pki: T4026: Only emit private keys when available

* install_certificate() code path handles private_key=None OK already * file and console output paths will error trying to encode None as a key * This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible * Self-signing and CA creation always generate a private key * Certreqs will generate a private key if not already provided
vyos · Jun 15, 2024 · 0ec8f9a · 0ec8f9a
1 parent f3d3b0f
commit 0ec8f9a
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
@@ -430,15 +430,17 @@ def generate_ca_certificate_sign(name, ca_name, install=False, file=False):
 
     if not install and not file:
         print(encode_certificate(cert))
-        print(encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            print(encode_private_key(private_key, passphrase=passphrase))
         return None
 
     if install:
         install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=True)
 
     if file:
         write_file(f'{name}.pem', encode_certificate(cert))
-        write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
 
 def generate_certificate_sign(name, ca_name, install=False, file=False):
     ca_dict = get_config_ca_certificate(ca_name)
@@ -496,15 +498,17 @@ def generate_certificate_sign(name, ca_name, install=False, file=False):
 
     if not install and not file:
         print(encode_certificate(cert))
-        print(encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            print(encode_private_key(private_key, passphrase=passphrase))
         return None
 
     if install:
         install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=False)
 
     if file:
         write_file(f'{name}.pem', encode_certificate(cert))
-        write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
+        if private_key is not None:
+            write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase))
 
 def generate_certificate_selfsign(name, install=False, file=False):
     private_key, key_type = generate_private_key()