
Accommodate the new OpenSSL behavior when failed to decrypt certs #3197

Merged 5 commits, Aug 29, 2024

Conversation

nagworld9 (Contributor)

Description

Fixing #3163

If the decryption fails, old versions of OpenSSL overwrite the output file (if it exists) with empty data, while new versions of OpenSSL do not overwrite the output file, so the output file may contain old certificate data and the agent processes the old certs again. Correcting the behavior by removing the temporary state certificate files.

2024-08-28T00:22:15.391660Z ERROR ExtHandler ExtHandler Failed to decrypt /var/lib/waagent/Certificates.p7m (return code: 1)
[stdout]
 
[stderr]
Error reading SMIME Content Info
4072163C0D7B0000:error:0680008E:asn1 encoding routines:asn1_d2i_read_bio:not enough data:crypto/asn1/a_d2i_fp.c:216:
4072163C0D7B0000:error:0680006E:asn1 encoding routines:b64_read_asn1:decode error:crypto/asn1/asn_mime.c:151:
4072163C0D7B0000:error:068000CB:asn1 encoding routines:SMIME_read_ASN1_ex:asn1 parse error:crypto/asn1/asn_mime.c:500:
 
2024-08-28T00:22:15.391869Z INFO ExtHandler ExtHandler Removing temporary state certificate files ['/var/lib/waagent/Certificates.p7m', '/var/lib/waagent/Certificates.pem']
2024-08-28T00:22:15.392123Z INFO ExtHandler ExtHandler Removed file /var/lib/waagent/Certificates.p7m
2024-08-28T00:22:15.392267Z INFO ExtHandler ExtHandler Removed file /var/lib/waagent/Certificates.pem
2024-08-28T00:22:15.392632Z INFO ExtHandler Fetch goal state completed

PR information

  • The title of the PR is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For information on cleaning up the commits in your pull request, see this page.
  • If applicable, the PR references the bug/issue that it fixes in the description.
  • New Unit tests were added for the changes made

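As an added example (not the agent's own code from cryptutil.py), a minimal decrypt helper that reproduces the hazard the description reports and the cleanup the PR adds: when the decrypt command fails without touching its output file, a pem left by an earlier successful run is removed so it cannot be processed again. The openssl command line, the injectable runner and the constructed failing stand-in are assumptions of this example.

```python
import os
import subprocess
import tempfile

class DecryptError(Exception):
    """Raised when the openssl decrypt step exits non-zero."""

def remove_stale_state_files(paths):
    """Delete whichever of the given files exist; return the paths actually removed."""
    removed = []
    for path in paths:
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed

def decrypt_p7m(p7m_file, trans_prv_file, trans_cert_file, pem_file,
                run=subprocess.run, cleanup_on_failure=True):
    """Decrypt the p7m bundle into pem_file (the openssl command line is an assumption)."""
    cmd = ["openssl", "cms", "-decrypt", "-in", p7m_file, "-inkey", trans_prv_file,
           "-recip", trans_cert_file, "-out", pem_file]
    result = run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        # Newer OpenSSL leaves pem_file untouched on failure (older versions truncated it),
        # so a pem left over from an earlier successful run would otherwise be read again.
        removed = remove_stale_state_files([p7m_file, pem_file]) if cleanup_on_failure else []
        raise DecryptError("Failed to decrypt %s (return code: %d); removed %s"
                           % (p7m_file, result.returncode, removed))
    return pem_file

def _failing_openssl(cmd, **kwargs):
    """Constructed stand-in for new OpenSSL: non-zero exit, output file not touched."""
    return subprocess.CompletedProcess(cmd, 1, stdout="", stderr="Error reading SMIME Content Info")

def stale_pem_survives_failure(cleanup_on_failure):
    """Constructed scenario: a stale pem is on disk and the next decrypt fails; True if it remains."""
    with tempfile.TemporaryDirectory() as workdir:
        p7m = os.path.join(workdir, "Certificates.p7m")
        pem = os.path.join(workdir, "Certificates.pem")
        with open(pem, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nSTALE\n-----END CERTIFICATE-----\n")
        with open(p7m, "w") as f:
            f.write("not a valid S/MIME blob\n")
        try:
            decrypt_p7m(p7m, "transport.prv", "transport.cert", pem,
                        run=_failing_openssl, cleanup_on_failure=cleanup_on_failure)
        except DecryptError:
            pass
        return os.path.exists(pem)
```

Calling `stale_pem_survives_failure(False)` models the agent before this PR (the stale pem stays and is reprocessed); `stale_pem_survives_failure(True)` models the fix.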

@nagworld9 nagworld9 changed the title Addressing new openssl behavior when failed to decrypt certs Accommodate the new OpenSSL behavior when failed to decrypt certs Aug 28, 2024
narrieta (Member) previously approved these changes Aug 29, 2024

@narrieta narrieta left a comment


one minor comment

@@ -99,6 +109,13 @@ def decrypt_p7m(self, p7m_file, trans_prv_file, trans_cert_file, pem_file):
except shellutil.CommandError as command_error:
logger.error("Failed to decrypt {0} (return code: {1})\n[stdout]\n{2}\n[stderr]\n{3}",
p7m_file, command_error.returncode, command_error.stdout, command_error.stderr)
# If the decryption fails, old version of openssl overwrite the output file(if exist) with empty data while
# new version of openssl does not overwrite the output file, So output file may contain old certs data.
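Review bot: the new comment in this hunk refers to "old version" and "new version" of openssl without naming the OpenSSL release at which the output-file behaviour changed, so a later reader cannot tell which versions truncate the output on failure and which leave it in place; state the version (or a reference to the upstream change) in the comment. The visible part of the hunk also stops at the explanation without saying what the except branch now does about it, so end the comment with the action taken (removing the temporary state certificate files, as the PR description says), and lowercase "So" mid-sentence.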
narrieta (Member)

let's add the "new version" value to the comment, in case we ever need it in the future

maddieford
maddieford previously approved these changes Aug 29, 2024
@nagworld9 nagworld9 dismissed stale reviews from maddieford and narrieta via 2181751 August 29, 2024 19:22
codecov bot commented Aug 29, 2024

Codecov Report

Attention: Patch coverage is 90.32258% with 3 lines in your changes missing coverage. Please review.

Project coverage is 72.30%. Comparing base (3aebcdd) to head (2181751).
Report is 297 commits behind head on develop.

Files with missing lines Patch % Lines
azurelinuxagent/common/utils/cryptutil.py 72.72% 2 Missing and 1 partial ⚠️
@@             Coverage Diff             @@
##           develop    #3197      +/-   ##
===========================================
+ Coverage    71.97%   72.30%   +0.32%     
===========================================
  Files          103      114      +11     
  Lines        15692    16953    +1261     
  Branches      2486     2448      -38     
===========================================
+ Hits         11295    12258     +963     
- Misses        3881     4131     +250     
- Partials       516      564      +48     


@nagworld9 nagworld9 merged commit d9c866f into Azure:develop Aug 29, 2024
11 checks passed
@nagworld9 nagworld9 deleted the openssl-out branch August 29, 2024 21:37