Commit Graph

5 Commits (54906a68fe9a6c7369ccc018e49f8a9c4a248484)

Author SHA1 Message Date
Felix Fontein 75ca8eb42f
openssl_certificate: fix failing SAN comparisons (#58256)
* Fix failing SAN comparison for older cryptography versions due to not implemented __hashh__ functions.

* Fix SAN comparison: IPv6 addresses need to be normalized before comparing strings.

* Add changelog.

* Fix comment.
6 years ago
Felix Fontein 90c067e947 openssl_* modules: private key errors (#54088)
* Improve error handling, in particular with respect to private key loading problems.

* Add tests to validate that modules regenerate invalid input and don't crash.

* Don't crash when input is invalid.

* Create 'better' broken input.

* Fix paths.

* Simplifying pyOpenSSL error handling.
6 years ago
Andrea Tartaglia 36a790dcde New cryptography backend for openssl_certificate (#53924)
* New cryptography backend for openssl_certificate

load_* functions in module_utils/crypto.py now have a backend paramter
which when set to 'cryptography' will return cryptography objects so
they can be used for both pyopenssl and cryptography backends.
Added a select_message_digest function too returning a cryptography
digest hash from `cryptography.hazmat.primitives.hashes`
Added new classes for Cryptography backend

* Run test with various backends.

* Prefixing tests.

* Make sure we have the correct backend available.

* Linting (flake8).

* Moved cryptography import to separate try/except

* Make sure certificate is actually valid at some time in the past.

* Improve error handling.

* Trying to fix validation for cryptography backend.

* Fixed issue with keyUsage test in assertonly

* Fixed CI/Lint issues

* Fix private key problem for OwnCA.

* Cryptography backend doesn't support v2 certs.

* issue an expired cert with command when using cryptography backend

* Added warning when backend is auto and v2 cert is requested

* Bumped min cryptography version to  1.6

* Correctly check for failure when backend is cryptography and cert is v2

* Use self.backend where possible

* Use secp521r1 EC when testing on CentOS6

* Fixed pylint issue

* AcmeCertificate support for both backends

* Review fixes

* Fixed missing '(' when raising error

* Fixed date_fmt loop

* Updated docs and requirements with cryptography

* Add openssl_certificate to changelog.
6 years ago
Felix Fontein caf7fd2245 openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489)
* Raise OpenSSLBadPassphraseError if passphrase is wrong.

* Improve handling of passphrase errors.

Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail.
Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate.

* Add changelog.

* Add tests.

* Adjustments for some versions of PyOpenSSL.

* Update lib/ansible/modules/crypto/openssl_certificate.py

Improve text.

Co-Authored-By: felixfontein <felix@fontein.de>
6 years ago
Felix Fontein 6249bb8ea4 openssl_certificate: make sure extensions are present when they are queried by assertonly (#53207)
* Make sure extensions are present when they are queried by assertonly provider.

* Add changelog.
6 years ago