x509.certificate_managed certificate is mangled on process under py3 m2crypto #49027

Open
lachlanmunro opened this issue Aug 9, 2018 · 2 comments

@lachlanmunro
commented Aug 9, 2018

Description of Issue/Question

Having problems with the x509 certificate managed state under m2crypto/py3 on Windows. We believe that the issue is not Windows-specific and is related to the charset changes in py3.

The below example is the passthrough of a certificate resulting in invalid encoding.

Although the demo state is a little contrived, we use pem_managed (we could just as easily just use file.managed?) to put CA certificates in place via the mine. The below reproduces the certificate correctly on the py2 minions that currently use states like the below.

Setup

/testy.crt:
  x509.pem_managed:
    - text: |
        -----BEGIN CERTIFICATE-----
        MIIHjzCCBnegAwIBAgIIBzL2FMQfSVYwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
        BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
        R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA3MjQxNjA4MjVaFw0x
        ODEwMDIxNjAwMDBaMGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
        MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRUw
        EwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASs
        8tMhHKTNkKBHuyC9u0qbTibi9ZkpyvkFSPhBziOsLn7uDkU/PSKjHnSCswip07o9
        F0kYWilWXKKxB5w2QQ0qo4IFHDCCBRgwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYD
        VR0PAQH/BAQDAgeAMIID4QYDVR0RBIID2DCCA9SCDCouZ29vZ2xlLmNvbYINKi5h
        bmRyb2lkLmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29n
        bGUuY29tghQqLmRiODMzOTUzLmdvb2dsZS5jboIGKi5nLmNvgg4qLmdjcC5ndnQy
        LmNvbYIWKi5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29v
        Z2xlLmNsgg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xl
        LmNvLnVrgg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29n
        bGUuY29tLmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5n
        b29nbGUuY29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdv
        b2dsZS5lc4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIIL
        Ki5nb29nbGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVh
        ZGFwaXMuY29tgg8qLmdvb2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29t
        ghEqLmdvb2dsZXZpZGVvLmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29t
        ggoqLmd2dDEuY29tggoqLmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIM
        Ki51cmNoaW4uY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29r
        aWUuY29tgg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggcq
        Lnl0LmJlggsqLnl0aW1nLmNvbYIaYW5kcm9pZC5jbGllbnRzLmdvb2dsZS5jb22C
        C2FuZHJvaWQuY29tghtkZXZlbG9wZXIuYW5kcm9pZC5nb29nbGUuY26CHGRldmVs
        b3BlcnMuYW5kcm9pZC5nb29nbGUuY26CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFu
        YWx5dGljcy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIYc291
        cmNlLmFuZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29vLmdsggh5
        b3V0dS5iZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tggV5dC5i
        ZTBoBggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29vZy9n
        c3IyL0dUU0dJQUczLmNydDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AucGtpLmdv
        b2cvR1RTR0lBRzMwHQYDVR0OBBYEFK/WqypxoW4KZ4D8CDU5lyVLJXPNMAwGA1Ud
        EwEB/wQCMAAwHwYDVR0jBBgwFoAUd8K4UJpndnaxLcKG0IOgfqZ+ukswIQYDVR0g
        BBowGDAMBgorBgEEAdZ5AgUDMAgGBmeBDAECAjAxBgNVHR8EKjAoMCagJKAihiBo
        dHRwOi8vY3JsLnBraS5nb29nL0dUU0dJQUczLmNybDANBgkqhkiG9w0BAQsFAAOC
        AQEAbi8VuaNKx/otlEsrZ8+A0VbNvjOaQqqYodBbcu+/0MjGPLn4H9TKGVjsFtbY
        piod3iX72Pg7X1WoQIoJUcybmZk64jocUBZOdZkZe2bjTAf6JQg9v7jh1pXgsEvv
        UJ/86PBm6HsWAM2oMcIEOYO1e0/X0wJc1TogJn5/jTMA6u6JF4aQCLe1izgCSTeY
        1efJiOYjVLfh/24+72yNpbS1z7whRVEHreXe2j2CrSiXnk60Wp7SZ88Ws1G7YPqa
        Xqs1gJBb41sPz2dnR1vVIurciU6AD5nROQhhVWRF789Qf92gotfvvQDGrIcX2igm
        j+CcQEW13qYWL+H8gReGc+vsvg==
        -----END CERTIFICATE-----

Steps to Reproduce Issue

Run the above state.

State runs to completion:

  ----------
  ID: c:/restic/ca2.crt
    Function: x509.pem_managed
      Result: True
     Comment: File c:/restic/ca2.crt updated
     Started: 09:45:58.204917
    Duration: 65.625 ms
     Changes:
              ----------
              diff:
                  New file

The new "certificate" is something like (... trimmed for brevity):

45
45
45
45
45
66
69
71
73
78
32
...
65
84
69
45
45
45
45
45
10

Versions Report

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.10.0
       cherrypy: 10.2.1
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.30.1
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.5.3 (v3.5.3:1880cb95a742, Jan 16 2017, 16:02:32) [MSC v.1900 64 bit (AMD64)]
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.3
           RAET: Not Installed
          smmap: 2.0.3
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 10
         system: Windows
        version: 10 10.0.17134 SP0 Multiprocessor Free
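
Added example (not part of the original issue and not Salt's code): the decimal values in the mangled file are the ASCII codes of the PEM text, which is what iterating a `bytes` object yields on Python 3. Assuming that is how the output was produced, this sketch classifies a managed certificate file and recovers the PEM from such a dump; the function names and the sample body are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def mangle_like_issue(pem: bytes) -> bytes:
    """Assumed failure mode: iterating bytes on Python 3 yields ints,
    so writing each element as its own line gives one decimal per line."""
    return "".join("%d\n" % b for b in pem).encode("ascii")


def classify(data: bytes) -> str:
    """Return 'pem', 'decimal-bytes' or 'unknown' for a managed cert file."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "unknown"
        # A DER-encoded certificate starts with a SEQUENCE tag (0x30).
        return "pem" if der[:1] == b"\x30" else "unknown"
    lines = data.split()
    if lines and all(l.isdigit() and int(l) < 256 for l in lines):
        return "decimal-bytes"
    return "unknown"


def recover(data: bytes) -> bytes:
    """Rebuild the original bytes from a decimal-per-line dump."""
    return bytes(int(l) for l in data.split())


# Constructed sample: a tiny DER-like body, not a real certificate.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01")
    + b"\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    bad = mangle_like_issue(SAMPLE_PEM)
    print(classify(SAMPLE_PEM), classify(bad), recover(bad) == SAMPLE_PEM)
```

Running a check like `classify` against the written file after the state applies catches the case shown above, where the state reports `Result: True` even though the file is not a usable certificate.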
@gtmanfred

Contributor

commented Aug 10, 2018

@dwoz can you try this one as well when you get to #49008

Thanks,
Daniel

@gtmanfred gtmanfred added this to the Blocked milestone Aug 10, 2018

@dwoz dwoz self-assigned this Aug 24, 2018

This was referenced Sep 1, 2018

@lachlanmunro

Author

commented Oct 2, 2018

Thanks, will try to schedule some time to test the fixes!
