[master] Migrate the digicert runner from M2Crypto to PyCA/cryptography#66166

Closed
facutuesca wants to merge 2 commits into saltstack:master from trail-of-forks:digicert-cryptography

@facutuesca

What does this PR do?

This PR migrates the digicert runner to use the cryptographic library PyCA/cryptography, instead of the older libraries M2Crypto, PyCryptodome and PyCrypto. In particular, it migrates the generation of RSA keys used to create Certificate Signing Requests.

What issues does this PR fix or reference?

Part of #66149, which tracks the migration from M2Crypto to newer cryptographic libraries.

Previous Behavior

The RSA key used to sign CSRs (Certificate Signing Request) in the digicert runner was generated using M2Crypto, or alternatively PyCryptodome or PyCrypto if the former was not installed.

The generated key was saved in the cache in PKCS#1 format and encrypted with DES-EDE3-CBC.

The generated key was used by the command openssl req -new to sign a new CSR.

New Behavior

The RSA key is generated using PyCA/cryptography, a library that is already a Salt dependency and is newer and better maintained compared to the ones used before.

The generated key is saved in the cache in PKCS#8 format and encrypted with the best available algorithm, as decided by the library.

The generated key is used by the command openssl req -new to sign a new CSR.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes

This change migrates the digicert runner to use the cryptographic library
PyCA/cryptography, instead of the older libraries M2Crypto, PyCryptodome
and PyCrypto.
@facutuesca facutuesca requested a review from a team as a code owner March 1, 2024 15:33
@facutuesca facutuesca requested review from dwoz and removed request for a team March 1, 2024 15:33
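
The key handling described under "New Behavior", next to a check that tells the old on-disk format from the new one. This is an added example, not code from this PR or from Salt. The function names, the 2048-bit key size and the sample passphrase and PEM header are assumptions constructed for illustration.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_encrypted_key(passphrase: bytes, bits: int = 2048) -> bytes:
    """Generate an RSA key and return it as passphrase-encrypted PKCS#8 PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        # The library picks the cipher and KDF; the caller only supplies the secret.
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )


def describe_pem(pem: bytes) -> str:
    """Classify a private-key PEM by its header lines (no decryption needed)."""
    lines = pem.strip().splitlines()
    first = lines[0].strip()
    if first == b"-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"
    if first == b"-----BEGIN PRIVATE KEY-----":
        return "pkcs8-plaintext"
    if first == b"-----BEGIN RSA PRIVATE KEY-----":
        # Legacy PKCS#1 PEM encryption names its cipher in a DEK-Info header.
        for line in lines[1:4]:
            if line.startswith(b"DEK-Info:"):
                cipher = line.split(b":", 1)[1].split(b",")[0].strip()
                return "pkcs1-encrypted:" + cipher.decode()
        return "pkcs1-plaintext"
    return "unknown"


def load_key(pem: bytes, passphrase: bytes):
    """Decrypt and parse the key; raises ValueError on a wrong passphrase."""
    return serialization.load_pem_private_key(pem, password=passphrase)


# Constructed header of a key cached in the previous format (body omitted).
LEGACY_HEADER = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
)

if __name__ == "__main__":
    pem = generate_encrypted_key(b"constructed-passphrase")
    print(describe_pem(pem), describe_pem(LEGACY_HEADER))
```

`describe_pem` can be run over an existing cache to find keys still stored in the older PKCS#1 format.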

welcome bot commented Mar 1, 2024

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Migrate the digicert runner from M2Crypto to PyCA/cryptography [master] Migrate the digicert runner from M2Crypto to PyCA/cryptography Mar 1, 2024
@dwoz dwoz added the needs-testcase PR needs test cases written, or the issue is about a bug/feature that needs test cases label Mar 4, 2024
@dwoz dwoz requested a review from a team as a code owner March 16, 2025 22:09
@twangboy
Contributor

This module and its associated states and tests have been transitioned to community support and are no longer maintained by the Salt Core team. The code has been removed from the Salt code-base and can be found in this repository: https://github.com/salt-extensions/community-extensions-holding/

There is currently discussion and work being done on the salt-extensions Discord channel (https://discordapp.com/channels/1200072194781368340/1208165123240370197) to document and build the infrastructure for community-supported salt extensions. There is also a Salt-Extensions Working Group that takes place on the 1st and 3rd Thursday of every month to coordinate salt-extension efforts.

@twangboy twangboy closed this Apr 11, 2025