File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/states/__pycache__/x509_v2.cpython-310.pyc
o
�����N�g�������������������������@���s����d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�m�Z�m�Z�m�Z���d�d�l Z
d�d�l�m�Z�m
Z
��d�d�l�m�Z���z�d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�Z���d�d�l�m�����m�Z���d�Z�W�n���e�yX������d Z�Y�n�w�e���e���Z�d
Z d�d���Z! � � �
� � � � � � � � � � � � � � � � �d6d�d���Z" � � � � �
�d7d�d���Z# � �
�d8d�d���Z$d�d���Z% � � �
d9d�d���Z&d�d���Z'd�d���Z(d�d���Z)d:d d!��Z*d"d#��Z+ �d;d$d%��Z,d&d'��Z-d(d)��Z.d*d+��Z/d,d-��Z0d.d/��Z1d0d1��Z2d2d3��Z3d4d5��Z4d�S�)<a/���
Manage X.509 certificates
=========================
.. versionadded:: 3006.0
This module represents a complete rewrite of the original ``x509`` modules
and is named ``x509_v2`` since it introduces breaking changes.
:depends: cryptography
.. note::
All parameters that take a public key, private key, certificate,
CSR or CRL can be specified either as a PEM/hex/base64 string or
a path to a local file encoded in all supported formats for the type.
Configuration instructions and general remarks are documented
in the :ref:`execution module docs <x509-setup>`.
For the list of breaking changes versus the previous ``x509`` modules,
please also refer to the :ref:`execution module docs <x509-setup>`.
About
-----
This module can enable managing a complete PKI infrastructure, including creating
private keys, CAs, certificates and CRLs. It includes the ability to generate a
private key on a server, and have the corresponding public key sent to a remote
CA to create a CA signed certificate. This can be done in a secure manner, where
private keys are always generated locally and never moved across the network.
Example
-------
Here is a simple example scenario. In this example ``ca`` is the ca server,
and ``www`` is a web server that needs a certificate signed by ``ca``.
.. note::
Remote signing requires the setup of :term:`Peer Communication` and signing
policies. Please see the :ref:`execution module docs <x509-setup>`.
/srv/salt/top.sls
.. code-block:: yaml
base:
'*':
- cert
'ca':
- ca
'www':
- www
This state creates the CA key, certificate and signing policy. It also publishes
the certificate to the mine, where it can be easily retrieved by other minions.
.. code-block:: yaml
# /srv/salt/ca.sls
Configure the x509 module:
file.managed:
- name: /etc/salt/minion.d/x509.conf
- source: salt://x509.conf
Restart Salt minion:
cmd.run:
- name: 'salt-call service.restart salt-minion'
- bg: true
- onchanges:
- file: /etc/salt/minion.d/x509.conf
Ensure PKI directories exist:
file.directory:
- name: /etc/pki/issued_certs
- makedirs: true
Create CA private key:
x509.private_key_managed:
- name: /etc/pki/ca.key
- keysize: 4096
- backup: true
- require:
- file: /etc/pki/issued_certs
Create self-signed CA certificate:
x509.certificate_managed:
- name: /etc/pki/ca.crt
- signing_private_key: /etc/pki/ca.key
- CN: ca.example.com
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical, CA:true"
- keyUsage: "critical, cRLSign, keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid:always,issuer
- days_valid: 3650
- days_remaining: 0
- backup: true
- require:
- x509: /etc/pki/ca.key
.. code-block:: yaml
# /srv/salt/x509.conf
# enable x509_v2
features:
x509_v2: true
# publish the CA certificate to the mine
mine_functions:
x509.get_pem_entries: [/etc/pki/ca.crt]
# define at least one signing policy for remote signing
x509_signing_policies:
www:
- minions: 'www'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid:always,issuer
- days_valid: 30
- copypath: /etc/pki/issued_certs/
This example state will instruct all minions to trust certificates signed by
our new CA. Mind that this example works for Debian-based OS only.
Also note the Jinja call to encode the string to JSON, which will avoid
YAML issues with newline characters.
.. code-block:: jinja
# /srv/salt/cert.sls
Ensure the CA trust bundle exists:
file.directory:
- name: /usr/local/share/ca-certificates
Ensure our self-signed CA certificate is included:
x509.pem_managed:
- name: /usr/local/share/ca-certificates/myca.crt
- text: {{ salt["mine.get"]("ca", "x509.get_pem_entries")["ca"]["/etc/pki/ca.crt"] | json }}
This state creates a private key, then requests a certificate signed by our CA
according to the www policy.
.. code-block:: yaml
# /srv/salt/www.sls
Ensure PKI directory exists:
file.directory:
- name: /etc/pki
Create private key for the certificate:
x509.private_key_managed:
- name: /etc/pki/www.key
- keysize: 4096
- backup: true
- require:
- file: /etc/pki
Request certificate:
x509.certificate_managed:
- name: /etc/pki/www.crt
- ca_server: ca
- signing_policy: www
- private_key: /etc/pki/www.key
- CN: www.example.com
- days_remaining: 7
- backup: true
- require:
- x509: /etc/pki/www.key
�����N)���datetime� timedelta��timezone)���CommandExecutionError��SaltInvocationError)���STATE_INTERNAL_KEYWORDS)���UnsupportedAlgorithm)���hashesTF��x509c��������������������C���s����t�s�d�S�t�d�����d���s
d�S�t�S�)�N)�Fz�Could not load cryptographyZ�featuresZ�x509_v2)�Fz�x509_v2 needs to be explicitly enabled by setting `x509_v2: true` in the minion configuration value `features` until Salt 3008 (Argon).)���HAS_CRYPTOGRAPHY��__opts__��get��__virtualname__��r����r�����G/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py��__virtual__����s
�������������r������pem��sha256c������������/�������K���s$���|�d�u�r |�d�u�r z�t�j�j���d�d�����d�}�W�n���t�y�������d�}�Y�n�w�|�d�u�r<z�t�j�j���d�d�����d�}�W�n���t�y;������d�}�Y�n�w�d |�v�rMt�j�j���d�d
����|���d ��}�t���|���}�|�i�d�d�d
��}�d���}�}�i�}�d�}�t�t |�����\�}�}�|�plg�}�t
|�t���su|�g�}���zwt�|�f�d�d�d���|�����} | d���d�u�r�d�|�d�<�d�|�d�<�t
|�| ����|�W�S�d�| d���v�r�t
|�| ����|�W�S�|�}!d�}"t�d���|���r�|���d�d���r�t�j���|���}!n�t�d���|�����d�}"t�d���|!����r�z�t�j�|!|�d�d���\�}�}�}#}$W�n0��t���y
��}%��z#d�t�|%��v�r�d�|�d�<�n�t�d�t�|%��v�d�t�|%��v�f���r�d�}"n���W�Y�d�}%~%n�d�}%~%w�w�|�|�k���r�|�|�d�<�n�|�d�k���r/|$j�j�|���r't�j�j���|���n�d�k���r/|�|�d <�z�|�j�}&W�n���t���yF������|�j�j�t�j d!��}&Y�n�w�|&t!j"t�j d"��t#|�d#����k���rZd�|�d$<�|#��p^g�}#d%d&��|�D���}'t$|#|'����spd�|�d'<�t%dN|�|�|�| |
|�|�|
|�|�|�|�|�|�|�d(��|�����\�}(})}*}+z�|�j&d�u���r�t
|�j&t't��(|+d)����������s�|�|�d)<�W�n���t)��y�������t*�+d*|�����Y�n�w�|��,t-|�|(|*|�|�|�d+������n�|�|�d,<�|"��r�|�|�d-<�|���s�| d�����r�| d.����s�t
|�| ����|�W�S�|�|�d.<�|���r�|���r�d/}�t.d0����r�|���r�d�n�d�|�d�<�|���r�d1|���d2��n�|�d���|�d�<�t
|�| ����|�W�S�|���r�t/|���h�d3������s>|�d�k���r4t�d4��|�|�|�|)|�|�|�d5��},nOt�d4��|�|�|�d6��},nEt�d7��dNi�d8|���d9|���d�|���d:|���d�|���d;|���d |���d)|���d<| ��d=|
��d>|���d?|���d@|
��dA|���dB|���dC|���dD|���dE|���dF|���dG|���|�����},dH|���d2��|�d�<�|�dIv���r�t�|�f�dJd�i�|�����}-t
|�|-����t0|-|�|�����s�|�W�S�t1|!t2�3|,��|���dKdL������|���r�|�dIv���r�t4|�dIv���o�|���}"|"��r�|,n�d�}.t�|�f�|.|"dM��|�����}-t
|�|-����t0|-|�|�����s�|�W�S�W�|�S�W�|�S���t5t�f���y���}%��z�d�|�d�<�t�|%��|�d�<�i�|�d.<�W�Y�d�}%~%|�S�d�}%~%w�w�)Oa����
Ensure an X.509 certificate is present as specified.
This function accepts the same arguments as :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`,
as well as most ones for `:py:func:`file.managed <salt.states.file.managed>`.
name
The path the certificate should be present at.
days_remaining
The certificate will be recreated once the remaining certificate validity
period is less than this number of days.
Defaults to ``90`` (until v3009) or ``7`` (from v3009 onwards).
ca_server
Request a remotely signed certificate from ca_server. For this to
work, a ``signing_policy`` must be specified, and that same policy
must be configured on the ca_server. Also, the Salt master must
permit peers to call the ``x509.sign_remote_certificate`` function.
See the :ref:`execution module docs <x509-setup>` for details.
signing_policy
The name of a configured signing policy. Parameters specified in there
are hardcoded and cannot be overridden. This is required for remote signing,
otherwise optional.
encoding
Specify the encoding of the resulting certificate. It can be serialized
as a ``pem`` (or ``pkcs7_pem``) text file or in several binary formats
(``der``, ``pkcs7_der``, ``pkcs12``). Defaults to ``pem``.
append_certs
A list of additional certificates to append to the new one, e.g. to create a CA chain.
.. note::
Mind that when ``der`` encoding is in use, appending certificatees is prohibited.
copypath
Create a copy of the issued certificate in PEM format in this directory.
The file will be named ``<serial_number>.crt`` if prepend_cn is false.
prepend_cn
When ``copypath`` is set, prepend the common name of the certificate to
the file name like so: ``<CN>-<serial_number>.crt``. Defaults to false.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
signing_private_key
The private key corresponding to the public key in ``signing_cert``. Required.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
signing_cert
The CA certificate to be used for signing the issued certificate.
public_key
The public key the certificate should be issued for. Other ways of passing
the required information are ``private_key`` and ``csr``. If neither are set,
the public key of the ``signing_private_key`` will be included, i.e.
a self-signed certificate is generated.
private_key
The private key corresponding to the public key the certificate should
be issued for. This is one way of specifying the public key that will
be included in the certificate, the other ones being ``public_key`` and ``csr``.
private_key_passphrase
If ``private_key`` is specified and encrypted, the passphrase to decrypt it.
csr
A certificate signing request to use as a base for generating the certificate.
The following information will be respected, depending on configuration:
* public key
* extensions, if not otherwise specified (arguments, signing_policy)
subject
The subject's distinguished name embedded in the certificate. This is one way of
passing this information (see ``kwargs`` below for the other).
This argument will be preferred and allows to control the order of RDNs in the DN
as well as to embed RDNs with multiple attributes.
This can be specified as a RFC4514-encoded string (``CN=example.com,O=Example Inc,C=US``,
mind that the rendered order is reversed from what is embedded), a list
of RDNs encoded as in RFC4514 (``["C=US", "O=Example Inc", "CN=example.com"]``)
or a dictionary (``{"CN": "example.com", "C": "US", "O": "Example Inc"}``,
default ordering).
Multiple name attributes per RDN are concatenated with a ``+``.
.. note::
Parsing of RFC4514 strings requires at least cryptography release 37.
serial_number
A serial number to be embedded in the certificate. If unspecified, will
autogenerate one. This should be an integer, either in decimal or
hexadecimal notation.
not_before
Set a specific date the certificate should not be valid before.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
Defaults to the time of issuance.
not_after
Set a specific date the certificate should not be valid after.
The format should follow ``%Y-%m-%d %H:%M:%S`` and will be interpreted as GMT/UTC.
If unspecified, defaults to the current time plus ``days_valid`` days.
days_valid
If ``not_after`` is unspecified, the number of days from the time of issuance
the certificate should be valid for.
Defaults to ``365`` (until v3009) or ``30`` (from v3009 onwards).
pkcs12_passphrase
When encoding a certificate as ``pkcs12``, encrypt it with this passphrase.
.. note::
PKCS12 encryption is very weak and `should not be relied on for security <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
pkcs12_encryption_compat
OpenSSL 3 and cryptography v37 switched to a much more secure default
encryption for PKCS12, which might be incompatible with some systems.
This forces the legacy encryption. Defaults to False.
pkcs12_friendlyname
When encoding a certificate as ``pkcs12``, a name for the certificate can be included.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments. See
:py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`
for an overview.
N� PotassiumzYThe default value for `days_valid` will change to 30. Please adapt your code accordingly.im��������z\The default value for `days_remaining` will change to 7. Please adapt your code accordingly.�Z��������� algorithm�B`algorithm` has been renamed to `digest`. Please update your code.Tz'The certificate is in the correct state����name��changes��result��comment��createF����test��replacer�����:Problem while testing file.managed changes, see its outputr�����*is not present and is not set for creation��file.is_link��follow_symlinks��file.remove��file.file_exists���
passphrase��get_encoding��Bad decrypt��pkcs12_passphrase�!Could not deserialize binary data��Could not load PEM-encoded��encodingZ�pkcs12��pkcs12_friendlyname����tzinfo����tz����days�
expirationc��������������������S���s����g�|�]�}�t���|�����q�S�r����)���x509util� load_cert����.0��xr����r����r�����
<listcomp>����s������z'certificate_managed.<locals>.<listcomp>��additional_certs)�� ca_server��signing_policy��digest��signing_private_key��signing_private_key_passphrase��signing_cert�
public_key��private_key��private_key_passphrase��csr��subject�
serial_number�
not_before� not_after�
days_validrB����HCould not determine signature hash algorithm of '%s'. Continuing anyways)�rE���rK���rL���rM�����created��replacedr������recreater!���z The certificate would have been ��d>����r1���r0���r?���z�x509.encode_certificate)���append_certsr0���rG���r-�����pkcs12_encryption_compatr1���)�r0���rT���z�x509.create_certificater@���rA���rT���rU���rC���rD���rE���rF���rG���rH���rI���rJ���rK���rL���rM���rN���z�The certificate has been )�r����Z pkcs7_pemr"�����backup������contentsr"���r����)6��salt��utils��versions�
warn_until��RuntimeError��popr9�����ensure_cert_kwargs_compat��_split_file_kwargs��_filter_state_internal_kwargs�
isinstance��list�
_file_managed��_add_sub_state_run��__salt__r
�����os��path��realpathr:���r������str��any��certZ
friendly_nameZ�stringutils��to_bytesZ�not_valid_after_utc��AttributeErrorZ�not_valid_afterr"���r������utcr������nowr������_compare_ca_chain��_build_cert��signature_hash_algorithm��type��get_hashing_algorithmr������log��warning��update�
_compare_certr������set��_check_file_ret��_safe_atomic_write��base64� b64decode��boolr����)/r������days_remainingr@���rA���r0���rT���Z�copypathZ
prepend_cnrB���rC���rD���rE���rF���rG���rH���rI���rJ���rK���rL���rM���rN���r-���rU���r1�����kwargs��ret��current��current_encodingr������verb� file_argsZ cert_args��file_managed_test� real_namer"���Z
current_chainZ
current_extra��errZ�curr_not_afterZ�ca_chain��builder��private_key_loadedZ�signing_cert_loaded��final_kwargsrm�����file_managed_retrY���r����r����r������certificate_managed����s������(������������������������������������������������
�
���������������������
���������������
�����
�����������������������������������������
���
�
�������������
���������������
�������
�����������
�����������������������������������������������������������������������������������������������������������������������
���������
�����������
�������
��������������������
��������������������������������������� ���
�����������
����������������������������������
���
�������������������������������
���������������������������r����c������������"�������K���s\���d�|�v�r�t�j�j���d�g�d�����|���d�����|�d�u�r.z�t�j�j���d�d�����d�}�W�n���t�y-������d�}�Y�n�w�|�d�u�rJz�t�j�j���d�d�����d�}�W�n���t�yI������d }�Y�n�w�g�}�|�D�]R}
i�}�t�|
��d
k�r{t�|
t t
|
������t���r{t�j�j���d�d�����|
t t
|
������D�]�}�|���|�����qsd�|�p|
v�r�t�j�j���d�d
����t�j�j
��|�p�|
d�|�p�|
��d�������|���|�p�|
����qN|�}�|�i�d�d�d���}�d���}�}�i�}�d�}�t�t�|�����\�}�}�|
p�i�}
|�r�t�d�t�|�������������z?t�|�f�d�d�d���|�����}�|�d���d�u�r�d�|�d�<�d�|�d�<�t�|�|�����|�W�S�d�|�d���v�r�t�|�|�����|�W�S�|�}�d�}�t�d���|�����r�|���d�d�����r�t�j���|���}�n�t�d���|�����d�}�t�d���|�����r�z�t�j�|�d�d���\�}�}�W�n&��t���yS��}���z�t�d�t�|���v�d t�|���v�f�����rHd�}�n���W�Y�d�}�~�n�d�}�~�w�w�z�|�j�d�u���rkt�|�j�t�t�� |���������sk|�|�d!<�W�n���t!��y|������t"�#d"|�����Y�n�w�| |�k���r�| |�d#<�z�|�j$}�W�n���t%��y�������|�j&j't(j)d$��}�Y�n�w�|���r�|�t*j+t(j)d%��t,|�d&����k���r�d�|�d'<�|
��d(��d)k�}�|���r�|
��d(����t�j-|�|�|�|�|�|�|
d*��\�}�}�|���t.|�|�|��/��������|���r�d)|
d(<�|�d+��d,����|�d+��d,���0d(������t�|�d+���1������s�|���d+����n�|�|�d-<�|���r
|�|�d.<�|���s"|�d�����r"|�d/����s"t�|�|�����|�W�S�|�|�d/<�|���r.|���r.d0}�t2d1����rS|���r8d�n�d�|�d�<�|���rEd2|���d3��n�|�d���|�d�<�t�|�|�����|�W�S�|���r�t3|���d#h�����sgt�d4��|�| d5��}�n8|
��d(��d)k���r�z�|�j4�5t6j7��j8j9d
��|
d(<�W�n���t%t6j:f���y�������d
|
d(<�Y�n�w�t�d6��|�|�|�|�|�|�|�| |
d7� }�d8|���d3��|�d�<�| d9k���r�t�|�f�d:d�i�|�����} t�|�| ����t;| |�|�����s�|�W�S�t<|�t=�>|���|���d;d<������|���r�| d=k���r�t?| d=k���o�|���}�|���r�|�n�d�}!t�|�f�|!|�d>��|�����} t�|�| ����t;| |�|�����s�|�W�S�W�|�S�W�|�S���t@t�f���y-��}���z�d�|�d�<�t�|���|�d�<�i�|�d/<�W�Y�d�}�~�|�S�d�}�~�w�w�)?a����
Ensure a certificate revocation list is present as specified.
This function accepts the same arguments as :py:func:`x509.create_crl <salt.modules.x509_v2.create_crl>`,
as well as most ones for `:py:func:`file.managed <salt.states.file.managed>`.
name
The path the certificate revocation list should be present at.
signing_private_key
Your certificate authority's private key. It will be used to sign
the CRL. Required.
revoked
A list of dicts containing all the certificates to revoke. Each dict
represents one certificate. A dict must contain either the key
``serial_number`` with the value of the serial number to revoke, or
``certificate`` with some reference to the certificate to revoke.
The dict can optionally contain the ``revocation_date`` key. If this
key is omitted, the revocation date will be set to now. It should be a
string in the format ``%Y-%m-%d %H:%M:%S``.
The dict can also optionally contain the ``not_after`` key. This is
redundant if the ``certificate`` key is included. If the
``certificate`` key is not included, this can be used for the logic
behind the ``include_expired`` parameter. It should be a string in
the format ``%Y-%m-%d %H:%M:%S``.
The dict can also optionally contain the ``extensions`` key, which
allows to set CRL entry-specific extensions. The following extensions
are supported:
certificateIssuer
Identifies the certificate issuer associated with an entry in an
indirect CRL. The format is the same as for subjectAltName.
CRLReason
Identifies the reason for certificate revocation.
Available choices are ``unspecified``, ``keyCompromise``, ``CACompromise``,
``affiliationChanged``, ``superseded``, ``cessationOfOperation``,
``certificateHold``, ``privilegeWithdrawn``, ``aACompromise`` and
``removeFromCRL``.
invalidityDate
Provides the date on which the certificate became invalid.
The value should be a string in the same format as ``revocation_date``.
days_remaining
The certificate revocation list will be recreated once the remaining
CRL validity period is less than this number of days.
Defaults to ``30`` (until v3009) or ``3`` (from v3009 onwards).
Set to 0 to disable automatic renewal without anything changing.
signing_cert
The CA certificate to be used for signing the issued certificate.
signing_private_key_passphrase
If ``signing_private_key`` is encrypted, the passphrase to decrypt it.
include_expired
Also include already expired certificates in the CRL. Defaults to false.
days_valid
The number of days that the CRL should be valid for. This sets the ``Next Update``
field in the CRL. Defaults to ``100`` (until v3009) or ``7`` (from v3009 onwards).
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be serialized as a ``pem`` text or binary ``der`` file.
Defaults to ``pem``.
extensions
Add CRL extensions. See :py:func:`x509.create_crl <salt.modules.x509_v2.create_crl>`
for details.
.. note::
For ``cRLNumber``, in addition the value ``auto`` is supported, which
automatically increases the counter every time a new CRL is issued.
Example:
.. code-block:: yaml
Manage CRL:
x509.crl_managed:
- name: /etc/pki/ca.crl
- signing_private_key: /etc/pki/myca.key
- signing_cert: /etc/pki/myca.crt
- revoked:
- certificate: /etc/pki/certs/badweb.crt
revocation_date: 2022-11-01 00:00:00
extensions:
CRLReason: keyCompromise
- serial_number: D6:D2:DC:D8:4D:5C:C0:F4
not_after: 2023-03-14 00:00:00
revocation_date: 2022-10-25 00:00:00
extensions:
CRLReason: cessationOfOperation
- extensions:
cRLNumber: auto
��textr����NzXThe default value for `days_valid` will change to 7. Please adapt your code accordingly.�d���r����z\The default value for `days_remaining` will change to 3. Please adapt your code accordingly.r��������������zCRevoked certificates should be specified as a simple list of dicts.��reasonz\The `reason` parameter for revoked certificates should be specified in extensions:CRLReason.z�extensions:CRLReasonTz7The certificate revocation list is in the correct stater����r����� Unrecognized keyword arguments: Fr ���r����r#���r����r$���r%���r&���r'���r(�����r+���r/�����Could not load DER-encodedrB���rO���r0���r2���r4���r6���r8���Z cRLNumber��auto)�rE���rD�����include_expiredrN����
extensionsr������removedrP���rQ���r����rR���r!���z0The certificate revocation list would have been rS���z�x509.encode_crl��r0���z�x509.create_crl)�rE���rD���r����rN���rB���r0���r����z)The certificate revocation list has been ��derr"���rV���rW���r����rX���)ArZ���r[���r\�����kwargs_warn_untilr_���r]���r^�����lenrc�����next��iterrd���ry���Z
dictupdateZ�set_dict_key_value��appendra���rb���r����re���rf���rg���r
���rh���ri���rj���r9���Z�load_crlrl���rk���rt���ru���rv���r����rw���rx���Z�next_update_utcro���Z�next_updater"���r����rp���r����rq���r����Z build_crl��_compare_crlrF�����index��valuesr����r{���r����Z�get_extension_for_class��cx509Z CRLNumber��valueZ
crl_number��ExtensionNotFoundr|���r}���r~���r���r����r����)"r����rC�����revokedr����rE���rD���r����rN���rB���r0���r����r����Z�revoked_parsed��rev��parsed��valr����r����r����r����r����r�����
extra_argsr����r����r"���r����Z�curr_next_updateZ�crl_autor����Z�sig_privkeyZ�crlr����rY���r����r����r������crl_managed����s�����{��
�����������������������������������������������"���������������������������������������������������������������������
�����
�������������������������������
�
�����������������������������������������
�����
���������������������
�����������������
�� ������������
���������������������
���������
�����������
�������������������������
�������������������������������
���
�������������������������������
��������
������������������r����c����������������
���K���s0���d�|�v�r�t�j�j���d�d�����|���d���}�t���|���}�|�i�d�d�d���}�d���}�} i�}
d�}�t�t�|�����\�}�}
��z�t |�f�d�d d
��|�����}�|�d���d u�rPd |�d�<�d�|�d
<�t
|�|�����|�W�S�d�|�d
��v�r^t
|�|�����|�W�S�|�}�d }�t�d���|���r}|���d�d���rut
j���|���}�n�t�d���|�����d�}�t�d���|�����r�z�t�j�|�d�d���\�}�} W�n3��t�y���}���z�t�d�t�|���v�d�t�|���v�f���r�d�}�n���W�Y�d�}�~�njd�}�~�w���t�j�y�������d�|
d�<�d�}�Y�nWw�z�|�j�d�u�r�t�|�j�t�t���|�������s�|�|
d�<�W�n���t�y�������t���d�|�����Y�n�w�|�| k�r�|�|
d�<�t�j�|�f�|�|�d���|
����\�}�}�t���|�����|�����s�d�|
d�<�|
� t!|�|�������n�|�|
d�<�|���r |�|
d�<�|
��s5|�d�����r5|�d�����s5t
|�|�����|�W�S�|
|�d�<�|���rA|
��rAd�}�t"d ����rf|
��rKd�n�d�|�d�<�|
��rXd!|���d"��n�|�d
��|�d
<�t
|�|�����|�W�S�|
��r�t#|
��d�h�����szt�d#��|�|�d$��}�n�t�d%��|�f�|�|�|�|�d&��|
����}�d'|���d"��|�d
<�|�d(k���r�t |�f�d)d i�|�����}�t
|�|�����t$|�|�|�����s�|�W�S�t%|�t&�'|���|���d*d+������|
��r�|�d,k���r�t(|�d,k���o�|
��}�|���r�|�n�d�}�t |�f�|�|�d-��|�����}�t
|�|�����t$|�|�|�����s�|�W�S�W�|�S�W�|�S���t)t�f���y���}���z�d |�d�<�t�|���|�d
<�i�|�d�<�W�Y�d�}�~�|�S�d�}�~�w�w�).a����
Ensure a certificate signing request is present as specified.
This function accepts the same arguments as :py:func:`x509.create_csr <salt.modules.x509_v2.create_csr>`,
as well as most ones for :py:func:`file.managed <salt.states.file.managed>`.
name
The path the certificate signing request should be present at.
private_key
The private key corresponding to the public key the certificate should
be issued for. The CSR will be signed by it. Required.
private_key_passphrase
If ``private_key`` is encrypted, the passphrase to decrypt it.
digest
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to ``sha256``.
This will be ignored for ``ed25519`` and ``ed448`` key types.
encoding
Specify the encoding of the resulting certificate revocation list.
It can be serialized as a ``pem`` text or binary ``der`` file.
Defaults to ``pem``.
kwargs
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments.
See :py:func:`x509.create_certificate <salt.modules.x509_v2.create_certificate>`
for an overview. Mind that some extensions are not available for CSR
(``authorityInfoAccess``, ``authorityKeyIdentifier``,
``issuerAltName``, ``crlDistributionPoints``).
r����r����r����Tz7The certificate signing request is in the correct stater����Nr����Fr ���r����r#���r����r$���r%���r&���r'���r(���r����r/���r����Z�invalid_versionrB���rO���r0���)�rH���rJ���rG���rP���rQ���r����rR���r!���z0The certificate signing request would have been rS���z�x509.encode_csrr����z�x509.create_csr)�rH���rB���r0���rJ���z)The certificate signing request has been r����r"���rV���rW���r����rX���)*rZ���r[���r\���r]���r_���r9���r`���ra���rb���re���rf���rg���r
���rh���ri���rj���Z�load_csrr����rl���rk���r����Z�InvalidVersionrt���rc���ru���rv���r����rw���rx���Z build_csrZ�is_pairrF���ry�����_compare_csrr����r{���r|���r}���r~���r���r����r����)�r����rG���rH���rB���r0���rJ���r����r����r����r����r����r����r����Z�csr_argsr����r����r"���r����r����Z�privkeyrI���r����rY���r����r����r������csr_managed����s&����-��������
�
�������������������������������
�����
�������������������������������
�
�����������������������������������������������������������������
�������������������������
���������
�����������
�������������������������������
���
�������������������������������
���������������������������r����c����������������
���K���s����t�|���\�}�}�|�r�t�d�t�|�����������z�t�d���|�d���|�d�<�W�n���t�t�f�y9��}���z�|�d�t�|���i�d���W���Y�d�}�~�S�d�}�~�w�w�t�|�f�i�|�����S�)�aK���
Manage the contents of a PEM file directly with the content in text,
ensuring correct formatting.
name
The path to the file to manage.
text
The PEM-formatted text to write.
kwargs
Most arguments supported by :py:func:`file.managed <salt.states.file.managed>` are passed through.
r����z�x509.get_pem_entry)�r����rY���F)�r����r����r����r����N)�ra���r����rd���rg���r����rk���re���)�r����r����r����r����r����r����r����r����r������pem_managed����s������������������������r������rsac����������������
���K���sj���d�|�v�r�t�j�j���d�d�����|���d���}�h�d�����|���} | r,t�j�j���| d�����| D�]�}
|���|
����q$|�i�d�d�d���}�d���}�}
i�}�d }�t�|���\�}�}�|�rLt�d
t |�����������|��
d���sUd�|�d�<���z:|�rd|�d
v�rdt�d�|���������t�|�f�d�d�d���|�����}�|�d���d�u�r�d�|�d�<�d�|�d�<�t�|�|�����|�W�S�d�|�d���v�r�t�|�|�����|�W�S�|�}�d�}�t
d���|���r�|��
d�d���r�t�j���|���}�n�t
d���|�����d�}�t
d���|���}�|���r?|���s?z
t�j�|�|�d�d���\�}�}
}�W�ns��t���y>��}���zfd�t�|���v�r�|�s�t�d���|���d�|�d�<�nNt�d�t�|���v�d�t�|���v�d�t�|���v�f�����r�|���s�t�d ��|���d�}�n/d!t�|���v���r�d�|�d�<�t�j�|�d�d�d���\�}�}
}�n�d"t�|���v���r3|���s3|���s.t�d#��|���d�|�d�<�n���W�Y�d�}�~�n�d�}�~�w�w�|���r�t���|���}�|�}�|�d�u���r]|�d$k���rVd%}�n�|�d&k���r]d'}�t�|�d$k���oi|�t�j�j�k���|�d&k���ot|�t�j�j�k���|�d(k���o|�t�j�j�k���|�d)k���o�|�t�j�j�k���f�����r�|�|�d*<�d*|�v���r�|�d+v���r�|�j�|�k���r�|�|�d,<�|�|
k���r�|�|�d-<�n�|���r�|���r�|�|�d.<�n�|�|�d/<�|���s�|�d�����r�|�d0����s�t�|�|�����|�W�S�|�|�d0<�|���r�|���r�d1}�t�d2����r�|���r�d�n�d�|�d�<�|���r�d3|���d4��n�|�d���|�d�<�t�|�|�����|�W�S�|���rYt�|���d-d�h�����s�t
d5��|�|�|�d6��}�n�t
d7��|�|�|�|�|�d8��}�d9|���d4��|�d�<�|�d:k���rYt�|�f�d;d�i�|�����}�t�|�|�����t�|�|�|�����sL|�W�S�t |�t!�"|���|��
d<d=������|���ra|�d:k���r�t#|�d:k���oh|���}�|���ro|�n�d�}�t�|�f�|�|�d>��|�����}�t�|�|�����t�|�|�|�����s�|�W�S�W�|�S�W�|�S���t�t�f���y���}���z�d�|�d�<�t�|���|�d�<�i�|�d0<�W�Y�d�}�~�|�S�d�}�~�w�w�)?a�
��
Ensure a private key is present as specified.
This function accepts the same arguments as :py:func:`x509.create_private_key <salt.modules.x509_v2.create_private_key>`,
as well as most ones for :py:func:`file.managed <salt.states.file.managed>`.
.. note::
If ``mode`` is unspecified, it will default to ``0400``.
name
The path the private key should be present at.
algo
The digital signature scheme the private key should be based on.
Available: ``rsa``, ``ec``, ``ed25519``, ``ed448``. Defaults to ``rsa``.
keysize
For ``rsa``, specifies the bitlength of the private key (2048, 3072, 4096).
For ``ec``, specifies the NIST curve to use (256, 384, 521).
Irrelevant for Edwards-curve schemes (``ed25519``, ``ed448``).
Defaults to 2048 for RSA and 256 for EC.
passphrase
If this is specified, the private key will be encrypted using this
passphrase. The encryption algorithm cannot be selected, it will be
determined automatically as the best available one.
encoding
Specify the encoding of the resulting private key. It can be serialized
as a ``pem`` text, binary ``der`` or ``pkcs12`` file.
Defaults to ``pem``.
new
Always create a new key. Defaults to false.
Combining new with :mod:`prereq <salt.states.requisites.prereq>`
can allow key rotation whenever a new certificate is generated.
overwrite
Overwrite an existing private key if the provided passphrase cannot decrypt it.
Defaults to false.
pkcs12_encryption_compat
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
``PBESv1SHA1And3KeyTripleDESCBC``.
Please consider the `notes on PKCS12 encryption <https://cryptography.io/en/stable/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates>`_.
Example:
The Jinja templating in this example ensures a new private key is generated
if the file does not exist and whenever the associated certificate
is to be renewed.
.. code-block:: jinja
Manage www private key:
x509.private_key_managed:
- name: /etc/pki/www.key
- keysize: 4096
- new: true
{%- if salt["file.file_exists"]("/etc/pki/www.key") %}
- prereq:
- x509: /etc/pki/www.crt
{%- endif %}
��bitsr����z>`bits` has been renamed to `keysize`. Please update your code.>����r������cipher��verboseTz'The private key is in the correct stater����Nr����r������modeZ�0400)���ed25519��ed448z$keysize is an invalid parameter for Fr ���r����r#���r����r$���r%���r&���r'���r(���r)���r,���zbThe provided passphrase cannot decrypt the private key. Pass overwrite: true to force regenerationr*���r.���r����r/���z�The existing file does not seem to be a private key formatted as DER, PEM or embedded in PKCS12. Pass overwrite: true to force regenerationz�Private key is unencryptedz�Private key is encryptedz]The existing file is encrypted. Pass overwrite: true to force regeneration without passphraser����i������ec�����r����r������algo)�r����r������keysizer0���rQ���rP���r����rR���r!���z The private key would have been rS���z�x509.encode_private_key)�r*���r0���z�x509.create_private_key)�r����r����r*���r0���rU���z�The private key has been r����r"���rV���rW���rX���)$rZ���r[���r\���r]���r_�����intersectionr����ra���r����rd���r
���re���rf���rg���rh���ri���rj���r9���Z�load_privkeyrk���r����rl���Z�get_key_typeZ�KEY_TYPEZ�RSAZ�ECZ�ED25519Z�ED448Z�key_sizer����r{���r|���r}���r~���r���r����)�r����r����r����r*���r0�����newZ overwriterU���r����Z�ignored_paramsr=���r����r����r����r����r����r����r����r����r����r"���Z�file_exists��_r����Z�key_typeZ
check_keysize��pkr����rY���r����r����r������private_key_managed����sh����N��������
�������������������������������������
�������������������
�����
���������������������������������������������
���
�
�
�������������������������������������������
��������$
���
�
���
�������������������
�
�����
�������
���������������
���������
�����������
�����������������������������
���
�������������������������������
��������
������������������r����c������������������������s$���t�t���d�h�������f�d�d���|�����D���S�)�N� check_cmdc������������������������s����i�|�]�\�}�}�|���v�r�|�|���q�S�r����r����)�r<�����k��v����ignorer����r�����
<dictcomp>����s������z1_filter_state_internal_kwargs.<locals>.<dictcomp>)�r{�����_STATE_INTERNAL_KEYWORDS��items)�r����r����r����r����rb�������s��������rb���c��������������������C���sH���g�d���}�d�d�i�}�i�}�|�����D�]�\�}�}�|�|�v�r�|�|�|�<�q�|�|�|�<�q�|�|�f�S�)�N)���user��groupr����Z�attrs��makedirsZ�dir_moderV���r����r&���r����Z�tmp_dirZ�tmp_extZ�selinuxr0���Z�encoding_errorsZ win_ownerZ win_permsZ�win_deny_permsZ�win_inheritanceZ�win_perms_resetZ�show_changesF)�r����)�r����Z�valid_file_argsr����r����r����r����r����r����r����ra�������s��������������
�
���ra���c��������������������C���s<���|�d���d�t�d���d�d���|�d�<�d�|�v�r�g�|�d�<�|�d�����|�����d�S�)�Nr������file��__id__Z�managed)�r������stater����Z�fun��lowZ
sub_state_run)�Z�__low__r����)�r������subr����r����r����rf���%���s������������
�������rf���c��������������������K���sF���|�d�v�r�t�d�����|�p
t�d���}�t�d���d�|�f�d�|�i�|�����}�|�t�t�|�������S�)�N)�NTz#test param can only be None or Truer!���z�state.singlez�file.managed)�r����r����rg���r����r����)�r����r!���r������resr����r����r����re���1���s
�������������re���c��������������������C���s<���|�d���d�u�r�d�|�d�<�d�|�s�d�n�d���d���|�d�<�i�|�d�<�d�S�d S�)
Nr����Fz
Could not r����ry���z� file, see file.managed outputr����r����Tr����)�Z�fretr����r����r����r����r����r|���:���s������������������r|���c������������ �������K���sb���t���|���}�|�|�d�<�t���t�d���|�|�d���|�����|���d���}�t�j�|�f�d�|�d�u�i�|�����\�}�}�}�}�|�|�|�|�f�S�)�NrC���z�x509.get_signing_policy)�r@���Z�skip_load_signing_private_key)���copy��deepcopyr9���Z�merge_signing_policyrg���r_���Z build_crt) r@���rA���rC���r����r����r����r����r����rE���r����r����r����rs���E���s����
�����������
�����������������rs���c��������������������C���s����i�}�|�d�u�r�t�|�d���|�j�k�r�|�|�d�<�t���t�|�d���|�������s!d�|�d�<�|�r/t���|�|�������s/d�|�d�<�t�|�d���|�j�k�r@t�|�d�������|�d�<�t�|�d ��|�j�k�rQt�|�d ������|�d
<�t |�|���}�t
|�������r`|�|�d�<�|�S�)�NZ�_serial_numberrK���Z�_public_keyTrG���rC����
_subject_name��subject_name��_issuer_name��issuer_namer����)��
_getattr_saferK���r9���Z�match_pubkeyrF���Z�verify_signaturerJ�����rfc4514_string��issuer�
_compare_extsrl���r����)�r����r����rE���rK���rL���rM���r������ext_changesr����r����r����rz���X���s0�������������������������������������������
�������rz���c��������������������C���sF���i�}�t�|�d�|�j���s�t�|�d�������|�d�<�t�|�|���}�t�|�������r!|�|�d�<�|�S�)�Nr����r����r����)���_compareattr_saferJ���r����r����r����rl���r����)�r����r����r����r����r����r����r����r����y���s������������������
�������r����c������������
�������C���s����d�d���}�d�d���}�i�}�t�|�d���|�j�k�r�t�|�d�������|�d�<�|���|���s$d�|�d�<�g�g�g�d ��}�t�|�d
��}�|�D�][}�|���|�j���} | d�u�rI|�d�����t���|�j�������q1|�j D�]%}
|�| j |
j
��}�t�|�d�u�|�j�|
j�k�|�j
|
j
k�f���rq|�d�����t���|�j�������qL| j D�]�}�|�|�j |�j
��d�u�r�|�d�����t���|�j�������quq1|�D�]�}�|�|�|�j���d�u�r�|�d
����t���|�j�������q�t�|�������r�|�|�d�<�t�|�|���}�t�|�������r�|�|�d�<�|�S�)�Nc�������������������������.���z���f�d�d���|�D���d���W�S���t�y�������Y�d�S�w�)�Nc�����������������������������g�|�] }�|�j���k�r�|���q�S�r����)�rK���r;�������serialr����r����r>��������������zS_compare_crl.<locals>._get_revoked_certificate_by_serial_number.<locals>.<listcomp>r�������
IndexError)�r����r����r����r����r�����)_get_revoked_certificate_by_serial_number�����
�������������z?_compare_crl.<locals>._get_revoked_certificate_by_serial_numberc������������������������r����)�Nc������������������������r����r��������oidr;���r����r����r����r>�������r����z@_compare_crl.<locals>._get_extension_for_oid.<locals>.<listcomp>r����r����)�r����r����r����r����r������_get_extension_for_oid����r����z,_compare_crl.<locals>._get_extension_for_oidr����r����TrF�������added��changedr����Z�_revoked_certificatesr����r����r����Z�revocationsr����)�r����r����r����Z�is_signature_validZ(get_revoked_certificate_by_serial_numberrK���r����r9���Z�dec2hexr����r����rl�����criticalr����r����r����)
r����r����Z
sig_pubkeyr����r����r����Z�rev_changesr����r����Z�cur��ext��cur_extr����r����r����r����r��������sR�������������
�����
�����������
�������
�
���������
�����������
�������������
�������r����c������������ ��� ���C���s����d�d���}�g�}�g�}�g�}�t���t�|�d�����}�t�|���D�]0}�z�|�j���|�j�j���}�|�j�|�j�k�s-|�j�|�j�k�r4|�� |�|�������W�q���t�j
yF������|�� |�|�������Y�q�w�|�j�D�]�}�z |���|�j�j�����W�qJ��t�j
yf������|�� |�|�������Y�qJw�|�|�|�d���S�)�Nc��������������������S���s&���z�|�j�j�W�S���t�y�������|�j�j���Y�S�w���N)�r������_namero���Z
dotted_string)�r����r����r����r�����
getextname����s
�����
�������z!_compare_exts.<locals>.getextnameZ�_extensionsr����)�r����Z
Extensionsr����r����r����Z�get_extension_for_oidr����r����r����r����r����) r����r����r����r����r����r����Z�builder_extensionsr����r����r����r����r����r��������s*�������������������������������
�������������r����c��������������������C���sP���t�|���t�|���k�s
d�S�t�|���D�]�\�}�}�|���t�������|�|�����t�������k�r%��d�S�q�d�S�)�NFT)�r����� enumerateZ�fingerprintr �����SHA256)�r����r������iZ�new_certr����r����r����rr�������s����������������������rr���c����������������
���C���sB���z�t�|�|���W�S���t�y ��}���z�t�d�|���d�|�j�j���d�����|���d�}�~�w�w�)�Nz�Could not get attribute z� from z.. Did the internal API of cryptography change?)���getattrro���r����� __class__��__name__)���obj��attrr����r����r����r����r��������s������������������������r����c��������������������C���s&���z�t�|�|���|�k�W�S���t�y�������Y�d�S�w�)�NF)�r����ro���)�r����r������compr����r����r����r��������s
�������������r����c��������������������C���s����t�j�j�j�t�j�j�j�d���}�t�j�j���|�d����
}�|���|�����W�d���������n�1�s#w�������Y���t�j�j���|�|�t�d���|���t d�������t�j�j��
|�����d�S�)�z~
Create a temporary file with only user r/w perms and atomically
copy it to the destination, honoring ``backup``.
)���prefix��wbNz�config.backup_modeZ�cachedir)�rZ���r[�����filesZ�mkstempZ�TEMPFILE_PREFIXZ�fopen��write��copyfilerg���r����Z�safe_rm)���dst��datarV�����tmpZ�tmp_r����r����r����r}�������s��������������������r}���)�NNNr����NNFr����NNNNNNNNNNNNNFN)�NNNFNr����r����N)�Nr����r����N)�r����NNr����FFFr����)�NNN)5��__doc__r~���r������loggingZ�os.pathrh���r����r����r����Z�salt.utils.filesrZ���Z�salt.exceptionsr����r����Z
salt.stater����r����Z�cryptography.x509r
���r����Z�cryptography.exceptionsr����Z�cryptography.hazmat.primitivesr ���Z�salt.utils.x509r[���r9���r������ImportError� getLoggerr����rw���r����r����r����r����r����r����r����rb���ra���rf���re���r|���rs���rz���r����r����r����rr���r����r����r}���r����r����r����r������<module>����s��������8��������������������������������
���������������������������������������������������
�����<��������������
����n������
���R��������������
��������!
�� ��
����!���@�����
��