Fix interface encryption password helper call time

The _get_key_file_encryption_password helper needs to be called
after the passed or keyid-based filepath has been determined, i.e.
after key creation in the latter case, because it might be
displayed on the password prompt.

Plus remove obsolete quotes.

securesystemslib/interface.py

@@ -122,7 +122,7 @@ def _get_key_file_encryption_password(password, prompt, path):
   if prompt:
     password = get_password("enter password to encrypt private key file "
         "'" + TERM_RED + str(path) + TERM_RESET + "' (leave empty if key "
-        "should not be encrypted): '", confirm=True)
+        "should not be encrypted): ", confirm=True)
 
     # Treat empty password as no password. A user on the prompt can only
     # indicate the desire to not encrypt by entering no password.
@@ -158,7 +158,7 @@ def _get_key_file_decryption_password(password, prompt, path):
   if prompt:
     password = get_password("enter password to decrypt private key file "
         "'" + TERM_RED + str(path) + TERM_RESET + "' "
-        "(leave empty if key not encrypted): '", confirm=False)
+        "(leave empty if key not encrypted): ", confirm=False)
 
     # Treat empty password as no password. A user on the prompt can only
     # indicate the desire to not decrypt by entering no password.
@@ -213,8 +213,6 @@ def _generate_and_write_rsa_keypair(filepath=None, bits=DEFAULT_RSA_KEY_BITS,
   """
   securesystemslib.formats.RSAKEYBITS_SCHEMA.check_match(bits)
 
-  password = _get_key_file_encryption_password(password, prompt, filepath)
-
   # Generate private RSA key and extract public and private both in PEM
   rsa_key = securesystemslib.keys.generate_rsa_key(bits)
   public = rsa_key['keyval']['public']
@@ -226,6 +224,8 @@ def _generate_and_write_rsa_keypair(filepath=None, bits=DEFAULT_RSA_KEY_BITS,
 
   securesystemslib.formats.PATH_SCHEMA.check_match(filepath)
 
+  password = _get_key_file_encryption_password(password, prompt, filepath)
+
   # Encrypt the private key if a 'password' was passed or entered on the prompt
   if password is not None:
     private = securesystemslib.keys.create_rsa_encrypted_pem(private, password)
@@ -478,8 +478,6 @@ def _generate_and_write_ed25519_keypair(filepath=None, password=None,
     The private key filepath.
 
   """
-  password = _get_key_file_encryption_password(password, prompt, filepath)
-
   ed25519_key = securesystemslib.keys.generate_ed25519_key()
 
   # Use passed 'filepath' or keyid as file name
@@ -488,6 +486,8 @@ def _generate_and_write_ed25519_keypair(filepath=None, password=None,
 
   securesystemslib.formats.PATH_SCHEMA.check_match(filepath)
 
+  password = _get_key_file_encryption_password(password, prompt, filepath)
+
   # Create intermediate directories as required
   securesystemslib.util.ensure_parent_dir(filepath)
 
@@ -723,8 +723,6 @@ def _generate_and_write_ecdsa_keypair(filepath=None, password=None,
     The private key filepath.
 
   """
-  password = _get_key_file_encryption_password(password, prompt, filepath)
-
   ecdsa_key = securesystemslib.keys.generate_ecdsa_key()
 
   # Use passed 'filepath' or keyid as file name
@@ -733,6 +731,8 @@ def _generate_and_write_ecdsa_keypair(filepath=None, password=None,
 
   securesystemslib.formats.PATH_SCHEMA.check_match(filepath)
 
+  password = _get_key_file_encryption_password(password, prompt, filepath)
+
   # Create intermediate directories as required
   securesystemslib.util.ensure_parent_dir(filepath)