X509 fixes #36898
X509 fixes #36898
Conversation
| @@ -19,6 +19,7 @@ | |||
| import re | |||
| import datetime | |||
| import ast | |||
| import pkg_resources | |||
There was a problem hiding this comment.
IIRC, this is a part of setuptools, which is not a dependency of Salt.
| @@ -670,7 +674,7 @@ def create_private_key(path=None, text=False, bits=2048): | |||
|
|
|||
| def create_crl(path=None, text=False, signing_private_key=None, | |||
| signing_cert=None, revoked=None, include_expired=False, | |||
| days_valid=100): | |||
| days_valid=100, digest=""): | |||
There was a problem hiding this comment.
Single quotes here please
| @@ -774,7 +780,10 @@ def create_crl(path=None, text=False, signing_private_key=None, | |||
| key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, | |||
| get_pem_entry(signing_private_key)) | |||
|
|
|||
| crltext = crl.export(cert, key, OpenSSL.crypto.FILETYPE_PEM, days=days_valid) | |||
| if digest and pkg_resources.get_distribution("pyopenssl").version >= '0.15': | |||
| kwargs['private_key'] = kwargs['public_key'] | ||
| log.warning("OpenSSL no longer allows working with non-signed CSRs. A private_key must be specified. Attempting to use public_key as private_key") | ||
|
|
||
| if 'private_key' not in kwargs not in kwargs: |
There was a problem hiding this comment.
Could you please clarify the intention here? I'm having a little trouble parsing this.
There was a problem hiding this comment.
Previous versions of the OpenSSL API would allow working with CSRs that were not signed. I now suspect that this was not intended behavior, but because it worked I did not require the private key to generate a CSR, only the public key. Now because the CSR needs to be signed the private key must be included, which is why the private_key kwarg was added to the module.
Throughout this module anywhere that a public key is specified, a private key can be passed in in. This works because the public key can always be derived easily from the private key, and allowing this means that users of the module have fewer files to manage on disk and keep track of.
Because of that it is quite possible that the user actually provided a private key via the public_key kwarg. Instead of just erroring out and requiring the user to rewrite their states, I'll first try and see if the public_key kwarg actually does contain a private key, and issue a warning so that they know they need to update their states.
|
Many thanks as always @clinta. We're grateful for all of your help! |
What does this PR do?
Fixes #36814 as well as a bug reading CRLs and allows customizing CRL digest.
What issues does this PR fix or reference?
#36814
Previous Behavior
Generating CSR's fails on newer versions of OpenSSL. Comparing CRL's fails. And digest for CRLs is only MD5.
New Behavior
CRL digest can be specified if M2Crypto is new enough. CSRs and CRLs work as expected.
Tests written?
No
Please review Salt's Contributing Guide for best practices.