Improve error handling with different OpenSSL versions #672

Merged
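--- a/salt/utils/x509.py
+++ b/salt/utils/x509.py
@@ -695,7 +695,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
 return pk, "pem", None
 return pk
 except ValueError as err:
-if "Bad decrypt" in str(err):
+str_err = str(err)
+if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
 raise SaltInvocationError(
 "Bad decrypt - is the password correct?"
 ) from err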
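Review bot: The widened condition `if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:` folds a generic deserialization failure into the password-specific `SaltInvocationError("Bad decrypt - is the password correct?")`. Going by the message wording the functional test reproduces, "Could not deserialize key data" also covers an incorrect format, an unsupported algorithm and an unsupported key type, so a caller whose key is merely unsupported now gets a misleading hint; the original cause survives via `from err`, but the user-facing text does not mention it. Two ways to keep the hint honest: widen the text to something like `"Bad decrypt - is the password correct? (the key data may also be in an unsupported format or use an unsupported algorithm)"`, or only treat the second wording as a bad decrypt when a passphrase was actually supplied, e.g. `if "Bad decrypt" in str_err or (passphrase is not None and "Could not deserialize key data" in str_err):` — assuming `passphrase` still holds the caller's argument at that point, which the hunk does not show. load_privkey's body starts and ends outside the hunk.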
29 changes: 29 additions & 0 deletions tests/pytests/functional/states/test_x509_v2.py
Expand Up @@ -3,6 +3,8 @@

import pytest

from tests.support.mock import patch

try:
import cryptography
import cryptography.x509 as cx509
Expand Down Expand Up @@ -2826,3 +2828,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
pk = base64.b64decode(pk)
return pkcs12.load_pkcs12(pk, passphrase).key
raise ValueError("Need correct encoding")


@pytest.mark.usefixtures("existing_pk")
@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
pk_args["passphrase"] = "hunter1"
pk_args["overwrite"] = True

with patch(
"cryptography.hazmat.primitives.serialization.load_pem_private_key",
side_effect=ValueError("Bad decrypt. Incorrect password?"),
):
ret = x509.private_key_managed(**pk_args)
_assert_pk_basic(ret, "rsa", passphrase="hunter1")

with patch(
"cryptography.hazmat.primitives.serialization.load_pem_private_key",
side_effect=ValueError(
"Could not deserialize key data. The data may be in an incorrect format, "
"the provided password may be incorrect, "
"it may be encrypted with an unsupported algorithm, "
"or it may be an unsupported key type "
"(e.g. EC curves with explicit parameters)."
),
):
ret = x509.private_key_managed(**pk_args)
_assert_pk_basic(ret, "rsa", passphrase="hunter1")
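Review bot: test_exceptions_on_calling_load_pem_private_key has no docstring, and the two patched ValueError messages read as arbitrary strings unless the reader already knows they mirror the wordings load_privkey matches on. Suggest a docstring such as `"""Both error wordings load_pem_private_key may raise for a wrong passphrase must be treated as a bad decrypt so the managed key is replaced rather than the state erroring out."""` plus a short comment before each `patch(...)` naming which message variant it stands for; the replacement behaviour is inferred from `overwrite = True` and the follow-up assertion with the new passphrase, so word it to match what the state actually does. The patch replaces `load_pem_private_key` for the whole `with` body, so if `_assert_pk_basic` loads the resulting key through that same function it would trip over the side_effect; the rendered page has lost indentation, so whether the assertion sits inside the `with` cannot be confirmed from here.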
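--- a/tests/pytests/integration/states/test_x509_v2.py
+++ b/tests/pytests/integration/states/test_x509_v2.py
@@ -195,6 +195,13 @@ def privkey_new(x509_salt_master, tmp_path, ca_minion_id, x509_salt_call_cli):
 """
 with x509_salt_master.state_tree.base.temp_file("manage_cert.sls", state):
 ret = x509_salt_call_cli.run("state.apply", "manage_cert")
+if (
+ret.returncode == 1
+and "NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout
+):
+pytest.skip(
+"The version of OpenSSL doesn't support ECDSA keys with unnamed curves"
+)
 assert ret.returncode == 0
 assert ret.data[next(iter(ret.data))]["changes"]
 assert (tmp_path / "priv.key").exists()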
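Review bot: The new skip in privkey_new keys on `"NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout` together with `ret.returncode == 1`; if the traceback ends up on stderr under some output configuration the fixture fails instead of skipping, and the exact wording ties the test to one error message. If the result object exposes `ret.stderr`, searching both streams, `in ret.stdout + ret.stderr`, would make the skip more robust; whether it does is not visible in the hunk. A one-line comment above `if (` explaining why return code 1 with that message is an expected environment limitation rather than a regression, e.g. `# some OpenSSL builds cannot load EC keys with explicit (unnamed) curve parameters; not a bug in the state`, would help the next reader. privkey_new starts outside the hunk.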