Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pki: T4026: Only emit private keys when available (backport #3655) #3669

Merged
merged 1 commit into from
Jun 17, 2024
Merged

pki: T4026: Only emit private keys when available (backport #3655) #3669

merged 1 commit into from
Jun 17, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Jun 17, 2024

Change Summary

Adding a simple check before printing out the private key to a file or console output that it exists, where the code path permits a None private_key.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

  • pki

Proposed changes

  • install_certificate() code path handles private_key=None & key_passphrase=None OK already
  • file and console output paths will error trying to encode None as a key
  • This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible
    • Self-signing and CA creation always generate a private key
    • Certreqs will generate a private key if not already provided
  • Do not prompt for a private key passphrase if we aren't giving back a private key

How to test

# run generate pki certificate sign test-ca 
Do you already have a certificate request? [y/N] y
Paste certificate request and press enter:
[...snip...]
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) 
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
-----BEGIN CERTIFICATE-----
[...snip, but valid...]
-----END CERTIFICATE-----

[edit]

Also ran through ca_cert and install combinations successfully.

Smoketest result

$ python3 /usr/libexec/vyos/tests/smoke/cli/test_pki.py 
test_certificate_eapol_update (__main__.TestPKI.test_certificate_eapol_update) ... PKI: Updating config: interfaces ethernet eth1 eapol certificate eapol
ok
test_certificate_https_update (__main__.TestPKI.test_certificate_https_update) ... PKI: Updating config: service https certificates certificate smoke-test_foo

WARNING: No certificate specified, using build-in self-signed
certificates. Do not use them in a production environment!

ok
test_certificate_in_use (__main__.TestPKI.test_certificate_in_use) ... 
PKI object "smoketest" still in use by "service https certificates
certificate"


WARNING: No certificate specified, using build-in self-signed
certificates. Do not use them in a production environment!

ok
test_invalid_ca_valid_certificate (__main__.TestPKI.test_invalid_ca_valid_certificate) ... 
Invalid certificate on CA certificate "invalid-ca"

ok
test_valid_pki (__main__.TestPKI.test_valid_pki) ... ok

----------------------------------------------------------------------
Ran 5 tests in 38.449s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
This is an automatic backport of pull request #3655 done by [Mergify](https://mergify.com).

@talmakion @mergify
pki: T4026: Only emit private keys when available
b1fead2 
* install_certificate() code path handles private_key=None &
  key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
  where having a null private key is possible
  * Self-signing and CA creation always generate a private key
  * Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
  private key

(cherry picked from commit d2cf8ee)
@mergify mergify bot requested a review from a team as a code owner June 17, 2024 15:38
@mergify mergify bot requested review from dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team June 17, 2024 15:38
@mergify mergify bot mentioned this pull request Jun 17, 2024
Merged
12 tasks
@sever-sever sever-sever merged commit c7313ef into circinus-stream Jun 17, 2024
3 checks passed
@mergify mergify bot deleted the mergify/bp/circinus-stream/pr-3655 branch June 17, 2024 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sever-sever sever-sever sever-sever approved these changes

@dmbaturin dmbaturin dmbaturin approved these changes

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev was automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc was automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro was automatically assigned from vyos/reviewers

@c-po c-po Awaiting requested review from c-po c-po was automatically assigned from vyos/reviewers

Assignees
No one assigned
Labels
circinus
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dmbaturin @sever-sever @talmakion