diff --git a/states/_states/rsa_key.py b/states/_states/rsa_key.py
index 96ebda8..f348891 100644
--- a/states/_states/rsa_key.py
+++ b/states/_states/rsa_key.py
@@ -2,7 +2,9 @@
 #
 # some internal functions are copied from salt.states.file
-from Crypto.PublicKey import RSA
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
 import os
@@ -86,10 +88,17 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
 return ret
 if not os.path.isfile(name):
- rsa = RSA.generate(bits)
+ rsakey = rsa.generate_private_key(
+ public_exponent=65537,
+ key_size=bits,
+ backend=default_backend())
 oldumask = os.umask(_calculate_umask(mode))
 with open(name, 'w') as rsafile:
- rsafile.write(rsa.exportKey())
+ rsafile.write(rsakey.private_bytes(
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.PKCS8,
+ encryption_algorithm=serialization.NoEncryption()
+ ))
 os.umask(oldumask)
 ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
 name)
@@ -98,20 +107,22 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
 return ret
 try:
 with open(name, 'r') as rsafile:
- rsa = RSA.importKey(rsafile.read())
+ rsakey = serialization.load_pem_private_key(
+ rsafile.read(),
+ password=None,
+ backend=default_backend())
 except Exception as e:
 ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
 name, e)
 ret['result'] = False
 return ret
- keysize = rsa.size() + 1
- if keysize < bits:
+ if rsakey.key_size < bits:
 ret['comment'] = (
 'RSA key in {0} is only {1} bits, which is less than the '
- 'required {2} bits'.format(name, keysize, bits))
+ 'required {2} bits'.format(name, rsakey.key_size, bits))
 ret['result'] = False
 else:
 ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
- name, keysize)
+ name, rsakey.key_size)
 ret['result'] = True
 return ret
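Review bot: `rsakey.private_bytes(...)` returns bytes, but the destination is still opened in text mode with `open(name, 'w')`; under Python 2 str and bytes coincide, but under Python 3 this write raises TypeError, so the mode should become `'wb'`. The same text/bytes mismatch exists on the read side in the next hunk, where `open(name, 'r')` feeds `rsafile.read()` to `load_pem_private_key`, which expects bytes (`'rb'`), and in x509_certificate.py, where `open(name)` feeds `load_pem_x509_certificate`. While in this block, `os.umask(oldumask)` is only reached on success; wrapping the write in `try`/`finally` keeps a failed write from leaving the process umask altered for the rest of the state run. valid_key's body continues outside this hunk.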
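Review bot: `serialization.load_pem_private_key` accepts any PEM private key type, so the type check the removed `RSA.importKey` call implied is lost: a DSA or EC key in `name` now reaches the `key_size` comparison and is judged by its bit or curve size instead of being rejected. Add an explicit check after the load, `if not isinstance(rsakey, rsa.RSAPrivateKey):`, followed by the same comment/result/return handling as the load-error branch (the `rsa` module is already imported at the top of this file). `password=None` also means an encrypted PEM surfaces only as the generic 'error loading' message, which is acceptable but worth stating in the state's docstring. valid_key's body starts outside this hunk.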
diff --git a/states/_states/x509_certificate.py b/states/_states/x509_certificate.py
index ac1afb4..099920e 100644
--- a/states/_states/x509_certificate.py
+++ b/states/_states/x509_certificate.py
@@ -5,10 +5,11 @@ Manage X.509 certificate life cycle
 This state is useful for managing X.509 certificates' life cycles.
-Copyright (c) 2014 Jan Dittberner
+Copyright (c) 2014, 2016 Jan Dittberner
 '''
-from M2Crypto import X509
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from datetime import datetime
 import os
@@ -39,14 +40,15 @@ def valid_certificate(
 if not os.path.isfile(name):
 return _error(
 ret, 'certificate file {0} does not exist'.format(name))
- try:
- cert = X509.load_cert(name)
- except Exception as e:
- return _error(
- ret,
- 'error loading certificate {0}: {1}'.format(name, e))
- notafter = cert.get_not_after().get_datetime()
- delta = notafter - datetime.now(notafter.tzinfo)
+ with open(name) as pemfile:
+ try:
+ cert = x509.load_pem_x509_certificate(pemfile.read(),
+ default_backend())
+ except Exception as e:
+ return _error(
+ ret, 'error loading certificate {0}: {1}'.format(name, e))
+ notafter = cert.not_valid_after
+ delta = notafter - datetime.utcnow()
 if delta.days < mindays:
 return _error(
 ret,
diff --git a/states/gnuviechadmin/webinterface.sls b/states/gnuviechadmin/webinterface.sls
index 0cd044e..612d76b 100644
--- a/states/gnuviechadmin/webinterface.sls
+++ b/states/gnuviechadmin/webinterface.sls
@@ -11,7 +11,7 @@ gnuviechadmin-dev-packages:
 - require_in:
 - pkg: gnuviechadmin-packages
-python-m2crypto:
+python-cryptography:
 pkg.installed:
 - reload_modules: true
diff --git a/states/webserver/sslcert.macros.sls b/states/webserver/sslcert.macros.sls
index e3bf201..9c5270e 100644
--- a/states/webserver/sslcert.macros.sls
+++ b/states/webserver/sslcert.macros.sls
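Review bot: The new `with open(name) as pemfile:` sits outside the `try`, so an unreadable certificate file (permissions, or the file vanishing after the `isfile` check) now escapes as an uncaught exception instead of the `_error(...)` result the old `X509.load_cert` path produced for any load failure; move the `with` inside the `try:` so open and parse failures are reported the same way. `datetime.utcnow()` matches the naive UTC value `not_valid_after` yields, which is correct, but a one-line comment there, `# not_valid_after is naive UTC, so compare against utcnow()`, would stop a later edit from reintroducing the aware/naive mismatch. valid_certificate's body continues outside this hunk.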
@@ -23,7 +23,7 @@
 - require:
 - file: {{ nginx_ssl_certdir }}
 - cmd: {{ certfile }}
- - pkg: python-m2crypto
+ - pkg: python-cryptography
 - require_in:
 - file: /etc/nginx/sites-available/{{ domain_name }}
 - service: nginx