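--- a/changelog/66818.fixed.md
+++ b/changelog/66818.fixed.md
@@ -0,0 +1 @@
+Make x509 module compatible with `cryptography` module newer than `43.0.0`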
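--- a/salt/utils/x509.py
+++ b/salt/utils/x509.py
@@ -701,7 +701,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
             return pk, "pem", None
         return pk
     except ValueError as err:
-        if "Bad decrypt" in str(err):
+        str_err = str(err)
+        if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
             raise SaltInvocationError(
                 "Bad decrypt - is the password correct?"
             ) from err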
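Review bot: The widened condition `if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:` reports every "Could not deserialize key data" failure as "Bad decrypt - is the password correct?", yet the message cryptography now emits (quoted verbatim in the new test) also covers malformed data, unsupported algorithms and unsupported key types, so a corrupt or unsupported key file is reported to the operator as a wrong passphrase. When `passphrase` is None the hint is certainly wrong, because no password was supplied at all. I would branch on that before the existing raise, `if passphrase is None: raise SaltInvocationError(f"Could not load private key: {str_err}") from err`, and append `str_err` to the bad-decrypt message so the two cases stay distinguishable in logs. The rest of load_privkey, including the branch that callers take on this exception, lies outside the hunk.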
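--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@@ -4,6 +4,8 @@
 
 import pytest
 
+from tests.support.mock import patch
+
 try:
     import cryptography
     import cryptography.x509 as cx509
@@ -2890,3 +2892,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
         pk = base64.b64decode(pk)
         return pkcs12.load_pkcs12(pk, passphrase).key
     raise ValueError("Need correct encoding")
+
+
+@pytest.mark.usefixtures("existing_pk")
+@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
+def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
+    pk_args["passphrase"] = "hunter1"
+    pk_args["overwrite"] = True
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError("Bad decrypt. Incorrect password?"),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+        _assert_pk_basic(ret, "rsa", passphrase="hunter1")
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError(
+            "Could not deserialize key data. The data may be in an incorrect format, "
+            "the provided password may be incorrect, "
+            "it may be encrypted with an unsupported algorithm, "
+            "or it may be an unsupported key type "
+            "(e.g. EC curves with explicit parameters)."
+        ),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+        _assert_pk_basic(ret, "rsa", passphrase="hunter1")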
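Review bot: The new test never asserts that the mocked ValueError was translated into SaltInvocationError; both blocks only check `_assert_pk_basic(ret, "rsa", passphrase="hunter1")` on the state result, and with `pk_args["overwrite"] = True` a key regenerated for any other reason would presumably satisfy that too, so the test may not fail if the new string match in load_privkey regresses. A direct check pins the fix, e.g. `with pytest.raises(SaltInvocationError, match="Bad decrypt"): load_privkey(pk, passphrase="hunter1")` inside each patch context, using whatever import of salt.utils.x509 this module already has (not visible here). The two near-identical `with patch(...)` blocks would also read better as a `@pytest.mark.parametrize` over the two error messages. Note that patching the attribute on cryptography.hazmat.primitives.serialization only reaches the code under test if salt.utils.x509 looks the function up on the module at call time; that cannot be confirmed from this hunk.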