From a1dcba63b3ae93186e703c57d35c1a190a4fa286 Mon Sep 17 00:00:00 2001
From: Alvaro Olmedo Rodriguez
Date: Mon, 15 Jul 2019 18:44:30 +0200
Subject: [PATCH] java_keystore - Prefer SHA256 and solve SHA256 keytool in java11 version (#57302)

---
 changelogs/fragments/57302-java_keystore_sha256.yaml | 2 ++
 lib/ansible/modules/system/java_keystore.py | 8 ++++----
 test/units/modules/system/test_java_keystore.py | 10 +++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
 create mode 100644 changelogs/fragments/57302-java_keystore_sha256.yaml

diff --git a/changelogs/fragments/57302-java_keystore_sha256.yaml b/changelogs/fragments/57302-java_keystore_sha256.yaml
new file mode 100644
index 00000000000..9a98476f01b
--- /dev/null
+++ b/changelogs/fragments/57302-java_keystore_sha256.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- java_keystore - Use SHA256 to check the fingerprints' certs. The module is compatible with java<=8 (SHA1 by default) and Java>=9 (SHA256 by default) now.
diff --git a/lib/ansible/modules/system/java_keystore.py b/lib/ansible/modules/system/java_keystore.py
index 51b4bd7c602..ffc0f934a66 100644
--- a/lib/ansible/modules/system/java_keystore.py
+++ b/lib/ansible/modules/system/java_keystore.py
@@ -106,7 +106,7 @@ cmd:
 description: Executed command to get action done
 returned: changed and failure
 type: str
- sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha1"
+ sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha256"
 '''
@@ -116,7 +116,7 @@ import re
 def read_certificate_fingerprint(module, openssl_bin, certificate_path):
- current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha1" % (openssl_bin, certificate_path)
+ current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha256" % (openssl_bin, certificate_path)
 (rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd)
 if rc != 0:
 return module.fail_json(msg=current_certificate_fingerprint_out,
@@ -136,7 +136,7 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):
 def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
- stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s'" % (keytool_bin, alias, keystore_path, keystore_password)
+ stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s' -v" % (keytool_bin, alias, keystore_path, keystore_password)
 (rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
 if rc != 0:
 if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
@@ -147,7 +147,7 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
 else:
 return None
 else:
- stored_certificate_match = re.search(r": ([\w:]+)", stored_certificate_fingerprint_out)
+ stored_certificate_match = re.search(r"SHA256: ([\w:]+)", stored_certificate_fingerprint_out)
 if not stored_certificate_match:
 return module.fail_json(
 msg="Unable to find the stored certificate fingerprint in %s" % stored_certificate_fingerprint_out,
diff --git a/test/units/modules/system/test_java_keystore.py b/test/units/modules/system/test_java_keystore.py
index b46973faed8..434be518e3b 100644
--- a/test/units/modules/system/test_java_keystore.py
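Review bot: `certificate_path` is still interpolated into the openssl command unquoted (`-in %s`) while the keytool command in the next hunk single-quotes every argument; if run_commands hands the string to a shell, a certificate path containing a space or a quote breaks the fingerprint read and the task fails before any comparison happens. Quoting the path the same way as the keytool arguments, or passing an argument list if run_commands accepts one, would make the two commands consistent. read_certificate_fingerprint continues outside the hunk, so the parsing of the `-sha256` output could not be checked here.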
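Review bot: The keystore password is embedded in clear in `stored_certificate_fingerprint_cmd`, and the @@ -257 test in test_java_keystore.py shows that exact string is returned as `cmd` in the fail_json result, so a failed keytool call writes the store password into the task output and any log that captures it. The fail_json call lies outside this hunk, but reporting a redacted copy of the command there (the password replaced by a fixed mask), or using keytool's `-storepass:env` form so the secret never appears on the command line, would keep it out of the result. Single-quoting with `'%s'` also breaks for a password that itself contains a single quote, if run_commands goes through a shell. The same exposure is pinned by the `-storepass 'changeit'` assertion in the @@ -257 hunk.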
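Review bot: When the `-v` listing carries no `SHA256:` line the new regex falls through to the existing failure, whose message still says only that the fingerprint was not found; naming the expected digest makes that failure diagnosable: `msg="Unable to find the stored certificate SHA256 fingerprint in %s" % stored_certificate_fingerprint_out,`. The changelog promises Java 8 and older keep working, but whether every supported keytool prints a SHA256 fingerprint under `-v` is not something this diff shows, so a test with a listing that lacks the line would pin that path. re.search also returns the first `SHA256:` match; for a key entry with a certificate chain, `-v` presumably prints one fingerprint block per certificate, so the comparison uses the first one listed — worth a one-line comment on the regex line if that is the intent.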
+++ b/test/units/modules/system/test_java_keystore.py
@@ -168,7 +168,7 @@ class TestCertChanged(ModuleTestCase):
 )
 with patch('os.remove', return_value=True):
- self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: abcd:1234:efgh', '')]
+ self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: abcd:1234:efgh', '')]
 result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
 self.assertFalse(result, 'Fingerprint is identical')
@@ -187,7 +187,7 @@ class TestCertChanged(ModuleTestCase):
 )
 with patch('os.remove', return_value=True):
- self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: wxyz:9876:stuv', '')]
+ self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: wxyz:9876:stuv', '')]
 result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
 self.assertTrue(result, 'Fingerprint mismatch')
@@ -228,10 +228,10 @@ class TestCertChanged(ModuleTestCase):
 module.fail_json = Mock()
 with patch('os.remove', return_value=True):
- self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'foo: wxyz:9876:stuv', '')]
+ self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'SHA256: wxyz:9876:stuv', '')]
 cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
 module.fail_json.assert_called_once_with(
- cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha1",
+ cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha256",
 msg='',
 err='Oops',
 rc=1
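Review bot: The keytool fixtures in the @@ -168 and @@ -187 hunks (`'SHA256: abcd:1234:efgh'`) contain nothing but the line the new regex is meant to select, so they would pass equally with the old `: ([\w:]+)` pattern and do not demonstrate that the SHA256 entry is picked out of a real `-v` listing. A fixture that includes a neighbouring fingerprint line, e.g. `(0, 'SHA1: 1111:2222:3333\nSHA256: abcd:1234:efgh', '')` (constructed values), would catch a regression to first-match behaviour. The keytool fixture in the @@ -228 hunk has the same shape, though that test only exercises the openssl failure path.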
@@ -257,7 +257,7 @@ class TestCertChanged(ModuleTestCase):
 self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
 cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
 module.fail_json.assert_called_with(
- cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit'",
+ cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit' -v",
 msg='',
 err='Oops',
 rc=1