x509.create_csr creates invalid CSR #36814

Closed
martin-helmich opened this issue Oct 6, 2016 · 7 comments
Labels
Bug broken, incorrect, or confusing behavior Execution-Module fixed-pls-verify fix is linked, bug author to confirm fix P3 Priority 3 Platform Relates to OS, containers, platform-based utilities like FS, system based apps severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around

@martin-helmich
Contributor

martin-helmich commented Oct 6, 2016

Steps to Reproduce Issue

  1. Create CSR using x509.create_csr:

    $ salt-call x509.create_csr CN=test public_key=/path/to/key.pem path=/tmp/csr version=3
    
  2. Try to read CSR using x509.read_csr:

    $ salt-call x509.read_csr csr=/tmp/csr
    
  3. Observe:

    [WARNING ] /usr/lib/python2.7/dist-packages/salt/grains/core.py:1493: DeprecationWarning: The "osmajorrelease" will be a type of an integer.
    
    [ERROR   ] An un-handled exception was caught by salt's global exception handler:
    X509Error: 140503767979776:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
    140503767979776:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
    
    Traceback (most recent call last):
    File "/usr/bin/salt-call", line 11, in <module>
      salt_call()
    File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 352, in salt_call
      client.run()
    File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 58, in run
      caller.run()
    File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 134, in run
      ret = self.call()
    File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 197, in call
      ret['return'] = func(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 500, in read_csr
      csr = _get_request_obj(csr)
    File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 321, in _get_request_obj
      return M2Crypto.X509.load_request_string(text)
    File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1040, in load_request_string
      return load_request_bio(bio, format)
    File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1024, in load_request_bio
      raise X509Error(Err.get_error())
    X509Error: 140503767979776:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
    140503767979776:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
    Traceback (most recent call last):
    File "/usr/bin/salt-call", line 11, in <module>
      salt_call()
    File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 352, in salt_call
      client.run()
    File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 58, in run
      caller.run()
    File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 134, in run
      ret = self.call()
    File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 197, in call
      ret['return'] = func(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 500, in read_csr
      csr = _get_request_obj(csr)
    File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 321, in _get_request_obj
      return M2Crypto.X509.load_request_string(text)
    File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1040, in load_request_string
      return load_request_bio(bio, format)
    File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1024, in load_request_bio
      raise X509Error(Err.get_error())
    M2Crypto.X509.X509Error: 140503767979776:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
    140503767979776:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
    140503767979776:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
    
  4. Cross-check salt-generated CSR with openssl:

    $ openssl req -verify -in /tmp/csr -noout -text
    unable to load X509 request
    139833282913944:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    139833282913944:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
    139833282913944:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
    139833282913944:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
    
  5. Cross-check with manually created CSR:

    $ openssl req -new -key /path/to/key.pem -out /tmp/csr2 -subj /CN=test
    $ salt-call x509.read_csr csr=/tmp/csr2
    [WARNING ] /usr/lib/python2.7/dist-packages/salt/grains/core.py:1493: DeprecationWarning: The "osmajorrelease" will be a type of an integer.
    
    local:
    ----------
    Subject:
        ----------
        CN:
            test
    Subject Hash:
        84:F5:1F:95
    Version:
        1
    X509v3 Extensions:
        ----------
    

Versions Report

Salt Version:
           Salt: 2016.3.3

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.21.1
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.12 (default, Jul  1 2016, 15:12:24)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-38-generic
         system: Linux
        version: Ubuntu 16.04 xenial
@Ch3LL
Contributor

Ch3LL commented Oct 7, 2016

@martin-helmich how did you create your public_key? Were you also using the x509 module or openssl?

@Ch3LL Ch3LL added the info-needed waiting for more info label Oct 7, 2016
@Ch3LL Ch3LL added this to the Blocked milestone Oct 7, 2016
@martin-helmich
Contributor Author

@Ch3LL, I created it using the x509.create_private_key module.

@clinta
Contributor

clinta commented Oct 10, 2016

Seeing the same thing, trying to get to the bottom of it.

clinta added a commit to clinta/salt that referenced this issue Oct 10, 2016
@clinta clinta mentioned this issue Oct 10, 2016
@Ch3LL
Contributor

Ch3LL commented Oct 10, 2016

Perfect, thanks @clinta! @martin-helmich can you give his fix a try and report whether that works for you as well?

@Ch3LL Ch3LL added Execution-Module Bug broken, incorrect, or confusing behavior P3 Priority 3 Platform Relates to OS, containers, platform-based utilities like FS, system based apps and removed info-needed waiting for more info labels Oct 10, 2016
@Ch3LL Ch3LL modified the milestones: Approved, Blocked Oct 10, 2016
@Ch3LL Ch3LL added fixed-pls-verify fix is linked, bug author to confirm fix severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around labels Oct 10, 2016
@martin-helmich
Contributor Author

martin-helmich commented Oct 11, 2016

First of all, thanks for the quick reaction! 👍 Unfortunately, the patch proposed in #36898 does not solve the issue for me.

root@some-box:/usr/lib/python2.7/dist-packages# curl https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/36898.diff | patch -p1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6532    0  6532    0     0   8828      0 --:--:-- --:--:-- --:--:--  8827
patching file salt/modules/x509.py
Hunk #7 succeeded at 1237 (offset 6 lines).
Hunk #8 succeeded at 1258 (offset 6 lines).
Hunk #9 succeeded at 1283 (offset 6 lines).
Hunk #10 succeeded at 1303 (offset 6 lines).
Hunk #11 succeeded at 1389 (offset 6 lines).
patching file salt/states/x509.py

Attempt 1: Reading previously created CSR

For previously created CSRs, this does not have any effect for me (understandable, as the create_csr module was patched, not read_csr):

root@some-box:/usr/lib/python2.7/dist-packages# salt-call x509.read_csr csr=/tmp/csr2
[WARNING ] /usr/lib/python2.7/dist-packages/salt/grains/core.py:1493: DeprecationWarning: The "osmajorrelease" will be a type of an integer.

[ERROR   ] An un-handled exception was caught by salt's global exception handler:
X509Error: 140513190975232:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
140513190975232:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 352, in salt_call
    client.run()
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 58, in run
    caller.run()
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 134, in run
    ret = self.call()
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 197, in call
    ret['return'] = func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 501, in read_csr
    csr = _get_request_obj(csr)
  File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 322, in _get_request_obj
    return M2Crypto.X509.load_request_string(text)
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1040, in load_request_string
    return load_request_bio(bio, format)
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1024, in load_request_bio
    raise X509Error(Err.get_error())
X509Error: 140513190975232:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
140513190975232:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 352, in salt_call
    client.run()
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 58, in run
    caller.run()
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 134, in run
    ret = self.call()
  File "/usr/lib/python2.7/dist-packages/salt/cli/caller.py", line 197, in call
    ret['return'] = func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 501, in read_csr
    csr = _get_request_obj(csr)
  File "/usr/lib/python2.7/dist-packages/salt/modules/x509.py", line 322, in _get_request_obj
    return M2Crypto.X509.load_request_string(text)
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1040, in load_request_string
    return load_request_bio(bio, format)
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 1024, in load_request_bio
    raise X509Error(Err.get_error())
M2Crypto.X509.X509Error: 140513190975232:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=algorithm, Type=X509_ALGOR
140513190975232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=sig_alg, Type=X509_REQ
140513190975232:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

Attempt 2: Creating a new CSR

Using x509.create_csr to create a new CSR results in a different error message:

root@some-box:/usr/lib/python2.7/dist-packages# salt-call x509.create_csr CN=test2 public_key=/path/to/key.pem path=/tmp/csr3 version=1
[WARNING ] /usr/lib/python2.7/dist-packages/salt/grains/core.py:1493: DeprecationWarning: The "osmajorrelease" will be a type of an integer.

[WARNING ] OpenSSL no longer allows working with non-signed CSRs. A private_key must be specified. Attempting to use public_key as private_key
local:
    PEM written to /tmp/csr3
root@some-box:/usr/lib/python2.7/dist-packages# salt-call x509.read_csr csr=/tmp/csr3
[WARNING ] /usr/lib/python2.7/dist-packages/salt/grains/core.py:1493: DeprecationWarning: The "osmajorrelease" will be a type of an integer.


Passed invalid arguments: argument of type 'NoneType' is not iterable.

Usage:

    Returns a dict containing details of a certificate request.

    :depends:   - OpenSSL command line tool

    csr:
        A path or PEM encoded string containing the CSR to read.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_csr /etc/pki/mycert.csr
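
The OpenSSL errors quoted in this thread point at `Field=algorithm, Type=X509_ALGOR` inside `Field=sig_alg, Type=X509_REQ`, that is, the signature algorithm OID of the request. The following is an added example, not code from Salt or from any participant in this issue: a small DER walker that checks those two trailing fields of a PEM CSR before it is handed to a CA or to `x509.read_csr`. The function names are hypothetical, the sample requests are constructed stubs, and the shape of the unsigned sample (empty algorithm OID, empty signature) is an assumption about what an unsigned request looks like.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def oid_ok(body):
    """OID content must be non-empty and must not end in the middle of an arc."""
    return bool(body) and not body[-1] & 0x80

def csr_signature_problems(pem):
    """List defects in signatureAlgorithm / signature of a PEM PKCS#10 request."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, start, _ = read_tlv(der, 0)                    # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, info_end = read_tlv(der, start)               # certificationRequestInfo, skipped
    _, alg_start, alg_end = read_tlv(der, info_end)     # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(der, alg_start)  # algorithm OID
    problems = []
    if tag != 0x06 or not oid_ok(der[oid_start:oid_end]):
        problems.append("sig_alg.algorithm: invalid object encoding")
    tag, sig_start, sig_end = read_tlv(der, alg_end)    # signature BIT STRING
    if tag != 0x03 or sig_end - sig_start <= 1:
        problems.append("signature: empty, request was never signed")
    return problems

# Constructed samples: stub request info and dummy signature bytes, not real CSRs.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def _pem(sig_alg, signature):
    info = _tlv(0x30, _tlv(0x02, b"\x00"))
    der = _tlv(0x30, info + _tlv(0x30, sig_alg) + _tlv(0x03, signature))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SIGNED = _pem(_tlv(0x06, SHA256_RSA) + _tlv(0x05, b""), b"\x00\xde\xad\xbe\xef")
UNSIGNED = _pem(_tlv(0x06, b""), b"\x00")  # assumed shape of an unsigned request
```

This only checks structure; it does not verify the signature against the request's public key, which `openssl req -verify` (step 4 of the original report) does.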

@clinta
Contributor

clinta commented Oct 11, 2016

Please try the latest fix in eb4433d.

Also the bug which caused you to have to specify a version is now fixed as well, so you can omit that if you want to.

@cachedout
Contributor

We've got this fix in and there has been no reply for a request to verify this fix so I am going to go ahead and close this. Thanks all.
