Merge pull request #39159 from clinta/csr-crl-passphrase

Csr crl passphrase
2024-11-08 09:23:56 +00:00 · 2017-02-06 11:36:05 -07:00 · 2017-02-06 11:36:05 -07:00 · 7b5eb17cbe
commit 7b5eb17cbe
parent b240468525 cf548ac717
2 changed files with 51 additions and 9 deletions
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -848,6 +848,7 @@ def create_private_key(path=None,

 def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
        path=None, text=False, signing_private_key=None,
+        signing_private_key_passphrase=None,
        signing_cert=None, revoked=None, include_expired=False,
        days_valid=100, digest=''):
    '''
@ -866,6 +867,9 @@ def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
        A path or string of the private key in PEM format that will be used
        to sign this crl. This is required.

+    signing_private_key_passphrase:
+        Passphrase to decrypt the private key.
+
    signing_cert:
        A certificate matching the private key that will be used to sign
        this crl. This is required.
@ -969,7 +973,8 @@ def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
    cert = OpenSSL.crypto.load_certificate(
        OpenSSL.crypto.FILETYPE_PEM,
        get_pem_entry(signing_cert, pem_type='CERTIFICATE'))
-    signing_private_key = _text_or_file(signing_private_key)
+    signing_private_key = _get_private_key_obj(signing_private_key,
+                                               passphrase=signing_private_key_passphrase).as_pem(cipher=None)
    key = OpenSSL.crypto.load_privatekey(
        OpenSSL.crypto.FILETYPE_PEM,
        get_pem_entry(signing_private_key))
@ -1584,8 +1589,17 @@ def create_csr(path=None, text=False, **kwargs):
    if 'public_key' not in kwargs:
        kwargs['public_key'] = kwargs['private_key']

+    if 'private_key_passphrase' not in kwargs:
+        kwargs['private_key_passphrase'] = None
    if 'public_key_passphrase' not in kwargs:
        kwargs['public_key_passphrase'] = None
+    if kwargs['public_key_passphrase'] and not kwargs[
+            'private_key_passphrase']:
+        kwargs['private_key_passphrase'] = kwargs['public_key_passphrase']
+    if kwargs['private_key_passphrase'] and not kwargs[
+            'public_key_passphrase']:
+        kwargs['public_key_passphrase'] = kwargs['private_key_passphrase']
+
    csr.set_pubkey(get_public_key(kwargs['public_key'],
                                  passphrase=kwargs['public_key_passphrase'], asObj=True))

@ -1607,6 +1621,9 @@ def create_csr(path=None, text=False, **kwargs):
            critical = True
            extval = extval[9:]

+        if extname == 'subjectKeyIdentifier' and 'hash' in extval:
+            extval = extval.replace('hash', _get_pubkey_hash(csr))
+
        if extname == 'subjectAltName':
            extval = extval.replace('IP Address', 'IP')

@ -1626,7 +1643,7 @@ def create_csr(path=None, text=False, **kwargs):
    csr.add_extensions(extstack)

    csr.sign(_get_private_key_obj(kwargs['private_key'],
-                                  passphrase=kwargs['public_key_passphrase']), kwargs['algorithm'])
+                                  passphrase=kwargs['private_key_passphrase']), kwargs['algorithm'])

    if path:
        return write_pem(
--- a/salt/states/x509.py
+++ b/salt/states/x509.py
@ -168,6 +168,11 @@ import salt.utils
 # Import 3rd-party libs
 import salt.ext.six as six

+try:
+    from M2Crypto.RSA import RSAError
+except ImportError:
+    pass
+

 def __virtual__():
    '''
@ -221,7 +226,8 @@ def _get_file_args(name, **kwargs):
    return file_args, extra_args


-def _check_private_key(name, bits=2048, passphrase=None, new=False):
+def _check_private_key(name, bits=2048, passphrase=None,
+                       new=False, overwrite=False):
    current_bits = 0
    if os.path.isfile(name):
        try:
@ -229,6 +235,10 @@ def _check_private_key(name, bits=2048, passphrase=None, new=False):
                private_key=name, passphrase=passphrase)
        except salt.exceptions.SaltInvocationError:
            pass
+        except RSAError:
+            if not overwrite:
+                raise salt.exceptions.CommandExecutionError(
+                    'The provided passphrase cannot decrypt the private key.')

    return current_bits == bits and not new

@ -238,6 +248,7 @@ def private_key_managed(name,
                        passphrase=None,
                        cipher='aes_128_cbc',
                        new=False,
+                        overwrite=False,
                        verbose=True,
                        **kwargs):
    '''
@ -259,6 +270,9 @@ def private_key_managed(name,
        Always create a new key. Defaults to False.
        Combining new with :mod:`prereq <salt.states.requsities.preqreq>`, or when used as part of a `managed_private_key` can allow key rotation whenever a new certificiate is generated.

+    overwrite:
+        Overwrite an existing private key if the provided passphrase cannot decrypt it.
+
    verbose:
        Provide visual feedback on stdout, dots while key is generated.
        Default is True.
@ -286,7 +300,8 @@ def private_key_managed(name,
    '''
    file_args, kwargs = _get_file_args(name, **kwargs)
    new_key = False
-    if _check_private_key(name, bits, passphrase, new):
+    if _check_private_key(
+            name, bits=bits, passphrase=passphrase, new=new, overwrite=overwrite):
        file_args['contents'] = __salt__['x509.get_pem_entry'](
            name, pem_type='RSA PRIVATE KEY')
    else:
@ -329,7 +344,11 @@ def csr_managed(name,
             - L: Salt Lake City
             - keyUsage: 'critical dataEncipherment'
    '''
-    old = __salt__['x509.read_csr'](name)
+    try:
+        old = __salt__['x509.read_csr'](name)
+    except salt.exceptions.SaltInvocationError:
+        old = '{0} is not a valid csr.'.format(name)
+
    file_args, kwargs = _get_file_args(name, **kwargs)
    file_args['contents'] = __salt__['x509.create_csr'](text=True, **kwargs)

@ -410,6 +429,7 @@ def certificate_managed(name,
        private_key_args = {
            'name': name,
            'new': False,
+            'overwrite': False,
            'bits': 2048,
            'passphrase': None,
            'cipher': 'aes_128_cbc',
@ -423,9 +443,10 @@ def certificate_managed(name,
            private_key_args['new'] = False

        if _check_private_key(private_key_args['name'],
-                              private_key_args['bits'],
-                              private_key_args['passphrase'],
-                              private_key_args['new']):
+                              bits=private_key_args['bits'],
+                              passphrase=private_key_args['passphrase'],
+                              new=private_key_args['new'],
+                              overwrite=private_key_args['overwrite']):
            private_key = __salt__['x509.get_pem_entry'](
                private_key_args['name'], pem_type='RSA PRIVATE KEY')
        else:
@ -551,6 +572,7 @@ def certificate_managed(name,

 def crl_managed(name,
                signing_private_key,
+                signing_private_key_passphrase=None,
                signing_cert=None,
                revoked=None,
                days_valid=100,
@ -568,6 +590,9 @@ def crl_managed(name,
        The private key that will be used to sign this crl. This is
        usually your CA's private key.

+    signing_private_key_passphrase:
+        Passphrase to decrypt the private key.
+
    signing_cert:
        The certificate of the authority that will be used to sign this crl.
        This is usually your CA's certificate.
@ -637,7 +662,7 @@ def crl_managed(name,
    else:
        current = '{0} does not exist.'.format(name)

-    new_crl = __salt__['x509.create_crl'](text=True, signing_private_key=signing_private_key,
+    new_crl = __salt__['x509.create_crl'](text=True, signing_private_key=signing_private_key, signing_private_key_passphrase=signing_private_key_passphrase,
                                          signing_cert=signing_cert, revoked=revoked, days_valid=days_valid, digest=digest, include_expired=include_expired)

    new = __salt__['x509.read_crl'](crl=new_crl)