From ab2a5087611ef24261f1aa9ea1b4a3a232db4a57 Mon Sep 17 00:00:00 2001 From: jeanluc Date: Wed, 5 Jul 2023 12:20:09 +0200 Subject: [PATCH] Fix `x509_v2` privkey handling/reporting, correct docs --- changelog/64597.fixed.md | 1 + salt/modules/x509_v2.py | 38 ++++++++++++++++++++++++++++++-------- salt/states/x509_v2.py | 6 +++--- 3 files changed, 34 insertions(+), 11 deletions(-) create mode 100644 changelog/64597.fixed.md diff --git a/changelog/64597.fixed.md b/changelog/64597.fixed.md new file mode 100644 index 00000000000..1810ce5ebb8 --- /dev/null +++ b/changelog/64597.fixed.md @@ -0,0 +1 @@ +Fixed some issues in x509_v2 execution module private key functions diff --git a/salt/modules/x509_v2.py b/salt/modules/x509_v2.py index 0725b1b5624..ba26d7b6b2e 100644 --- a/salt/modules/x509_v2.py +++ b/salt/modules/x509_v2.py @@ -255,8 +255,8 @@ def create_certificate( Instead of returning the certificate, write it to this file path. overwrite - If ``path`` is specified and the file exists, do not overwrite it. - Defaults to false. + If ``path`` is specified and the file exists, overwrite it. + Defaults to true. raw Return the encoded raw bytes instead of a string. Defaults to false. @@ -614,7 +614,7 @@ def _create_certificate_local( path=os.path.join(copypath, f"{prepend}{cert.serial_number:x}.crt"), pem_type="CERTIFICATE", ) - return builder.sign(signing_private_key, algorithm=algorithm), private_key_loaded + return cert, private_key_loaded def encode_certificate( @@ -1196,7 +1196,7 @@ def create_private_key( keysize For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096). For ``ec``, specifies the NIST curve to use (256, 384, 521). - Irrelevant for Edwards-curve schemes (`ed25519``, ``ed448``). + Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``). Defaults to 2048 for RSA and 256 for EC. passphrase 
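Review bot: In the `@@ -614,7 +614,7 @@` hunk, `return cert, private_key_loaded` makes `cert` the value returned on every path, but the hunk only shows `cert` being used inside the `copypath` branch (`cert.serial_number`); if it is first bound inside that branch, the no-copypath path now raises `UnboundLocalError`, so confirm it is assigned unconditionally before `if copypath:` in the lines above the hunk. A one-line comment on the return would also help the next reader, since the old code re-signed the builder and could hand back a certificate whose signature bytes differ from the copy written to `copypath`: `# return the same object that was written to copypath, not a fresh signature`. `_create_certificate_local` begins outside the hunk.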
@@ -1246,6 +1246,7 @@ def create_private_key( raise CommandExecutionError( f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12" ) + out = encode_private_key( _generate_pk(algo=algo, keysize=keysize), encoding=encoding, @@ -1258,7 +1259,9 @@ def create_private_key( return out if encoding == "pem": - return write_pem(out.decode(), path, pem_type="(?:RSA )?PRIVATE KEY") + return write_pem( + out.decode(), path, pem_type="(?:(RSA|ENCRYPTED) )?PRIVATE KEY" + ) with salt.utils.files.fopen(path, "wb") as fp_: fp_.write(out) return @@ -1268,6 +1271,7 @@ def encode_private_key( private_key, encoding="pem", passphrase=None, + private_key_passphrase=None, pkcs12_encryption_compat=False, raw=False, ): @@ -1280,7 +1284,7 @@ def encode_private_key( salt '*' x509.encode_private_key /etc/pki/my.key der - csr + private_key The private key to encode. encoding @@ -1288,6 +1292,23 @@ def encode_private_key( as a ``pem`` string, base64-encoded ``der`` and base64-encoded ``pkcs12``. Defaults to ``pem``. + passphrase + If this is specified, the private key will be encrypted using this + passphrase. The encryption algorithm cannot be selected, it will be + determined automatically as the best available one. + + private_key_passphrase + .. versionadded:: 3006.2 + + If the current ``private_key`` is encrypted, the passphrase to + decrypt it. + + pkcs12_encryption_compat + Some operating systems are incompatible with the encryption defaults + for PKCS12 used since OpenSSL v3. This switch triggers a fallback to + ``PBESv1SHA1And3KeyTripleDESCBC``. + Please consider the `notes on PKCS12 encryption `_. + raw Return the encoded raw bytes instead of a string. Defaults to false. """ @@ -1295,6 +1316,7 @@ def encode_private_key( raise CommandExecutionError( f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12" ) + private_key = x509util.load_privkey(private_key, passphrase=private_key_passphrase) if passphrase is None: cipher = serialization.NoEncryption() else: 
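Review bot: In the `@@ -1258,7 +1259,9 @@` hunk, the new `pem_type="(?:(RSA|ENCRYPTED) )?PRIVATE KEY"` introduces a capturing group where the original used a non-capturing one, and nothing in the hunk consumes the match, so `pem_type="(?:(?:RSA|ENCRYPTED) )?PRIVATE KEY"` would keep the pattern a pure header check in the original's style. If `write_pem` validates the PEM header with this pattern and `encode_private_key` can emit a TraditionalOpenSSL-formatted EC key, the `EC PRIVATE KEY` label would still be rejected here — worth confirming which `PrivateFormat` is used before relying on the regex. `create_private_key` begins outside the hunk.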
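Review bot: In the `@@ -1268,6 +1271,7 @@` hunk, `private_key_passphrase=None` is inserted before `pkcs12_encryption_compat` and `raw`, so any caller that passes those positionally now silently feeds its fourth argument into the new parameter; appending the parameter after `raw`, or making everything after `encoding` keyword-only with a `*,` separator, keeps the signature backward-compatible. The same parameter is consumed in the `@@ -1295,6 +1316,7 @@` hunk by `private_key = x509util.load_privkey(private_key, passphrase=private_key_passphrase)`, so both hunks would move together. The docstring added in `@@ -1288,6 +1292,23 @@` could also state what happens when the input key is encrypted and `private_key_passphrase` is omitted — presumably `load_privkey` raises, but that is not visible here. `encode_private_key`'s body continues outside these hunks.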
@@ -1553,7 +1575,7 @@ def get_public_key(key, passphrase=None, asObj=None): except SaltInvocationError: pass raise CommandExecutionError( - "Could not load key as certificate, public key, private key, CSR or CRL" + "Could not load key as certificate, public key, private key or CSR" ) @@ -1940,7 +1962,7 @@ def verify_private_key(private_key, public_key, passphrase=None): passphrase If ``private_key`` is encrypted, the passphrase to decrypt it. """ - privkey = x509util.load_privkey(private_key, passphrase=None) + privkey = x509util.load_privkey(private_key, passphrase=passphrase) pubkey = x509util.load_pubkey(get_public_key(public_key)) return x509util.is_pair(pubkey, privkey) diff --git a/salt/states/x509_v2.py b/salt/states/x509_v2.py index 35790fff24a..ee04eba610a 100644 --- a/salt/states/x509_v2.py +++ b/salt/states/x509_v2.py @@ -82,7 +82,7 @@ the certificate to the mine, where it can be easily retrieved by other minions. - keysize: 4096 - backup: true - require: - - file: /etc/pki + - file: /etc/pki/issued_certs Create self-signed CA certificate: x509.certificate_managed: @@ -1274,7 +1274,7 @@ def private_key_managed( keysize For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096). For ``ec``, specifies the NIST curve to use (256, 384, 521). - Irrelevant for Edwards-curve schemes (`ed25519``, ``ed448``). + Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``). Defaults to 2048 for RSA and 256 for EC. passphrase @@ -1450,7 +1450,7 @@ def private_key_managed( and algo in ("rsa", "ec") and current.key_size != check_keysize ): - changes["keysize"] = keysize + changes["keysize"] = check_keysize if encoding != current_encoding: changes["encoding"] = encoding elif file_exists and new: