validate minion crypto config

2025-04-17 10:10:20 +00:00 · 2024-05-25 15:51:16 -07:00 · 2024-05-25 15:51:16 -07:00 · 7d35efe5b9
commit 7d35efe5b9
parent 277e56b113
2 changed files with 20 additions and 0 deletions
--- a/salt/config/init.py
+++ b/salt/config/init.py
@ -13,6 +13,7 @@ import types
 import urllib.parse
 from copy import deepcopy

+import salt.crypt
 import salt.defaults.exitcodes
 import salt.exceptions
 import salt.features
@ -3855,6 +3856,17 @@ def apply_minion_config(
    _update_ssl_config(opts)
    _update_discovery_config(opts)

+    if opts["encryption_algorithm"] not in salt.crypt.VALID_ENCRYPTION_ALGORITHMS:
+        raise salt.exceptions.SaltConfigurationError(
+            f"The encryption algorithm '{opts['encryption_algorithm']}' is not valid. "
+            f"Please specify one of {','.join(salt.crypt.VALID_ENCRYPTION_ALGORITHMS)}."
+        )
+    if opts["signing_algorithm"] not in salt.crypt.VALID_SIGNING_ALGORITHMS:
+        raise salt.exceptions.SaltConfigurationError(
+            f"The signging algorithm '{opts['signing_algorithm']}' is not valid. "
+            f"Please specify one of {','.join(salt.crypt.VALID_SIGNING_ALGORITHMS)}."
+        )
+
    return opts


--- a/salt/crypt.py
+++ b/salt/crypt.py
@ -75,6 +75,14 @@ VALID_HASHES = (

 VALID_PADDING_FOR_SIGNING = (PKCS1v15,)
 VALID_PADDING_FOR_ENCRYPTION = (OAEP,)
+VALID_ENCRYPTION_ALGORITHMS = (
+    OAEP_SHA1,
+    OAEP_SHA224,
+)
+VALID_SIGNING_ALGORITHMS = (
+    PKCS1v15_SHA1,
+    PKCS1v15_SHA224,
+)


 def fips_enabled():