Fix x509 CRL creation (fixes #54867)

2025-04-16 09:40:20 +00:00 · 2020-08-24 00:10:14 +02:00 · 2020-08-24 00:10:14 +02:00 · a04d19e763
commit a04d19e763
parent 2fde8d19dd
4 changed files with 144 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -63,6 +63,7 @@ Fixed
 - Fixed bug with distro version breaking osrelease on Centos 7. (#57781)
 - Fixed macOS build scripts. (#57973)
 - Fixed Salt-API startup failure. (#57975)
+- Fixed CSR handling in x509 module (#54867)


 Added
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -675,7 +675,7 @@ def read_crl(crl):
    text = get_pem_entry(text, pem_type="X509 CRL")

    crltempfile = tempfile.NamedTemporaryFile(delete=True)
-    crltempfile.write(salt.utils.stringutils.to_str(text))
+    crltempfile.write(salt.utils.stringutils.to_bytes(text, encoding='ascii'))
    crltempfile.flush()
    crlparsed = _parse_openssl_crl(crltempfile.name)
    crltempfile.close()
@ -1004,7 +1004,7 @@ def create_crl(

        if "reason" in rev_item:
            # Same here for OpenSSL bindings and non-unicode strings
-            reason = salt.utils.stringutils.to_str(rev_item["reason"])
+            reason = salt.utils.stringutils.to_bytes(rev_item["reason"])
            rev.set_reason(reason)

        crl.add_revoked(rev)
@ -1892,13 +1892,13 @@ def verify_crl(crl, cert):
    crltext = _text_or_file(crl)
    crltext = get_pem_entry(crltext, pem_type="X509 CRL")
    crltempfile = tempfile.NamedTemporaryFile(delete=True)
-    crltempfile.write(salt.utils.stringutils.to_str(crltext))
+    crltempfile.write(salt.utils.stringutils.to_bytes(crltext, encoding='ascii'))
    crltempfile.flush()

    certtext = _text_or_file(cert)
    certtext = get_pem_entry(certtext, pem_type="CERTIFICATE")
    certtempfile = tempfile.NamedTemporaryFile(delete=True)
-    certtempfile.write(salt.utils.stringutils.to_str(certtext))
+    certtempfile.write(salt.utils.stringutils.to_bytes(certtext, encoding='ascii'))
    certtempfile.flush()

    cmd = "openssl crl -noout -in {0} -CAfile {1}".format(
--- a/tests/integration/files/file/base/x509/crl_managed.sls
+++ b/tests/integration/files/file/base/x509/crl_managed.sls
@ -0,0 +1,76 @@
+{% set tmp_dir = pillar['tmp_dir'] %}
+
+{{ tmp_dir }}/pki:
+  file.directory: []
+
+{{ tmp_dir }}/pki/issued_certs:
+  file.directory: []
+
+{{ tmp_dir }}/pki/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - require:
+      - file: {{ tmp_dir }}/pki
+
+{{ tmp_dir }}/pki/ca.crt:
+  x509.certificate_managed:
+    - signing_private_key: {{ tmp_dir }}/pki/ca.key
+    - CN: ca.example.com
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+    - require:
+      - file: {{ tmp_dir }}/pki
+      - {{ tmp_dir }}/pki/ca.key
+
+{{ tmp_dir }}/pki/test.key:
+  x509.private_key_managed:
+    - bits: 1024
+    - backup: True
+
+test_crt:
+  x509.certificate_managed:
+    - name: {{ tmp_dir }}/pki/test.crt
+    - ca_server: minion
+    - signing_policy: ca_policy
+    - public_key: {{ tmp_dir }}/pki/test.key
+    - CN: minion
+    - days_remaining: 30
+    - backup: True
+    - require:
+        - {{ tmp_dir }}/pki/ca.crt
+        - {{ tmp_dir }}/pki/test.key
+
+#mine.send:
+#  module.run:
+#    - func: x509.get_pem_entries
+#    - kwargs:
+#        glob_path: {{ tmp_dir }}/pki/ca.crt
+#    - onchanges:
+#      - x509: {{ tmp_dir }}/pki/ca.crt
+
+{{ tmp_dir }}/pki/ca.crl:
+  x509.crl_managed:
+    - signing_private_key: {{ tmp_dir }}/pki/ca.key
+    - signing_cert: {{ tmp_dir }}/pki/ca.crt
+    - digest: sha512
+    - revoked:
+      - compromized_Web_key:
+        - certificate: {{ tmp_dir }}/pki/test.crt
+        - revocation_date: 2015-03-01 00:00:00
+        - reason: keyCompromise
+      #- terminated_vpn_user:
+      #  - serial_number: D6:D2:DC:D8:4D:5C:C0:F4
+      #  - not_after: 2016-01-01 00:00:00
+      #  - revocation_date: 2015-02-25 00:00:00
+      #  - reason: cessationOfOperation
+    - require:
+      - x509: {{ tmp_dir }}/pki/ca.crt
+      - x509: test_crt
--- a/tests/integration/states/test_x509.py
+++ b/tests/integration/states/test_x509.py
@ -153,6 +153,69 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
        assert "Certificate" in ret[key]["changes"]
        assert "New" in ret[key]["changes"]["Certificate"]

+    @slowTest
+    def test_crl_managed(self):
+        ret = self.run_function(
+            "state.apply", ["x509.crl_managed"], pillar={"tmp_dir": RUNTIME_VARS.TMP}
+        )
+        key = "x509_|-{}/pki/ca.crl_|-{}/pki/ca.crl_|-crl_managed".format(
+            RUNTIME_VARS.TMP,
+            RUNTIME_VARS.TMP
+        )
+
+        # hints for easier debugging
+        #import json
+        #print(json.dumps(ret[key], indent=4, sort_keys=True))
+        #print(ret[key]['comment'])
+
+        assert key in ret
+        assert "changes" in ret[key]
+        self.assertEqual(ret[key]['result'], True)
+        assert "New" in ret[key]["changes"]
+        assert "Revoked Certificates" in ret[key]["changes"]["New"]
+        self.assertEqual(ret[key]['changes']['Old'], "{}/pki/ca.crl does not exist.".format(RUNTIME_VARS.TMP))
+
+    @slowTest
+    def test_crl_managed_replacing_existing_crl(self):
+        os.mkdir(os.path.join(RUNTIME_VARS.TMP, 'pki'))
+        with salt.utils.files.fopen(os.path.join(RUNTIME_VARS.TMP, 'pki/ca.crl'), 'wb') as crl_file:
+            crl_file.write(b"""-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
+pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
+2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
+AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
+yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
+hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
+3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
+u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
+kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
+35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
+TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
+tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
+c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
+-----END RSA PRIVATE KEY-----
+""")
+
+        ret = self.run_function(
+            "state.apply", ["x509.crl_managed"], pillar={"tmp_dir": RUNTIME_VARS.TMP}
+        )
+        key = "x509_|-{}/pki/ca.crl_|-{}/pki/ca.crl_|-crl_managed".format(
+            RUNTIME_VARS.TMP,
+            RUNTIME_VARS.TMP
+        )
+
+        # hints for easier debugging
+        #import json
+        #print(json.dumps(ret[key], indent=4, sort_keys=True))
+        #print(ret[key]['comment'])
+
+        assert key in ret
+        assert "changes" in ret[key]
+        self.assertEqual(ret[key]['result'], True)
+        assert "New" in ret[key]["changes"]
+        assert "Revoked Certificates" in ret[key]["changes"]["New"]
+        self.assertEqual(ret[key]['changes']['Old'], "{}/pki/ca.crl is not a valid CRL.".format(RUNTIME_VARS.TMP))
+
    def test_cert_issue_not_before_not_after(self):
        ret = self.run_function(
            "state.apply",