Fix x509_v2 privkey handling/reporting, correct docs

changelog/64597.fixed.md

@@ -0,0 +1 @@
+Fixed some issues in x509_v2 execution module private key functions

salt/modules/x509_v2.py

@@ -255,8 +255,8 @@ def create_certificate(
         Instead of returning the certificate, write it to this file path.
 
     overwrite
-        If ``path`` is specified and the file exists, do not overwrite it.
-        Defaults to false.
+        If ``path`` is specified and the file exists, overwrite it.
+        Defaults to true.
 
     raw
         Return the encoded raw bytes instead of a string. Defaults to false.
@@ -614,7 +614,7 @@ def _create_certificate_local(
             path=os.path.join(copypath, f"{prepend}{cert.serial_number:x}.crt"),
             pem_type="CERTIFICATE",
         )
-    return builder.sign(signing_private_key, algorithm=algorithm), private_key_loaded
+    return cert, private_key_loaded
 
 
 def encode_certificate(
@@ -1196,7 +1196,7 @@ def create_private_key(
     keysize
         For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096).
         For ``ec``, specifies the NIST curve to use (256, 384, 521).
-        Irrelevant for Edwards-curve schemes (`ed25519``, ``ed448``).
+        Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``).
         Defaults to 2048 for RSA and 256 for EC.
 
     passphrase
@@ -1246,6 +1246,7 @@ def create_private_key(
         raise CommandExecutionError(
             f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12"
         )
+
     out = encode_private_key(
         _generate_pk(algo=algo, keysize=keysize),
         encoding=encoding,
@@ -1258,7 +1259,9 @@ def create_private_key(
         return out
 
     if encoding == "pem":
-        return write_pem(out.decode(), path, pem_type="(?:RSA )?PRIVATE KEY")
+        return write_pem(
+            out.decode(), path, pem_type="(?:(RSA|ENCRYPTED) )?PRIVATE KEY"
+        )
     with salt.utils.files.fopen(path, "wb") as fp_:
         fp_.write(out)
     return
@@ -1268,6 +1271,7 @@ def encode_private_key(
     private_key,
     encoding="pem",
     passphrase=None,
+    private_key_passphrase=None,
     pkcs12_encryption_compat=False,
     raw=False,
 ):
@@ -1280,7 +1284,7 @@ def encode_private_key(
 
         salt '*' x509.encode_private_key /etc/pki/my.key der
 
-    csr
+    private_key
         The private key to encode.
 
     encoding
@@ -1288,6 +1292,23 @@ def encode_private_key(
         as a ``pem`` string, base64-encoded ``der`` and base64-encoded ``pkcs12``.
         Defaults to ``pem``.
 
+    passphrase
+        If this is specified, the private key will be encrypted using this
+        passphrase. The encryption algorithm cannot be selected, it will be
+        determined automatically as the best available one.
+
+    private_key_passphrase
+        .. versionadded:: 3006.2
+
+        If the current ``private_key`` is encrypted, the passphrase to
+        decrypt it.
+
+    pkcs12_encryption_compat
+        Some operating systems are incompatible with the encryption defaults
+        for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
+        ``PBESv1SHA1And3KeyTripleDESCBC``.
+        Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
+
     raw
         Return the encoded raw bytes instead of a string. Defaults to false.
     """
@@ -1295,6 +1316,7 @@ def encode_private_key(
         raise CommandExecutionError(
             f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12"
         )
+    private_key = x509util.load_privkey(private_key, passphrase=private_key_passphrase)
     if passphrase is None:
         cipher = serialization.NoEncryption()
     else:
@@ -1553,7 +1575,7 @@ def get_public_key(key, passphrase=None, asObj=None):
     except SaltInvocationError:
         pass
     raise CommandExecutionError(
-        "Could not load key as certificate, public key, private key, CSR or CRL"
+        "Could not load key as certificate, public key, private key or CSR"
     )
 
 
@@ -1940,7 +1962,7 @@ def verify_private_key(private_key, public_key, passphrase=None):
     passphrase
         If ``private_key`` is encrypted, the passphrase to decrypt it.
     """
-    privkey = x509util.load_privkey(private_key, passphrase=None)
+    privkey = x509util.load_privkey(private_key, passphrase=passphrase)
     pubkey = x509util.load_pubkey(get_public_key(public_key))
     return x509util.is_pair(pubkey, privkey)
 

salt/states/x509_v2.py

@@ -82,7 +82,7 @@ the certificate to the mine, where it can be easily retrieved by other minions.
         - keysize: 4096
         - backup: true
         - require:
-          - file: /etc/pki
+          - file: /etc/pki/issued_certs
 
     Create self-signed CA certificate:
       x509.certificate_managed:
@@ -1274,7 +1274,7 @@ def private_key_managed(
     keysize
         For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096).
         For ``ec``, specifies the NIST curve to use (256, 384, 521).
-        Irrelevant for Edwards-curve schemes (`ed25519``, ``ed448``).
+        Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``).
         Defaults to 2048 for RSA and 256 for EC.
 
     passphrase
@@ -1450,7 +1450,7 @@ def private_key_managed(
                 and algo in ("rsa", "ec")
                 and current.key_size != check_keysize
             ):
-                changes["keysize"] = keysize
+                changes["keysize"] = check_keysize
             if encoding != current_encoding:
                 changes["encoding"] = encoding
         elif file_exists and new: