From 9990dbd4f96dd2dfee620ae7d24049ebc8db34fc Mon Sep 17 00:00:00 2001
From: vzhestkov
Date: Tue, 20 Aug 2024 12:02:10 +0200
Subject: [PATCH 1/3] Make error checking of x509 more flexible for most recent cryptography and openSSL versions
---
 salt/utils/x509.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/utils/x509.py b/salt/utils/x509.py
index 5b2ae15882..f9fdca64d9 100644
--- a/salt/utils/x509.py
+++ b/salt/utils/x509.py
@@ -695,7 +695,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
 return pk, "pem", None
 return pk
 except ValueError as err:
- if "Bad decrypt" in str(err):
+ str_err = str(err)
+ if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
 raise SaltInvocationError(
 "Bad decrypt - is the password correct?"
 ) from err
From 1e892173d7c5f928e64881ce5375ebecb1c59538 Mon Sep 17 00:00:00 2001
From: vzhestkov
Date: Tue, 20 Aug 2024 16:05:11 +0200
Subject: [PATCH 2/3] Add test for different exception value on loading private key
---
 .../pytests/functional/states/test_x509_v2.py | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py
index 929be014cd..47a1c555f8 100644
--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@@ -3,6 +3,8 @@ import pytest
+from tests.support.mock import patch
+
 try:
 import cryptography
 import cryptography.x509 as cx509
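Review bot: The added `"Could not deserialize key data" in str_err` branch is much broader than the `"Bad decrypt"` check it extends: as the message quoted in the next patch's test spells out, cryptography raises that text for a wrong format, an unsupported algorithm and an unsupported key type as well as for a wrong password, so on recent cryptography any undecodable PEM input is now reported as "Bad decrypt - is the password correct?". If the rest of `load_privkey`, which lies outside the hunk, falls through to other loaders when this condition is false, that fallback is short-circuited for such inputs. Gating the new substring on a passphrase actually having been supplied and carrying the original text through would keep the diagnosis honest: `if "Bad decrypt" in str_err or (passphrase and "Could not deserialize key data" in str_err):` with the message `f"Bad decrypt - is the password correct? ({str_err})"`. The `from err` chaining keeps the cause in the traceback either way, but the user-facing message is what operators act on.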
@@ -2826,3 +2828,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
 pk = base64.b64decode(pk)
 return pkcs12.load_pkcs12(pk, passphrase).key
 raise ValueError("Need correct encoding")
+
+
+@pytest.mark.usefixtures("existing_pk")
+@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
+def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
+ pk_args["passphrase"] = "hunter1"
+ pk_args["overwrite"] = True
+
+ with patch(
+ "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+ side_effect=ValueError("Bad decrypt. Incorrect password?"),
+ ):
+ ret = x509.private_key_managed(**pk_args)
+ _assert_pk_basic(ret, "rsa", passphrase="hunter1")
+
+ with patch(
+ "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+ side_effect=ValueError(
+ "Could not deserialize key data. The data may be in an incorrect format, "
+ "the provided password may be incorrect, "
+ "it may be encrypted with an unsupported algorithm, "
+ "or it may be an unsupported key type "
+ "(e.g. EC curves with explicit parameters)."
+ ),
+ ):
+ ret = x509.private_key_managed(**pk_args)
+ _assert_pk_basic(ret, "rsa", passphrase="hunter1")
From f0a69e927103ae793a41fc6da90fedc08466b10b Mon Sep 17 00:00:00 2001
From: vzhestkov
Date: Tue, 27 Aug 2024 11:36:56 +0200
Subject: [PATCH 3/3] Add fix for test_privkey_new_with_prereq on old OpenSSL
---
 tests/pytests/integration/states/test_x509_v2.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
index 4f94341295..ad8d904c92 100644
--- a/tests/pytests/integration/states/test_x509_v2.py
+++ b/tests/pytests/integration/states/test_x509_v2.py
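Review bot: `test_exceptions_on_calling_load_pem_private_key` asserts only that `private_key_managed` with `overwrite=True` ends with a fresh key carrying the new passphrase; nothing checks that either mocked message was classified as a bad passphrase, so the test would pass just as well if the state regenerated the key on any load error. A run without `overwrite`, asserting that the state's failure comment contains `is the password correct`, or a direct `pytest.raises(SaltInvocationError, match="Bad decrypt")` around the loader, would pin the mapping this series introduces. The two `with patch(...)` blocks differ only in the exception text; `@pytest.mark.parametrize("err_msg", [...])` over the two strings would remove the duplication. Patching `cryptography.hazmat.primitives.serialization.load_pem_private_key` is only effective if the code under test resolves the function on the module at call time rather than importing the name directly — not visible here, so worth a one-line comment. The test function is contained entirely within the hunk.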
@@ -195,6 +195,13 @@ def privkey_new(x509_salt_master, tmp_path, ca_minion_id, x509_salt_call_cli):
 """
 with x509_salt_master.state_tree.base.temp_file("manage_cert.sls", state):
 ret = x509_salt_call_cli.run("state.apply", "manage_cert")
+ if (
+ ret.returncode == 1
+ and "NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout
+ ):
+ pytest.skip(
+ "The version of OpenSSL doesn't support ECDSA keys with unnamed curves"
+ )
 assert ret.returncode == 0
 assert ret.data[next(iter(ret.data))]["changes"]
 assert (tmp_path / "priv.key").exists()
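Review bot: The new `if` turns `returncode == 1` plus `"NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout` into a skip without recording why that outcome is environmental, so a future regression that prints the same error on a supported platform would be skipped rather than fail; a comment above `if (` would make the intent reviewable, e.g. `# Some OpenSSL builds cannot map explicit EC parameters to a named curve and the key load fails with NotImplementedError; treat that as an unsupported platform, not a test failure.` The skip reason blames OpenSSL while the matched text is a Python `NotImplementedError`, presumably raised by cryptography, so the comment should say which layer is believed responsible. The check also assumes `ret.stdout` is a `str`; if the CLI helper can hand back `None`, the `in` test raises `TypeError` and masks the original failure. `privkey_new` opens before the hunk and may continue past it.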