Merge pull request #36898 from clinta/x509-fixes

X509 fixes

salt/modules/x509.py

@@ -162,6 +162,9 @@ def _get_csr_extensions(csr):
     if csryaml and 'Requested Extensions' in csryaml['Certificate Request']['Data']:
         csrexts = csryaml['Certificate Request']['Data']['Requested Extensions']
 
+        if not csrexts:
+            return ret
+
         for short_name, long_name in six.iteritems(EXT_NAME_MAPPINGS):
             if long_name in csrexts:
                 ret[short_name] = csrexts[long_name]
@@ -670,7 +673,7 @@ def create_private_key(path=None, text=False, bits=2048):
 
 def create_crl(path=None, text=False, signing_private_key=None,
         signing_cert=None, revoked=None, include_expired=False,
-        days_valid=100):
+        days_valid=100, digest=''):
     '''
     Create a CRL
 
@@ -713,6 +716,9 @@ def create_crl(path=None, text=False, signing_private_key=None,
 
     days_valid:
         The number of days that the CRL should be valid. This sets the Next Update field in the CRL.
+    digest:
+        The digest to use for signing the CRL.
+        This has no effect on versions of pyOpenSSL less than 0.14
 
     .. note
 
@@ -730,7 +736,6 @@ def create_crl(path=None, text=False, signing_private_key=None,
     '''
     # pyOpenSSL is required for dealing with CSLs. Importing inside these functions because
     # Client operations like creating CRLs shouldn't require pyOpenSSL
-    # Note due to current limitations in pyOpenSSL it is impossible to specify a digest
     # For signing the CRL. This will hopefully be fixed soon: https://github.com/pyca/pyopenssl/pull/161
     import OpenSSL
     crl = OpenSSL.crypto.CRL()
@@ -774,7 +779,11 @@ def create_crl(path=None, text=False, signing_private_key=None,
     key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
             get_pem_entry(signing_private_key))
 
-    crltext = crl.export(cert, key, OpenSSL.crypto.FILETYPE_PEM, days=days_valid)
+    try:
+        crltext = crl.export(cert, key, OpenSSL.crypto.FILETYPE_PEM, days=days_valid, digest=bytes(digest))
+    except TypeError:
+        log.warning('Error signing crl with specified digest. Are you using pyopenssl 0.15 or newer? The default md5 digest will be used.')
+        crltext = crl.export(cert, key, OpenSSL.crypto.FILETYPE_PEM, days=days_valid)
 
     if text:
         return crltext
@@ -1090,7 +1099,7 @@ def create_certificate(path=None, text=False, ca_server=None, **kwargs):
         # Remove system entries in kwargs
         # Including listen_in and preqreuired because they are not included in STATE_INTERNAL_KEYWORDS
         # for salt 2014.7.2
-        for ignore in list(_STATE_INTERNAL_KEYWORDS) + ['listen_in', 'preqrequired']:
+        for ignore in list(_STATE_INTERNAL_KEYWORDS) + ['listen_in', 'preqrequired', '__prerequired__']:
             kwargs.pop(ignore, None)
 
         cert_txt = __salt__['publish.publish'](tgt=ca_server,
@@ -1225,6 +1234,9 @@ def create_csr(path=None, text=False, **kwargs):
     text:
         If ``True``, return the PEM text without writing to a file. Default ``False``.
 
+    algorithm:
+        The hashing algorithm to be used for signing this request. Defaults to sha256.
+
     kwargs:
         The subject, extension and version arguments from
         :mod:`x509.create_certificate <salt.modules.x509.create_certificate>` can be used.
@@ -1243,10 +1255,23 @@ def create_csr(path=None, text=False, **kwargs):
 
     csr = M2Crypto.X509.Request()
     subject = csr.get_subject()
+
+    for prop, default in six.iteritems(CERT_DEFAULTS):
+        if prop not in kwargs:
+            kwargs[prop] = default
+
     csr.set_version(kwargs['version'] - 1)
 
+    if 'private_key' not in kwargs and 'public_key' in kwargs:
+        kwargs['private_key'] = kwargs['public_key']
+        log.warning("OpenSSL no longer allows working with non-signed CSRs. A private_key must be specified. Attempting to use public_key as private_key")
+
+    if 'private_key' not in kwargs not in kwargs:
+        raise salt.exceptions.SaltInvocationError('private_key is required')
+
     if 'public_key' not in kwargs:
-        raise salt.exceptions.SaltInvocationError('public_key is required')
+        kwargs['public_key'] = kwargs['private_key']
+
     csr.set_pubkey(get_public_key(kwargs['public_key'], asObj=True))
 
     for entry, num in six.iteritems(subject.nid):                  # pylint: disable=unused-variable
@@ -1255,7 +1280,7 @@ def create_csr(path=None, text=False, **kwargs):
 
     extstack = M2Crypto.X509.X509_Extension_Stack()
     for extname, extlongname in six.iteritems(EXT_NAME_MAPPINGS):
-        if extname not in kwargs or extlongname not in kwargs:
+        if extname not in kwargs and extlongname not in kwargs:
             continue
 
         extval = kwargs[extname] or kwargs[extlongname]
@@ -1275,6 +1300,8 @@ def create_csr(path=None, text=False, **kwargs):
 
     csr.add_extensions(extstack)
 
+    csr.sign(_get_private_key_obj(kwargs['private_key']), kwargs['algorithm'])
+
     if path:
         return write_pem(text=csr.as_pem(), path=path,
                 pem_type='CERTIFICATE REQUEST')
@@ -1359,7 +1386,7 @@ def verify_crl(crl, cert):
 
     cmd = ('openssl crl -noout -in {0} -CAfile {1}'.format(crltempfile.name, certtempfile.name))
 
-    output = __salt__['cmd.run_stdout'](cmd)
+    output = __salt__['cmd.run_stderr'](cmd)
 
     crltempfile.close()
     certtempfile.close()

salt/states/x509.py

@@ -293,7 +293,7 @@ def csr_managed(name,
 
         /etc/pki/mycert.csr:
           x509.csr_managed:
-             - public_key: /etc/pki/mycert.key
+             - private_key: /etc/pki/mycert.key
              - CN: www.example.com
              - C: US
              - ST: Utah
@@ -483,6 +483,7 @@ def crl_managed(name,
                 signing_cert=None,
                 revoked=None,
                 days_valid=100,
+                digest="",
                 days_remaining=30,
                 include_expired=False,
                 backup=False,):
@@ -508,6 +509,10 @@ def crl_managed(name,
     days_valid:
         The number of days the certificate should be valid for. Default is 100.
 
+    digest:
+        The digest to use for signing the CRL.
+        This has no effect on versions of pyOpenSSL less than 0.14
+
     days_remaining:
         The crl should be automatically recreated if there are less than ``days_remaining``
         days until the crl expires. Set to 0 to disable automatic renewal. Default is 30.
@@ -564,7 +569,7 @@ def crl_managed(name,
         current = '{0} does not exist.'.format(name)
 
     new_crl = __salt__['x509.create_crl'](text=True, signing_private_key=signing_private_key,
-            signing_cert=signing_cert, revoked=revoked, days_valid=days_valid, include_expired=include_expired)
+            signing_cert=signing_cert, revoked=revoked, days_valid=days_valid, digest=digest, include_expired=include_expired)
 
     new = __salt__['x509.read_crl'](crl=new_crl)
     new_comp = new.copy()