Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] salt-call x509.read_certificate error out when reading a Microsoft CA issued certificate #57535

Closed
ssiuhk opened this issue Jun 3, 2020 · 4 comments · Fixed by #63099
Closed

[BUG] salt-call x509.read_certificate error out when reading a Microsoft CA issued certificate #57535

ssiuhk opened this issue Jun 3, 2020 · 4 comments · Fixed by #63099
Assignees
@dwoz
Labels
Bug broken, incorrect, or confusing behavior severity-high 2nd top severity, seen by most users, causes major problems
Milestone
Chlorine v3007.0

Comments

@ssiuhk
Copy link
Contributor

ssiuhk commented Jun 3, 2020

Description
When using salt-call x509.read_certificate to read a Microsoft CA issued certificate, it will error out due to an exception raised in m2crypto library for unsupported format.
I've also raised https://gitlab.com/m2crypto/m2crypto/-/issues/276 to address the issue

Setup

[root@localhost ~]# openssl s_client -showcerts -connect www.microsoft.com:443 < /dev/null | openssl x509 -outform PEM > /tmp/microsoft_cert.pem
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 5
verify return:1
depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, OU = Microsoft Corporation, CN = www.microsoft.com
verify return:1
DONE
[root@localhost ~]# cat /tmp/microsoft_cert.pem 
-----BEGIN CERTIFICATE-----
MIIJHzCCBwegAwIBAgITLQAMNxVixB2TlAh/aAAAAAw3FTANBgkqhkiG9w0BAQsF
ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE
CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDUw
HhcNMTkxMDIxMjIwNDA0WhcNMjExMDIxMjIwNDA0WjCBiDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv
ZnQgQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEa
MBgGA1UEAxMRd3d3Lm1pY3Jvc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDTEK1CzUwdArEOb/vDOqds7/vQ1yGQtAYaZYNBch27Kw3/XKnf
td3NVj7tYe7MhI1U+bknxhSx7m4ti7Pzt6mxQiTZ/KegYhxosd3sOEikXgJVzECv
h0Mvd6adrvi00cUeQz0dlkUkuxMAjiFs+FX7Ogf4xt8ub4hKZPGB85vDnQQ0OHVh
L9IuUbYHhmh8EoDEdR+og+lj7u5OKt3YEWntgbnfV1d66U59kfp5Dg4T/zFjqz/l
U3KGBWgj0YoxH8KGfuq2YfFQsm7Q4MDJnR2PNUbwwrK5JldcRn27o5SVZxaB55bs
dyHWL0GbG5JoIIWg8pGJXKYGfARDEVjWijBPAgMBAAGjggR7MIIEdzCCAXwGCisG
AQQB1nkCBAIEggFsBIIBaAFmAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyAL
zE7xZOMAAAFt8GJxcQAABAMARzBFAiEAldKDzhaLTJ1PpTpE7TmrRp+nDwoEZbW5
JOfrPKoR6PsCIBOqc6bzu7MnferBbxkUKwS67LpFTJgxYk6RV98m5fK2AHUAVYHU
whaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFt8GJyzQAABAMARjBEAiBa
JqHGYrk+yh3ccuelsJxqLbhE3DJuSBZxe+xEpiabhQIgRdcckht/x8uG6tSrRKg5
0GdwnWlFKMBDT50rQjIPflMAdQB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZ
fiLw1wAAAW3wYnG7AAAEAwBGMEQCIGToqXolvHTes1f0QwV9RSvEE5HVwX6jn70+
KaExl0+BAiBosObeHSU867FO1Aw5dw+R01ZZ1fudHxDwuXgLvqFmQzAnBgkrBgEE
AYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMD4GCSsGAQQBgjcVBwQx
MC8GJysGAQQBgjcVCIfahnWD7tkBgsmFG4G1nmGF9OtggV2E0t9CgueTegIBZAIB
HTCBhQYIKwYBBQUHAQEEeTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3Lm1pY3Jv
c29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIw
NS5jcnQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20wHQYDVR0O
BBYEFParvwUeQbdw6ZH4GpVu9gwrCfuVMAsGA1UdDwQEAwIEsDCBmQYDVR0RBIGR
MIGOghN3d3dxYS5taWNyb3NvZnQuY29tghF3d3cubWljcm9zb2Z0LmNvbYIYc3Rh
dGljdmlldy5taWNyb3NvZnQuY29tghFpLnMtbWljcm9zb2Z0LmNvbYINbWljcm9z
b2Z0LmNvbYIRYy5zLW1pY3Jvc29mdC5jb22CFXByaXZhY3kubWljcm9zb2Z0LmNv
bTCBrAYDVR0fBIGkMIGhMIGeoIGboIGYhktodHRwOi8vbXNjcmwubWljcm9zb2Z0
LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIw
NS5jcmyGSWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9N
aWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwNS5jcmwwTQYDVR0gBEYwRDBCBgkr
BgEEAYI3KgEwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
L3BraS9tc2NvcnAvY3BzMB8GA1UdIwQYMBaAFAj+JZ906ocEwry7jqg4XzPG0Wxl
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
AgEAdWMaW3NOP5Yr47Sow1UZNLMmDlxNjz+8DcHiflQfKsImOvs/UflUrMGXG7rH
57NbJZ9nYpSTHWxSJfKsGPc3pgc5R1sxZxDb6lBuXEN9NvhJMmPwBkyKJAAnjYN6
yCNZP4X6dBOONW8uopknF+CRHDZdSiMaFiE4fVCe0LrO90b4ROPsRV8zHn57i1B1
69n1cqsLXrMHvK0Xnu7rwrvvd5BbOaqm7DrgwJYUk0UciNEfcyN2dNRcCxofWQdV
GQqvagqtjyDCm/EJ6DJ2kWllGHjauc8IkMaUeCedTYphChEckXoRBZikZtyL0oZj
67iKht6mm4fST+x0Zuu5wdzUoCTQsNTHV0GSbcVIRcgmaNiwP+0+lrRocUrj2h/7
2IQN8Pe/+CrDeVJNlKA9gWNl+t1F/r3CKWnkENyNUCTggiCSojdY9Rkj1rTieP6M
SBUZBWf3MB5XIuaLOTO0/whM831krxNG/k0mdCpDtdKvCKIcARrkKM9A3TxtVpOd
8f9kifcGaPqTQYr8fxhrNB864qsCG17o8ZckBKW8FY5H/jSQAZb1qbwsTbBMXJIr
0lAPwH7LIAHJJyslG0X3Mp0ARumGWqVwiHOCaLXO1iSQX0wW4yo+lGxWONvOIoad
2Ned/fxM675fEVC+r+DI6BKbt9ChfIXiXeULqOZC3yp2Fo8=
-----END CERTIFICATE-----
[root@localhost ~]# openssl x509 -in /tmp/microsoft_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2d:00:0c:37:15:62:c4:1d:93:94:08:7f:68:00:00:00:0c:37:15
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5
        Validity
            Not Before: Oct 21 22:04:04 2019 GMT
            Not After : Oct 21 22:04:04 2021 GMT
        Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=www.microsoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:10:ad:42:cd:4c:1d:02:b1:0e:6f:fb:c3:3a:
                    a7:6c:ef:fb:d0:d7:21:90:b4:06:1a:65:83:41:72:
                    1d:bb:2b:0d:ff:5c:a9:df:b5:dd:cd:56:3e:ed:61:
                    ee:cc:84:8d:54:f9:b9:27:c6:14:b1:ee:6e:2d:8b:
                    b3:f3:b7:a9:b1:42:24:d9:fc:a7:a0:62:1c:68:b1:
                    dd:ec:38:48:a4:5e:02:55:cc:40:af:87:43:2f:77:
                    a6:9d:ae:f8:b4:d1:c5:1e:43:3d:1d:96:45:24:bb:
                    13:00:8e:21:6c:f8:55:fb:3a:07:f8:c6:df:2e:6f:
                    88:4a:64:f1:81:f3:9b:c3:9d:04:34:38:75:61:2f:
                    d2:2e:51:b6:07:86:68:7c:12:80:c4:75:1f:a8:83:
                    e9:63:ee:ee:4e:2a:dd:d8:11:69:ed:81:b9:df:57:
                    57:7a:e9:4e:7d:91:fa:79:0e:0e:13:ff:31:63:ab:
                    3f:e5:53:72:86:05:68:23:d1:8a:31:1f:c2:86:7e:
                    ea:b6:61:f1:50:b2:6e:d0:e0:c0:c9:9d:1d:8f:35:
                    46:f0:c2:b2:b9:26:57:5c:46:7d:bb:a3:94:95:67:
                    16:81:e7:96:ec:77:21:d6:2f:41:9b:1b:92:68:20:
                    85:a0:f2:91:89:5c:a6:06:7c:04:43:11:58:d6:8a:
                    30:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                    Timestamp : Oct 21 22:14:06.449 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:95:D2:83:CE:16:8B:4C:9D:4F:A5:3A:
                                44:ED:39:AB:46:9F:A7:0F:0A:04:65:B5:B9:24:E7:EB:
                                3C:AA:11:E8:FB:02:20:13:AA:73:A6:F3:BB:B3:27:7D:
                                EA:C1:6F:19:14:2B:04:BA:EC:BA:45:4C:98:31:62:4E:
                                91:57:DF:26:E5:F2:B6
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
                                C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
                    Timestamp : Oct 21 22:14:06.797 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:5A:26:A1:C6:62:B9:3E:CA:1D:DC:72:E7:
                                A5:B0:9C:6A:2D:B8:44:DC:32:6E:48:16:71:7B:EC:44:
                                A6:26:9B:85:02:20:45:D7:1C:92:1B:7F:C7:CB:86:EA:
                                D4:AB:44:A8:39:D0:67:70:9D:69:45:28:C0:43:4F:9D:
                                2B:42:32:0F:7E:53
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
                                79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
                    Timestamp : Oct 21 22:14:06.523 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:64:E8:A9:7A:25:BC:74:DE:B3:57:F4:43:
                                05:7D:45:2B:C4:13:91:D5:C1:7E:A3:9F:BD:3E:29:A1:
                                31:97:4F:81:02:20:68:B0:E6:DE:1D:25:3C:EB:B1:4E:
                                D4:0C:39:77:0F:91:D3:56:59:D5:FB:9D:1F:10:F0:B9:
                                78:0B:BE:A1:66:43
            1.3.6.1.4.1.311.21.10: 
                0.0
..+.......0
..+.......
            1.3.6.1.4.1.311.21.7: 
                0/.'+.....7.....u...........a...`.]...B...z..d...
            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt
                OCSP - URI:http://ocsp.msocsp.com

            X509v3 Subject Key Identifier: 
                F6:AB:BF:05:1E:41:B7:70:E9:91:F8:1A:95:6E:F6:0C:2B:09:FB:95
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:wwwqa.microsoft.com, DNS:www.microsoft.com, DNS:staticview.microsoft.com, DNS:i.s-microsoft.com, DNS:microsoft.com, DNS:c.s-microsoft.com, DNS:privacy.microsoft.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl
                  URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.311.42.1
                  CPS: http://www.microsoft.com/pki/mscorp/cps

            X509v3 Authority Key Identifier: 
                keyid:08:FE:25:9F:74:EA:87:04:C2:BC:BB:8E:A8:38:5F:33:C6:D1:6C:65

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         75:63:1a:5b:73:4e:3f:96:2b:e3:b4:a8:c3:55:19:34:b3:26:
         0e:5c:4d:8f:3f:bc:0d:c1:e2:7e:54:1f:2a:c2:26:3a:fb:3f:
         51:f9:54:ac:c1:97:1b:ba:c7:e7:b3:5b:25:9f:67:62:94:93:
         1d:6c:52:25:f2:ac:18:f7:37:a6:07:39:47:5b:31:67:10:db:
         ea:50:6e:5c:43:7d:36:f8:49:32:63:f0:06:4c:8a:24:00:27:
         8d:83:7a:c8:23:59:3f:85:fa:74:13:8e:35:6f:2e:a2:99:27:
         17:e0:91:1c:36:5d:4a:23:1a:16:21:38:7d:50:9e:d0:ba:ce:
         f7:46:f8:44:e3:ec:45:5f:33:1e:7e:7b:8b:50:75:eb:d9:f5:
         72:ab:0b:5e:b3:07:bc:ad:17:9e:ee:eb:c2:bb:ef:77:90:5b:
         39:aa:a6:ec:3a:e0:c0:96:14:93:45:1c:88:d1:1f:73:23:76:
         74:d4:5c:0b:1a:1f:59:07:55:19:0a:af:6a:0a:ad:8f:20:c2:
         9b:f1:09:e8:32:76:91:69:65:18:78:da:b9:cf:08:90:c6:94:
         78:27:9d:4d:8a:61:0a:11:1c:91:7a:11:05:98:a4:66:dc:8b:
         d2:86:63:eb:b8:8a:86:de:a6:9b:87:d2:4f:ec:74:66:eb:b9:
         c1:dc:d4:a0:24:d0:b0:d4:c7:57:41:92:6d:c5:48:45:c8:26:
         68:d8:b0:3f:ed:3e:96:b4:68:71:4a:e3:da:1f:fb:d8:84:0d:
         f0:f7:bf:f8:2a:c3:79:52:4d:94:a0:3d:81:63:65:fa:dd:45:
         fe:bd:c2:29:69:e4:10:dc:8d:50:24:e0:82:20:92:a2:37:58:
         f5:19:23:d6:b4:e2:78:fe:8c:48:15:19:05:67:f7:30:1e:57:
         22:e6:8b:39:33:b4:ff:08:4c:f3:7d:64:af:13:46:fe:4d:26:
         74:2a:43:b5:d2:af:08:a2:1c:01:1a:e4:28:cf:40:dd:3c:6d:
         56:93:9d:f1:ff:64:89:f7:06:68:fa:93:41:8a:fc:7f:18:6b:
         34:1f:3a:e2:ab:02:1b:5e:e8:f1:97:24:04:a5:bc:15:8e:47:
         fe:34:90:01:96:f5:a9:bc:2c:4d:b0:4c:5c:92:2b:d2:50:0f:
         c0:7e:cb:20:01:c9:27:2b:25:1b:45:f7:32:9d:00:46:e9:86:
         5a:a5:70:88:73:82:68:b5:ce:d6:24:90:5f:4c:16:e3:2a:3e:
         94:6c:56:38:db:ce:22:86:9d:d8:d7:9d:fd:fc:4c:eb:be:5f:
         11:50:be:af:e0:c8:e8:12:9b:b7:d0:a1:7c:85:e2:5d:e5:0b:
         a8:e6:42:df:2a:76:16:8f

Steps to Reproduce the behavior

[root@localhost ~]# salt-call --local --log-level debug x509.read_certificate /tmp/microsoft_cert.pem
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: admin.int.proedge.hk
[DEBUG   ] Configuration file path: /etc/salt/minion
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Grains refresh requested. Refreshing grains.
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] LazyLoaded zfs.is_supported
[DEBUG   ] Determining pillar cache
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] LazyLoaded x509.read_certificate
[DEBUG   ] LazyLoaded direct_call.execute
Index: 0
Index: 1

Passed invalid arguments: not expecting type '<type 'NoneType'>'.

Usage:

    Returns a dict containing details of a certificate. Input can be a PEM
    string or file path.

    certificate:
        The certificate to be read. Can be a path to a certificate file, or
        a string containing the PEM formatted text of the certificate.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_certificate /etc/pki/mycert.crt

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cli/caller.py", line 218, in call
    ret['return'] = self.minion.executors[fname](self.opts, data, func, args, kwargs)
  File "/usr/lib/python2.7/site-packages/salt/executors/direct_call.py", line 12, in execute
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/modules/x509.py", line 587, in read_certificate
    val = ext.get_value()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/X509.py", line 117, in get_value
    return six.ensure_text(buf.read_all())
  File "/usr/lib64/python2.7/site-packages/M2Crypto/six.py", line 906, in ensure_text
    raise TypeError("not expecting type '%s'" % type(s))
TypeError: not expecting type '<type 'NoneType'>'

Expected behavior
To print out decodable content of the certificate and display out

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.) 
[root@localhost ~]# salt-call --versions-report
Salt Version:
           Salt: 3000.3

Dependency Versions:
           cffi: 1.6.0
       cherrypy: Not Installed
       dateutil: 1.5
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
       M2Crypto: 0.31.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Aug  7 2019, 00:51:29)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 15.3.0
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.7.1908 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-1062.9.1.el7.x86_64
         system: Linux
        version: CentOS Linux 7.7.1908 Core

Additional context
Can add a try catch exception at https://github.com/saltstack/salt/blob/master/salt/modules/x509.py#L607, as some elements in the list is empty(not decodable by m2crypt) and cause an exception

The code to use M2Crypto module

    text = get_pem_entry(text, pem_type='CERTIFICATE')
    cert = M2Crypto.X509.load_cert_string(text)

    for ext_index in range(0, cert.get_ext_count()):
    print ("Index: {0}".format(ext_index))
    ext = cert.get_ext_at(ext_index)
    try:
        name = ext.get_name()
        val = ext.get_value()
    except TypeError as type_err:
        print ("Error: {0}".format(type_err))
        val = None
    print ("Ext Name: {0}, Ext Value: {1}".format(name, val))

Run result

Index: 0
Ext Name: ct_precert_scts, Ext Value: Signed Certificate Timestamp:
    Version   : v1(0)
    Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
    Timestamp : Oct 21 22:14:06.449 2019 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:45:02:21:00:95:D2:83:CE:16:8B:4C:9D:4F:A5:3A:
                44:ED:39:AB:46:9F:A7:0F:0A:04:65:B5:B9:24:E7:EB:
                3C:AA:11:E8:FB:02:20:13:AA:73:A6:F3:BB:B3:27:7D:
                EA:C1:6F:19:14:2B:04:BA:EC:BA:45:4C:98:31:62:4E:
                91:57:DF:26:E5:F2:B6
Signed Certificate Timestamp:
    Version   : v1(0)
    Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
                C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
    Timestamp : Oct 21 22:14:06.797 2019 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:44:02:20:5A:26:A1:C6:62:B9:3E:CA:1D:DC:72:E7:
                A5:B0:9C:6A:2D:B8:44:DC:32:6E:48:16:71:7B:EC:44:
                A6:26:9B:85:02:20:45:D7:1C:92:1B:7F:C7:CB:86:EA:
                D4:AB:44:A8:39:D0:67:70:9D:69:45:28:C0:43:4F:9D:
                2B:42:32:0F:7E:53
Signed Certificate Timestamp:
    Version   : v1(0)
    Log ID    : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
                79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
    Timestamp : Oct 21 22:14:06.523 2019 GMT
    Extensions: none
    Signature : ecdsa-with-SHA256
                30:44:02:20:64:E8:A9:7A:25:BC:74:DE:B3:57:F4:43:
                05:7D:45:2B:C4:13:91:D5:C1:7E:A3:9F:BD:3E:29:A1:
                31:97:4F:81:02:20:68:B0:E6:DE:1D:25:3C:EB:B1:4E:
                D4:0C:39:77:0F:91:D3:56:59:D5:FB:9D:1F:10:F0:B9:
                78:0B:BE:A1:66:43
Index: 1
Error: not expecting type '<type 'NoneType'>'
Ext Name: UNDEF, Ext Value: None
Index: 2
Error: not expecting type '<type 'NoneType'>'
Ext Name: UNDEF, Ext Value: None
Index: 3
Ext Name: authorityInfoAccess, Ext Value: CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt
OCSP - URI:http://ocsp.msocsp.com

Index: 4
Ext Name: subjectKeyIdentifier, Ext Value: F6:AB:BF:05:1E:41:B7:70:E9:91:F8:1A:95:6E:F6:0C:2B:09:FB:95
Index: 5
Ext Name: keyUsage, Ext Value: Digital Signature, Key Encipherment, Data Encipherment
Index: 6
Ext Name: subjectAltName, Ext Value: DNS:wwwqa.microsoft.com, DNS:www.microsoft.com, DNS:staticview.microsoft.com, DNS:i.s-microsoft.com, DNS:microsoft.com, DNS:c.s-microsoft.com, DNS:privacy.microsoft.com
Index: 7
Ext Name: crlDistributionPoints, Ext Value: 
Full Name:
  URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl
  URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl

Index: 8
Ext Name: certificatePolicies, Ext Value: Policy: 1.3.6.1.4.1.311.42.1
  CPS: http://www.microsoft.com/pki/mscorp/cps

Index: 9
Ext Name: authorityKeyIdentifier, Ext Value: keyid:08:FE:25:9F:74:EA:87:04:C2:BC:BB:8E:A8:38:5F:33:C6:D1:6C:65

Index: 10
Ext Name: extendedKeyUsage, Ext Value: TLS Web Client Authentication, TLS Web Server Authentication
@ssiuhk ssiuhk added the Bug broken, incorrect, or confusing behavior label Jun 3, 2020
@dmurphy18 dmurphy18 added this to the Approved milestone Jun 4, 2020
@dmurphy18
Copy link
Contributor

dmurphy18 commented Jun 4, 2020
edited
Loading

There is a PR in with m2crypto that builds wheels, but it hasn't been merged. Hopefully that will resolve this issue. see https://gitlab.com/m2crypto/m2crypto/-/merge_requests/245

@sagetherage
Copy link
Contributor

@dmurphy18 can you reference the PR?

@sagetherage sagetherage added the severity-high 2nd top severity, seen by most users, causes major problems label Jul 6, 2020
@sagetherage sagetherage modified the milestones: Approved, Aluminium Jul 29, 2020
@sagetherage sagetherage added the Aluminium Release Post Mg and Pre Si label Jul 29, 2020
@ssiuhk
Copy link
Contributor Author

ssiuhk commented Feb 2, 2021

Tried with latest Saltstack release and latest m2crypto, the issue still persists.

$ salt-call --local x509.read_certificate /root/ms.crt

Passed invalid arguments: not expecting type '<class 'NoneType'>'.

Usage:

    Returns a dict containing details of a certificate. Input can be a PEM
    string or file path.

    certificate:
        The certificate to be read. Can be a path to a certificate file, or
        a string containing the PEM formatted text of the certificate.

    CLI Example:

    .. code-block:: bash

        salt '*' x509.read_certificate /etc/pki/mycert.crt

$ salt-call --versions-report
Salt Version:
          Salt: 3002.2

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.8.1
       libgit2: Not Installed
      M2Crypto: 0.37.1  <============= installed manually by pip3
          Mako: Not Installed
       msgpack: 0.6.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: Not Installed
        Python: 3.6.8 (default, Nov 16 2020, 16:55:22)
  python-gnupg: Not Installed
        PyYAML: 3.11
         PyZMQ: 17.0.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.1.4

System Versions:
          dist: centos 7 Core
        locale: ANSI_X3.4-1968
       machine: x86_64
       release: 4.18.0-240.10.1.el8_3.x86_64
        system: Linux
       version: CentOS Linux 7 Core

Is there a plan to workaround this from Saltstack side?

@sagetherage sagetherage removed Aluminium Release Post Mg and Pre Si phase-plan labels Mar 22, 2021
@sagetherage sagetherage modified the milestones: Aluminium, Silicon Mar 22, 2021
@sagetherage sagetherage added the Silicon v3004.0 Release code name label Mar 22, 2021
@sagetherage
Copy link
Contributor

The Core Team will not be able to get this in this release cycle and moving this back into planning.

@sagetherage sagetherage modified the milestones: Silicon, Approved Aug 12, 2021
@dwoz dwoz added Phosphorus v3005.0 Release code name and version and removed Silicon v3004.0 Release code name labels Aug 30, 2021
@Ch3LL Ch3LL added Sulfur v3006.0 release code name and version and removed Phosphorus v3005.0 Release code name and version labels Oct 25, 2021
@Ch3LL Ch3LL modified the milestones: Approved, Sulphur v3006.0 Oct 25, 2021
@lkubb lkubb mentioned this issue Nov 22, 2022
Merged
7 tasks
@waynew waynew removed this from the Sulphur v3006.0 milestone Dec 16, 2022
@waynew waynew added this to the Chlorine v3007.0 milestone Dec 16, 2022
@waynew waynew removed the Sulfur v3006.0 release code name and version label Dec 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dwoz dwoz

Labels
Bug broken, incorrect, or confusing behavior severity-high 2nd top severity, seen by most users, causes major problems
Projects
None yet
Milestone
Chlorine v3007.0
Development

Successfully merging a pull request may close this issue.

Rewrite x509 modules using cryptography (v2 with breaking changes) lkubb/salt
6 participants
@waynew @dwoz @Ch3LL @dmurphy18 @ssiuhk @sagetherage