
pki: T4026: Only emit private keys when available #3655

Merged
merged 1 commit into from
Jun 17, 2024

Conversation

talmakion
Contributor

@talmakion talmakion commented Jun 15, 2024

Change Summary

Adding a simple check before printing out the private key to a file or console output that it exists, where the code path permits a None private_key.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

  • pki

Proposed changes

  • install_certificate() code path handles private_key=None & key_passphrase=None OK already
  • file and console output paths will error trying to encode None as a key
  • This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible
    • Self-signing and CA creation always generate a private key
    • Certreqs will generate a private key if not already provided
  • Do not prompt for a private key passphrase if we aren't giving back a private key

How to test

# run generate pki certificate sign test-ca 
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
[...snip...]
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
-----BEGIN CERTIFICATE-----
[...snip, but valid...]
-----END CERTIFICATE-----

[edit]

Also ran through ca_cert and install combinations successfully.

Smoketest result

$ python3 /usr/libexec/vyos/tests/smoke/cli/test_pki.py 
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... PKI: Updating config: interfaces ethernet eth1 eapol certificate eapol
ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... PKI: Updating config: service https certificates certificate smoke-test_foo

WARNING: No certificate specified, using build-in self-signed
certificates. Do not use them in a production environment!

ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... 
PKI object "smoketest" still in use by "service https certificates
certificate"


WARNING: No certificate specified, using build-in self-signed
certificates. Do not use them in a production environment!

ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... 
Invalid certificate on CA certificate "invalid-ca"

ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 38.449s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
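As an added example (not code from this PR or from vyos-1x), the shape of the fix described above: a constructed stand-in key exposing the private_bytes() method the real vyos.pki.encode_private_key() calls, the pre-fix output path that fails the way the tracebacks in this thread show, and the post-fix path that prompts for a passphrase and emits a key only when one exists. All function and class names here are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class FakePrivateKey:
    """Constructed stand-in for a cryptography private-key object.
    vyos.pki.encode_private_key() calls private_key.private_bytes(...),
    which is exactly what fails when private_key is None."""
    pem: str

    def private_bytes(self, passphrase: Optional[str] = None) -> bytes:
        # A real key would serialise (and optionally encrypt) itself here.
        suffix = f" (encrypted with {passphrase!r})" if passphrase else ""
        return (self.pem + suffix).encode()


def encode_private_key(private_key, passphrase: Optional[str] = None) -> str:
    # Guard the helper too: a clear error beats an AttributeError deep in a library.
    if private_key is None:
        raise ValueError("no private key available to encode")
    return private_key.private_bytes(passphrase).decode()


def emit_signed_outputs_before_fix(cert_pem: str, private_key,
                                   ask_passphrase: Callable[[], str]) -> Dict[str, str]:
    # Pre-fix shape of the generate_*_sign() output path: prompt unconditionally,
    # then encode whatever key we hold, even when it is None.
    passphrase = ask_passphrase()
    return {"certificate": cert_pem,
            "private_key": private_key.private_bytes(passphrase).decode()}


def emit_signed_outputs(cert_pem: str, private_key,
                        ask_passphrase: Callable[[], str]) -> Dict[str, str]:
    """Post-fix shape (hypothetical names): prompt for a passphrase only when a
    key will actually be handed back, and emit the key only when it exists.
    Signing an externally generated CSR legitimately leaves private_key as None."""
    outputs = {"certificate": cert_pem}
    if private_key is None:
        return outputs
    passphrase = ask_passphrase() or None
    outputs["private_key"] = encode_private_key(private_key, passphrase=passphrase)
    return outputs
```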


github-actions bot commented Jun 15, 2024

👍
No issues in PR Title / Commit Title

@c-po
Member

c-po commented Jun 15, 2024

Can you please share the before and after op-mode output?

@talmakion
Contributor Author

talmakion commented Jun 16, 2024

Before the fix is applied, if you try to run generate pki certificate with a certreq and without "install", it tries to decode None as a private key:

# run generate pki ca install test-ca 
Enter private key type: [rsa, dsa, ec] (Default: rsa) 
Enter private key bits: (Default: 2048) 
Enter country code: (Default: GB) 
Enter state: (Default: Some-State) 
Enter locality: (Default: Some-City) 
Enter organization name: (Default: VyOS) 
Enter common name: (Default: vyos.io) 
Enter how many days certificate will be valid: (Default: 1825) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] n
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
# commit
[edit]
# run generate pki certificate sign test-ca
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
[...snip...]
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
-----BEGIN CERTIFICATE-----
[...snip...]
-----END CERTIFICATE-----

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1017, in <module>
    generate_certificate_sign(args.certificate, args.sign, install=args.install, file=args.file)
  File "/usr/libexec/vyos/op_mode/pki.py", line 499, in generate_certificate_sign
    print(encode_private_key(private_key, passphrase=passphrase))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 98, in encode_private_key
    return private_key.private_bytes(
           ^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'private_bytes'
[edit]
# run generate pki ca sign test-ca 
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
[...snip...]

Enter how many days certificate will be valid: (Default: 1825) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
-----BEGIN CERTIFICATE-----
[...snip...]
-----END CERTIFICATE-----

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1012, in <module>
    generate_ca_certificate_sign(args.ca, args.sign, install=args.install, file=args.file)
  File "/usr/libexec/vyos/op_mode/pki.py", line 433, in generate_ca_certificate_sign
    print(encode_private_key(private_key, passphrase=passphrase))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 98, in encode_private_key
    return private_key.private_bytes(
           ^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'private_bytes'
[edit]

(I'm copying the certreq from the ticket so I didn't have to generate my own)

It's not a problem if the certificate request has been generated internally as well - we've already set the private key in those instances and the user needs to see it. If we're signing a request without knowledge of the private key (which shouldn't be a requirement for a CA), that's when there's a problem.

Self-signing and root CA creation always generate a private_key internally, so they're OK.

@talmakion
Contributor Author

talmakion commented Jun 16, 2024

With the fix applied, we get what we expect, just a signed certificate:

# run generate pki ca install test-ca
Enter private key type: [rsa, dsa, ec] (Default: rsa) 
Enter private key bits: (Default: 2048) 
Enter country code: (Default: GB) 
Enter state: (Default: Some-State) 
Enter locality: (Default: Some-City) 
Enter organization name: (Default: VyOS) 
Enter common name: (Default: vyos.io) 
Enter how many days certificate will be valid: (Default: 1825) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
# run generate pki certificate sign test-ca
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
[...snip...]
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
-----BEGIN CERTIFICATE-----
[...snip, but valid...]
-----END CERTIFICATE-----

[edit]

[...after dumping output certificate to test.crt...]
$ openssl x509 -noout -text -in test.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:a7:9f:4e:51:4a:37:78:c4:43:21:b5:5a:a4:36:9b:0f:7b:35:12
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Some-State, L = Some-City, O = VyOS, CN = vyos.io
        Validity
            Not Before: Jun 16 02:57:21 2024 GMT
            Not After : Jun 16 02:57:21 2025 GMT
        Subject: C = GB, ST = Some-State, L = Some-City, O = VyOS, CN = ipsec-server
[...everything as expected, ready to install back where the private key lives...]

@talmakion
Contributor Author

talmakion commented Jun 16, 2024

I just realised looking at the output, that the private key passphrase prompt is not relevant when private_key is None. I'll update the patch and re-run tests.

* install_certificate() code path handles private_key=None &
  key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
  where having a null private key is possible
  * Self-signing and CA creation always generate a private key
  * Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
  private key
@talmakion
Contributor Author

Test scenarios work as expected, starting with a clean 1.5-rolling-202406130020, the patch applied:

  • generate pki ca install test-ca # and committed, for everything else to work
  • generate pki certificate install test-cert # without cert req
  • generate pki certificate sign test-ca install test-signed-cert # without cert req
  • generate pki certificate sign test-ca # without cert req
  • generate pki certificate sign test-ca # with cert req, where the problem was before

Passphrase prompt doesn't show up unless a private key is known. There's no more backtrace without a private key.

I can paste the full output if required but there's a lot of it, I'm hoping you get the gist.

@c-po
Member

c-po commented Jun 16, 2024

@Mergifyio backport sagitta-stream

Contributor

mergify bot commented Jun 16, 2024

backport sagitta

✅ Backports have been created

Copy link
Contributor

mergify bot commented Jun 17, 2024

backport sagitta-stream

✅ Backports have been created

@dmbaturin dmbaturin merged commit 290b51b into vyos:current Jun 17, 2024
11 checks passed
@dmbaturin
Member

@Mergifyio backport circinus-stream

Contributor

mergify bot commented Jun 17, 2024

backport circinus-stream

✅ Backports have been created
