diff --git a/changelogs/fragments/54192-openssl_publickey-openssh-passphrase.yml b/changelogs/fragments/54192-openssl_publickey-openssh-passphrase.yml new file mode 100644 index 00000000000..e60bb9c8f3b --- /dev/null +++ b/changelogs/fragments/54192-openssl_publickey-openssh-passphrase.yml @@ -0,0 +1,2 @@ +bugfixes: +- "openssl_publickey - fixed crash on Python 3 when OpenSSH private keys were used with passphrases." diff --git a/lib/ansible/modules/crypto/openssl_publickey.py b/lib/ansible/modules/crypto/openssl_publickey.py index 6ff923ffc96..c202fe9a047 100644 --- a/lib/ansible/modules/crypto/openssl_publickey.py +++ b/lib/ansible/modules/crypto/openssl_publickey.py @@ -123,7 +123,6 @@ fingerprint: sha512: "fd:ed:5e:39:48:5f:9f:fe:7f:25:06:3f:79:08:cd:ee:a5:e7:b3:3d:13:82:87:1f:84:e1:f5:c7:28:77:53:94:86:56:38:69:f0:d9:35:22:01:1e:a6:60:...:0f:9b" ''' -import hashlib import os try: @@ -136,7 +135,7 @@ else: pyopenssl_found = True from ansible.module_utils import crypto as crypto_utils -from ansible.module_utils._text import to_native +from ansible.module_utils._text import to_native, to_bytes from ansible.module_utils.basic import AnsibleModule @@ -170,10 +169,13 @@ class PublicKey(crypto_utils.OpenSSLObject): if not self.check(module, perms_required=False) or self.force: try: if self.format == 'OpenSSH': - privatekey_content = open(self.privatekey_path, 'rb').read() - key = crypto_serialization.load_pem_private_key(privatekey_content, - password=self.privatekey_passphrase, - backend=default_backend()) + with open(self.privatekey_path, 'rb') as private_key_fh: + privatekey_content = private_key_fh.read() + key = crypto_serialization.load_pem_private_key( + privatekey_content, + password=None if self.privatekey_passphrase is None else to_bytes(self.privatekey_passphrase), + backend=default_backend() + ) publickey_content = key.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH