Improve error handling with different OpenSSL versions

* Make error checking of x509 more flexible for most recent cryptography and openSSL versions * Add test for different exception value on loading private key * Add fix for test_privkey_new_with_prereq on old OpenSSL
openSUSE · Aug 30, 2024 · 4e22642 · 4e22642
1 parent ff789d8
commit 4e22642
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/salt/utils/x509.py b/salt/utils/x509.py
@@ -695,7 +695,8 @@ def load_privkey(pk, passphrase=None, get_encoding=False):
                 return pk, "pem", None
             return pk
         except ValueError as err:
-            if "Bad decrypt" in str(err):
+            str_err = str(err)
+            if "Bad decrypt" in str_err or "Could not deserialize key data" in str_err:
                 raise SaltInvocationError(
                     "Bad decrypt - is the password correct?"
                 ) from err

diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py
@@ -3,6 +3,8 @@
 
 import pytest
 
+from tests.support.mock import patch
+
 try:
     import cryptography
     import cryptography.x509 as cx509
@@ -2826,3 +2828,30 @@ def _get_privkey(pk, encoding="pem", passphrase=None):
             pk = base64.b64decode(pk)
         return pkcs12.load_pkcs12(pk, passphrase).key
     raise ValueError("Need correct encoding")
+
+
+@pytest.mark.usefixtures("existing_pk")
+@pytest.mark.parametrize("existing_pk", [{"passphrase": "password"}], indirect=True)
+def test_exceptions_on_calling_load_pem_private_key(x509, pk_args):
+    pk_args["passphrase"] = "hunter1"
+    pk_args["overwrite"] = True
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError("Bad decrypt. Incorrect password?"),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+    _assert_pk_basic(ret, "rsa", passphrase="hunter1")
+
+    with patch(
+        "cryptography.hazmat.primitives.serialization.load_pem_private_key",
+        side_effect=ValueError(
+            "Could not deserialize key data. The data may be in an incorrect format, "
+            "the provided password may be incorrect, "
+            "it may be encrypted with an unsupported algorithm, "
+            "or it may be an unsupported key type "
+            "(e.g. EC curves with explicit parameters)."
+        ),
+    ):
+        ret = x509.private_key_managed(**pk_args)
+    _assert_pk_basic(ret, "rsa", passphrase="hunter1")
diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
@@ -195,6 +195,13 @@ def privkey_new(x509_salt_master, tmp_path, ca_minion_id, x509_salt_call_cli):
     """
     with x509_salt_master.state_tree.base.temp_file("manage_cert.sls", state):
         ret = x509_salt_call_cli.run("state.apply", "manage_cert")
+        if (
+            ret.returncode == 1
+            and "NotImplementedError: ECDSA keys with unnamed curves" in ret.stdout
+        ):
+            pytest.skip(
+                "The version of OpenSSL doesn't support ECDSA keys with unnamed curves"
+            )
         assert ret.returncode == 0
         assert ret.data[next(iter(ret.data))]["changes"]
         assert (tmp_path / "priv.key").exists()