Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[master] Make error checking of x509 compatible with cryptography >= 43.0.0 #66818

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[master] Make error checking of x509 compatible with cryptography >= 43.0.0 #66818

wants to merge 3 commits into from

Conversation

vzhestkov
Copy link
Contributor

What does this PR do?

With the most recent versions of cryptography module the exception value which is checked here

salt/salt/utils/x509.py

Line 704 in 246d066

if "Bad decrypt" in str(err):
is different.
The latest version of cryptography is returning https://github.com/pyca/cryptography/blob/932b8a3f67810140a6e178f7b676e1cb9c3585b1/src/rust/src/backend/utils.rs#L463

It could also be returned with the lower version of cryptography depending on the combination with the OpenSSL version it's used with.

What issues does this PR fix or reference?

Tracks: https://github.com/SUSE/spacewalk/issues/24859

Previous Behavior

x509.private_key_managed state function could fail with the comment Could not load PEM-encoded private key
The following tests could fail as well:

tests/pytests/functional/states/test_x509_v2.py::test_private_key_managed_passphrase_changed_overwrite
tests/pytests/functional/states/test_x509_v2.py::test_private_key_managed_passphrase_changed_not_overwrite

New Behavior

No test fails and x509.private_key_managed state with most recent cryptography or some other OpenSSL versions which can produce different errors on such cases.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes/No

Please review Salt's Contributing Guide for best practices, including the
PR Guidelines.

See GitHub's page on GPG signing for more information about signing commits with GPG.

@vzhestkov
Make error checking of x509 more flexible
e7f5473 
for most recent cryptography and openSSL versions
@vzhestkov vzhestkov requested a review from a team as a code owner August 20, 2024 13:15
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Make error checking of x509 compatible with cryptography >= 43.0.0 [master] Make error checking of x509 compatible with cryptography >= 43.0.0 Aug 20, 2024
@vzhestkov vzhestkov mentioned this pull request Aug 21, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twangboy twangboy twangboy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vzhestkov @twangboy