| Dir : /proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/ |
| Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
| Dir : //proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/x509_v2.py |
"""
Manage X.509 certificates
=========================
:depends: cryptography
.. versionadded:: 3006.0
This module represents a complete rewrite of the original ``x509`` modules
and is named ``x509_v2`` since it introduces breaking changes.
.. note::
* PKCS12-related operations require at least cryptography release 36.
* PKCS12-related operations with Edwards-curve keys require at least cryptography release 37.
* PKCS7-related operations require at least cryptography release 37.
Configuration
-------------
Explicit activation
~~~~~~~~~~~~~~~~~~~
Since this module uses the same virtualname as the previous ``x509`` modules,
but is incompatible with them, it needs to be explicitly activated on each
minion by including the following line in the minion configuration:
.. code-block:: yaml
# /etc/salt/minion.d/x509.conf
features:
x509_v2: true
Peer communication
~~~~~~~~~~~~~~~~~~
To be able to remotely sign certificates, it is required to configure the Salt
master to allow :term:`Peer Communication`:
.. code-block:: yaml
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
In order for the :term:`Compound Matcher` to work with restricting signing
policies to a subset of minions, in addition calls to
:py:func:`match.compound_matches <salt.runners.match.compound_matches>`
by the minion acting as the CA must be permitted:
.. code-block:: yaml
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
peer_run:
ca_server:
- match.compound_matches
.. note::
When compound match expressions are employed, pillar values can only be matched
literally. This is a barrier to enumeration attacks by the CA server.
Also note that compound matching requires a minion data cache on the master.
Any certificate signing request will be denied if :conf_master:`minion_data_cache` is
disabled (it is enabled by default).
.. note::
Since grain values are controlled by minions, you should avoid using them
to restrict certificate issuance.
See :ref:`Is Targeting using Grain Data Secure? <faq-grain-security>`.
.. versionchanged:: 3007.0
Previously, a compound expression match was validated by the requesting minion
itself via peer publishing, which did not protect from compromised minions.
The new match validation takes place on the master using peer running.
Signing policies
~~~~~~~~~~~~~~~~
In addition, the minion representing the CA needs to have at least one
signing policy configured, remote calls not referencing one are always
rejected.
The parameters specified in this signing policy override any
parameters passed from the minion requesting the certificate. It can be
configured in the CA minion's pillar, which takes precedence, or any
location :py:func:`config.get <salt.modules.config.get>` looks up in.
Signing policies are defined under ``x509_signing_policies``.
You can restrict which minions can request a certificate under a configured
signing policy by specifying a matcher in ``minions``. This can be a glob
or compound matcher (for the latter, see the notes above).
.. code-block:: yaml
x509_signing_policies:
www:
- minions: 'www*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical, CA:false"
- keyUsage: "critical, cRLSign, keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 90
- copypath: /etc/pki/issued_certs/
.. note::
The following semantics are applied regarding the order of preference
for specifying the subject name:
* If neither ``subject`` nor any name attributes (like ``CN``) are part of the policy,
issued certificates can contain any requested ones.
* If any name attributes are specified in the signing policy, ``subject`` contained
in requests is ignored.
* If ``subject`` is specified in the signing policy, any name attributes are ignored.
If the request contains the same data type for ``subject`` as the signing policy
(for dicts and lists, and only then), merging is performed, otherwise ``subject``
is taken from the signing policy. Dicts are merged and list items are appended,
with the items taken from the signing policy having priority.
Breaking changes versus the previous ``x509`` modules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The output format has changed for all ``read_*`` functions as well as the state return dict.
* The formatting of some extension definitions might have changed, but should
be stable for most basic use cases.
* The default ordering of RDNs/Name Attributes in the subject's Distinguished Name
has been adapted to industry standards. This might cause a reissuance
during the first state run.
* For ``x509.private_key_managed``, the file mode defaults to ``0400``. This should
be considered a bug fix because writing private keys with world-readable
permissions by default is a security issue.
* Restricting signing policies using compound match expressions requires peer run
permissions instead of peer publishing permissions:
.. code-block:: yaml
# x509, x509_v2 in 3006.*
peer:
ca_server:
- match.compound
# x509_v2 from 3007.0 onwards
peer_run:
ca_server:
- match.compound_matches
Note that when a ``ca_server`` is involved, both peers must use the updated module version.
.. _x509-setup:
"""
import base64
import copy
import glob
import logging
import os.path
import re
import sys
from datetime import datetime, timedelta, timezone
try:
import cryptography.x509 as cx509
from cryptography.hazmat.primitives import hashes, serialization
import salt.utils.x509 as x509util
HAS_CRYPTOGRAPHY = True
except ImportError:
HAS_CRYPTOGRAPHY = False
import salt.utils.dictupdate
import salt.utils.files
import salt.utils.stringutils
from salt.exceptions import CommandExecutionError, SaltInvocationError
from salt.utils.odict import OrderedDict
log = logging.getLogger(__name__)
__virtualname__ = "x509"
def __virtual__():
if not HAS_CRYPTOGRAPHY:
return (False, "Could not load cryptography")
# salt.features appears to not be setup when invoked via peer publishing
if not __opts__.get("features", {}).get("x509_v2"):
return (
False,
"x509_v2 needs to be explicitly enabled by setting `x509_v2: true` "
"in the minion configuration value `features` until Salt 3008 (Argon).",
)
return __virtualname__
def create_certificate(
ca_server=None,
signing_policy=None,
encoding="pem",
append_certs=None,
pkcs12_passphrase=None,
pkcs12_encryption_compat=False,
pkcs12_friendlyname=None,
path=None,
overwrite=True,
raw=False,
**kwargs,
):
"""
Create an X.509 certificate and return an encoded version of it.
.. note::
All parameters that take a public key, private key or certificate
can be specified either as a PEM/hex/base64 string or a path to a
local file encoded in all supported formats for the type.
CLI Example:
.. code-block:: bash
salt '*' x509.create_certificate signing_private_key='/etc/pki/myca.key' csr='/etc/pki/my.csr'
ca_server
Request a remotely signed certificate from ca_server. For this to
work, a ``signing_policy`` must be specified, and that same policy
must be configured on the ca_server. See `Signing policies`_ for
details. Also, the Salt master must permit peers to call the
``sign_remote_certificate`` function, see `Peer communication`_.
signing_policy
The name of a configured signing policy. Parameters specified in there
are hardcoded and cannot be overridden. This is required for remote signing,
otherwise optional. See `Signing policies`_ for details.
encoding
Specify the encoding of the resulting certificate. It can be returned
as a ``pem`` (or ``pkcs7_pem``) string or several (base64-encoded)
binary formats (``der``, ``pkcs7_der``, ``pkcs12``). Defaults to ``pem``.
append_certs
A list of additional certificates to append to the new one, e.g. to create a CA chain.
.. note::
Mind that when ``der`` encoding is in use, appending certificatees is prohibited.
copypath
Create a copy of the issued certificate in PEM format in this directory.
The file will be named ``<serial_number>.crt`` if prepend_cn is False.
prepend_cn
When ``copypath`` is set, prepend the common name of the certificate to
the file name like so: ``<CN>-<serial_number>.crt``. Defaults to false.
pkcs12_passphrase
When encoding a certificate as ``pkcs12``, encrypt it with this passphrase.
.. note::
PKCS12 encryption is very weak and `should not be relied on for security <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
pkcs12_encryption_compat
OpenSSL 3 and cryptography v37 switched to a much more secure default
encryption for PKCS12, which might be incompatible with some systems.
This forces the legacy encryption. Defaults to False.
pkcs12_friendlyname
When encoding a certificate as ``pkcs12``, a name for the certificate can be included.
path
Instead of returning the certificate, write it to this file path.
overwrite
If ``path`` is specified and the file exists, overwrite it.
Defaults to true.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
private_key
The private key corresponding to the public key the certificate should
be issued for. This is one way of specifying the public key that will
be included in the certificate, the other ones being ``public_key`` and ``csr``.
private_key_passphrase
If ``private_key`` is specified and encrypted, the passphrase to decrypt it.
public_key
The public key the certificate should be issued for. Other ways of passing
the required information are ``private_key`` and ``csr``. If neither are set,
the public key of the ``signing_private_key`` will be included, i.e.
a self-signed certificate is generated.
csr
A certificate signing request to use as a base for generating the certificate.
The following information will be respected, depending on configuration:
* public key
* extensions, if not otherwise specified (arguments, signing_policy)
signing_cert
The CA certificate to be used for signing the issued certificate.
signing_private_key
The private key corresponding to the public key in ``signing_cert``. Required.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
serial_number
A serial number to be embedded in the certificate. If unspecified, will
autogenerate one. This should be an integer, either in decimal or
hexadecimal notation.
not_before
Set a specific date the certificate should not be valid before.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
Defaults to the time of issuance.
not_after
Set a specific date the certificate should not be valid after.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
If unspecified, defaults to the current time plus ``days_valid`` days.
days_valid
If ``not_after`` is unspecified, the number of days from the time of issuance
the certificate should be valid for. Defaults to ``30``.
subject
The subject's distinguished name embedded in the certificate. This is one way of
passing this information (see ``kwargs`` below for the other).
This argument will be preferred and allows to control the order of RDNs in the DN
as well as to embed RDNs with multiple attributes.
This can be specified as an RFC4514-encoded string (``CN=example.com,O=Example Inc,C=US``,
mind that the rendered order is reversed from what is embedded), a list
of RDNs encoded as in RFC4514 (``["C=US", "O=Example Inc", "CN=example.com"]``)
or a dictionary (``{"CN": "example.com", "C": "US", "O": "Example Inc"}``,
default ordering).
Multiple name attributes per RDN are concatenated with a ``+``.
.. note::
Parsing of RFC4514 strings requires at least cryptography release 37.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments. See the following for an overview.
Subject properties in kwargs
C, ST, L, STREET, O, OU, CN, MAIL, SN, GN, UID, SERIALNUMBER
X.509v3 extensions in kwargs
Most extensions can be configured using the same string format as OpenSSL,
while some require adjustments. In general, since the strings are
parsed to dicts/lists, you can always use the latter formats directly.
Marking an extension as critical is done by including it at the beginning
of the configuration string, in the list or as a key in the dictionary
with the value ``true``.
Examples (some showcase dict/list correspondance):
basicConstraints
``critical, CA:TRUE, pathlen:1`` or
.. code-block:: yaml
- basicConstraints:
critical: true
ca: true
pathlen: 1
keyUsage
``critical, cRLSign, keyCertSign`` or
.. code-block:: yaml
- keyUsage:
- critical
- cRLSign
- keyCertSign
subjectKeyIdentifier
This can be an explicit value or ``hash``, in which case the value
will be set to the SHA1 hash of some encoding of the associated public key,
depending on the underlying algorithm (RSA/ECDSA/EdDSA).
authorityKeyIdentifier
``keyid:always, issuer``
subjectAltName
There is support for all OpenSSL-defined types except ``otherName``.
``email:me@example.com,DNS:example.com`` or
.. code-block:: yaml
# mind this being a list, not a dict
- subjectAltName:
- email:me@example.com
- DNS:example.com
issuerAltName
The syntax is the same as for ``subjectAltName``, except that the additional
value ``issuer:copy`` is supported, which will copy the values of
``subjectAltName`` in the issuer's certificate.
authorityInfoAccess
``OCSP;URI:http://ocsp.example.com/,caIssuers;URI:http://myca.example.com/ca.cer``
crlDistributionPoints
When set to a string value, items are interpreted as fullnames:
``URI:http://example.com/myca.crl, URI:http://example.org/my.crl``
There is also support for more attributes using the full form:
.. code-block:: yaml
- crlDistributionPoints:
- fullname: URI:http://example.com/myca.crl
crlissuer: DNS:example.org
reasons:
- keyCompromise
- URI:http://example.org/my.crl
certificatePolicies
``critical, 1.2.4.5, 1.1.3.4``
Again, there is support for more attributes using the full form:
.. code-block:: yaml
- certificatePolicies:
critical: true
1.2.3.4.5: https://my.ca.com/pratice_statement
1.2.4.5.6:
- https://my.ca.com/pratice_statement
- organization: myorg
noticeNumbers: [1, 2, 3]
text: mytext
policyConstraints
``requireExplicitPolicy:3,inhibitPolicyMapping:1``
inhibitAnyPolicy
The value is just an integer: ``- inhibitAnyPolicy: 1``
nameConstraints
``critical,permitted;IP:192.168.0.0/255.255.0.0,permitted;email:.example.com,excluded;email:.com``
.. code-block:: yaml
- nameConstraints:
critical: true
permitted:
- IP:192.168.0.0/24
- email:.example.com
excluded:
- email:.com
noCheck
This extension does not take any values, except ``critical``. Just the presence
in the keyword args will include it.
tlsfeature
``status_request``
For more information, visit the `OpenSSL docs <https://www.openssl.org/docs/man3.0/man5/x509v3_config.html>`_.
"""
# Deprecation checks vs the old x509 module
if "algorithm" in kwargs:
salt.utils.versions.warn_until(
3009,
"`algorithm` has been renamed to `digest`. Please update your code.",
)
kwargs["digest"] = kwargs.pop("algorithm")
ignored_params = {"text", "version", "serial_bits"}.intersection(
kwargs
) # path, overwrite
if ignored_params:
salt.utils.versions.kwargs_warn_until(ignored_params, "Potassium")
kwargs = x509util.ensure_cert_kwargs_compat(kwargs)
if "days_valid" not in kwargs and "not_after" not in kwargs:
try:
salt.utils.versions.warn_until(
3009,
"The default value for `days_valid` will change to 30. Please adapt your code accordingly.",
)
kwargs["days_valid"] = 365
except RuntimeError:
pass
if encoding not in ["der", "pem", "pkcs7_der", "pkcs7_pem", "pkcs12"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: "
"der, pem, pkcs7_der, pkcs7_pem, pkcs12"
)
if kwargs.get("digest", "sha256").lower() not in [
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512_224",
"sha512_256",
"sha3_224",
"sha3_256",
"sha3_384",
"sha3_512",
]:
raise CommandExecutionError(
f"Invalid value '{kwargs['digest']}' for digest. Valid: sha1, sha224, "
"sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, "
"sha3_384, sha3_512"
)
if encoding == "der" and append_certs:
raise SaltInvocationError("Cannot encode a certificate chain in DER")
if encoding == "pkcs12" and "private_key" not in kwargs:
# The creation will work, but it will be listed in additional certs, not
# as the main certificate. This might confuse other parts of the code.
raise SaltInvocationError(
"Creating a PKCS12-encoded certificate without embedded private key "
"is unsupported"
)
if "signing_private_key" not in kwargs and not ca_server:
raise SaltInvocationError(
"Creating a certificate locally at least requires a signing private key."
)
if path and not overwrite and __salt__["file.file_exists"](path):
return f"The file at {path} exists and overwrite was set to false"
if ca_server:
if signing_policy is None:
raise SaltInvocationError(
"signing_policy must be specified to request a certificate from "
"a remote ca_server"
)
cert, private_key_loaded = _create_certificate_remote(
ca_server, signing_policy, **kwargs
)
else:
x509util.merge_signing_policy(_get_signing_policy(signing_policy), kwargs)
cert, private_key_loaded = _create_certificate_local(**kwargs)
if encoding == "pkcs12":
out = encode_certificate(
cert,
append_certs=append_certs,
encoding=encoding,
private_key=private_key_loaded,
pkcs12_passphrase=pkcs12_passphrase,
pkcs12_encryption_compat=pkcs12_encryption_compat,
pkcs12_friendlyname=pkcs12_friendlyname,
raw=bool(path) or raw,
)
else:
out = encode_certificate(
cert, append_certs=append_certs, encoding=encoding, raw=bool(path) or raw
)
if path is None:
return out
if encoding == "pem":
return write_pem(
out.decode(), path, overwrite=overwrite, pem_type="CERTIFICATE"
)
with salt.utils.files.fopen(path, "wb") as fp_:
fp_.write(out)
return f"Certificate written to {path}"
def _create_certificate_remote(
ca_server, signing_policy, private_key=None, private_key_passphrase=None, **kwargs
):
private_key_loaded = None
if private_key:
private_key_loaded = x509util.load_privkey(
private_key, passphrase=private_key_passphrase
)
kwargs["public_key"] = x509util.to_der(private_key_loaded.public_key())
elif kwargs.get("public_key"):
kwargs["public_key"] = x509util.to_der(
x509util.load_pubkey(kwargs["public_key"])
)
if kwargs.get("csr"):
kwargs["csr"] = x509util.to_der(x509util.load_csr(kwargs["csr"]))
result = _query_remote(ca_server, signing_policy, kwargs)
try:
return x509util.load_cert(result), private_key_loaded
except (CommandExecutionError, SaltInvocationError) as err:
raise CommandExecutionError(
f"ca_server did not return a certificate: {result}"
) from err
def _create_certificate_local(
digest="sha256", copypath=None, prepend_cn=False, **kwargs
):
builder, signing_private_key, private_key_loaded, _ = x509util.build_crt(**kwargs)
algorithm = None
if x509util.get_key_type(signing_private_key) not in [
x509util.KEY_TYPE.ED25519,
x509util.KEY_TYPE.ED448,
]:
algorithm = x509util.get_hashing_algorithm(digest)
cert = builder.sign(signing_private_key, algorithm=algorithm)
if copypath:
prepend = ""
if prepend_cn:
try:
prepend = (
cert.subject.get_attributes_for_oid(x509util.NAME_ATTRS_OID["CN"])[
0
].value
+ "-"
)
except IndexError:
pass
write_pem(
text=x509util.to_pem(cert),
path=os.path.join(copypath, f"{prepend}{cert.serial_number:x}.crt"),
pem_type="CERTIFICATE",
)
return cert, private_key_loaded
def encode_certificate(
certificate,
encoding="pem",
append_certs=None,
private_key=None,
private_key_passphrase=None,
pkcs12_passphrase=None,
pkcs12_encryption_compat=False,
pkcs12_friendlyname=None,
raw=False,
):
"""
Create an encoded representation of a certificate, optionally including
other structures. This can be used to create certificate chains, convert
a certificate into a different encoding or embed the corresponding
private key (for ``pkcs12``).
CLI Example:
.. code-block:: bash
salt '*' x509.encode_certificate /etc/pki/my.crt pem /etc/pki/ca.crt
certificate
The certificate to encode.
encoding
Specify the encoding of the resulting certificate. It can be returned
as a ``pem`` (or ``pkcs7_pem``) string or several (base64-encoded)
binary formats (``der``, ``pkcs7_der``, ``pkcs12``). Defaults to ``pem``.
append_certs
A list of additional certificates to encode with the new one, e.g. to create a CA chain.
.. note::
Mind that when ``der`` encoding is in use, appending certificatees is prohibited.
private_key
For ``pkcs12``, the private key corresponding to the public key of the ``certificate``
to be embedded.
private_key_passphrase
For ``pkcs12``, if the private key to embed is encrypted, specify the corresponding
passphrase.
pkcs12_passphrase
For ``pkcs12``, the container can be encrypted. Specify the passphrase to use here.
Mind that PKCS12 encryption should not be relied on for security purposes, see
note above in :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
pkcs12_encryption_compat
OpenSSL 3 and cryptography v37 switched to a much more secure default
encryption for PKCS12, which might be incompatible with some systems.
This forces the legacy encryption. Defaults to False.
pkcs12_friendlyname
When encoding a certificate as ``pkcs12``, a name for the certificate can be included.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
if encoding not in ["der", "pem", "pkcs7_der", "pkcs7_pem", "pkcs12"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: "
"der, pem, pkcs7_der, pkcs7_pem, pkcs12"
)
if encoding == "der" and append_certs:
raise SaltInvocationError("Cannot encode a certificate chain in DER")
if encoding != "pkcs12" and private_key:
raise SaltInvocationError(
"Embedding private keys is only supported for pkcs12 encoding"
)
if encoding == "pkcs12" and not private_key:
# The creation will work, but it will be listed in additional certs, not
# as the main certificate. This might confuse other parts of the code.
raise SaltInvocationError(
"Creating a PKCS12-encoded certificate without embedded private key "
"is unsupported"
)
append_certs = append_certs or []
if not isinstance(append_certs, list):
append_certs = [append_certs]
cert = x509util.load_cert(certificate)
append_certs = [x509util.load_cert(x) for x in append_certs]
if encoding in ["der", "pem"]:
crt_encoding = getattr(serialization.Encoding, encoding.upper())
crt_bytes = cert.public_bytes(crt_encoding)
for append_cert in append_certs:
# this can only happen for PEM, checked in the beginning
crt_bytes += b"\n" + append_cert.public_bytes(crt_encoding)
elif encoding == "pkcs12":
private_key = x509util.load_privkey(
private_key, passphrase=private_key_passphrase
)
if pkcs12_passphrase is None:
cipher = serialization.NoEncryption()
else:
if isinstance(pkcs12_passphrase, str):
pkcs12_passphrase = pkcs12_passphrase.encode()
if pkcs12_encryption_compat:
cipher = (
serialization.PrivateFormat.PKCS12.encryption_builder()
.kdf_rounds(50000)
.key_cert_algorithm(
serialization.pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC
)
.hmac_hash(hashes.SHA1())
.build(pkcs12_passphrase)
)
else:
cipher = serialization.BestAvailableEncryption(pkcs12_passphrase)
crt_bytes = serialization.pkcs12.serialize_key_and_certificates(
name=(
salt.utils.stringutils.to_bytes(pkcs12_friendlyname)
if pkcs12_friendlyname
else None
),
key=private_key,
cert=cert,
cas=append_certs,
encryption_algorithm=cipher,
)
else: # pkcs7, requires cryptography v37
try:
crt_bytes = serialization.pkcs7.serialize_certificates(
[cert] + append_certs,
encoding=getattr(
serialization.Encoding, "PEM" if encoding == "pkcs7_pem" else "DER"
),
)
except AttributeError as err:
raise CommandExecutionError(
"Serialization to pkcs7 requires at least cryptography release 37."
) from err
if raw:
return crt_bytes
if encoding in ["pem", "pkcs7_pem"]:
return crt_bytes.decode()
return base64.b64encode(crt_bytes).decode()
def create_crl(
signing_private_key,
revoked,
signing_cert=None,
signing_private_key_passphrase=None,
include_expired=False,
days_valid=None,
digest="sha256",
encoding="pem",
extensions=None,
path=None,
raw=False,
**kwargs,
):
"""
Create a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.create_crl signing_cert=/etc/pki/ca.crt \
signing_private_key=/etc/pki/ca.key \
revoked="[{'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00'}]"
signing_private_key
Your certificate authority's private key. It will be used to sign
the CRL. Required.
revoked
A list of dicts containing all the certificates to revoke. Each dict
represents one certificate. A dict must contain either the key
``serial_number`` with the value of the serial number to revoke, or
``certificate`` with some reference to the certificate to revoke.
The dict can optionally contain the ``revocation_date`` key. If this
key is omitted, the revocation date will be set to now. It should be a
string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the ``not_after`` key. This is
redundant if the ``certificate`` key is included, since it will be
sourced from the certificate. If the ``certificate`` key is not included,
this can be used for the logic behind the ``include_expired`` parameter.
It should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the ``extensions`` key, which
allows to set CRL entry-specific extensions. The following extensions
are supported:
certificateIssuer
Identifies the certificate issuer associated with an entry in an
indirect CRL. The format is the same as for subjectAltName.
CRLReason
Identifies the reason for certificate revocation.
Available choices are ``unspecified``, ``keyCompromise``, ``CACompromise``,
``affiliationChanged``, ``superseded``, ``cessationOfOperation``,
``certificateHold``, ``privilegeWithdrawn``, ``aACompromise`` and
``removeFromCRL``.
invalidityDate
Provides the date on which the certificate likely became invalid.
The value should be a string in the same format as ``revocation_date``.
signing_cert
The CA certificate to be used for signing the CRL.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
include_expired
Also include already expired certificates in the CRL. Defaults to false.
days_valid
The number of days the CRL should be valid for. This sets the ``Next Update``
field. Defaults to ``100`` (until v3009) or ``7`` (from v3009 onwards).
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
extensions
Add CRL extensions. The following are available:
authorityKeyIdentifier
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
authorityInfoAccess
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
cRLNumber
Specifies a sequential number for each CRL issued by a CA.
Values must be integers.
deltaCRLIndicator
If the CRL is a delta CRL, this value points to the cRLNumber
of the base cRL. Values must be integers.
freshestCRL
Identifies how delta CRL information is obtained. The format
is the same as ``crlDistributionPoints``.
issuerAltName
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
issuingDistributionPoint
Identifies the CRL distribution point for a particular CRL and
indicates what kinds of revocation it covers. The format is
comparable to ``crlDistributionPoints``. Specify as follows:
.. code-block:: yaml
issuingDistributionPoint:
fullname: # or relativename with RDN
- URI:http://example.com/myca.crl
onlysomereasons:
- keyCompromise
onlyuser: true
onlyCA: true
onlyAA: true
indirectCRL: false
path
Instead of returning the CRL, write it to this file path.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
# Deprecation checks vs the old x509 module
if kwargs:
if "text" in kwargs:
salt.utils.versions.kwargs_warn_until(["text"], "Potassium")
kwargs.pop("text")
unknown = [kwarg for kwarg in kwargs if not kwarg.startswith("_")]
if unknown:
raise SaltInvocationError(
f"Unrecognized keyword arguments: {list(unknown)}"
)
if days_valid is None:
try:
salt.utils.versions.warn_until(
3009,
"The default value for `days_valid` will change to 7. Please adapt your code accordingly.",
)
days_valid = 100
except RuntimeError:
days_valid = 7
revoked_parsed = []
for rev in revoked:
parsed = {}
if len(rev) == 1 and isinstance(rev[next(iter(rev))], list):
salt.utils.versions.warn_until(
3009,
"Revoked certificates should be specified as a simple list of dicts.",
)
for val in rev[next(iter(rev))]:
parsed.update(val)
if "reason" in (parsed or rev):
salt.utils.versions.warn_until(
3009,
"The `reason` parameter for revoked certificates should be specified in extensions:CRLReason.",
)
salt.utils.dictupdate.set_dict_key_value(
(parsed or rev), "extensions:CRLReason", (parsed or rev).pop("reason")
)
revoked_parsed.append(parsed or rev)
revoked = revoked_parsed
if encoding not in ["der", "pem"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem"
)
if digest.lower() not in [
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512_224",
"sha512_256",
"sha3_224",
"sha3_256",
"sha3_384",
"sha3_512",
]:
raise CommandExecutionError(
f"Invalid value '{digest}' for digest. Valid: sha1, sha224, sha256, "
"sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, "
"sha3_512"
)
builder, signing_private_key = x509util.build_crl(
signing_private_key,
revoked,
signing_cert=signing_cert,
signing_private_key_passphrase=signing_private_key_passphrase,
include_expired=include_expired,
days_valid=days_valid,
extensions=extensions,
)
algorithm = None
if x509util.get_key_type(signing_private_key) not in [
x509util.KEY_TYPE.ED25519,
x509util.KEY_TYPE.ED448,
]:
algorithm = x509util.get_hashing_algorithm(digest)
crl = builder.sign(signing_private_key, algorithm=algorithm)
out = encode_crl(crl, encoding=encoding, raw=bool(path) or raw)
if path is None:
return out
if encoding == "pem":
return write_pem(out.decode(), path, pem_type="X509 CRL")
with salt.utils.files.fopen(path, "wb") as fp_:
fp_.write(out)
return f"CRL written to {path}"
def encode_crl(crl, encoding="pem", raw=False):
"""
Create an encoded representation of a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_crl /etc/pki/my.crl der
crl
The certificate revocation list to encode.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
if encoding not in ["der", "pem"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem"
)
crl = x509util.load_crl(crl)
crl_encoding = getattr(serialization.Encoding, encoding.upper())
crl_bytes = crl.public_bytes(crl_encoding)
if raw:
return crl_bytes
if encoding == "pem":
return crl_bytes.decode()
return base64.b64encode(crl_bytes).decode()
def create_csr(
private_key,
private_key_passphrase=None,
digest="sha256",
encoding="pem",
path=None,
raw=False,
**kwargs,
):
"""
Create a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.create_csr private_key='/etc/pki/myca.key' CN='My Cert'
private_key
The private key corresponding to the public key the certificate should
be issued for. The CSR will be signed by it. Required.
private_key_passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate signing request.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
path
Instead of returning the CSR, write it to this file path.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments.
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`
for an overview. Mind that some extensions are not available for CSR
(``authorityInfoAccess``, ``authorityKeyIdentifier``,
``issuerAltName``, ``crlDistributionPoints``).
"""
# Deprecation checks vs the old x509 module
if "algorithm" in kwargs:
salt.utils.versions.warn_until(
3009,
"`algorithm` has been renamed to `digest`. Please update your code.",
)
digest = kwargs.pop("algorithm")
ignored_params = {"text", "version"}.intersection(kwargs) # path, overwrite
if ignored_params:
salt.utils.versions.kwargs_warn_until(ignored_params, "Potassium")
kwargs = x509util.ensure_cert_kwargs_compat(kwargs)
if encoding not in ["der", "pem"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem"
)
if digest.lower() not in [
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512_224",
"sha512_256",
"sha3_224",
"sha3_256",
"sha3_384",
"sha3_512",
]:
raise CommandExecutionError(
f"Invalid value '{digest}' for digest. Valid: sha1, sha224, sha256, "
"sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, "
"sha3_512"
)
builder, private_key = x509util.build_csr(
private_key, private_key_passphrase=private_key_passphrase, **kwargs
)
algorithm = None
if x509util.get_key_type(private_key) not in [
x509util.KEY_TYPE.ED25519,
x509util.KEY_TYPE.ED448,
]:
algorithm = x509util.get_hashing_algorithm(digest)
csr = builder.sign(private_key, algorithm=algorithm)
out = encode_csr(csr, encoding=encoding, raw=bool(path) or raw)
if path is None:
return out
if encoding == "pem":
return write_pem(out.decode(), path, pem_type="CERTIFICATE REQUEST")
with salt.utils.files.fopen(path, "wb") as fp_:
fp_.write(out)
return f"CSR written to {path}"
def encode_csr(csr, encoding="pem", raw=False):
"""
Create an encoded representation of a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_csr /etc/pki/my.csr der
csr
The certificate signing request to encode.
encoding
Specify the encoding of the resulting certificate signing request.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
if encoding not in ["der", "pem"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem"
)
csr = x509util.load_csr(csr)
csr_encoding = getattr(serialization.Encoding, encoding.upper())
csr_bytes = csr.public_bytes(csr_encoding)
if raw:
return csr_bytes
if encoding == "pem":
return csr_bytes.decode()
return base64.b64encode(csr_bytes).decode()
def create_private_key(
algo="rsa",
keysize=None,
passphrase=None,
encoding="pem",
pkcs12_encryption_compat=False,
path=None,
raw=False,
**kwargs,
):
"""
Create a private key.
CLI Example:
.. code-block:: bash
salt '*' x509.create_private_key algo=ec keysize=384
algo
The digital signature scheme the private key should be based on.
Available: ``rsa``, ``ec``, ``ed25519``, ``ed448``. Defaults to ``rsa``.
keysize
For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096).
For ``ec``, specifies the NIST curve to use (256, 384, 521).
Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``).
Defaults to 2048 for RSA and 256 for EC.
passphrase
If this is specified, the private key will be encrypted using this
passphrase. The encryption algorithm cannot be selected, it will be
determined automatically as the best available one.
encoding
Specify the encoding of the resulting private key. It can be returned
as a ``pem`` string, base64-encoded ``der`` or base64-encoded ``pkcs12``.
Defaults to ``pem``.
pkcs12_encryption_compat
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
``PBESv1SHA1And3KeyTripleDESCBC``.
Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
path
Instead of returning the private key, write it to this file path.
Note that this does not use safe permissions and should be avoided.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
# Deprecation checks vs the old x509 module
if "bits" in kwargs:
salt.utils.versions.warn_until(
3009,
"`bits` has been renamed to `keysize`. Please update your code.",
)
keysize = kwargs.pop("bits")
ignored_params = {"cipher", "verbose", "text"}.intersection(
kwargs
) # path, overwrite
if ignored_params:
salt.utils.versions.kwargs_warn_until(ignored_params, "Potassium")
for x in ignored_params:
kwargs.pop(x)
unknown = [kwarg for kwarg in kwargs if not kwarg.startswith("_")]
if unknown:
raise SaltInvocationError(f"Unrecognized keyword arguments: {list(unknown)}")
if encoding not in ["der", "pem", "pkcs12"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12"
)
out = encode_private_key(
_generate_pk(algo=algo, keysize=keysize),
encoding=encoding,
passphrase=passphrase,
pkcs12_encryption_compat=pkcs12_encryption_compat,
raw=bool(path) or raw,
)
if path is None:
return out
if encoding == "pem":
return write_pem(
out.decode(), path, pem_type="(?:(RSA|ENCRYPTED) )?PRIVATE KEY"
)
with salt.utils.files.fopen(path, "wb") as fp_:
fp_.write(out)
return
def encode_private_key(
private_key,
encoding="pem",
passphrase=None,
private_key_passphrase=None,
pkcs12_encryption_compat=False,
raw=False,
):
"""
Create an encoded representation of a private key.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_private_key /etc/pki/my.key der
private_key
The private key to encode.
encoding
Specify the encoding of the resulting private key. It can be returned
as a ``pem`` string, base64-encoded ``der`` and base64-encoded ``pkcs12``.
Defaults to ``pem``.
passphrase
If this is specified, the private key will be encrypted using this
passphrase. The encryption algorithm cannot be selected, it will be
determined automatically as the best available one.
private_key_passphrase
.. versionadded:: 3006.2
If the current ``private_key`` is encrypted, the passphrase to
decrypt it.
pkcs12_encryption_compat
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
``PBESv1SHA1And3KeyTripleDESCBC``.
Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
"""
if encoding not in ["der", "pem", "pkcs12"]:
raise CommandExecutionError(
f"Invalid value '{encoding}' for encoding. Valid: der, pem, pkcs12"
)
private_key = x509util.load_privkey(private_key, passphrase=private_key_passphrase)
if passphrase is None:
cipher = serialization.NoEncryption()
else:
if isinstance(passphrase, str):
passphrase = passphrase.encode()
if encoding == "pkcs12" and pkcs12_encryption_compat:
cipher = (
serialization.PrivateFormat.PKCS12.encryption_builder()
.kdf_rounds(50000)
.key_cert_algorithm(
serialization.pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC
)
.hmac_hash(hashes.SHA1())
.build(passphrase)
)
else:
cipher = serialization.BestAvailableEncryption(passphrase)
if encoding in ["der", "pem"]:
pk_encoding = getattr(serialization.Encoding, encoding.upper())
pk_bytes = private_key.private_bytes(
encoding=pk_encoding,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=cipher,
)
else:
pk_bytes = serialization.pkcs12.serialize_key_and_certificates(
name=None, key=private_key, cert=None, cas=None, encryption_algorithm=cipher
)
if raw:
return pk_bytes
if encoding == "pem":
return pk_bytes.decode()
return base64.b64encode(pk_bytes).decode()
def expires(certificate, days=0):
"""
Determine whether a certificate will expire or has expired already.
Returns a boolean only.
CLI Example:
.. code-block:: bash
salt '*' x509.expires /etc/pki/my.crt days=7
certificate
The certificate to check.
days
If specified, determine expiration x days in the future.
Defaults to ``0``, which checks for the current time.
"""
cert = x509util.load_cert(certificate)
try:
not_after = cert.not_valid_after_utc
except AttributeError:
# naive datetime object, release <42 (it's always UTC)
not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
return not_after <= datetime.now(tz=timezone.utc) + timedelta(days=days)
def expired(certificate):
"""
Returns a dict containing limited details of a
certificate and whether the certificate has expired.
CLI Example:
.. code-block:: bash
salt '*' x509.expired /etc/pki/mycert.crt
certificate
The certificate to check.
"""
ret = {}
if x509util.isfile(certificate):
ret["path"] = certificate
cert = x509util.load_cert(certificate)
try:
ret["cn"] = cert.subject.get_attributes_for_oid(x509util.NAME_ATTRS_OID["CN"])[
0
].value
except IndexError:
pass
ret["expired"] = expires(certificate)
return ret
def get_pem_entries(glob_path):
"""
Returns a dict containing PEM entries in files matching a glob.
CLI Example:
.. code-block:: bash
salt '*' x509.get_pem_entries "/etc/pki/*.crt"
glob_path
A path representing certificates to be read and returned.
"""
ret = {}
for path in glob.glob(glob_path):
if os.path.isfile(path):
try:
ret[path] = get_pem_entry(text=path)
except ValueError:
pass
return ret
def get_pem_entry(text, pem_type=None):
"""
Returns a properly formatted PEM string from the input text,
fixing any whitespace or line-break issues.
CLI Example:
.. code-block:: bash
salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST"
text
Text containing the X509 PEM entry to be returned or path to
a file containing the text.
pem_type
If specified, this function will only return a pem of a certain type,
for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'.
"""
text = x509util.load_file_or_bytes(text).decode()
# Replace encoded newlines
text = text.replace("\\n", "\n")
if (
len(text.splitlines()) == 1
and text.startswith("-----")
and text.endswith("-----")
):
# mine.get returns the PEM on a single line, we fix this
pem_fixed = []
pem_temp = text
while len(pem_temp) > 0:
if pem_temp.startswith("-----"):
# Grab ----(.*)---- blocks
pem_fixed.append(pem_temp[: pem_temp.index("-----", 5) + 5])
pem_temp = pem_temp[pem_temp.index("-----", 5) + 5 :]
else:
# grab base64 chunks
if pem_temp[:64].count("-") == 0:
pem_fixed.append(pem_temp[:64])
pem_temp = pem_temp[64:]
else:
pem_fixed.append(pem_temp[: pem_temp.index("-")])
pem_temp = pem_temp[pem_temp.index("-") :]
text = "\n".join(pem_fixed)
errmsg = f"PEM text not valid:\n{text}"
if pem_type:
errmsg = f"PEM does not contain a single entry of type {pem_type}:\n{text}"
_match = _valid_pem(text, pem_type)
if not _match:
raise SaltInvocationError(errmsg)
_match_dict = _match.groupdict()
pem_header = _match_dict["pem_header"]
proc_type = _match_dict["proc_type"]
dek_info = _match_dict["dek_info"]
pem_footer = _match_dict["pem_footer"]
pem_body = _match_dict["pem_body"]
# Remove all whitespace from body
pem_body = "".join(pem_body.split())
# Generate correctly formatted pem
ret = pem_header + "\n"
if proc_type:
ret += proc_type + "\n"
if dek_info:
ret += dek_info + "\n" + "\n"
for i in range(0, len(pem_body), 64):
ret += pem_body[i : i + 64] + "\n"
ret += pem_footer + "\n"
return salt.utils.stringutils.to_bytes(ret, encoding="ascii")
def get_private_key_size(private_key, passphrase=None):
"""
Return information about the keysize of a private key (RSA/EC).
CLI Example:
.. code-block:: bash
salt '*' x509.get_private_key_size /etc/pki/my.key
private_key
The private key to check.
passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
"""
privkey = x509util.load_privkey(private_key, passphrase=passphrase)
if not hasattr(privkey, "key_size"):
# Edwards-curve keys
return None
return privkey.key_size
def get_public_key(key, passphrase=None, asObj=None):
"""
Returns a PEM-encoded public key derived from some reference.
The reference should be a public key, certificate, private key or CSR.
CLI Example:
.. code-block:: bash
salt '*' x509.get_public_key /etc/pki/my.key
key
A reference to the structure to look the public key up for.
passphrase
If ``key`` is encrypted, the passphrase to decrypt it.
"""
# Deprecation checks vs the old x509 module
if asObj is not None:
salt.utils.versions.kwargs_warn_until(["asObj"], "Potassium")
try:
return x509util.to_pem(x509util.load_pubkey(key)).decode()
except (CommandExecutionError, SaltInvocationError):
pass
try:
return x509util.to_pem(
x509util.load_cert(key, passphrase=passphrase).public_key()
).decode()
except (CommandExecutionError, SaltInvocationError):
pass
try:
return x509util.to_pem(
x509util.load_privkey(key, passphrase=passphrase).public_key()
).decode()
except (CommandExecutionError, SaltInvocationError):
pass
try:
return x509util.to_pem(x509util.load_csr(key).public_key()).decode()
except SaltInvocationError:
pass
raise CommandExecutionError(
"Could not load key as certificate, public key, private key or CSR"
)
def get_signing_policy(signing_policy, ca_server=None):
"""
Returns the specified named signing policy.
CLI Example:
.. code-block:: bash
salt '*' x509.get_signing_policy www
signing_policy
The name of the signing policy to return.
ca_server
If this is set, the CA server will be queried for the
signing policy instead of looking it up locally.
"""
if ca_server is None:
policy = _get_signing_policy(signing_policy)
else:
# Cache signing policies from remote during this run
# to reduce unnecessary resource usage.
ckey = "_x509_policies"
if ckey not in __context__:
__context__[ckey] = {}
if ca_server not in __context__[ckey]:
__context__[ckey][ca_server] = {}
if signing_policy not in __context__[ckey][ca_server]:
policy_ = _query_remote(
ca_server, signing_policy, {}, get_signing_policy_only=True
)
if "signing_cert" in policy_:
policy_["signing_cert"] = x509util.to_pem(
x509util.load_cert(policy_["signing_cert"])
).decode()
__context__[ckey][ca_server][signing_policy] = policy_
# only hand out copies of the cached policy
policy = copy.deepcopy(__context__[ckey][ca_server][signing_policy])
# Don't immediately break for the long form of name attributes
for name, long_names in x509util.NAME_ATTRS_ALT_NAMES.items():
for long_name in long_names:
if long_name in policy:
salt.utils.versions.warn_until(
3009,
f"Found {long_name} in {signing_policy}. Please migrate to the short name: {name}",
)
policy[name] = policy.pop(long_name)
# Don't immediately break for the long form of extensions
for extname, long_names in x509util.EXTENSIONS_ALT_NAMES.items():
for long_name in long_names:
if long_name in policy:
salt.utils.versions.warn_until(
3009,
f"Found {long_name} in {signing_policy}. Please migrate to the short name: {extname}",
)
policy[extname] = policy.pop(long_name)
return policy
def read_certificate(certificate):
"""
Returns a dict containing details of a certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.read_certificate /etc/pki/mycert.crt
certificate
The certificate to read.
"""
cert = x509util.load_cert(certificate)
key_type = x509util.get_key_type(cert.public_key(), as_string=True)
try:
not_before = cert.not_valid_before_utc
not_after = cert.not_valid_after_utc
except AttributeError:
# naive datetime object, release <42 (it's always UTC)
not_before = cert.not_valid_before.replace(tzinfo=timezone.utc)
not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
ret = {
"version": cert.version.value + 1, # 0-indexed
"key_size": cert.public_key().key_size if key_type in ["ec", "rsa"] else None,
"key_type": key_type,
"serial_number": x509util.dec2hex(cert.serial_number),
"fingerprints": {
"sha1": x509util.pretty_hex(cert.fingerprint(algorithm=hashes.SHA1())),
"sha256": x509util.pretty_hex(cert.fingerprint(algorithm=hashes.SHA256())),
},
"subject": _parse_dn(cert.subject),
"subject_hash": x509util.pretty_hex(_get_name_hash(cert.subject)),
"subject_str": cert.subject.rfc4514_string(),
"issuer": _parse_dn(cert.issuer),
"issuer_hash": x509util.pretty_hex(_get_name_hash(cert.issuer)),
"issuer_str": cert.issuer.rfc4514_string(),
"not_before": not_before.strftime(x509util.TIME_FMT),
"not_after": not_after.strftime(x509util.TIME_FMT),
"public_key": get_public_key(cert),
"extensions": _parse_extensions(cert.extensions),
}
try:
ret["signature_algorithm"] = cert.signature_algorithm_oid._name
except AttributeError:
try:
for name, oid in cx509.SignatureAlgorithmOID.items():
if oid == cert.signature_algorithm_oid:
ret["signature_algorithm"] = name
break
except AttributeError:
pass
if "signature_algorithm" not in ret:
ret["signature_algorithm"] = cert.signature_algorithm_oid.dotted_string
if __opts__["fips_mode"] is False:
ret["fingerprints"]["md5"] = x509util.pretty_hex(
cert.fingerprint(algorithm=hashes.MD5())
)
return ret
def read_certificates(glob_path):
"""
Returns a dict containing details of all certificates matching a glob.
CLI Example:
.. code-block:: bash
salt '*' x509.read_certificates "/etc/pki/*.crt"
glob_path
A path to certificates to be read and returned.
"""
ret = {}
for path in glob.glob(glob_path):
if os.path.isfile(path):
try:
ret[path] = read_certificate(certificate=path)
except ValueError:
pass
return ret
def read_crl(crl):
"""
Returns a dict containing details of a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.read_crl /etc/pki/my.crl
crl
The certificate revocation list to read.
"""
crl = x509util.load_crl(crl)
try:
last_update = crl.last_update_utc
next_update = crl.next_update_utc
except AttributeError:
last_update = crl.last_update.replace(tzinfo=timezone.utc)
next_update = crl.next_update.replace(tzinfo=timezone.utc)
ret = {
"issuer": _parse_dn(crl.issuer),
"last_update": last_update.strftime(x509util.TIME_FMT),
"next_update": next_update.strftime(x509util.TIME_FMT),
"revoked_certificates": {},
"extensions": _parse_extensions(crl.extensions),
}
try:
ret["signature_algorithm"] = crl.signature_algorithm_oid._name
except AttributeError:
try:
for name, oid in cx509.SignatureAlgorithmOID.items():
if oid == crl.signature_algorithm_oid:
ret["signature_algorithm"] = name
break
except AttributeError:
pass
if "signature_algorithm" not in ret:
ret["signature_algorithm"] = crl.signature_algorithm_oid.dotted_string
for revoked in crl:
try:
revocation_date = revoked.revocation_date_utc
except AttributeError:
# naive datetime object, release <42 (it's always UTC)
revocation_date = revoked.revocation_date.replace(tzinfo=timezone.utc)
ret["revoked_certificates"].update(
{
x509util.dec2hex(revoked.serial_number).replace(":", ""): {
"revocation_date": revocation_date.strftime(x509util.TIME_FMT),
"extensions": _parse_crl_entry_extensions(revoked.extensions),
}
}
)
return ret
def read_csr(csr):
"""
Returns a dict containing details of a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.read_csr /etc/pki/mycert.csr
csr
The certificate signing request to read.
"""
csr = x509util.load_csr(csr)
key_type = x509util.get_key_type(csr.public_key(), as_string=True)
return {
"key_size": csr.public_key().key_size if key_type in ["ec", "rsa"] else None,
"key_type": key_type,
"subject": _parse_dn(csr.subject),
"subject_hash": x509util.pretty_hex(_get_name_hash(csr.subject)),
"subject_str": csr.subject.rfc4514_string(),
"public_key_hash": x509util.pretty_hex(
cx509.SubjectKeyIdentifier.from_public_key(csr.public_key()).digest
),
"extensions": _parse_extensions(csr.extensions),
}
def sign_remote_certificate(
signing_policy, kwargs, get_signing_policy_only=False, **more_kwargs
):
"""
Request a certificate to be remotely signed according to a signing policy.
This is mostly for internal use and does not make much sense on the CLI.
CLI Example:
.. code-block:: bash
salt '*' x509.sign_remote_certificate www kwargs="{'public_key': '/etc/pki/www.key'}"
signing_policy
The name of the signing policy to use. Required.
kwargs
A dict containing all the arguments to be passed into the
:py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>` function.
get_signing_policy_only
Only return the named signing policy. Defaults to false.
"""
ret = {"data": None, "errors": []}
try:
signing_policy = _get_signing_policy(signing_policy)
if not signing_policy:
ret["errors"].append(
"signing_policy must be specified and defined on signing minion"
)
return ret
if "minions" in signing_policy:
if "__pub_id" not in more_kwargs:
ret["errors"].append(
"minion sending this request could not be identified"
)
return ret
# also pop "minions" to avoid leaking more details than necessary
if not _match_minions(
signing_policy.pop("minions"), more_kwargs["__pub_id"]
):
ret["errors"].append(
"minion not permitted to use specified signing policy"
)
return ret
if get_signing_policy_only:
# This is relevant for the state module to be able to check for changes
# without generating and signing a new certificate every time.
# remove unnecessary sensitive information
signing_policy.pop("signing_private_key", None)
signing_policy.pop("signing_private_key_passphrase", None)
# ensure to deliver the signing cert as well, not a file path
if "signing_cert" in signing_policy:
try:
signing_policy["signing_cert"] = x509util.to_der(
x509util.load_cert(signing_policy["signing_cert"])
)
except (CommandExecutionError, SaltInvocationError) as err:
ret["data"] = None
ret["errors"].append(str(err))
return ret
ret["data"] = signing_policy
return ret
x509util.merge_signing_policy(signing_policy, kwargs)
# ensure the certificate will be issued from this minion
kwargs.pop("ca_server", None)
except Exception as err: # pylint: disable=broad-except
log.error(str(err))
return {
"data": None,
"errors": [
"Failed building the signing policy. See CA server log for details."
],
}
try:
cert, _ = _create_certificate_local(**kwargs)
ret["data"] = x509util.to_der(cert)
return ret
except Exception as err: # pylint: disable=broad-except
ret["data"] = None
ret["errors"].append(str(err))
return ret
err_message = "Internal error. This is most likely a bug."
log.error(err_message)
return {"data": None, "errors": [err_message]}
def _query_remote(ca_server, signing_policy, kwargs, get_signing_policy_only=False):
result = __salt__["publish.publish"](
ca_server,
"x509.sign_remote_certificate",
arg=[signing_policy, kwargs, get_signing_policy_only],
)
if not result:
raise SaltInvocationError(
"ca_server did not respond."
" Salt master must permit peers to"
" call the sign_remote_certificate function."
)
result = result[next(iter(result))]
if not isinstance(result, dict) or "data" not in result:
log.error("Received invalid return value from ca_server: %s", result)
raise CommandExecutionError(
"Received invalid return value from ca_server. See minion log for details"
)
if result.get("errors"):
raise CommandExecutionError(
"ca_server reported errors:\n" + "\n".join(result["errors"])
)
return result["data"]
def verify_crl(crl, cert):
"""
Verify that a signature on a certificate revocation list was made
by the private key corresponding to the public key associated
with the specified certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_crl /etc/pki/my.crl /etc/pki/my.crt
crl
The certificate revocation list to check the signature on.
cert
The certificate (or any reference that can be passed
to ``get_public_key``) to retrieve the public key from.
"""
crl = x509util.load_crl(crl)
pubkey = x509util.load_pubkey(get_public_key(cert))
return crl.is_signature_valid(pubkey)
def verify_private_key(private_key, public_key, passphrase=None):
"""
Verify that a private key belongs to the specified public key.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_private_key /etc/pki/my.key /etc/pki/my.crt
private_key
The private key to check.
public_key
The certificate (or any reference that can be passed
to ``get_public_key``) to retrieve the public key from.
passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
"""
privkey = x509util.load_privkey(private_key, passphrase=passphrase)
pubkey = x509util.load_pubkey(get_public_key(public_key))
return x509util.is_pair(pubkey, privkey)
def verify_signature(
certificate, signing_pub_key=None, signing_pub_key_passphrase=None
):
"""
Verify that a signature on a certificate was made
by the private key corresponding to the public key associated
with the specified certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_signature /etc/pki/my.key /etc/pki/my.crt
certificate
The certificate to check the signature on.
signing_pub_key
Any reference that can be passed to ``get_public_key`` to retrieve
the public key of the signing entity from. If unspecified, will
take the public key of ``certificate``, i.e. verify a self-signed
certificate.
signing_pub_key_passphrase
If ``signing_pub_key`` is encrypted, the passphrase to decrypt it.
"""
cert = x509util.load_cert(certificate)
pubkey = x509util.load_pubkey(
get_public_key(
signing_pub_key or certificate, passphrase=signing_pub_key_passphrase
)
)
return x509util.verify_signature(cert, pubkey)
def will_expire(certificate, days):
"""
Returns a dict containing details of a certificate and whether
the certificate will expire in the specified number of days.
CLI Example:
.. code-block:: bash
salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30
certificate
The certificate to check.
days
The number of days in the future to check the validity for.
"""
ret = {"check_days": days}
if x509util.isfile(certificate):
ret["path"] = certificate
cert = x509util.load_cert(certificate)
try:
ret["cn"] = cert.subject.get_attributes_for_oid(x509util.NAME_ATTRS_OID["CN"])[
0
].value
except IndexError:
pass
ret["will_expire"] = expires(certificate, days)
return ret
def write_pem(text, path, overwrite=True, pem_type=None):
"""
Writes out a PEM string, fixing any formatting or whitespace
issues before writing.
CLI Example:
.. code-block:: bash
salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt
text
PEM string input to be written out.
path
Path of the file to write the PEM out to.
overwrite
If ``True`` (default), write_pem will overwrite the entire PEM file.
Set to ``False`` to preserve existing private keys and DH params that may
exist in the PEM file.
pem_type
The PEM type to be saved, for example ``CERTIFICATE`` or
``PUBLIC KEY``. Adding this will allow the function to take
input that may contain multiple PEM types.
"""
text = get_pem_entry(text, pem_type=pem_type)
with salt.utils.files.set_umask(0o077):
_dhparams = ""
_private_key = ""
if (
pem_type
and pem_type == "CERTIFICATE"
and os.path.isfile(path)
and not overwrite
):
_filecontents = x509util.load_file_or_bytes(path).decode()
try:
_dhparams = get_pem_entry(_filecontents, "DH PARAMETERS")
except SaltInvocationError as err:
log.debug("Error while retrieving DH PARAMETERS: %s", err)
log.trace(err, exc_info=err)
try:
_private_key = get_pem_entry(_filecontents, "(?:RSA )?PRIVATE KEY")
except SaltInvocationError as err:
log.debug("Error while retrieving PRIVATE KEY: %s", err)
log.trace(err, exc_info=err)
with salt.utils.files.fopen(path, "w") as _fp:
if pem_type and pem_type == "CERTIFICATE" and _private_key:
_fp.write(salt.utils.stringutils.to_str(_private_key))
_fp.write(salt.utils.stringutils.to_str(text))
if pem_type and pem_type == "CERTIFICATE" and _dhparams:
_fp.write(salt.utils.stringutils.to_str(_dhparams))
return f"PEM written to {path}"
def _make_pem_regex(pem_type):
"""
Dynamically generate a regex to match pem_type
"""
return re.compile(
rf"\s*(?P<pem_header>-----BEGIN {pem_type}-----)\s+"
r"(?:(?P<proc_type>Proc-Type: 4,ENCRYPTED)\s*)?"
r"(?:(?P<dek_info>DEK-Info:"
r" (?:DES-[3A-Z\-]+,[0-9A-F]{{16}}|[0-9A-Z\-]+,[0-9A-F]{{32}}))\s*)?"
r"(?P<pem_body>.+?)\s+(?P<pem_footer>"
rf"-----END {pem_type}-----)\s*",
re.DOTALL,
)
def _valid_pem(pem, pem_type=None):
pem_type = "[0-9A-Z ]+" if pem_type is None else pem_type
_dregex = _make_pem_regex(pem_type)
for _match in _dregex.finditer(pem):
if _match:
return _match
return None
def _generate_pk(algo="rsa", keysize=None):
if algo == "rsa":
return x509util.generate_rsa_privkey(keysize=keysize or 2048)
if algo == "ec":
return x509util.generate_ec_privkey(keysize=keysize or 256)
if algo == "ed25519":
return x509util.generate_ed25519_privkey()
if algo == "ed448":
return x509util.generate_ed448_privkey()
raise SaltInvocationError(
f"Invalid algorithm specified for generating private key: {algo}. Valid: "
"rsa, ec, ed25519, ed448"
)
def _get_signing_policy(name):
if name is None:
return {}
policies = __salt__["pillar.get"]("x509_signing_policies", {}).get(name)
policies = policies or __salt__["config.get"]("x509_signing_policies", {}).get(name)
if isinstance(policies, list):
dict_ = {}
for item in policies:
dict_.update(item)
policies = dict_
return policies or {}
def _parse_dn(subject):
"""
Returns a dict containing all values in an X509 Subject
"""
ret = OrderedDict()
for nid_name, oid in x509util.NAME_ATTRS_OID.items():
try:
ret[nid_name] = subject.get_attributes_for_oid(oid)[0].value
except IndexError:
continue
return ret
def _get_name_hash(name, digest="sha1"):
"""
Returns the OpenSSL name hash.
This is the first four bytes of the SHA1 (pre v1: MD5) hash
of the DER-encoded form of name. On little-endian systems,
OpenSSL inverts the bytes.
"""
if digest.lower() not in ["sha1", "md5"]:
raise ValueError(
f"Invalid hashing algorithm for name hash: {digest}. "
"Only SHA1 and MD5 are allowed"
)
hsh = hashes.Hash(x509util.get_hashing_algorithm(digest))
hsh.update(name.public_bytes())
res = hsh.finalize()[:4]
if sys.byteorder == "little":
res = res[::-1]
return res
def _parse_extensions(extensions):
ret = {}
for extname, oid in x509util.EXTENSIONS_OID.items():
try:
ext = extensions.get_extension_for_oid(oid)
except cx509.ExtensionNotFound:
continue
ret[extname] = x509util.render_extension(ext)
return ret
def _parse_crl_entry_extensions(extensions):
ret = {}
for extname, oid in x509util.EXTENSIONS_CRL_ENTRY_OID.items():
try:
ext = extensions.get_extension_for_oid(oid)
except cx509.ExtensionNotFound:
continue
ret[extname] = x509util.render_extension(ext)
return ret
def _match_minions(test, minion):
if "@" in test:
# Ask the master if the requesting minion matches a compound expression.
match = __salt__["publish.runner"]("match.compound_matches", arg=[test, minion])
if match is None:
raise CommandExecutionError(
"Could not check minion match for compound expression. "
"Is this minion allowed to run `match.compound_matches` on the master?"
)
try:
return match["res"] == minion
except (KeyError, TypeError) as err:
raise CommandExecutionError(
"Invalid return value of match.compound_matches."
) from err
# The following line should never be reached.
return False
return __salt__["match.glob"](test, minion)