saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

[BUG] keystore state uses incorrect key to get SHA1 fingerprint #66036

Open anderssynstad opened 9 months ago

anderssynstad commented 9 months ago

Description

salt.states.keystore.managed appears to be looking for an incorrect key when trying to get the SHA1 fingerprint from a certfile.

Using x509_v2 in minion config:

features:
  x509_v2: true

It is able to successfully run and create the keystore files initially, but on consecutive runs, it throws the following error:

[ERROR   ] An exception occurred in this state: Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/keystore.py", line 92, in managed
    new_sha1 = __salt__["x509.read_certificate"](entry["certificate"])[
KeyError: 'SHA1 Finger Print'

https://github.com/saltstack/salt/blob/2b364c92e6319ec3a9884afff10e6e4e1e1642db/salt/states/keystore.py#L92

Reading the cert manually with x509.read_certificate gives the following structure:

$ salt-call x509.read_certificate /path/to/certificate.pem
local:
    ----------
    ...
    fingerprints:
        ----------
        md5:
            5A:FA:...:3C:38
        sha1:
            5D:7F:...:8E:B1
        sha256:
            9F:3B:...:EF:D5

Changing the keystore.py file with something like this seems to make it work as expected:

             if existing_entry:
                 existing_sha1 = existing_entry[0]["sha1"]
                 try:
-                    new_sha1 = __salt__["x509.read_certificate"](entry["certificate"])[
-                        "SHA1 Finger Print"
-                    ]
+                    new_sha1 = __salt__["x509.read_certificate"](entry["certificate"])['fingerprints']['sha1'].encode(__salt_system_encoding__)
                 except (KeyError, TypeError) as err:
                     log.debug(
                         "Unable to obtain SHA1 finger print from entry's certificate"
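Review bot: the replacement line only handles the x509_v2 layout; when `features: x509_v2` is not enabled, `x509.read_certificate` still returns the legacy `SHA1 Finger Print` key that the removed lines looked up, so the lookup should try `['fingerprints']['sha1']` first and fall back to `'SHA1 Finger Print'` instead of dropping the old key. Second, the added `.encode(__salt_system_encoding__)` turns `new_sha1` into bytes while `existing_sha1 = existing_entry[0]["sha1"]` two lines above is left untouched; whatever compares the two values further down only works if both sides have the same type, so either encode both or keep both as `str`. Finally, the new line is far longer than the wrapped form the removed lines used; split it the same way so it passes the project's formatter.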

Setup

The sls file I'm running contains some fairly simple state definitions:

/path/to/keystore1.jks:
  keystore.managed:
    - passphrase: ...
    - entries:
      - alias: {{ grains['id'] }}
        certificate: /path/to/certificate.pem
        private_key: /path/to/certificate.key

/path/to/keystore2.jks:
  keystore.managed:
    - passphrase: ...
    - force_remove: True
    - entries:
      - alias: ca1
        certificate: /path/to/ca1.pem
      - alias: ca2
        certificate: /path/to/ca2.pem

Expected behavior

Expect the keystore state to function as documented.

Versions Report

$ salt-call --versions-report
Salt Version:
  Salt: 3006.6

Python Version:
  Python: 3.10.13 (main, Nov 15 2023, 04:34:27) [GCC 11.2.0]

Dependency Versions:
  cffi: 1.14.6
  cherrypy: 18.6.1
  dateutil: 2.8.1
  docker-py: Not Installed
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.3
  libgit2: Not Installed
  looseversion: 1.0.2
  M2Crypto: 0.40.1
  Mako: Not Installed
  msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 22.0
  pycparser: 2.21
  pycrypto: Not Installed
  pycryptodome: 3.19.1
  pygit2: Not Installed
  python-gnupg: 0.4.8
  PyYAML: 6.0.1
  PyZMQ: 23.2.0
  relenv: 0.14.2
  smmap: Not Installed
  timelib: 0.2.4
  Tornado: 4.5.3
  ZMQ: 4.3.4

System Versions:
  dist: debian 12 bookworm
  locale: utf-8
  machine: x86_64
  release: 6.1.0-17-cloud-amd64
  system: Linux
  version: Debian GNU/Linux 12 bookworm
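The two `x509.read_certificate` layouts described above (the legacy `SHA1 Finger Print` key the state currently looks up, and the x509_v2 `fingerprints` -> `sha1` mapping shown in the `salt-call` output) and the proposed patch both come down to one question: does the SHA1 stored in the keystore entry equal the SHA1 of the certificate on disk? The following is an added example written for this issue, not Salt's own `keystore` state code. It reads the fingerprint from either layout, normalises case, separators and `str`/`bytes` before comparing (so the `.encode(...)` type question from the patch disappears), and computes a SHA1 fingerprint from a PEM file using the conventional definition (SHA1 over the DER bytes). All dictionaries, fingerprint values and the PEM body are constructed sample data, not values from the report.

```python
"""Fingerprint extraction and comparison for keystore entries (illustrative)."""
import base64
import hashlib
import re

# Constructed sample return values, modelled on the two layouts in the report.
CONSTRUCTED_FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"

LEGACY_RESULT = {            # layout without features: x509_v2
    "Subject": {"CN": "constructed-example"},
    "SHA1 Finger Print": CONSTRUCTED_FP,
}
V2_RESULT = {                # layout with features: x509_v2
    "fingerprints": {
        "md5": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
        "sha1": CONSTRUCTED_FP.lower(),   # same value, different case
        "sha256": "not used here",
    }
}


def extract_sha1(cert_info):
    """Return the SHA1 fingerprint from either layout, or None if absent.

    x509_v2 is tried first; the legacy top-level key is the fallback, so the
    lookup works whichever x509 module produced cert_info.
    """
    try:
        return cert_info["fingerprints"]["sha1"]
    except (KeyError, TypeError):
        pass
    try:
        return cert_info["SHA1 Finger Print"]
    except (KeyError, TypeError):
        return None


def normalize_fingerprint(fp):
    """Canonical form: 20 uppercase hex pairs joined by colons.

    Accepts str or bytes, with or without separators, in either case.
    """
    if fp is None:
        return None
    if isinstance(fp, bytes):
        fp = fp.decode("ascii")
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexdigits) != 40:          # SHA1 is 20 bytes = 40 hex digits
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def sha1_fingerprint_from_pem(pem_text):
    """SHA1 fingerprint of the first CERTIFICATE block in a PEM string.

    The fingerprint is SHA1 over the DER bytes, i.e. the base64 payload
    between the BEGIN/END lines with line breaks removed.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return normalize_fingerprint(hashlib.sha1(der).hexdigest())


def fingerprints_match(existing_sha1, cert_info):
    """The check the keystore state needs: stored entry SHA1 == cert SHA1."""
    new_sha1 = extract_sha1(cert_info)
    if new_sha1 is None:
        return False
    return normalize_fingerprint(existing_sha1) == normalize_fingerprint(new_sha1)


def _constructed_pem(der_bytes):
    """Build a PEM wrapper around constructed bytes (not a real X.509 cert)."""
    body = base64.b64encode(der_bytes).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-in for a certificate file; only its hash is exercised.
CONSTRUCTED_PEM = _constructed_pem(
    b"constructed stand-in for DER certificate bytes; not a real X.509 cert"
)

if __name__ == "__main__":
    print("legacy layout:", extract_sha1(LEGACY_RESULT))
    print("v2 layout:    ", extract_sha1(V2_RESULT))
    print("match:", fingerprints_match(b"aabbccddeeff00112233445566778899aabbccdd", V2_RESULT))
    print("pem fingerprint:", sha1_fingerprint_from_pem(CONSTRUCTED_PEM))
```

Because both sides are normalised, the comparison gives the same answer whether the stored value is `str` or `bytes` and whether the module returned upper- or lower-case hex; a `KeyError` on either layout becomes a `None` (treated as "no match") rather than an unhandled exception in the state.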

welcome[bot] commented 9 months ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!