config(config=None):
 
                         path = search['path']
                         path_str = ' '.join(path + found_path)
-                        print(f'PKI: Updating config: {path_str} {item_name}')
+                        #print(f'PKI: Updating config: {path_str} {item_name}')
 
                         if path[0] == 'interfaces':
                             ifname = found_path[0]
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 169a15840..b193d8109 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -21,6 +21,7 @@ from socket import getfqdn
 from cryptography.x509.oid import NameOID
 
 from vyos.configquery import ConfigTreeQuery
+from vyos.config import config_dict_mangle_acme
 from vyos.pki import CERT_BEGIN
 from vyos.pki import CERT_END
 from vyos.pki import find_chain
@@ -123,6 +124,8 @@ pki_base = ['pki']
 conf = ConfigTreeQuery()
 if not conf.exists(config_base):
     exit('IPsec remote-access is not configured!')
+if not conf.exists(pki_base):
+    exit('PKI is not configured!')
 
 profile_name = 'VyOS IKEv2 Profile'
 if args.profile:
@@ -147,30 +150,36 @@ tmp = getfqdn().split('.')
 tmp = reversed(tmp)
 data['rfqdn'] = '.'.join(tmp)
 
-pki = conf.get_config_dict(pki_base, get_first_key=True)
-cert_name = data['authentication']['x509']['certificate']
-
-cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
-data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_certificates'] = []
-
-loaded_ca_certs = {load_certificate(c['certificate'])
-    for c in pki['ca'].values()} if 'ca' in pki else {}
-
-for ca_name in data['authentication']['x509']['ca_certificate']:
-    loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-    ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
-    for ca in ca_full_chain:
-        tmp = {
-            'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
-            'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
-        }
-        data['ca_certificates'].append(tmp)
-
-# Remove duplicate list entries for CA certificates, as they are added by their common name
-# https://stackoverflow.com/a/9427216
-data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
+if args.os == 'ios':
+    pki = conf.get_config_dict(pki_base, get_first_key=True)
+    if 'certificate' in pki:
+        for certificate in pki['certificate']:
+            pki['certificate'][certificate] = config_dict_mangle_acme(certificate, pki['certificate'][certificate])
+
+    cert_name = data['authentication']['x509']['certificate']
+
+
+    cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
+    data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+    data['ca_certificates'] = []
+
+    loaded_ca_certs = {load_certificate(c['certificate'])
+        for c in pki['ca'].values()} if 'ca' in pki else {}
+
+    for ca_name in data['authentication']['x509']['ca_certificate']:
+        loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+        ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+        for ca in ca_full_chain:
+            tmp = {
+                'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
+                'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''),
+            }
+            data['ca_certificates'].append(tmp)
+
+    # Remove duplicate list entries for CA certificates, as they are added by their common name
+    # https://stackoverflow.com/a/9427216
+    data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}]
 
 esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
                                      key_mangling=('-', '_'), get_first_key=True)
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 4490e609c..57b97a47d 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -426,11 +426,15 @@ def generate_ca_certificate_sign(name, ca_name, install=False, file=False):
         return None
 
     cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=True, is_sub_ca=True)
-    passphrase = ask_passphrase()
+
+    passphrase = None
+    if private_key is not None:
+        passphrase = ask_passphrase()
 
     if not install and not file:
         print(encode_certificate(cert))
-        print(encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            print(encode_private_key(private_key, passphrase=passphrase))
         return None
 
     if install:
@@ -438,7 +442,8 @@ def generate_ca_certificate_sign(name, ca_name, install=False, file=False):
 
     if file:
         write_file(f'{name}.pem', encode_certificate(cert))
-        write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
 
 def generate_certificate_sign(name, ca_name, install=False, file=False):
     ca_dict = get_config_ca_certificate(ca_name)
@@ -492,11 +497,15 @@ def generate_certificate_sign(name, ca_name, install=False, file=False):
         return None
 
     cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False)
-    passphrase = ask_passphrase()
+    
+    passphrase = None
+    if private_key is not None:
+        passphrase = ask_passphrase()
 
     if not install and not file:
         print(encode_certificate(cert))
-        print(encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            print(encode_private_key(private_key, passphrase=passphrase))
         return None
 
     if install:
@@ -504,7 +513,8 @@ def generate_certificate_sign(name, ca_name, install=False, file=False):
 
     if file:
         write_file(f'{name}.pem', encode_certificate(cert))
-        write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
 
 def generate_certificate_selfsign(name, install=False, file=False):
     private_key, key_type = generate_private_key()
diff --git a/src/op_mode/powerctrl.py b/src/op_mode/powerctrl.py
index 6c8f802b5..cb4a175dd 100755
--- a/src/op_mode/powerctrl.py
+++ b/src/op_mode/powerctrl.py
@@ -110,7 +110,7 @@ def check_unsaved_config():
     from vyos.config_mgmt import unsaved_commits
     from vyos.utils.boot import boot_configuration_success
 
-    if unsaved_commits() and boot_configuration_success():
+    if unsaved_commits(allow_missing_config=True) and boot_configuration_success():
         print("Warning: there are unsaved configuration changes!")
         print("Run 'save' command if you do not want to lose those changes after reboot/shutdown.")
     else: