
[WIP] crypto modules: invalid file handling #53222

Status: Open. Wants to merge 1 commit into base: devel from felixfontein:crypto-invalid-file-handling.
felixfontein commented Mar 3, 2019

SUMMARY

In the wake of #36738, I wanted to find out what happens if the various crypto_* modules are presented with invalid input (for idempotency checking).

Current findings:

  • openssh_cert returns an error, though somewhat convoluted:
    fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/bin/ssh-keygen -s output-6dabffd3/id_key_broken -I '' -P '' /tmp/tmpmtua18gy/id_key_broken.pub", "msg": "Load key \"output-6dabffd3/id_key_broken\": invalid format", "rc": 255, "stderr": "Load key \"output-6dabffd3/id_key_broken\": invalid format\r\n", "stderr_lines": ["Load key \"output-6dabffd3/id_key_broken\": invalid format"], "stdout": "", "stdout_lines": []}
  • openssh_keypair returns a not very helpful error:
    fatal: [localhost]: FAILED! => {"changed": false, "msg": "list index out of range"}
  • openssl_certificate crashes:
    fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/home/felix/.ansible/tmp/ansible-tmp-1551612045.0003505-89376799709255/AnsiballZ_openssl_certificate.py:18: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses\n import imp\nTraceback (most recent call last):\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612045.0003505-89376799709255/AnsiballZ_openssl_certificate.py\", line 114, in <module>\n _ansiballz_main()\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612045.0003505-89376799709255/AnsiballZ_openssl_certificate.py\", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612045.0003505-89376799709255/AnsiballZ_openssl_certificate.py\", line 49, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/usr/lib/python3.7/imp.py\", line 234, in load_module\n return load_source(name, filename, file)\n File \"/usr/lib/python3.7/imp.py\", line 169, in load_source\n module = _exec(spec, sys.modules[name])\n File \"<frozen importlib._bootstrap>\", line 630, in _exec\n File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module\n File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n File \"/tmp/ansible_openssl_certificate_payload_o44_kf7z/__main__.py\", line 1173, in <module>\n File \"/tmp/ansible_openssl_certificate_payload_o44_kf7z/__main__.py\", line 1152, in main\n File \"/tmp/ansible_openssl_certificate_payload_o44_kf7z/__main__.py\", line 608, in generate\n File \"/tmp/ansible_openssl_certificate_payload_o44_kf7z/__main__.py\", line 564, in check\n File \"/tmp/ansible_openssl_certificate_payload_o44_kf7z/ansible_openssl_certificate_payload.zip/ansible/module_utils/crypto.py\", line 105, in load_certificate\n File \"/usr/lib/python3.7/site-packages/OpenSSL/crypto.py\", line 1825, in _raise_current_error()\n File \"/usr/lib/python3.7/site-packages/OpenSSL/_util.py\", line 54, in exception_from_error_queue\n raise exception_type(errors)\nOpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
  • openssl_csr crashes:
    fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/home/felix/.ansible/tmp/ansible-tmp-1551612113.785685-202158316249600/AnsiballZ_openssl_csr.py:18: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses\n import imp\nTraceback (most recent call last):\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612113.785685-202158316249600/AnsiballZ_openssl_csr.py\", line 114, in <module>\n _ansiballz_main()\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612113.785685-202158316249600/AnsiballZ_openssl_csr.py\", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/felix/.ansible/tmp/ansible-tmp-1551612113.785685-202158316249600/AnsiballZ_openssl_csr.py\", line 49, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/usr/lib/python3.7/imp.py\", line 234, in load_module\n return load_source(name, filename, file)\n File \"/usr/lib/python3.7/imp.py\", line 169, in load_source\n module = _exec(spec, sys.modules[name])\n File \"<frozen importlib._bootstrap>\", line 630, in _exec\n File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module\n File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/__main__.py\", line 1039, in <module>\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/__main__.py\", line 1017, in main\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/__main__.py\", line 421, in generate\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/__main__.py\", line 454, in check\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/__main__.py\", line 598, in _check_csr\n File \"/tmp/ansible_openssl_csr_payload_v9bfv_c1/ansible_openssl_csr_payload.zip/ansible/module_utils/crypto.py\", line 116, in load_certificate_request\n File \"/usr/lib/python3.7/site-packages/OpenSSL/crypto.py\", line 2854, in load_certificate_request\n _openssl_assert(req != _ffi.NULL)\n File \"/usr/lib/python3.7/site-packages/OpenSSL/_util.py\", line 67, in openssl_assert\n exception_from_error_queue(error)\n File \"/usr/lib/python3.7/site-packages/OpenSSL/_util.py\", line 54, in exception_from_error_queue\n raise exception_type(errors)\nOpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
  • openssl_dhparam simply recreates the DH params
  • openssl_pkcs12 simply recreates the PKCS#12 file (not surprising considering #53221)
  • openssl_privatekey simply recreates the private key

Let's continue the discussion on what to do in #36738.

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

openssh_cert
openssh_keypair
openssl_certificate
openssl_csr
openssl_dhparam
openssl_pkcs12
openssl_privatekey
openssl_publickey
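As an added illustration (not code from this PR or from Ansible), the shape of a check that turns the "no start line" parse failure above into a readable module result instead of a traceback: a lightweight PEM structure check over constructed sample files, with the fail-versus-regenerate policy that #36738 is about made an explicit parameter. `inspect_pem`, `check_existing`, `InvalidFileError` and the sample file contents are assumptions for the example, not part of the modules.

```python
import base64
import binascii
import re

# Constructed sample files standing in for what a crypto_* module reads back
# during its idempotency check; the base64 body is dummy filler, not a real key.
SAMPLES = {
    "valid.pem": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU4=\n-----END CERTIFICATE-----\n",
    "id_key_broken": "this is not a PEM file\n",  # what OpenSSL reports as "no start line"
    "truncated.pem": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU4=\n",
    "corrupt.pem": "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n",
}

# One PEM block: matching BEGIN/END labels around a body that is validated separately.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>[^-]*?)-----END (?P=label)-----"
)


class InvalidFileError(ValueError):
    """Carries a readable message instead of letting the backend's traceback escape."""


def inspect_pem(path, text):
    """Return the label of the first well-formed PEM block, or raise InvalidFileError."""
    if not text.strip():
        raise InvalidFileError("%s is empty" % path)
    match = PEM_BLOCK.search(text)
    if match is None:
        raise InvalidFileError("%s is not PEM encoded (no BEGIN/END block found)" % path)
    body = "".join(match.group("body").split())
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise InvalidFileError("%s has a corrupt PEM body: %s" % (path, exc))
    return match.group("label")


def check_existing(path, text, regenerate_invalid=False):
    """Idempotency decision for an existing file with the policy made explicit:
    a parseable file is left alone; an unparseable one either fails the task with
    a clear message (default) or is flagged for regeneration."""
    try:
        label = inspect_pem(path, text)
    except InvalidFileError as exc:
        if regenerate_invalid:
            return {"changed": True, "failed": False, "msg": "%s; regenerating" % exc}
        return {"changed": False, "failed": True, "msg": "Cannot load %s: %s" % (path, exc)}
    return {"changed": False, "failed": False, "msg": "%s is a valid %s" % (path, label)}
```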

@felixfontein felixfontein force-pushed the felixfontein:crypto-invalid-file-handling branch from 29f9d20 to e8fa280 Mar 3, 2019
