[2.7] openssl_certificate, fixed has_expired to check the cert expiration date (#53203)

* Type error in openssl_certificate (#47508)

* Fixed #47505: Type error in openssl_certificate
* Use to_bytes instead of str.encode in SelfSignedCertificate. Updates #47508
* Use to_bytes instead of str.encode in OwnCACertificate
* Added integration tests for openssl_certificate: selfsigned_not_before/after and ownca_not_before/after

(cherry picked from commit 5b1c68579d)

* openssl_certificate, fixed has_expired to check the cert expiration date (#53168)

(cherry picked from commit d5d92e4a70)

* Use fixed timestamp in past instead of relative time (relative times are a feature of devel).

* Add changelog for #47508.

changelogs/fragments/47508-openssl_certificate-fix-not-before-after.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - fix Python 3 string/bytes problems for `notBefore`/`notAfter` for self-signed and ownCA providers."

changelogs/fragments/openssl_certificate_fix_has_expired.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - openssl_certificate - ``has_expired`` correctly checks if the certificate is expired or not

lib/ansible/modules/crypto/openssl_certificate.py

@@ -179,10 +179,11 @@ options:
         version_added: "2.5"
 
     has_expired:
-        default: False
-        type: bool
         description:
-            - Checks if the certificate is expired/not expired at the time the module is executed.
+            - Checks if the certificate is expired/not expired at the time the module is executed. This only applies to
+              the C(assertonly) provider.
+        type: bool
+        default: no
 
     version:
         description:
@@ -521,11 +522,11 @@ class SelfSignedCertificate(Certificate):
             cert = crypto.X509()
             cert.set_serial_number(self.serial_number)
             if self.notBefore:
-                cert.set_notBefore(self.notBefore)
+                cert.set_notBefore(to_bytes(self.notBefore))
             else:
                 cert.gmtime_adj_notBefore(0)
             if self.notAfter:
-                cert.set_notAfter(self.notAfter)
+                cert.set_notAfter(to_bytes(self.notAfter))
             else:
                 # If no NotAfter specified, expire in
                 # 10 years. 315360000 is 10 years in seconds.
@@ -618,11 +619,11 @@ class OwnCACertificate(Certificate):
             cert = crypto.X509()
             cert.set_serial_number(self.serial_number)
             if self.notBefore:
-                cert.set_notBefore(self.notBefore.encode())
+                cert.set_notBefore(to_bytes(self.notBefore))
             else:
                 cert.gmtime_adj_notBefore(0)
             if self.notAfter:
-                cert.set_notAfter(self.notAfter.encode())
+                cert.set_notAfter(to_bytes(self.notAfter))
             else:
                 # If no NotAfter specified, expire in
                 # 10 years. 315360000 is 10 years in seconds.
@@ -763,10 +764,17 @@ class AssertOnlyCertificate(Certificate):
                     )
 
         def _validate_has_expired():
-            if self.has_expired:
+            # The following 3 lines are the same as the current PyOpenSSL code for cert.has_expired().
-                if self.has_expired != self.cert.has_expired():
+            # Older version of PyOpenSSL have a buggy implementation,
+            # to avoid issues with those we added the code from a more recent release here.
+
+            time_string = to_native(self.cert.get_notAfter())
+            not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
+            cert_expired = not_after < datetime.datetime.utcnow()
+
+            if self.has_expired != cert_expired:
                 self.message.append(
-                        'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (self.cert.has_expired(), self.has_expired)
+                    'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (cert_expired, self.has_expired)
                 )
 
         def _validate_version():

test/integration/targets/openssl_certificate/tasks/expired.yml

@@ -0,0 +1,39 @@
+---
+- name: Generate privatekey
+  openssl_privatekey:
+    path: '{{ output_dir }}/has_expired_privatekey.pem'
+
+- name: Generate CSR
+  openssl_csr:
+    path: '{{ output_dir }}/has_expired_csr.csr'
+    privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
+    subject:
+      commonName: www.example.com
+
+- name: Generate expired selfsigned certificate
+  openssl_certificate:
+    path: '{{ output_dir }}/has_expired_cert.pem'
+    csr_path: '{{ output_dir }}/has_expired_csr.csr'
+    privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "20181231000000Z"
+
+- name: "Check task fails because cert is expired (has_expired: false)"
+  openssl_certificate:
+    provider: assertonly
+    path: "{{ output_dir }}/has_expired_cert.pem"
+    has_expired: false
+  ignore_errors: true
+  register: expired_cert_check
+
+- name: Ensure previous task failed
+  assert:
+    that: expired_cert_check is failed
+
+- name: "Check expired cert check is ignored (has_expired: true)"
+  openssl_certificate:
+    provider: assertonly
+    path: "{{ output_dir }}/has_expired_cert.pem"
+    has_expired: true
+  register: expired_cert_skip

test/integration/targets/openssl_certificate/tasks/main.yml

@@ -1,5 +1,7 @@
 - block:
 
+    - import_tasks: expired.yml
+
     - import_tasks: selfsigned.yml
 
     - import_tasks: ownca.yml

test/integration/targets/openssl_certificate/tasks/ownca.yml

@@ -116,4 +116,15 @@
     issuer:
       commonName: Example CA
 
+- name: Create ownca certificate with notBefore and notAfter
+  openssl_certificate:
+    provider: ownca
+    ownca_not_before: 20181023133742Z
+    ownca_not_after: 20191023133742Z
+    path: "{{ output_dir }}/ownca_cert3.pem"
+    csr_path: "{{ output_dir }}/csr.csr"
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
+      
 - import_tasks: ../tests/validate_ownca.yml

test/integration/targets/openssl_certificate/tasks/selfsigned.yml

@@ -114,4 +114,24 @@
       - ipsecUser
       - biometricInfo
 
+- name: Create private key 3
+  openssl_privatekey:
+    path: "{{ output_dir }}/privatekey3.pem"
+
+- name: Create CSR 3
+  openssl_csr:
+    subject:
+      CN: www.example.com
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+    path: "{{ output_dir }}/csr3.pem"
+        
+- name: Create certificate3 with notBefore and notAfter
+  openssl_certificate:
+    provider: selfsigned
+    selfsigned_not_before: 20181023133742Z
+    selfsigned_not_after: 20191023133742Z
+    path: "{{ output_dir }}/cert3.pem"
+    csr_path: "{{ output_dir }}/csr3.pem"
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+        
 - import_tasks: ../tests/validate_selfsigned.yml

test/integration/targets/openssl_certificate/tests/validate_ownca.yml

@@ -47,3 +47,21 @@
   assert:
     that:
       - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
+
+- name: Validate owncal certificate3 (test - notBefore)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: ownca_cert3_notBefore
+
+- name: Validate ownca certificate3 (test - notAfter)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: ownca_cert3_notAfter
+
+- name: Validate ownca certificate3 (assert - notBefore)
+  assert:
+    that:
+      - ownca_cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
+
+- name: Validate ownca certificate3 (assert - notAfter)
+  assert:
+    that:
+      - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'

test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml

@@ -50,3 +50,21 @@
   assert:
     that:
       - cert2_modulus.stdout == privatekey2_modulus.stdout
+
+- name: Validate certificate3 (test - notBefore)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: cert3_notBefore
+
+- name: Validate certificate3 (test - notAfter)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: cert3_notAfter
+
+- name: Validate certificate3 (assert - notBefore)
+  assert:
+    that:
+      - cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
+
+- name: Validate certificate3 (assert - notAfter)
+  assert:
+    that:
+      - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'