File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/__pycache__/x509_v2.cpython-310.pyc
o
�����N�gC,�����������������������@���s����d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l m Z m
Z
m�Z���z�d�d�l�m
Z���d�d�l�m�Z�m�Z���d�d�l�m�����m
Z���d�Z�W�n���e�yN������d�Z�Y�n�w�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�m�Z�m�Z���d�d�l�m�Z���e�� e!��Z"d Z#d
d���Z$ � � � � � � � � � �dZd
d���Z% �d[d�d���Z& �d\d�d���Z' � � � � � � � �d]d�d���Z( � � � � � � � � �d^d�d���Z)d_d�d���Z* � � � � �d`d�d���Z+d_d�d���Z, � � � � � � �dad�d ��Z- � � � � �dbd!d"��Z.dcd#d$��Z/d%d&��Z0d'd(��Z1ddd)d*��Z2ddd+d,��Z3d[d-d.��Z4ddd/d0��Z5d1d2��Z6d3d4��Z7d5d6��Z8d7d8��Z9 �ded9d:��Z:ded;d<��Z;d=d>��Z<ddd?d@��Z= �d[dAdB��Z>dCdD��Z?dfdEdF��Z@dGdH��ZAdddIdJ��ZBdgdKdL��ZCdMdN��ZDdOdP��ZEdhdRdS��ZFdTdU��ZGdVdW��ZHdXdY��ZId�S�)ia<���
Manage X.509 certificates
=========================
:depends: cryptography
.. versionadded:: 3006.0
This module represents a complete rewrite of the original ``x509`` modules
and is named ``x509_v2`` since it introduces breaking changes.
.. note::
* PKCS12-related operations require at least cryptography release 36.
* PKCS12-related operations with Edwards-curve keys require at least cryptography release 37.
* PKCS7-related operations require at least cryptography release 37.
Configuration
-------------
Explicit activation
~~~~~~~~~~~~~~~~~~~
Since this module uses the same virtualname as the previous ``x509`` modules,
but is incompatible with them, it needs to be explicitly activated on each
minion by including the following line in the minion configuration:
.. code-block:: yaml
# /etc/salt/minion.d/x509.conf
features:
x509_v2: true
Peer communication
~~~~~~~~~~~~~~~~~~
To be able to remotely sign certificates, it is required to configure the Salt
master to allow :term:`Peer Communication`:
.. code-block:: yaml
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
In order for the :term:`Compound Matcher` to work with restricting signing
policies to a subset of minions, in addition calls to :py:func:`match.compound <salt.modules.match.compound>`
by the minion acting as the CA must be permitted:
.. code-block:: yaml
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
ca_server:
- match.compound
.. note::
Compound matching in signing policies currently has security tradeoffs since the
CA server queries the requesting minion itself if it matches, not the Salt master.
It is recommended to rely on glob matching only.
Signing policies
~~~~~~~~~~~~~~~~
In addition, the minion representing the CA needs to have at least one
signing policy configured, remote calls not referencing one are always
rejected.
The parameters specified in this signing policy override any
parameters passed from the minion requesting the certificate. It can be
configured in the CA minion's pillar, which takes precedence, or any
location :py:func:`config.get <salt.modules.config.get>` looks up in.
Signing policies are defined under ``x509_signing_policies``.
You can restrict which minions can request a certificate under a configured
signing policy by specifying a matcher in ``minions``. This can be a glob
or compound matcher (for the latter, see the notes above).
.. code-block:: yaml
x509_signing_policies:
www:
- minions: 'www*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical, CA:false"
- keyUsage: "critical, cRLSign, keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 90
- copypath: /etc/pki/issued_certs/
.. note::
The following semantics are applied regarding the order of preference
for specifying the subject name:
* If neither ``subject`` nor any name attributes (like ``CN``) are part of the policy,
issued certificates can contain any requested ones.
* If any name attributes are specified in the signing policy, ``subject`` contained
in requests is ignored.
* If ``subject`` is specified in the signing policy, any name attributes are ignored.
If the request contains the same data type for ``subject`` as the signing policy
(for dicts and lists, and only then), merging is performed, otherwise ``subject``
is taken from the signing policy. Dicts are merged and list items are appended,
with the items taken from the signing policy having priority.
Breaking changes versus the previous ``x509`` modules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The output format has changed for all ``read_*`` functions as well as the state return dict.
* The formatting of some extension definitions might have changed, but should
be stable for most basic use cases.
* The default ordering of RDNs/Name Attributes in the subject's Distinguished Name
has been adapted to industry standards. This might cause a reissuance
during the first state run.
* For ``x509.private_key_managed``, the file mode defaults to ``0400``. This should
be considered a bug fix because writing private keys with world-readable
permissions by default is a security issue.
Note that when a ``ca_server`` is involved, both peers must use the updated module version.
.. _x509-setup:
�����N)���datetime� timedelta��timezone)���hashes�
serializationTF)���CommandExecutionError��SaltInvocationError)���OrderedDict��x509c��������������������C���s"���t�s�d�S�t���d�i�����d���s�d�S�t�S�)�N)�Fz�Could not load cryptographyZ�featuresZ�x509_v2)�Fz�x509_v2 needs to be explicitly enabled by setting `x509_v2: true` in the minion configuration value `features` until Salt 3008 (Argon).)���HAS_CRYPTOGRAPHY��__opts__��get��__virtualname__��r����r�����H/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/x509_v2.py��__virtual__����s
�������������r������pemc
���������������
���K���s0���d�|
v�r�t�j�j���d�d�����|
��d���|
d�<�h�d�����|
��}�|�r$t�j�j���|�d�����t���|
��}
d�|
v�rId�|
v�rIz�t�j�j���d�d�����d |
d�<�W�n ��t yH������Y�n�w�|�d
v�rUt
d�|���d�������|
��d�d
������d�v�rit
d�|
d�����d�������|�d�k�rs|�rst
d�����|�d�k�rd�|
v�rt
d�����d�|
v�r�|�s�t
d�����|�r�|�s�t�d���|���r�d�|���d���S�|�r�|�d�u�r�t
d�����t�|�|�f�i�|
����\�}�}
n�t���t�|���|
����t�d#i�|
����\�}�}
|�d�k�r�t�|�|�|�|
|�|�|�t�|���p�| d���}�n�t�|�|�|�t�|���p�| d���}�|�d�u�r�|�S�|�d�k�r�t�|�����|�|�d�d ��S�t�j�j���|�d!���
}�|���|�����W�d���������n 1���s�w�������Y���d"|�����S�)$a�)��
Create an X.509 certificate and return an encoded version of it.
.. note::
All parameters that take a public key, private key or certificate
can be specified either as a PEM/hex/base64 string or a path to a
local file encoded in all supported formats for the type.
CLI Example:
.. code-block:: bash
salt '*' x509.create_certificate signing_private_key='/etc/pki/myca.key' csr='/etc/pki/my.csr'
ca_server
Request a remotely signed certificate from ca_server. For this to
work, a ``signing_policy`` must be specified, and that same policy
must be configured on the ca_server. See `Signing policies`_ for
details. Also, the Salt master must permit peers to call the
``sign_remote_certificate`` function, see `Peer communication`_.
signing_policy
The name of a configured signing policy. Parameters specified in there
are hardcoded and cannot be overridden. This is required for remote signing,
otherwise optional. See `Signing policies`_ for details.
encoding
Specify the encoding of the resulting certificate. It can be returned
as a ``pem`` (or ``pkcs7_pem``) string or several (base64-encoded)
binary formats (``der``, ``pkcs7_der``, ``pkcs12``). Defaults to ``pem``.
append_certs
A list of additional certificates to append to the new one, e.g. to create a CA chain.
.. note::
Mind that when ``der`` encoding is in use, appending certificatees is prohibited.
copypath
Create a copy of the issued certificate in PEM format in this directory.
The file will be named ``<serial_number>.crt`` if prepend_cn is False.
prepend_cn
When ``copypath`` is set, prepend the common name of the certificate to
the file name like so: ``<CN>-<serial_number>.crt``. Defaults to false.
pkcs12_passphrase
When encoding a certificate as ``pkcs12``, encrypt it with this passphrase.
.. note::
PKCS12 encryption is very weak and `should not be relied on for security <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
pkcs12_encryption_compat
OpenSSL 3 and cryptography v37 switched to a much more secure default
encryption for PKCS12, which might be incompatible with some systems.
This forces the legacy encryption. Defaults to False.
pkcs12_friendlyname
When encoding a certificate as ``pkcs12``, a name for the certificate can be included.
path
Instead of returning the certificate, write it to this file path.
overwrite
If ``path`` is specified and the file exists, overwrite it.
Defaults to true.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
private_key
The private key corresponding to the public key the certificate should
be issued for. This is one way of specifying the public key that will
be included in the certificate, the other ones being ``public_key`` and ``csr``.
private_key_passphrase
If ``private_key`` is specified and encrypted, the passphrase to decrypt it.
public_key
The public key the certificate should be issued for. Other ways of passing
the required information are ``private_key`` and ``csr``. If neither are set,
the public key of the ``signing_private_key`` will be included, i.e.
a self-signed certificate is generated.
csr
A certificate signing request to use as a base for generating the certificate.
The following information will be respected, depending on configuration:
* public key
* extensions, if not otherwise specified (arguments, signing_policy)
signing_cert
The CA certificate to be used for signing the issued certificate.
signing_private_key
The private key corresponding to the public key in ``signing_cert``. Required.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
serial_number
A serial number to be embedded in the certificate. If unspecified, will
autogenerate one. This should be an integer, either in decimal or
hexadecimal notation.
not_before
Set a specific date the certificate should not be valid before.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
Defaults to the time of issuance.
not_after
Set a specific date the certificate should not be valid after.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
If unspecified, defaults to the current time plus ``days_valid`` days.
days_valid
If ``not_after`` is unspecified, the number of days from the time of issuance
the certificate should be valid for. Defaults to ``30``.
subject
The subject's distinguished name embedded in the certificate. This is one way of
passing this information (see ``kwargs`` below for the other).
This argument will be preferred and allows to control the order of RDNs in the DN
as well as to embed RDNs with multiple attributes.
This can be specified as an RFC4514-encoded string (``CN=example.com,O=Example Inc,C=US``,
mind that the rendered order is reversed from what is embedded), a list
of RDNs encoded as in RFC4514 (``["C=US", "O=Example Inc", "CN=example.com"]``)
or a dictionary (``{"CN": "example.com", "C": "US", "O": "Example Inc"}``,
default ordering).
Multiple name attributes per RDN are concatenated with a ``+``.
.. note::
Parsing of RFC4514 strings requires at least cryptography release 37.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments. See the following for an overview.
Subject properties in kwargs
C, ST, L, STREET, O, OU, CN, MAIL, SN, GN, UID, SERIALNUMBER
X.509v3 extensions in kwargs
Most extensions can be configured using the same string format as OpenSSL,
while some require adjustments. In general, since the strings are
parsed to dicts/lists, you can always use the latter formats directly.
Marking an extension as critical is done by including it at the beginning
of the configuration string, in the list or as a key in the dictionary
with the value ``true``.
Examples (some showcase dict/list correspondance):
basicConstraints
``critical, CA:TRUE, pathlen:1`` or
.. code-block:: yaml
- basicConstraints:
critical: true
ca: true
pathlen: 1
keyUsage
``critical, cRLSign, keyCertSign`` or
.. code-block:: yaml
- keyUsage:
- critical
- cRLSign
- keyCertSign
subjectKeyIdentifier
This can be an explicit value or ``hash``, in which case the value
will be set to the SHA1 hash of some encoding of the associated public key,
depending on the underlying algorithm (RSA/ECDSA/EdDSA).
authorityKeyIdentifier
``keyid:always, issuer``
subjectAltName
There is support for all OpenSSL-defined types except ``otherName``.
``email:me@example.com,DNS:example.com`` or
.. code-block:: yaml
# mind this being a list, not a dict
- subjectAltName:
- email:me@example.com
- DNS:example.com
issuerAltName
The syntax is the same as for ``subjectAltName``, except that the additional
value ``issuer:copy`` is supported, which will copy the values of
``subjectAltName`` in the issuer's certificate.
authorityInfoAccess
``OCSP;URI:http://ocsp.example.com/,caIssuers;URI:http://myca.example.com/ca.cer``
crlDistributionPoints
When set to a string value, items are interpreted as fullnames:
``URI:http://example.com/myca.crl, URI:http://example.org/my.crl``
There is also support for more attributes using the full form:
.. code-block:: yaml
- crlDistributionPoints:
- fullname: URI:http://example.com/myca.crl
crlissuer: DNS:example.org
reasons:
- keyCompromise
- URI:http://example.org/my.crl
certificatePolicies
``critical, 1.2.4.5, 1.1.3.4``
Again, there is support for more attributes using the full form:
.. code-block:: yaml
- certificatePolicies:
critical: true
1.2.3.4.5: https://my.ca.com/pratice_statement
1.2.4.5.6:
- https://my.ca.com/pratice_statement
- organization: myorg
noticeNumbers: [1, 2, 3]
text: mytext
policyConstraints
``requireExplicitPolicy:3,inhibitPolicyMapping:1``
inhibitAnyPolicy
The value is just an integer: ``- inhibitAnyPolicy: 1``
nameConstraints
``critical,permitted;IP:192.168.0.0/255.255.0.0,permitted;email:.example.com,excluded;email:.com``
.. code-block:: yaml
- nameConstraints:
critical: true
permitted:
- IP:192.168.0.0/24
- email:.example.com
excluded:
- email:.com
noCheck
This extension does not take any values, except ``critical``. Just the presence
in the keyword args will include it.
tlsfeature
``status_request``
For more information, visit the `OpenSSL docs <https://www.openssl.org/docs/man3.0/man5/x509v3_config.html>`_.
� algorithm� Potassium�B`algorithm` has been renamed to `digest`. Please update your code.��digest>����Z�serial_bits��version��text�
days_valid� not_afterzYThe default value for `days_valid` will change to 30. Please adapt your code accordingly.im�������derr����Z pkcs7_der� pkcs7_pem��pkcs12��Invalid value '�=' for encoding. Valid: der, pem, pkcs7_der, pkcs7_pem, pkcs12��sha256����sha1��sha224r!�����sha384��sha512Z
sha512_224Z
sha512_256��sha3_224��sha3_256��sha3_384��sha3_512�y' for digest. Valid: sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512r�����(Cannot encode a certificate chain in DERr������private_key�QCreating a PKCS12-encoded certificate without embedded private key is unsupported��signing_private_keyzGCreating a certificate locally at least requires a signing private key.z�file.file_existsz�The file at z& exists and overwrite was set to falseNzQsigning_policy must be specified to request a certificate from a remote ca_server)���append_certs��encodingr-�����pkcs12_passphrase��pkcs12_encryption_compat��pkcs12_friendlyname��raw)�r0���r1���r5���r������CERTIFICATE)�� overwrite��pem_type��wbz�Certificate written to r����)���salt��utils��versions�
warn_until��pop��intersection��kwargs_warn_until��x509util��ensure_cert_kwargs_compat��RuntimeErrorr����r
�����lowerr������__salt__��_create_certificate_remote��merge_signing_policy��_get_signing_policy��_create_certificate_local��encode_certificate��bool� write_pem��decode��files��fopen��write)�� ca_server��signing_policyr1���r0���r2���r3���r4�����pathr7���r5�����kwargs��ignored_params��cert��private_key_loaded��out��fp_r����r����r������create_certificate����s����������������������������
�������������������������
������
����������������������������������������������������������������������
���������������������������
�rZ���c����������������
���K���s����d�}�|�r�t�j�|�|�d���}�t���|�������|�d�<�n�|���d���r&t���t���|�d�������|�d�<�|���d���r7t���t���|�d�������|�d�<�t�|�|�|���}�z�t���|���|�f�W�S���t t
f�y[��}���z�t d�|�������|���d�}�~�w�w�)�N���
passphrase�
public_key��csrz(ca_server did not return a certificate: )�rA�����load_privkey��to_derr]���r
�����load_pubkey��load_csr�
_query_remote� load_certr����r����)�rQ���rR���r-�����private_key_passphraserT���rW�����result��errr����r����r����rF���4���s.���������������
�������
�������������������������rF���r!���c��������������������K���s����t�j�d
i�|�����\�}�}�}�}�d�}�t���|���t�j�j�t�j�j�f�v�r t���|���}�|�j�|�|�d���} |�r]d�}
|�rGz�| j�� t�j
d�����d���j�d���}
W�n ��t�yF������Y�n�w�t
t���| ��t�j���|�|
��| j�d���d�����d�d ����| |�f�S�)�N��r��������CNr������-��xz�.crtr6���)�r����rS���r8���r����)�rA���Z build_crt��get_key_type��KEY_TYPE��ED25519��ED448��get_hashing_algorithm��sign��subject��get_attributes_for_oid��NAME_ATTRS_OID��value�
IndexErrorrL�����to_pem��osrS�����join�
serial_number)�r����Z�copypathZ
prepend_cnrT�����builderr/���rW�����_r����rV���Z�prependr����r����r����rI���M���s8���������������
�������������������������������������������rI���c ���������������
���C���s����|�d�v�r�t�d�|���d�������|�d�k�r�|�r�t�d�����|�d�k�r |�r t�d�����|�d�k�r*|�s*t�d�����|�p-g�}�t�|�t���s6|�g�}�t���|���} d d
��|�D���}�|�d�v�rbt�t�j�|�� ����}
| �
|
��}�|�D�]�}�|�d�|��
|
����7�}�qUnz|�d�k�r�t�j�|�|�d
��}�|�d�u�rvt�����}
n(t�|�t
��r|�����}�|�r�t�j�j�������d�����t�j�j�j�����t���������|���}
n�t���|���}
t�j�j�|�r�t�j�j�� |���n�d�|�| |�|
d���}�n)z�t�j!j"| g�|���t�t�j�|�d�k�r�d�n�d���d���}�W�n���t#y���}���z�t�d���|���d�}�~�w�w�|�r�|�S�|�d�v�r�|��$��S�t%�&|����$��S�)�a����
Create an encoded representation of a certificate, optionally including
other structures. This can be used to create certificate chains, convert
a certificate into a different encoding or embed the corresponding
private key (for ``pkcs12``).
CLI Example:
.. code-block:: bash
salt '*' x509.encode_certificate /etc/pki/my.crt pem /etc/pki/ca.crt
certificate
The certificate to encode.
encoding
Specify the encoding of the resulting certificate. It can be returned
as a ``pem`` (or ``pkcs7_pem``) string or several (base64-encoded)
binary formats (``der``, ``pkcs7_der``, ``pkcs12``). Defaults to ``pem``.
append_certs
A list of additional certificates to encode with the new one, e.g. to create a CA chain.
.. note::
Mind that when ``der`` encoding is in use, appending certificatees is prohibited.
private_key
For ``pkcs12``, the private key corresponding to the public key of the ``certificate``
to be embedded.
private_key_passphrase
For ``pkcs12``, if the private key to embed is encrypted, specify the corresponding
passphrase.
pkcs12_passphrase
For ``pkcs12``, the container can be encrypted. Specify the passphrase to use here.
Mind that PKCS12 encryption should not be relied on for security purposes, see
note above in :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
pkcs12_encryption_compat
OpenSSL 3 and cryptography v37 switched to a much more secure default
encryption for PKCS12, which might be incompatible with some systems.
This forces the legacy encryption. Defaults to False.
pkcs12_friendlyname
When encoding a certificate as ``pkcs12``, a name for the certificate can be included.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
r����r����r ���r����r,���r����z<Embedding private keys is only supported for pkcs12 encodingr.���c��������������������S���s����g�|�]�}�t���|�����q�S�r����)�rA���rd���)���.0rl���r����r����r�����
<listcomp>����s������z&encode_certificate.<locals>.<listcomp>��r����r���������
r[���N�P�������name��keyrV���Z�cas��encryption_algorithmr����Z�PEMZ�DER��r1���zASerialization to pkcs7 requires at least cryptography release 37.)�r����r����)'r����r�����
isinstance��listrA���rd�����getattrr������Encoding��upper��public_bytesr_�����NoEncryption��str��encode�
PrivateFormat��PKCS12��encryption_builder�
kdf_rounds��key_cert_algorithmr������PBES��PBESv1SHA1And3KeyTripleDESCBC� hmac_hashr������SHA1��build��BestAvailableEncryption��serialize_key_and_certificatesr:���r;�����stringutils��to_bytesZ�pkcs7Z�serialize_certificates��AttributeErrorrM�����base64� b64encode)���certificater1���r0���r-���re���r2���r3���r4���r5���rV���Z�crt_encodingZ crt_bytesZ�append_cert��cipherrg���r����r����r����rJ���m���s�����>��
�������������������������
���
�������
�����������������
�
�����
���������
�����
������������������������������
���������������������������rJ���c���������������� ���K���s>���|�r&d�|�v�r�t�j�j���d�g�d�����|���d�����d�d���|�D���}�|�r&t�d�t�|�����������|�d�u�rBz�t�j�j���d�d�����d�}�W�n���t�yA������d }�Y�n�w�g�}
|�D�]R}�i�}�t |���d
k�rst
|�t�t�|�������t���rst�j�j���d�d�����|�t�t�|�������D�]�}�|��
|�����qkd�|�pw|�v�r�t�j�j���d�d
����t�j�j���|�p�|�d�|�p�|���d�������|
��|�p�|�����qF|
}�|�d�v�r�t�d�|���d�������|�����d�v�r�t�d�|���d�������t�j�|�|�|�|�|�|�|�d���\�}�}�d�}�t���|���t�j�j�t�j�j�f�v�r�t���|���}�|�j�|�|�d���}�t�|�|�t�| ��p�|
d���}�| d�u�r�|�S�|�d�k�r�t�|�����| d�d���S�t�j�j�� | d����
}�|��!|�����W�d���������n 1���s�w�������Y���d�| ����S�)�a����
Create a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.create_crl signing_cert=/etc/pki/ca.crt signing_private_key=/etc/pki/ca.key revoked="[{'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00'}]"
signing_private_key
Your certificate authority's private key. It will be used to sign
the CRL. Required.
revoked
A list of dicts containing all the certificates to revoke. Each dict
represents one certificate. A dict must contain either the key
``serial_number`` with the value of the serial number to revoke, or
``certificate`` with some reference to the certificate to revoke.
The dict can optionally contain the ``revocation_date`` key. If this
key is omitted, the revocation date will be set to now. It should be a
string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the ``not_after`` key. This is
redundant if the ``certificate`` key is included, since it will be
sourced from the certificate. If the ``certificate`` key is not included,
this can be used for the logic behind the ``include_expired`` parameter.
It should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the ``extensions`` key, which
allows to set CRL entry-specific extensions. The following extensions
are supported:
certificateIssuer
Identifies the certificate issuer associated with an entry in an
indirect CRL. The format is the same as for subjectAltName.
CRLReason
Identifies the reason for certificate revocation.
Available choices are ``unspecified``, ``keyCompromise``, ``CACompromise``,
``affiliationChanged``, ``superseded``, ``cessationOfOperation``,
``certificateHold``, ``privilegeWithdrawn``, ``aACompromise`` and
``removeFromCRL``.
invalidityDate
Provides the date on which the certificate likely became invalid.
The value should be a string in the same format as ``revocation_date``.
signing_cert
The CA certificate to be used for signing the CRL.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
include_expired
Also include already expired certificates in the CRL. Defaults to false.
days_valid
The number of days the CRL should be valid for. This sets the ``Next Update``
field. Defaults to ``100`` (until v3009) or ``7`` (from v3009 onwards).
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
extensions
Add CRL extensions. The following are available:
authorityKeyIdentifier
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
authorityInfoAccess
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
cRLNumber
Specifies a sequential number for each CRL issued by a CA.
Values must be integers.
deltaCRLIndicator
If the CRL is a delta CRL, this value points to the cRLNumber
of the base cRL. Values must be integers.
freshestCRL
Identifies how delta CRL information is obtained. The format
is the same as ``crlDistributionPoints``.
issuerAltName
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`.
issuingDistributionPoint
Identifies the CRL distribution point for a particular CRL and
indicates what kinds of revocation it covers. The format is
comparable to ``crlDistributionPoints``. Specify as follows:
.. code-block:: yaml
issuingDistributionPoint:
fullname: # or relativename with RDN
- URI:http://example.com/myca.crl
onlysomereasons:
- keyCompromise
onlyuser: true
onlyCA: true
onlyAA: true
indirectCRL: false
path
Instead of returning the CRL, write it to this file path.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
r����r����c��������������������S��������g�|�] }�|���d���s�|���q�S���r}������
startswith��r~�����kwargr����r����r����r��������������z�create_crl.<locals>.<listcomp>� Unrecognized keyword arguments: NzXThe default value for `days_valid` will change to 7. Please adapt your code accordingly.�d�������������zCRevoked certificates should be specified as a simple list of dicts.��reasonz\The `reason` parameter for revoked certificates should be specified in extensions:CRLReason.z�extensions:CRLReasonr����r������' for encoding. Valid: der, pemr"���r+���)���signing_cert��signing_private_key_passphrase��include_expiredr�����
extensionsrh�����r1���r5���r����z�X509 CRL��r8���r9���z�CRL written to )"r:���r;���r<���r@���r>���r����r����r=���rC�����lenr������next��iter��updateZ
dictupdateZ�set_dict_key_value��appendr����rD���rA���Z build_crlrm���rn���ro���rp���rq���rr����
encode_crlrK���rL���rM���rN���rO���rP���)�r/�����revokedr����r����r����r����r����r1���r����rS���r5���rT�����unknownZ�revoked_parsedZ�rev��parsed��valr|���r������crlrX���rY���r����r����r�����
create_crl����s�����������
�������������������������������������"�������������������������������������
������
�������������������
�� ��������
�������������������
�r����c��������������������C����b���|�d�v�r�t�d�|���d�������t���|���}�t�t�j�|�������}�|���|���}�|�r"|�S�|�d�k�r*|�����S�t �
|�������S�)�a����
Create an encoded representation of a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_crl /etc/pki/my.crl der
crl
The certificate revocation list to encode.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
r����r����r����r����)�r����rA�����load_crlr����r����r����r����r����rM���r����r����)�r����r1���r5���Z�crl_encodingZ crl_bytesr����r����r����r��������s��������
���
���
�����������r����c������������
�������K���sR���d�|�v�r�t�j�j���d�d�����|���d���}�d�d�h���|���}�|�r"t�j�j���|�d�����t���|���}�|�d�v�r3t d�|���d�������|��
��d v�rAt d�|���d
������t�j�|�f�d�|�i�|�����\�}�}�d�} t���|���t�j
j�t�j
j�f�v�rbt���|���} |�j�|�| d
��}
t�|
|�t�|���pq|�d���}�|�d�u�rz|�S�|�d�k�r�t�|�����|�d�d���S�t�j�j���|�d����
}�|���|�����W�d���������n�1�s�w�������Y���d�|�����S�)�a����
Create a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.create_csr private_key='/etc/pki/myca.key' CN='My Cert'
private_key
The private key corresponding to the public key the certificate should
be issued for. The CSR will be signed by it. Required.
private_key_passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate signing request.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
path
Instead of returning the CSR, write it to this file path.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments.
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`
for an overview. Mind that some extensions are not available for CSR
(``authorityInfoAccess``, ``authorityKeyIdentifier``,
``issuerAltName``, ``crlDistributionPoints``).
r����r����r����r����r����r����r����r����r"���r+���re���Nrh���r����r����z�CERTIFICATE REQUESTr����r9���z�CSR written to )�r:���r;���r<���r=���r>���r?���r@���rA���rB���r����rD���Z build_csrrm���rn���ro���rp���rq���rr����
encode_csrrK���rL���rM���rN���rO���rP���)
r-���re���r����r1���rS���r5���rT���rU���r|���r����r^���rX���rY���r����r����r�����
create_csr����sR����3��������
�������
�����
������
���������������
�����������
�������������������
�r����c��������������������C���r����)�a����
Create an encoded representation of a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_csr /etc/pki/my.csr der
csr
The certificate signing request to encode.
encoding
Specify the encoding of the resulting certificate signing request.
It can be returned as a ``pem`` string or base64-encoded ``der``.
Defaults to ``pem``.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
r����r����r����r����)�r����rA���rb���r����r����r����r����r����rM���r����r����)�r^���r1���r5���Z�csr_encodingZ csr_bytesr����r����r����r����s���s��������
���
���
�����������r������rsac������������
�������K���s����d�|�v�r�t�j�j���d�d�����|���d���}�h�d�����|���}�|�r,t�j�j���|�d�����|�D�]�} |���| ����q$d�d���|�D���}
|
r>t�d�t�|
����������|�d�v�rJt d |���d
������t
t�|�|�d���|�|�|�t�|���pX|�d���}�|�d
u�ra|�S�|�d�k�rnt
|�����|�d�d���S�t�j�j���|�d�����}�|���|�����W�d
��������d
S�1�s�w�������Y���d
S�)�a����
Create a private key.
CLI Example:
.. code-block:: bash
salt '*' x509.create_private_key algo=ec keysize=384
algo
The digital signature scheme the private key should be based on.
Available: ``rsa``, ``ec``, ``ed25519``, ``ed448``. Defaults to ``rsa``.
keysize
For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096).
For ``ec``, specifies the NIST curve to use (256, 384, 521).
Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``).
Defaults to 2048 for RSA and 256 for EC.
passphrase
If this is specified, the private key will be encrypted using this
passphrase. The encryption algorithm cannot be selected, it will be
determined automatically as the best available one.
encoding
Specify the encoding of the resulting private key. It can be returned
as a ``pem`` string, base64-encoded ``der`` or base64-encoded ``pkcs12``.
Defaults to ``pem``.
pkcs12_encryption_compat
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
``PBESv1SHA1And3KeyTripleDESCBC``.
Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
path
Instead of returning the private key, write it to this file path.
Note that this does not use safe permissions and should be avoided.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
��bitsr����z>`bits` has been renamed to `keysize`. Please update your code.>����r����r������verbosec��������������������S���r����r����r����r����r����r����r����r�������r����z&create_private_key.<locals>.<listcomp>r������r����r����r����r�����'' for encoding. Valid: der, pem, pkcs12����algo��keysize)�r1���r\���r3���r5���Nr����z (?:(RSA|ENCRYPTED) )?PRIVATE KEYr����r9���)�r:���r;���r<���r=���r>���r?���r@���r����r����r������encode_private_key��_generate_pkrK���rL���rM���rN���rO���rP���)
r����r����r\���r1���r3���rS���r5���rT���rU���rl���r����rX���rY���r����r����r������create_private_key����sN����5��������
�������������������������
�����
�������
�����������
�������
�������r����c������������ �������C���s����|�d�v�r�t�d�|���d�������t�j�|�|�d���}�|�d�u�r�t�����}�n,t�|�t���r%|�����}�|�d�k�rC|�rCt�j�j �
����d�����t�j
j�j�����t���������|���}�n�t���|���}�|�d�v�r_t�t�j�|�������}�|�j�|�t�j�j�|�d ��}�n�t�j
j�d�|�d�d�|�d
��}�|�rn|�S�|�d�k�rv|�����S�t���|�������S�)�a9���
Create an encoded representation of a private key.
CLI Example:
.. code-block:: bash
salt '*' x509.encode_private_key /etc/pki/my.key der
private_key
The private key to encode.
encoding
Specify the encoding of the resulting private key. It can be returned
as a ``pem`` string, base64-encoded ``der`` and base64-encoded ``pkcs12``.
Defaults to ``pem``.
passphrase
If this is specified, the private key will be encrypted using this
passphrase. The encryption algorithm cannot be selected, it will be
determined automatically as the best available one.
private_key_passphrase
.. versionadded:: 3006.2
If the current ``private_key`` is encrypted, the passphrase to
decrypt it.
pkcs12_encryption_compat
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
``PBESv1SHA1And3KeyTripleDESCBC``.
Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
raw
Return the encoded raw bytes instead of a string. Defaults to false.
r����r����r����r[���Nr����r����r����)�r1�����formatr����r����r����)�r����rA���r_���r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����r����Z
private_bytesZ�PKCS8r����rM���r����r����) r-���r1���r\���re���r3���r5���r����Z�pk_encodingZ�pk_bytesr����r����r����r��������sD����-��
�������
�
�����
���������
�����
����������������
�������������r����c��������������������C���sT���t���|���}�z�|�j�}�W�n���t�y�������|�j�j�t�j�d���}�Y�n�w�|�t�j t�j�d���t
|�d�����k�S�)�a����
Determine whether a certificate will expire or has expired already.
Returns a boolean only.
CLI Example:
.. code-block:: bash
salt '*' x509.expires /etc/pki/my.crt days=7
certificate
The certificate to check.
days
If specified, determine expiration x days in the future.
Defaults to ``0``, which checks for the current time.
����tzinfo)���tz)���days)�rA���rd�����not_valid_after_utcr������not_valid_after��replacer������utcr������nowr����)�r����r����rV���r����r����r����r������expiresP���s����
���
���������r����c��������������������C���sd���i�}�t���|���r�|�|�d�<�t���|���}�z�|�j���t�j�d�����d���j�|�d�<�W�n ��t�y)������Y�n�w�t�|���|�d�<�|�S�)�a����
Returns a dict containing limited details of a
certificate and whether the certificate has expired.
CLI Example:
.. code-block:: bash
salt '*' x509.expired /etc/pki/mycert.crt
certificate
The certificate to check.
rS���rj���r������cn��expired� rA�����isfilerd���rs���rt���ru���rv���rw���r����)�r������retrV���r����r����r����r����k���s������
���
�����������
�����������r����c���������������� ���C����J���i�}�t���|���D�]�}�t�j���|���r"z t�|�d���|�|�<�W�q���t�y!������Y�q�w�q�|�S�)�z�
Returns a dict containing PEM entries in files matching a glob.
CLI Example:
.. code-block:: bash
salt '*' x509.get_pem_entries "/etc/pki/*.crt"
glob_path
A path representing certificates to be read and returned.
)�r����)���globry���rS���r�����
get_pem_entry�
ValueError��Z glob_pathr����rS���r����r����r������get_pem_entries����������
������������������r����c��������������������C���s����t���|�������}�|���d�d���}�t�|�������d�k�r�|���d���r�|���d���r�g�}�|�}�t�|���d�k�r�|���d���rJ|���|�d�|�� d�d���d�����������|�|�� d�d���d���d�����}�n0|�d�d������
d ��d�k�re|���|�d�d���������|�d�d�����}�n�|���|�d�|�� d ����������|�|�� d ��d�����}�t�|���d�k�s)d���|���}�d
|�����}�|�r�d�|���d�|�����}�t�|�|���}�|�s�t
|�����|�����}�|�d
��}�|�d���}�|�d���} |�d���}
|�d���}�d���|�������}�|�d���}�|�r�|�|�d���7�}�| r�|�| d���d���7�}�t�d�t�|���d���D�]�}
|�|�|
|
d�������d���7�}�q�|�|
d���7�}�t�j�j�j�|�d�d���S�)�a'���
Returns a properly formatted PEM string from the input text,
fixing any whitespace or line-break issues.
CLI Example:
.. code-block:: bash
salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST"
text
Text containing the X509 PEM entry to be returned or path to
a file containing the text.
pem_type
If specified, this function will only return a pem of a certain type,
for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'.
z�\n��
r����z�-----r����N������@���rk���z�PEM text not valid:
z,PEM does not contain a single entry of type z�:
�
pem_header� proc_type��dek_info�
pem_footer��pem_bodyri�����asciir����)�rA�����load_file_or_bytesrM���r����r�����
splitlinesr������endswithr������index��countrz����
_valid_pemr����� groupdict��split��ranger:���r;���r����r����)�r����r8���Z pem_fixedZ�pem_temp��errmsg��_matchZ�_match_dictr����r����r����r����r����r������ir����r����r����r��������sT�����������������������
�����������������
�����
�������������������������������������r����c��������������������C���s"���t�j�|�|�d���}�t�|�d���s�d�S�|�j�S�)�a;���
Return information about the keysize of a private key (RSA/EC).
CLI Example:
.. code-block:: bash
salt '*' x509.get_private_key_size /etc/pki/my.key
private_key
The private key to check.
passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
r[�����key_sizeN)�rA���r_�����hasattrr����)�r-���r\�����privkeyr����r����r������get_private_key_size����s������
�����r����c���������������� ���C���s����|�d�u�r
t�j�j���d�g�d�����z�t���t���|���������W�S���t�t f�y#������Y�n�w�z�t���t�j
|�|�d�������������W�S���t�t f�y>������Y�n�w�z�t���t�j�|�|�d�������������W�S���t�t f�yY������Y�n�w�z
t���t��
|�������������W�S���t ys������Y�t�d�����w�)�a����
Returns a PEM-encoded public key derived from some reference.
The reference should be a public key, certificate, private key or CSR.
CLI Example:
.. code-block:: bash
salt '*' x509.get_public_key /etc/pki/my.key
key
A reference to the structure to look the public key up for.
passphrase
If ``key`` is encrypted, the passphrase to decrypt it.
N��asObjr����r[���zACould not load key as certificate, public key, private key or CSR)�r:���r;���r<���r@���rA���rx���ra���rM���r����r����rd���r]���r_���rb���)�r����r\���r����r����r����r������get_public_key����sB���������������������������������������������������������������������r����c������������ �������C���sX���|�d�u�r t�|���}�nKd�}�|�t�v�r�i�t�|�<�|�t�|���v�r�i�t�|���|�<�|�t�|���|���v�rIt�|�|�i�d�d���}�d�|�v�rAt���t���|�d�����������|�d�<�|�t�|���|���|�<�t���t�|���|���|�����}�t�j �
��D�]%\�}�}�|�D�]�}�|�|�v�r}t�j�j
��d�d�|���d�|���d |���������|���|���|�|�<�q_qYt�j��
��D�]%\�}�}�|�D�]�}�|�|�v�r�t�j�j
��d�d�|���d�|���d |���������|���|���|�|�<�q�q�|�S�)
a[���
Returns the specified named signing policy.
CLI Example:
.. code-block:: bash
salt '*' x509.get_signing_policy www
signing_policy
The name of the signing policy to return.
ca_server
If this is set, the CA server will be queried for the
signing policy instead of looking it up locally.
NZ�_x509_policiesT)���get_signing_policy_onlyr����r����z�Found z� in z$. Please migrate to the short name: )�rH�����__context__rc���rA���rx���rd���rM�����copy��deepcopyZ�NAME_ATTRS_ALT_NAMES��itemsr:���r;���r<���r=���r>���Z�EXTENSIONS_ALT_NAMES) rR���rQ�����policyZ�ckeyZ�policy_r����Z
long_namesZ long_name��extnamer����r����r������get_signing_policy3���sP�����
�������������������������������������������������������� ��������������������r����c��������������������C���s����t���|���}�t�j�|�����d�d���}�z�|�j�}�|�j�}�W�n���t�y/������|�j�j�t j
d���}�|�j�j�t j
d���}�Y�n�w�|�j�j
d���|�d�v�r>|�����j�n�d�|�t���|�j���t���|�j�t�����d�����t���|�j�t�����d�����d���t�|�j���t���t�|�j�����|�j�����t�|�j���t���t�|�j�����|�j�����|���t�j���|���t�j���t�|���t�|�j���d ��}�z�|�j j!|�d
<�W�n*��t�y�������z�t"j#�$��D�]�\�}�}�|�|�j k�r�|�|�d
<���n�q�W�n ��t�y�������Y�n�w�Y�n�w�d
|�v�r�|�j j%|�d
<�t&d���d�u�r�t���|�j�t��'��d�����|�d
��d�<�|�S�)�z�
Returns a dict containing details of a certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.read_certificate /etc/pki/mycert.crt
certificate
The certificate to read.
T��� as_stringr����r��������ecr����Nrh���)�r#���r!���)�r����r������key_typer{�����fingerprintsrs�����subject_hash��subject_str��issuerZ�issuer_hashZ
issuer_str�
not_beforer����r]���r������signature_algorithmZ fips_modeFr������md5)(rA���rd���rm���r]���Z�not_valid_before_utcr����r����Z�not_valid_beforer����r����r����r����r����rv���r������dec2hexr{����
pretty_hexZ�fingerprintr����r������SHA256� _parse_dnrs�����_get_name_hash��rfc4514_stringr������strftime��TIME_FMTr������_parse_extensionsr������signature_algorithm_oid��_name��cx509��SignatureAlgorithmOIDr�����
dotted_stringr������MD5)�r����rV���r����r����r����r����r������oidr����r����r������read_certificatep���sb���
������
���������
�����
�������������������
�
�����������������
�������������������� ������������r(���c���������������� ���C���r����)�z�
Returns a dict containing details of all certificates matching a glob.
CLI Example:
.. code-block:: bash
salt '*' x509.read_certificates "/etc/pki/*.crt"
glob_path
A path to certificates to be read and returned.
)�r����)�r����ry���rS���r����r(���r����r����r����r����r������read_certificates����r����r)���c��������������������C���sf���t���|���}�z�|�j�}�|�j�}�W�n���t�y&������|�j�j�t�j�d���}�|�j j�t�j�d���}�Y�n�w�t
|�j���|���t�j
��|���t�j
��i�t�|�j���d���}�z�|�j�j�|�d�<�W�n*��t�yo������z�t�j�����D�]�\�}�}�|�|�j�k�ra|�|�d�<���n�qRW�n ��t�yl������Y�n�w�Y�n�w�d�|�v�rz|�j�j�|�d�<�|�D�]4}�z�|�j�}�W�n���t�y�������|�j�j�t�j�d���}�Y�n�w�|�d�����t���|�j�����d�d���|���t�j
��t�|�j���d���i�����q||�S�)�z�
Returns a dict containing details of a certificate revocation list.
CLI Example:
.. code-block:: bash
salt '*' x509.read_crl /etc/pki/my.crl
crl
The certificate revocation list to read.
r����)�r������last_update��next_update��revoked_certificatesr����r����r,�����:ri���)���revocation_dater����)�rA���r����Z�last_update_utcZ�next_update_utcr����r*���r����r����r����r+���r����r����r����r����r ���r����r!���r"���r#���r$���r����r%���Z�revocation_date_utcr.���r����r����r{�����_parse_crl_entry_extensions)�r����r*���r+���r����r����r'���r����r.���r����r����r������read_crl����sZ���
����
�����������
�
�����������������
�������������������� ������
�����������
�����������r0���c��������������������C���st���t���|���}�t�j�|�����d�d���}�|�d�v�r�|�����j�n�d�|�t�|�j���t���t�|�j�����|�j�� ��t���t
j���|�������j
��t�|�j���d���S�)�z�
Returns a dict containing details of a certificate signing request.
CLI Example:
.. code-block:: bash
salt '*' x509.read_csr /etc/pki/mycert.csr
csr
The certificate signing request to read.
Tr����r����N)�r����r����rs���r����r����Z�public_key_hashr����)�rA���rb���rm���r]���r����r����rs���r����r����r����r#���Z�SubjectKeyIdentifierZ�from_public_keyr����r ���r����)�r^���r����r����r����r������read_csr����s����
����������������������r1���c������������ ���
���K���s����d�g�d���}�z�t�|���}�|�s�|�d�����d�����|�W�S�d�|�v�r<d�|�v�r(|�d�����d�����|�W�S�t�|���d���|�d�����s<|�d�����d�����|�W�S�|�r�|���d d�����|���d
d�����d�|�v�r�z�t���t���|�d�������|�d�<�W�n$��t�t�f�y���}���z�d�|�d�<�|�d�����t |�������|�W���Y�d�}�~�W�S�d�}�~�w�w�|�|�d�<�|�W�S�t��
|�|�����|���d
d�����W�n���t�y���}���z�t��
t |�������d�d�g�d���W���Y�d�}�~�S�d�}�~�w�w�z�t�d�i�|�����\�}�}�t���|���|�d�<�|�W�S���t�y���}���z�d�|�d�<�|�d�����t |�������|�W���Y�d�}�~�S�d�}�~�w�w�)�a����
Request a certificate to be remotely signed according to a signing policy.
This is mostly for internal use and does not make much sense on the CLI.
CLI Example:
.. code-block:: bash
salt '*' x509.sign_remote_certificate www kwargs="{'public_key': '/etc/pki/www.key'}"
signing_policy
The name of the signing policy to use. Required.
kwargs
A dict containing all the arguments to be passed into the
:py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>` function.
get_signing_policy_only
Only return the named signing policy. Defaults to false.
N)���data��errorsr3���z>signing_policy must be specified and defined on signing minionZ�minionsZ�__pub_idz3minion sending this request could not be identifiedz4minion not permitted to use specified signing policyr/���r����r����r2���rQ���zBFailed building the signing policy. See CA server log for details.z*Internal error. This is most likely a bug.r����)�rH���r������_match_minionsr>���rA���r`���rd���r����r����r����rG���� Exception��log��errorrI���) rR���rT���r����Z�more_kwargsr����rg���rV���r}���Z�err_messager����r����r������sign_remote_certificate#���sr���
�����������������������������������������������������������������������������������������������������������������r8���c��������������������C���s����t�d���|�d�|�|�|�g�d���}�|�s�t�d�����|�t�t�|�������}�t�|�t���r#d�|�v�r-t���d�|�����t�d�����|�� d���r=t�d d
�
|�d�����������|�d���S�)�N��publish.publishz�x509.sign_remote_certificate)���argzfca_server did not respond. Salt master must permit peers to call the sign_remote_certificate function.r2���z0Received invalid return value from ca_server: %szHReceived invalid return value from ca_server. See minion log for detailsr3���z�ca_server reported errors:
r����)�rE���r����r����r����r������dictr6���r7���r����r
���rz���)�rQ���rR���rT���r����rf���r����r����r����rc���|���s(���������������������������������
���������rc���c��������������������C���s"���t���|���}�t���t�|�����}�|���|���S�)�a����
Verify that a signature on a certificate revocation list was made
by the private key corresponding to the public key associated
with the specified certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_crl /etc/pki/my.crl /etc/pki/my.crt
crl
The certificate revocation list to check the signature on.
cert
The certificate (or any reference that can be passed
to ``get_public_key``) to retrieve the public key from.
)�rA���r����ra���r����Z�is_signature_valid)�r����rV�����pubkeyr����r����r�����
verify_crl����s����
���
�r=���c��������������������C���s(���t�j�|�|�d���}�t���t�|�����}�t���|�|���S�)�a����
Verify that a private key belongs to the specified public key.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_private_key /etc/pki/my.key /etc/pki/my.crt
private_key
The private key to check.
public_key
The certificate (or any reference that can be passed
to ``get_public_key``) to retrieve the public key from.
passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
r[���)�rA���r_���ra���r����Z�is_pair)�r-���r]���r\���r����r<���r����r����r������verify_private_key����s����������r>���c��������������������C���s,���t���|���}�t���t�|�p�|�|�d�����}�t���|�|���S�)�a����
Verify that a signature on a certificate was made
by the private key corresponding to the public key associated
with the specified certificate.
CLI Example:
.. code-block:: bash
salt '*' x509.verify_signature /etc/pki/my.key /etc/pki/my.crt
certificate
The certificate to check the signature on.
signing_pub_key
Any reference that can be passed to ``get_public_key`` to retrieve
the public key of the signing entity from. If unspecified, will
take the public key of ``certificate``, i.e. verify a self-signed
certificate.
signing_pub_key_passphrase
If ``signing_pub_key`` is encrypted, the passphrase to decrypt it.
r[���)�rA���rd���ra���r������verify_signature)�r����Z�signing_pub_keyZ�signing_pub_key_passphraserV���r<���r����r����r����r?�������s����
�������������r?���c��������������������C���sj���d�|�i�}�t���|���r
|�|�d�<�t���|���}�z�|�j���t�j�d�����d���j�|�d�<�W�n ��t�y+������Y�n�w�t�|�|���|�d�<�|�S�)�aw���
Returns a dict containing details of a certificate and whether
the certificate will expire in the specified number of days.
CLI Example:
.. code-block:: bash
salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30
certificate
The certificate to check.
days
The number of days in the future to check the validity for.
Z
check_daysrS���rj���r����r������will_expirer����)�r����r����r����rV���r����r����r����r@�������s������
���
�����������
�����������r@���c������������ �������C���s����t�|�|�d���}�t�j�j���d�������d�}�d�}�|�ru|�d�k�rut�j���|���ru|�sut�� |����
��}�z�t�|�d���}�W�n���t�yM��}���z�t��
d�|�����t�j�|�|�d�����W�Y�d�}�~�n�d�}�~�w�w�z�t�|�d ��}�W�n���t�yt��}���z�t��
d
|�����t�j�|�|�d�����W�Y�d�}�~�n�d�}�~�w�w�t�j�j���|�d����6}�|�r�|�d�k�r�|�r�|���t�j�j���|�������|���t�j�j���|�������|�r�|�d�k�r�|�r�|���t�j�j���|�������W�d���������n�1�s�w�������Y���W�d���������n�1�s�w�������Y���d�|�����S�)
a����
Writes out a PEM string, fixing any formatting or whitespace
issues before writing.
CLI Example:
.. code-block:: bash
salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt
text
PEM string input to be written out.
path
Path of the file to write the PEM out to.
overwrite
If ``True`` (default), write_pem will overwrite the entire PEM file.
Set to ``False`` to preserve existing private keys and DH params that may
exist in the PEM file.
pem_type
The PEM type to be saved, for example ``CERTIFICATE`` or
``PUBLIC KEY``. Adding this will allow the function to take
input that may contain multiple PEM types.
r�����?���ri���r6���z
DH PARAMETERSz(Error while retrieving DH PARAMETERS: %s)���exc_infoNz�(?:RSA )?PRIVATE KEYz&Error while retrieving PRIVATE KEY: %s��wz�PEM written to )�r����r:���r;���rN���Z set_umaskry���rS���r����rA���r����rM���r����r6�����debugZ�tracerO���rP���r����Z�to_str) r����rS���r7���r8���Z _dhparamsZ�_private_keyZ
_filecontentsrg�����_fpr����r����r����rL�������sJ�����������������
���������������������������������������������������������
�rL���c��������������������C���s����t���d�|���d�|���d���t�j���S�)�z8
Dynamically generate a regex to match pem_type
z�\s*(?P<pem_header>-----BEGIN z�-----)\s+(?:(?P<proc_type>Proc-Type: 4,ENCRYPTED)\s*)?(?:(?P<dek_info>DEK-Info: (?:DES-[3A-Z\-]+,[0-9A-F]{{16}}|[0-9A-Z\-]+,[0-9A-F]{{32}}))\s*)?(?P<pem_body>.+?)\s+(?P<pem_footer>-----END z -----)\s*)���re��compile��DOTALLr����r����r����r������_make_pem_regexD���s����������������rI���c��������������������C���s8���|�d�u�r�d�n�|�}�t�|���}�|���|���D�]�}�|�r�|�����S�q�d�S�)�Nz
[0-9A-Z ]+)�rI�����finditer)�r����r8���Z�_dregexr����r����r����r����r����S���s������������������r����c��������������������C���s`���|�d�k�r�t�j�|�p d�d���S�|�d�k�r�t�j�|�p�d�d���S�|�d�k�r t�����S�|�d�k�r(t�����S�t�d�|���d ������)
Nr����i����)�r����r���������Z�ed25519Z�ed448z8Invalid algorithm specified for generating private key: z . Valid: rsa, ec, ed25519, ed448)�rA���Z�generate_rsa_privkeyZ�generate_ec_privkeyZ�generate_ed25519_privkeyZ�generate_ed448_privkeyr����r����r����r����r����r����\���s����������������������
���r����c��������������������C���sf���|�d�u�r�i�S�t�d���d�i�����|���}�|�p�t�d���d�i�����|���}�t�|�t���r/i�}�|�D�]�}�|���|�����q%|�}�|�p2i�S�)�Nz
pillar.getZ�x509_signing_policiesz
config.get)�rE���r
���r����r����r����)�r����Z�policiesZ�dict_��itemr����r����r����rH���k���s������������
�����������rH���c���������������� ���C���sH���t���}�t�j�����D�]�\�}�}�z�|���|���d���j�|�|�<�W�q���t�y!������Y�q�w�|�S�)�zA
Returns a dict containing all values in an X509 Subject
r����)�r ���rA���ru���r����rt���rv���rw���)�rs���r����Z�nid_namer'���r����r����r����r����x���s��������������������r����r#���c��������������������C���sf���|�����d�v�r�t�d�|���d�������t���t���|�����}�|���|���������|�����d�d�����}�t j
d�k�r1|�d�d�d�����}�|�S�)�z�
Returns the OpenSSL name hash.
This is the first four bytes of the SHA1 (pre v1: MD5) hash
of the DER-encoded form of name. On little-endian systems,
OpenSSL inverts the bytes.
)�r#���r����z)Invalid hashing algorithm for name hash: z�. Only SHA1 and MD5 are allowedN�������little���)�rD���r����r����Z�HashrA���rq���r����r������finalize��sys� byteorder)�r����r����Z�hsh��resr����r����r����r��������s��������
���������
�����r����c���������������� ���C����N���i�}�t�j�����D�]�\�}�}�z�|���|���}�W�n
��t�j�y�������Y�q�w�t���|���|�|�<�q�|�S���N)�rA���Z�EXTENSIONS_OIDr������get_extension_for_oidr#�����ExtensionNotFound��render_extension��r����r����r
���r'�����extr����r����r����r ������������������������������r ���c���������������� ���C���rT���rU���)�rA���Z�EXTENSIONS_CRL_ENTRY_OIDr����rV���r#���rW���rX���rY���r����r����r����r/�������r[���r/���c��������������������C���s@���d�|�v�r�t�d���|�d�|�d���}�|�|�v�r�t�d�����|�|���S�t�d���|�|���S�)�N��@r9���z�match.compound)�Z�tgtZ�funr:���z�Could not verify if minion matches compound matching expression. Make sure the ca_server is allowed to run `match.compound` on the requesting minionz
match.glob)�rE���r����)���testZ�minion��matchr����r����r����r4�������s��������������������r4���)
NNr����NNFNNTF)�NN)�r!���NF)�r����NNNNFNF) NNFNr!���r����NNF)�r����F)�Nr!���r����NF)�r����NNr����FNF)�r����NNFF)�r����rU���)�F)�TN)�r����N)�r#���)J��__doc__r����r����r������loggingZ�os.pathry���rF���rQ���r����r����r����Z�cryptography.x509r
���r#���Z�cryptography.hazmat.primitivesr����r����Z�salt.utils.x509r;���rA���r������ImportErrorZ�salt.utils.dictupdater:���Z�salt.utils.filesZ�salt.utils.stringutilsZ�salt.exceptionsr����r����Z�salt.utils.odictr ���� getLogger��__name__r6���r����r����rZ���rF���rI���rJ���r����r����r����r����r����r����r����r����r����r����r����r����r����r(���r)���r0���r1���r8���rc���r=���r>���r?���r@���rL���rI���r����r����rH���r����r����r ���r/���r4���r����r����r����r������<module>����s�������������������������������������������������
�������������������������
������
���
��"��������������
��������������������
��
d�(��������
�
k�&������������
��c��������
�
W����
�
M
�
.�=�B���;��
�
Y��
���
��$
�9
�
���
������