From 5bc3bf7d36d872af5ab79c7531c80a7793c76307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Almeida?=
Date: Sat, 8 Dec 2018 23:53:10 -0200
Subject: Adds a more descriptive error msg for wrong wrapping (#4504)

* PoC code for check PEM wrap
* Remove PoC check wrap code
* Add PEM file info to FAQ
* Add FAQ/PEM link in exception message
* Fix flake8 style issues
* refactor, update language
* it's really amazing how bad the spell checker is
* review feedback
* change to etc
---
 docs/faq.rst                           | 32 ++++++++++++++++++++++
 .../hazmat/backends/openssl/backend.py | 15 ++++++++--
 2 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index dce94b73..6d876610 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -111,6 +111,38 @@ not yet possible you can also install ``cryptography`` with
 dependency. This workaround will be available until the feature is fully
 removed.
 
+Why can't I import my PEM file?
+-------------------------------
+
+PEM is a format (defined by several RFCs, but originally :rfc:`1421`) for
+encoding keys, certificates and others cryptographic data into a regular form.
+The data is encoded as base64 and wrapped with a header and footer.
+
+If you are having trouble importing PEM files, make sure your file fits
+the following rules:
+
+* has a one-line header like this: ``-----BEGIN [FILE TYPE]-----``
+  (where ``[FILE TYPE]`` is ``CERTIFICATE``, ``PUBLIC KEY``, ``PRIVATE KEY``,
+  etc.)
+
+* has a one-line footer like this: ``-----END [FILE TYPE]-----``
+
+* all lines, except for the final one, must consist of exactly 64
+  characters.
+
+For example, this is a PEM file for a RSA Public Key: ::
+
+    -----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7CsKFSzq20NLb2VQDXma
+    9DsDXtKADv0ziI5hT1KG6Bex5seE9pUoEcUxNv4uXo2jzAUgyRweRl/DLU8SoN8+
+    WWd6YWik4GZvNv7j0z28h9Q5jRySxy4dmElFtIRHGiKhqd1Z06z4AzrmKEzgxkOk
+    LJjY9cvwD+iXjpK2oJwNNyavvjb5YZq6V60RhpyNtKpMh2+zRLgIk9sROEPQeYfK
+    22zj2CnGBMg5Gm2uPOsGDltl/I/Fdh1aO3X4i1GXwCuPf1kSAg6lPJD0batftkSG
+    v0X0heUaV0j1HSNlBWamT4IR9+iJfKJHekOqvHQBcaCu7Ja4kXzx6GZ3M2j/Ja3A
+    2QIDAQAB
+    -----END PUBLIC KEY-----
+
+
 .. _`NaCl`: https://nacl.cr.yp.to/
 .. _`PyNaCl`: https://pynacl.readthedocs.io
 .. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index fda6293c..b2fdf78b 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1141,7 +1141,10 @@ class Backend(object):
         )
         if x509 == self._ffi.NULL:
             self._consume_errors()
-            raise ValueError("Unable to load certificate")
+            raise ValueError(
+                "Unable to load certificate. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
 
         x509 = self._ffi.gc(x509, self._lib.X509_free)
         return _Certificate(self, x509)
@@ -1163,7 +1166,10 @@ class Backend(object):
         )
         if x509_crl == self._ffi.NULL:
             self._consume_errors()
-            raise ValueError("Unable to load CRL")
+            raise ValueError(
+                "Unable to load CRL. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
 
         x509_crl = self._ffi.gc(x509_crl, self._lib.X509_CRL_free)
         return _CertificateRevocationList(self, x509_crl)
@@ -1185,7 +1191,10 @@ class Backend(object):
         )
         if x509_req == self._ffi.NULL:
             self._consume_errors()
-            raise ValueError("Unable to load request")
+            raise ValueError(
+                "Unable to load request. See https://cryptography.io/en/la"
+                "test/faq/#why-can-t-i-import-my-pem-file for more details."
+            )
 
         x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
         return _CertificateSigningRequest(self, x509_req)
-- 
cgit v1.2.3
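Review bot: The new message splits the URL inside the word "latest" (`"…cryptography.io/en/la"` followed by `"test/faq/…"`) at all three raise sites, so a grep of the code base for the FAQ URL or for `latest/faq` finds nothing; break at the path separator instead, `"Unable to load certificate. See https://cryptography.io/en/"` and `"latest/faq/#why-can-t-i-import-my-pem-file for more details."`, and the same in the CRL hunk at 1163 and the request hunk at 1185. The three literals also repeat the URL byte for byte, so one module-level constant such as `_PEM_FAQ_URL = "https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file"` keeps them in sync, and a comment on it should say that the anchor is the Sphinx slug of the heading "Why can't I import my PEM file?" added in docs/faq.rst, so rewording that heading silently breaks the link. The FAQ text describes PEM framing, so the pointer is only useful in the PEM loaders; the enclosing `def` lines are outside these hunks, so the diff alone does not show whether the DER variants keep the shorter message. `self._consume_errors()` just above each raise still discards OpenSSL's error queue before the ValueError is built, so the actual parse-failure reason is never surfaced; the FAQ link compensates for that but does not replace it.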