PKCS#12 operations fail with "TypeError: password must be bytes-like" on the cryptography backend #247
Comments
Interesting. I'll take a look at this later today. I'm wondering a bit why our tests didn't catch this... probably need to expand the tests :)

It's in

```python
def parse_pkcs12(pkcs12_bytes, passphrase=None):
    '''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
    '''
    if _load_key_and_certificates is None:
        raise ValueError('load_key_and_certificates() not present in the current cryptography version')
    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
```

Should probably just wrap in a

@Ajpantuso yep, that's the solution. I've created a PR (#248) which fixes this and adds tests (I also ran them before fixing this, they resulted in the same crash as reported here).

That was quick. Thanks!

SUMMARY
Some PKCS#12 operations that involve `passphrase`, which worked with the `pyopenssl` backend, stopped working after `cryptography` was made the default backend. Error message output may indicate that there are missing calls to `to_bytes` for `self.passphrase`.
ISSUE TYPE
COMPONENT NAME
openssl_pkcs12 with `cryptography` backend.
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Tested on Linux and MacOS with a minimal example with no networking.
STEPS TO REPRODUCE
Playbooks and dummy PKCS#12 file available at
https://github.com/sverrehu/ansible-tests/tree/master/pkcs12-issue
EXPECTED RESULTS
Expected the certificate to be output to a file, and the output from the run to look like this:
ACTUAL RESULTS
No certificate, and an error message:
WORKAROUND
Force use of old backend by adding the following to the `openssl_pkcs12` invocation:
With this in place, our plays are running again.
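
The failure reported above and the `to_bytes` wrap suggested in the comments, as an added example (not code from this issue or from PR #248). It assumes the `cryptography` package is installed; `to_bytes` here is a simplified stand-in for Ansible's helper, the `normalise` flag is hypothetical, and the key, certificate and passphrase are constructed for the demonstration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def to_bytes(value, encoding="utf-8"):
    """Simplified stand-in for Ansible's to_bytes(): text -> bytes, None/bytes unchanged."""
    if value is None or isinstance(value, (bytes, bytearray)):
        return value
    return str(value).encode(encoding)


def build_sample_pkcs12(passphrase):
    """Construct a throwaway key, self-signed certificate and encrypted PKCS#12 blob."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.invalid")])
    now = datetime.datetime(2024, 1, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    enc = serialization.BestAvailableEncryption(to_bytes(passphrase))
    return pkcs12.serialize_key_and_certificates(b"sample", key, cert, None, enc)


def parse_pkcs12(pkcs12_bytes, passphrase=None, normalise=True):
    """Load a PKCS#12 blob; normalise=False passes the passphrase through as given."""
    if normalise:
        passphrase = to_bytes(passphrase)
    return pkcs12.load_key_and_certificates(pkcs12_bytes, passphrase)


def demo():
    blob = build_sample_pkcs12("s3cret")  # constructed passphrase, supplied as text
    try:
        parse_pkcs12(blob, "s3cret", normalise=False)  # str reaches cryptography
        unpatched = "loaded"
    except TypeError:
        unpatched = "TypeError"
    key, cert, extra = parse_pkcs12(blob, "s3cret")  # str converted to bytes first
    return unpatched, cert.subject.rfc4514_string(), len(extra)
```
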