3ebbc3cd7b
- Improve error handling with different OpenSSL versions - Remove redundant run_func from salt.master.MWorker._handle_aes - Added: * avoid-crash-on-wrong-output-of-systemctl-version-bsc.patch * improve-error-handling-with-different-openssl-versio.patch * remove-redundant-run_func-from-salt.master.mworker._.patch OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=254
99 lines
3.9 KiB
Diff
99 lines
3.9 KiB
Diff
From 4e226426d0897f2d9dc64891ced78487b181d40e Mon Sep 17 00:00:00 2001
|
|
From: Victor Zhestkov <vzhestkov@suse.com>
|
|
Date: Fri, 30 Aug 2024 14:33:51 +0200
|
|
Subject: [PATCH] Improve error handling with different OpenSSL
|
|
versions
|
|
|
|
* Make error checking of x509 more flexible
|
|
|
|
for most recent cryptography and openSSL versions
|
|
|
|
* Add test for different exception value on loading private key
|
|
|
|
* Add fix for test_privkey_new_with_prereq on old OpenSSL
|
|
---
|
|
salt/utils/x509.py | 3 +-
|
|
.../pytests/functional/states/test_x509_v2.py | 29 +++++++++++++++++++
|
|
.../integration/states/test_x509_v2.py | 7 +++++
|
|
3 files changed, 38 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/salt/utils/x509.py b/salt/utils/x509.py
|
|
index 5b2ae15882..f9fdca64d9 100644
|
|
--- a/salt/utils/x509.py
|
|
+++ b/salt/utils/x509.py
|
|
@@ -695,7 +695,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
|
|
return pk, "pem", None
|
|
return pk
|
|
except ValueError as err:
|
|
- if "Bad decrypt" in str(err):
|
|
+ str_err = str(err)
|
|
+ if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
|
|
raise SaltInvocationError(
|
|
"Bad decrypt - is the password correct?"
|
|
) from err
|
|
diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py
|
|
index 929be014cd..47a1c555f8 100644
|
|
--- a/tests/pytests/functional/states/test_x509_v2.py
|
|
+++ b/tests/pytests/functional/states/test_x509_v2.py
|
|
@@ -3,6 +3,8 @@ from pathlib import Path
|
|
|
|
import pytest
|
|
|
|
+from tests.support.mock import patch
|
|
+
|
|
try:
|
|
import cryptography
|
|
import cryptography.x509 as cx509
|
|
@@ -2826,3 +2828,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
|
|
pk = base64.b64decode(pk)
|
|
return pkcs12.load_pkcs12(pk, passphrase).key
|
|
raise ValueError("Need correct encoding")
|
|
+
|
|
+
|
|
+@pytest.mark.usefixtures("existing_pk")
|
|
+@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
|
|
+def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
|
|
+ pk_args["passphrase"] = "hunter1"
|
|
+ pk_args["overwrite"] = True
|
|
+
|
|
+ with patch(
|
|
+ "cryptography.hazmat.primitives.serialization.load_pem_private_key",
|
|
+ side_effect=ValueError("Bad decrypt. Incorrect password?"),
|
|
+ ):
|
|
+ ret = x509.private_key_managed(**pk_args)
|
|
+ _assert_pk_basic(ret, "rsa", passphrase="hunter1")
|
|
+
|
|
+ with patch(
|
|
+ "cryptography.hazmat.primitives.serialization.load_pem_private_key",
|
|
+ side_effect=ValueError(
|
|
+ "Could not deserialize key data. The data may be in an incorrect format, "
|
|
+ "the provided password may be incorrect, "
|
|
+ "it may be encrypted with an unsupported algorithm, "
|
|
+ "or it may be an unsupported key type "
|
|
+ "(e.g. EC curves with explicit parameters)."
|
|
+ ),
|
|
+ ):
|
|
+ ret = x509.private_key_managed(**pk_args)
|
|
+ _assert_pk_basic(ret, "rsa", passphrase="hunter1")
|
|
diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
|
|
index 4f94341295..ad8d904c92 100644
|
|
--- a/tests/pytests/integration/states/test_x509_v2.py
|
|
+++ b/tests/pytests/integration/states/test_x509_v2.py
|
|
@@ -195,6 +195,13 @@ Certificate:
|
|
"""
|
|
with x509_salt_master.state_tree.base.temp_file("manage_cert.sls", state):
|
|
ret = x509_salt_call_cli.run("state.apply", "manage_cert")
|
|
+ if (
|
|
+ ret.returncode == 1
|
|
+ and "NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout
|
|
+ ):
|
|
+ pytest.skip(
|
|
+ "The version of OpenSSL doesn't support ECDSA keys with unnamed curves"
|
|
+ )
|
|
assert ret.returncode == 0
|
|
assert ret.data[next(iter(ret.data))]["changes"]
|
|
assert (tmp_path / "priv.key").exists()
|
|
--
|
|
2.46.0
|
|
|