---
- name : Validate CSR (test - privatekey modulus)
shell : 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register : privatekey_modulus
- name : Validate CSR (test - Common Name)
shell : "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
register : csr_cn
- name : Validate CSR (test - csr modulus)
shell : 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
register : csr_modulus
- name : Validate CSR (assert)
assert :
that :
- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_modulus.stdout == privatekey_modulus.stdout
- name : Validate CSR (check mode, idempotency)
assert :
that :
- generate_csr_check is changed
- generate_csr is changed
- generate_csr_check_idempotent is not changed
- generate_csr_check_idempotent_check is not changed
- name : Validate CSR without SAN (check mode, idempotency)
assert :
that :
- generate_csr_nosan_check is changed
- generate_csr_nosan is changed
- generate_csr_nosan_check_idempotent is not changed
- generate_csr_nosan_check_idempotent_check is not changed
- name : Validate CSR_KU_XKU (assert idempotency, change)
assert :
that :
- csr_ku_xku is not changed
- csr_ku_xku_change is changed
- csr_ku_xku_change_2 is changed
- name : Validate old_API CSR (test - Common Name)
shell : "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
register : csr_oldapi_cn
- name : Validate old_API CSR (test - csr modulus)
shell : 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
register : csr_oldapi_modulus
- name : Validate old_API CSR (assert)
assert :
that :
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name : Validate invalid SAN
assert :
that :
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name : Validate OCSP Must Staple CSR (test - everything)
shell : "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
register : csr_ocsp
- name : Validate OCSP Must Staple CSR (assert)
assert :
that :
- "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or
(csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))"
- name : Validate OCSP Must Staple CSR (assert idempotency)
assert :
that :
- csr_ocsp_idempotency is not changed
- name : Validate ECC CSR (test - privatekey's public key)
shell : 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
register : privatekey_ecc_key
- name : Validate ECC CSR (test - Common Name)
shell : "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
register : csr_ecc_cn
- name : Validate ECC CSR (test - CSR pubkey)
shell : 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
register : csr_ecc_pubkey
- name : Validate ECC CSR (assert)
assert :
that :
- csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
- name : Validate CSR (text common name - Common Name)
shell : "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
register : csr3_cn
- name : Validate CSR (assert)
assert :
that :
- csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'
- name : Validate country name idempotency and validation
assert :
that :
- country_idempotent_1 is changed
- country_idempotent_2 is not changed
- country_idempotent_3 is not changed
- country_fail_4 is failed
- name :
assert :
that :
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name : Verify that broken CSR will be regenerated
assert :
that :
- output_broken is changed
- name : Verify that subject key identifier handling works
assert :
that :
- subject_key_identifier_1 is changed
- subject_key_identifier_2 is not changed
- subject_key_identifier_3 is changed
- subject_key_identifier_4 is changed
- subject_key_identifier_5 is not changed
- subject_key_identifier_6 is changed
when : select_crypto_backend != 'pyopenssl'
- name : Verify that authority key identifier handling works
assert :
that :
- authority_key_identifier_1 is changed
- authority_key_identifier_2 is not changed
- authority_key_identifier_3 is changed
- authority_key_identifier_4 is changed
when : select_crypto_backend != 'pyopenssl'
- name : Verify that authority cert issuer / serial number handling works
assert :
that :
- authority_cert_issuer_sn_1 is changed
- authority_cert_issuer_sn_2 is not changed
- authority_cert_issuer_sn_3 is changed
- authority_cert_issuer_sn_4 is changed
- authority_cert_issuer_sn_5 is changed
when : select_crypto_backend != 'pyopenssl'
- name : Check backup
assert :
that :
- csr_backup_1 is changed
- csr_backup_1.backup_file is undefined
- csr_backup_2 is not changed
- csr_backup_2.backup_file is undefined
- csr_backup_3 is changed
- csr_backup_3.backup_file is string
- csr_backup_4 is changed
- csr_backup_4.backup_file is string
- csr_backup_5 is not changed
- csr_backup_5.backup_file is undefined
- name : Check CSR with everything
assert :
that :
- everything_1 is changed
- everything_2 is not changed
- everything_3 is not changed
- name : Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
assert :
that :
- generate_csr_ed25519_ed448.results[0] is failed
- generate_csr_ed25519_ed448.results[1] is failed
- generate_csr_ed25519_ed448.results[0].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
- generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
- generate_csr_ed25519_ed448_idempotent.results[0] is failed
- generate_csr_ed25519_ed448_idempotent.results[1] is failed
when : select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')
- name : Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
assert :
that :
- generate_csr_ed25519_ed448 is succeeded
- generate_csr_ed25519_ed448.results[0] is changed
- generate_csr_ed25519_ed448.results[1] is changed
- generate_csr_ed25519_ed448_idempotent is succeeded
- generate_csr_ed25519_ed448_idempotent.results[0] is not changed
- generate_csr_ed25519_ed448_idempotent.results[1] is not changed
when : select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')