openssl_* modules: private key errors (#54088)

* Improve error handling, in particular with respect to private key loading problems. * Add tests to validate that modules regenerate invalid input and don't crash. * Don't crash when input is invalid. * Create 'better' broken input. * Fix paths. * Simplifying pyOpenSSL error handling.
2025-04-24 03:11:24 -07:00 · 2019-03-30 14:28:10 +01:00 · 2019-03-30 14:28:10 +01:00 · 90c067e947
commit 90c067e947
parent 627c5e7f50
21 changed files with 327 additions and 228 deletions
--- a/lib/ansible/module_utils/crypto.py
+++ b/lib/ansible/module_utils/crypto.py
@ -111,13 +111,14 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, backend='pyope
                                                priv_key_detail,
                                                to_bytes(passphrase or ''))
            except crypto.Error as e:
-                if len(e.args) > 0 and len(e.args[0]) > 0 and e.args[0][0][2] == 'bad decrypt':
-                    # This happens in case we have the wrong passphrase.
-                    if passphrase is not None:
-                        raise OpenSSLBadPassphraseError('Wrong passphrase provided for private key!')
-                    else:
-                        raise OpenSSLBadPassphraseError('No passphrase provided, but private key is password-protected!')
-                raise
+                if len(e.args) > 0 and len(e.args[0]) > 0:
+                    if e.args[0][0][2] in ('bad decrypt', 'bad password read'):
+                        # This happens in case we have the wrong passphrase.
+                        if passphrase is not None:
+                            raise OpenSSLBadPassphraseError('Wrong passphrase provided for private key!')
+                        else:
+                            raise OpenSSLBadPassphraseError('No passphrase provided, but private key is password-protected!')
+                raise OpenSSLObjectError('Error while deserializing key: {0}'.format(e))
            if check_passphrase:
                # Next we want to make sure that the key is actually protected by
                # a passphrase (in case we did try the empty string before, make
@ -131,10 +132,11 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, backend='pyope
                        # key isn't password-protected
                        raise OpenSSLBadPassphraseError('Passphrase provided, but private key is not password-protected!')
                except crypto.Error as e:
-                    if passphrase is None and len(e.args) > 0 and len(e.args[0]) > 0 and e.args[0][0][2] == 'bad decrypt':
-                        # The key is obviously protected by the empty string.
-                        # Don't do this at home (if it's possible at all)...
-                        raise OpenSSLBadPassphraseError('No passphrase provided, but private key is password-protected!')
+                    if passphrase is None and len(e.args) > 0 and len(e.args[0]) > 0:
+                        if e.args[0][0][2] in ('bad decrypt', 'bad password read'):
+                            # The key is obviously protected by the empty string.
+                            # Don't do this at home (if it's possible at all)...
+                            raise OpenSSLBadPassphraseError('No passphrase provided, but private key is password-protected!')
        elif backend == 'cryptography':
            try:
                result = load_pem_private_key(priv_key_detail,