Skip to content

[master] Make error checking of x509 compatible with cryptography >= 43.0.0 #66818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dwoz merged 3 commits into from
Dec 31, 2025
Merged

[master] Make error checking of x509 compatible with cryptography >= 43.0.0 #66818

dwoz merged 3 commits into from
Dec 31, 2025

Conversation

@vzhestkov
Copy link
Contributor

@vzhestkov vzhestkov commented Aug 20, 2024

What does this PR do?

With the most recent versions of cryptography module the exception value which is checked here

salt/salt/utils/x509.py

Line 704 in 246d066

if "Bad decrypt" in str(err):
is different.
The latest version of cryptography is returning https://github.com/pyca/cryptography/blob/932b8a3f67810140a6e178f7b676e1cb9c3585b1/src/rust/src/backend/utils.rs#L463

It could also be returned with the lower version of cryptography depending on the combination with the OpenSSL version it's used with.

What issues does this PR fix or reference?

Tracks: https://github.com/SUSE/spacewalk/issues/24859

Previous Behavior

x509.private_key_managed state function could fail with the comment Could not load PEM-encoded private key
The following tests could fail as well:

tests/pytests/functional/states/test_x509_v2.py::test_private_key_managed_passphrase_changed_overwrite
tests/pytests/functional/states/test_x509_v2.py::test_private_key_managed_passphrase_changed_not_overwrite

New Behavior

No test fails and x509.private_key_managed state with most recent cryptography or some other OpenSSL versions which can produce different errors on such cases.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes/No

Please review Salt's Contributing Guide for best practices, including the
PR Guidelines.

See GitHub's page on GPG signing for more information about signing commits with GPG.

@vzhestkov vzhestkov requested a review from a team as a code owner August 20, 2024 13:15
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Make error checking of x509 compatible with cryptography >= 43.0.0 [master] Make error checking of x509 compatible with cryptography >= 43.0.0 Aug 20, 2024
@vzhestkov vzhestkov mentioned this pull request Aug 21, 2024
Merged
3 tasks
agraul pushed a commit to agraul/salt that referenced this pull request Jan 27, 2025
@vzhestkov @agraul
Improve error handling with different OpenSSL versions
7492457 
* Make error checking of x509 more flexible

for most recent cryptography and openSSL versions

* Add test for different exception value on loading private key

* Add fix for test_privkey_new_with_prereq on old OpenSSL

BACKPORT-UPSTREAM=saltstack#66818
@twangboy twangboy added this to the Argon v3008.0 milestone Feb 11, 2025
@dwoz dwoz added the test:full Run the full test suite label Jun 26, 2025
@dwoz dwoz force-pushed the better-error-handling-x509 branch from 2480d1b to 6a199f5 Compare July 8, 2025 01:31
@dwoz dwoz merged commit 16dfbdb into saltstack:master Dec 31, 2025
1385 of 1391 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dwoz dwoz dwoz approved these changes

@Akm0d Akm0d Akm0d approved these changes

@twangboy twangboy twangboy approved these changes

Assignees

No one assigned

Labels

test:full Run the full test suite

Projects

None yet

Milestone

Argon v3008.0

Development

Successfully merging this pull request may close these issues.

4 participants

@vzhestkov @dwoz @Akm0d @twangboy