
From 825ab5883277cca4497a9c0cbbc7b33820f87357 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Fri, 30 Aug 2024 14:33:51 +0200
Subject: [PATCH] Improve error handling with different OpenSSL
 versions

* Make error checking of x509 more flexible

for most recent cryptography and OpenSSL versions

* Add test for different exception value on loading private key

* Add fix for test_privkey_new_with_prereq on old OpenSSL
---
 salt/utils/x509.py                            |  3 +-
 .../pytests/functional/states/test_x509_v2.py | 29 +++++++++++++++++++
 .../integration/states/test_x509_v2.py        |  7 +++++
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/salt/utils/x509.py b/salt/utils/x509.py
index 893756ed6c..edd9fb42d5 100644
--- a/salt/utils/x509.py
+++ b/salt/utils/x509.py
@@ -701,7 +701,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
                 return pk, "pem", None
             return pk
         except ValueError as err:
-            if "Bad decrypt" in str(err):
+            str_err = str(err)
+            if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
                 raise SaltInvocationError(
                     "Bad decrypt - is the password correct?"
                 ) from err
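Review bot: The new `"Could not deserialize key data"` clause on the `if` line maps a generic deserialization failure onto "Bad decrypt - is the password correct?", yet the very message quoted in the accompanying test lists an incorrect format, an unsupported algorithm and an unsupported key type as equally likely causes, so an unencrypted but malformed or unsupported key would now be reported to the user as a passphrase problem. load_privkey begins above the hunk and the path taken when the condition is false is not visible, so the narrowest fix I can suggest is to take the new branch only when a passphrase was actually supplied, `if "Bad decrypt" in str_err or ("Could not deserialize key data" in str_err and passphrase is not None):`, assuming `passphrase` is still the untouched parameter at this point; alternatively keep the broad match but append `str_err` to the raised message so the library's own diagnosis is not lost. Either way the two-string match deserves a why-comment, since it is matching on library error text that evidently changes between releases: `# newer cryptography/OpenSSL report a wrong passphrase as "Could not deserialize key data"; that text also covers malformed or unsupported keys`.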
diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py
index 2232eee159..e19497d584 100644
--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@@ -4,6 +4,8 @@ import shutil
 
 import pytest
 
+from tests.support.mock import patch
+
 try:
     import cryptography
     import cryptography.x509 as cx509
@@ -2899,3 +2901,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
             pk = base64.b64decode(pk)
         return pkcs12.load_pkcs12(pk, passphrase).key
     raise ValueError("Need correct encoding")
+
+
+@pytest.mark.usefixtures("existing_pk")
+@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
+def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
+    pk_args["passphrase"] = "hunter1"
+    pk_args["overwrite"] = True
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError("Bad decrypt. Incorrect password?"),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+    _assert_pk_basic(ret, "rsa", passphrase="hunter1")
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError(
+            "Could not deserialize key data. The data may be in an incorrect format, "
+            "the provided password may be incorrect, "
+            "it may be encrypted with an unsupported algorithm, "
+            "or it may be an unsupported key type "
+            "(e.g. EC curves with explicit parameters)."
+        ),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+    _assert_pk_basic(ret, "rsa", passphrase="hunter1")
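Review bot: The two `with patch(...)` blocks in test_exceptions_on_calling_load_pem_private_key are identical apart from the ValueError text, and the second also runs against a key file the first block already regenerated, so a failure in the second case is harder to attribute; a `@pytest.mark.parametrize("err_msg", [...])` over the two messages gives one independent case per message and a clearer failure name. The test also only proves that the state recovers with overwrite=True; it does not assert that the "Bad decrypt" SaltInvocationError was actually raised, so if private_key_managed regenerates on any load failure in overwrite mode (I cannot see that code from here) the new match in salt/utils/x509.py could be removed without this test noticing — a direct `pytest.raises(SaltInvocationError, match="Bad decrypt")` around load_privkey would pin that. A one-line docstring stating why two message variants are exercised would also help, e.g. `"""A wrong-passphrase ValueError must be treated as a bad decrypt whichever message variant the installed cryptography/OpenSSL produces."""`.
```python
@pytest.mark.usefixtures("existing_pk")
@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
@pytest.mark.parametrize(
    "err_msg",
    [
        "Bad decrypt. Incorrect password?",
        "Could not deserialize key data. The data may be in an incorrect format, "
        "the provided password may be incorrect, "
        "it may be encrypted with an unsupported algorithm, "
        "or it may be an unsupported key type "
        "(e.g. EC curves with explicit parameters).",
    ],
)
def test_exceptions_on_calling_load_pem_private_key(x509, pk_args, err_msg):
    """A wrong-passphrase ValueError must be treated as a bad decrypt whichever
    message variant the installed cryptography/OpenSSL produces."""
    pk_args["passphrase"] = "hunter1"
    pk_args["overwrite"] = True

    with patch(
        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
        side_effect=ValueError(err_msg),
    ):
        ret = x509.private_key_managed(**pk_args)
    _assert_pk_basic(ret, "rsa", passphrase="hunter1")
```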
diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
index eaded27610..9d70c66740 100644
--- a/tests/pytests/integration/states/test_x509_v2.py
+++ b/tests/pytests/integration/states/test_x509_v2.py
@@ -272,6 +272,13 @@ Certificate:
     """
     with x509_salt_master.state_tree.base.temp_file("manage_cert.sls", state):
         ret = x509_salt_call_cli.run("state.apply", "manage_cert")
+        if (
+            ret.returncode == 1
+            and "NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout
+        ):
+            pytest.skip(
+                "The version of OpenSSL doesn't support ECDSA keys with unnamed curves"
+            )
         assert ret.returncode == 0
         assert ret.data[next(iter(ret.data))]["changes"]
         assert (tmp_path / "priv.key").exists()
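Review bot: The new skip condition is tied to exactly `ret.returncode == 1` and to the NotImplementedError text appearing in `ret.stdout`; if the CLI reports a failed state with a different non-zero code, or the traceback ends up on stderr, the new `if` is bypassed and the test falls through to `assert ret.returncode == 0` with the same unhelpful failure this hunk is trying to avoid. I cannot confirm salt-call's exit-code convention from here, so consider loosening it to `ret.returncode != 0` and searching both streams, and record why the skip exists with a comment such as `# old OpenSSL cannot load EC keys with explicit (unnamed) curve parameters, which this state presumably exercises`. The enclosing test function starts above the hunk.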
-- 
2.47.0
