From: John Mulligan
Date: Fri, 25 Apr 2025 15:05:46 +0000 (-0400)
Subject: python-common/cryptotools: catch all failures to read cert
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=f6ab08783c0f121d33709a2aaecb6087c69ae3f2;p=ceph.git
python-common/cryptotools: catch all failures to read cert
Previously, the internal crypto caller would catch (and convert) some errors when reading the cert but not all cases. Move the logic to catch the errors to a common location and do it once consistently.
Signed-off-by: John Mulligan
---
diff --git a/src/python-common/ceph/cryptotools/internal.py b/src/python-common/ceph/cryptotools/internal.py
index 2de8d742ced47..7d6e0a487ecc9 100644
--- a/src/python-common/ceph/cryptotools/internal.py
+++ b/src/python-common/ceph/cryptotools/internal.py
@@ -68,7 +68,10 @@ class InternalCryptoCaller(CryptoCaller):
 def _load_cert(self, crt: Union[str, bytes]) -> Any:
 crt_buffer = crt.encode() if isinstance(crt, str) else crt
- cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt_buffer)
+ try:
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, crt_buffer)
+ except (ValueError, crypto.Error) as e:
+ self.fail('Invalid certificate: %s' % str(e))
 return cert
 def _issuer_info(self, cert: Any) -> Tuple[str, str]:
@@ -115,11 +118,7 @@ class InternalCryptoCaller(CryptoCaller):
 _key.check()
 except (ValueError, crypto.Error) as e:
 self.fail('Invalid private key: %s' % str(e))
- try:
- _crt = self._load_cert(crt)
- except ValueError as e:
- self.fail('Invalid certificate key: %s' % str(e))
-
+ _crt = self._load_cert(crt)
 try:
 context = SSL.Context(SSL.TLSv1_METHOD)
 with warnings.catch_warnings():
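Review bot: The `return cert` that follows the new try/except in `_load_cert` is only safe if `self.fail()` always raises. `fail` is defined outside this diff, so that is an assumption here; if it ever returned, the method would end in an UnboundLocalError rather than a certificate error. Returning from inside the try removes that dependency and lets a type checker confirm that `fail` is declared non-returning: `return crypto.load_certificate(crypto.FILETYPE_PEM, crt_buffer)`. A one-line docstring such as `"""Parse a PEM certificate; malformed input is reported through self.fail()."""` would also tell other callers of `_load_cert` that they no longer see ValueError or crypto.Error directly.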
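Review bot: On this path the reported text changes from `Invalid certificate key: ...` to `Invalid certificate: ...`, and a crypto.Error raised while parsing is now converted too. Any test, caller or log match that keys on the old string needs updating; nothing in the diff shows whether one exists. With the local try/except gone, a short comment on the new line would keep the error handling visible: `# _load_cert() reports unparsable certificates via self.fail()`. The enclosing method starts and ends outside the hunk.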