Commit Graph

25 Commits (880bbb99464a41c8c00e474f9a1430b0212b6921)

Author SHA1 Message Date
Felix Fontein fed267df03
openssl_csr and openssl_certificate: fix support for Ed25519 and Ed448 private keys (#63984)
* Move X25519, X448, Ed25519 and Ed448 feature tests to module_utils.

* Correctly sign with Ed25519 and Ed448 keys.

* Fix public key comparison. Ed25519 and Ed448 do not have public_numbers().

* Add tests.

* Add changelog.

* Give better errors for cryptography 2.6.x and 2.7.x.

* Test for new errors.

* Forgot one.

* Used wrong private key.

* Use private key password for CA key. Add more stuff to its certificate.
5 years ago
Felix Fontein fa70690e5c
openssl_certificate/csr(_info): add support for SubjectKeyIdentifier and AuthorityKeyIdentifier (#60741)
* Add support for SubjectKeyIdentifier and AuthorityKeyIdentifier to _info modules.

* Adding SubjectKeyIdentifier and AuthorityKeyIdentifier support to openssl_certificate and openssl_csr.

* Fix type of authority_cert_issuer.

* Add basic tests.

* Add changelog.

* Added proper tests for _info modules.

* Fix docs bug.

* Make sure new features are only used when cryptography backend for openssl_csr is available.

* Work around jinja2 being too old on some CI hosts.

* Add tests for openssl_csr.

* Add openssl_certificate tests.

* Fix idempotence test.

* Move one level up.

* Add ownca_create_authority_key_identifier option.

* Add ownca_create_authority_key_identifier option.

* Add idempotency check.

* Apparently the function call expected different args for cryptography < 2.7.

* Fix copy'n'paste errors and typos.

* string -> general name.

* Add disclaimer.

* Implement always_create / create_if_not_provided / never_create for openssl_certificate.

* Update changelog and porting guide.

* Add comments for defaults.
5 years ago
Felix Fontein 0d88ec241f
openssl_certificate: fix idempotency (#60745)
* Fix openssl_certificate idempotency.

* Add changelog.

* Add integration test.
5 years ago
Felix Fontein 75ca8eb42f
openssl_certificate: fix failing SAN comparisons (#58256)
* Fix failing SAN comparison for older cryptography versions due to not implemented __hashh__ functions.

* Fix SAN comparison: IPv6 addresses need to be normalized before comparing strings.

* Add changelog.

* Fix comment.
5 years ago
Felix Fontein 7a957ba64a openssl_certificate: fix passphrase handling for cryptography backend (#56155)
* Make sure passphrase is bytes string.

* Fix typo.

* Add more passphrase tests.

* Fix test names.

* Add changelog.
6 years ago
Felix Fontein 188903448a openssl_*: add backup option (#54294) 6 years ago
Felix Fontein 90c067e947 openssl_* modules: private key errors (#54088)
* Improve error handling, in particular with respect to private key loading problems.

* Add tests to validate that modules regenerate invalid input and don't crash.

* Don't crash when input is invalid.

* Create 'better' broken input.

* Fix paths.

* Simplifying pyOpenSSL error handling.
6 years ago
Felix Fontein 5bb5c9d295 openssl_certificate: update for #54298 (state=absent fix) (#54353)
* Update for #54298: Certificate is abstract, so instantiating doesn't work.

* Add test for removal.
6 years ago
Andrea Tartaglia 36a790dcde New cryptography backend for openssl_certificate (#53924)
* New cryptography backend for openssl_certificate

load_* functions in module_utils/crypto.py now have a backend paramter
which when set to 'cryptography' will return cryptography objects so
they can be used for both pyopenssl and cryptography backends.
Added a select_message_digest function too returning a cryptography
digest hash from `cryptography.hazmat.primitives.hashes`
Added new classes for Cryptography backend

* Run test with various backends.

* Prefixing tests.

* Make sure we have the correct backend available.

* Linting (flake8).

* Moved cryptography import to separate try/except

* Make sure certificate is actually valid at some time in the past.

* Improve error handling.

* Trying to fix validation for cryptography backend.

* Fixed issue with keyUsage test in assertonly

* Fixed CI/Lint issues

* Fix private key problem for OwnCA.

* Cryptography backend doesn't support v2 certs.

* issue an expired cert with command when using cryptography backend

* Added warning when backend is auto and v2 cert is requested

* Bumped min cryptography version to  1.6

* Correctly check for failure when backend is cryptography and cert is v2

* Use self.backend where possible

* Use secp521r1 EC when testing on CentOS6

* Fixed pylint issue

* AcmeCertificate support for both backends

* Review fixes

* Fixed missing '(' when raising error

* Fixed date_fmt loop

* Updated docs and requirements with cryptography

* Add openssl_certificate to changelog.
6 years ago
Felix Fontein caf7fd2245 openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489)
* Raise OpenSSLBadPassphraseError if passphrase is wrong.

* Improve handling of passphrase errors.

Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail.
Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate.

* Add changelog.

* Add tests.

* Adjustments for some versions of PyOpenSSL.

* Update lib/ansible/modules/crypto/openssl_certificate.py

Improve text.

Co-Authored-By: felixfontein <felix@fontein.de>
6 years ago
Felix Fontein 6249bb8ea4 openssl_certificate: make sure extensions are present when they are queried by assertonly (#53207)
* Make sure extensions are present when they are queried by assertonly provider.

* Add changelog.
6 years ago
Andrea Tartaglia d5d92e4a70 openssl_certificate, fixed has_expired to check the cert expiration date (#53168) 6 years ago
MarkusTeufelberger c1bc556b0a Relative time support for crypto modules (openssl_certificate) (#50570)
* Move relative time handling to module_utils and rewrite it

* Fix cases with no seconds defined

* fix a small typo along the way

* add relative time handling to the ownca provider in openssl_certificate

* add initial integration test for relative time ownca

* quote the documentation to produce valid yaml

* move timespec conversion and validation to the init function

* fix small edge case in conversion function

* add relative timestamp handling to the selfsigned provider

* add get_relative_time_option

* add relative timestamp handling to valid_in

* pep8 fix indentation

* add quotes in error message

* add changelog fragment

* Update changelogs/fragments/50570-relative_time_crypto.yaml

Co-Authored-By: MarkusTeufelberger <mteufelberger@mgit.at>
6 years ago
Felix Fontein 345011e024 openssl_csr cryptography backend, try II (#50894)
* Revert "Revert "openssl_csr: Allow to use cryptography as backend (#50324)""

This reverts commit bbd2e31e9f.

* Remove more complicated selection copy'n'pasted from openssl_privatekey.

* Add tests for backend selection.

* Add openssl_csr test for arbitrary string commonName.

* Allow to disable commonName -> SAN copying (fixes #36690).
6 years ago
Felix Fontein e1218ca10f Elliptic curve tests for crypto modules (#50109)
* Add openssl_csr ECC test.

* Add openssl_publickey ECC test.

* Add openssl_certificate ECC test.
6 years ago
s3lph 5b1c68579d Type error in openssl_certificate (#47508)
* Fixed #47505: Type error in openssl_certificate
* Use to_bytes instead of str.encode in SelfSignedCertificate. Updates #47508
* Use to_bytes instead of str.encode in OwnCACertificate
* Added integration tests for openssl_certificate: selfsigned_not_before/after and ownca_not_before/after
6 years ago
Jordan Borean 9ba33f6ac1
test: openssl 1.1.x compatibility (#47112) 6 years ago
Loïc b61b113fb9 new provider: ownca (#35840) 7 years ago
Yanis Guenane 99497ce54c openssl_certificate: Handle dump() in check_mode (#38386)
Currently, when ones run the module in check_mode it tries to retrieve
values from the actual certificate generated in the generate() function.

Since in check_mode we call dump() without calling generate(), self.cert
is None, leading to self.cert.get_notBefore(), self.cert.get_notAfter()
and self.cert.get_serial_number() raising an error.

>  NoneType' object has no attribute 'get_notBefore'

The solution is to have two way to handle dump() method, whether its run
in check_mode=True or check_mode=False leading to different way the
information is retrieved.
7 years ago
Yanis Guenane a724b8e722 openssl_certificate: Return self.cert.get_VALUES() (#33970)
Currently when we make up the return value, we take values based of the
parameters rather than the generated openssl_certificate itself.

This commits returns the actual certificate values making it all time
accurate.
7 years ago
MarkusTeufelberger 9ea1b18ff7 Allow multiple values per key in name fields in openssl_certificate/csr (#30338)
* allow multiple values per key in name fields in openssl_certificate

* check correct side of comparison

* trigger only on lists

* add subject parameter to openssl_csr

* fix key: value mapping not skipping None elements

* temporary fix for undefined "subject" field

* fix iteration over subject entries

* fix docs

* quote sample string

* allow csr with only subject defined

* fix integration test

* look up NIDs before comparing, add hidden _strict params

* deal with empty issuer/subject fields

* adapt integration tests

* also normalize output from pyopenssl

* fix issue with _sanitize_inputs

* don't convert empty lists

* workaround for pyopenssl limitations

* properly encode the input to the txt2nid function

* another to_bytes fix

* make subject, commonname and subjecAltName completely optional

* don't compare hashes of keys in openssl_csr integration tests

* add integration test for old API in openssl_csr

* compare keys directly in certificate and publickey integration tests

* fix typo
7 years ago
Matt Martz 4fe08441be Deprecate tests used as filters (#32361)
* Warn on tests used as filters

* Update docs, add aliases for tests that fit more gramatically with test syntax

* Fix rst formatting

* Add successful filter, alias of success

* Remove renamed_deprecation, it was overkill

* Make directory alias for is_dir

* Update tests to use proper jinja test syntax

* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax

* Add conversion script, porting guide updates, and changelog updates

* Update newly added uses of tests as filters

* No underscore variable

* Convert recent tests as filter changes to win_stat

* Fix some changes related to rebasing a few integration tests

* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name

* Add test for tests_as_filters_warning

* Update tests as filters in newly added/modified tests

* Address recent changes to several integration tests

* Address recent changes in cs_vpc
7 years ago
Yanis Guenane 0648e339a7 openssl: remove static dict for keyUsage (#30339)
keyUsage and extendedKeyUsage are currently statically limited via a
static dict defined in modules_utils/crypto.py. If one specify a value
that isn't in there, idempotency won't work.

Instead of having static dict, we uses keyUsage and extendedKyeUsage
values OpenSSL NID and compare those rather than comparing strings.

Fixes: https://github.com/ansible/ansible/issues/30316
7 years ago
Yanis Guenane 3e4a306a42 openssl_certificate: Correctly set the version (#30314)
Current openssl_certificate is mistakenly taking its derivating its
version number from the csr version number.

Thos two fields are completly unrelated and hence the version number of
the certificate should be able to be directly specified (via
selfsigned_version parameter).
7 years ago
MarkusTeufelberger 2186b04934 Add simple integration test for openssl_certificate (#29038)
* openssl_certificate: Fix parameter assertion in Python3

Parameter assertion in Python3 is broken. pyOpenSSL get_X() functions
returns b'' type string and tries to compare it with '' string, leading
to failure.

The error mentionned above has been fixed by sanitizing the inputs from
a user to the assert only backend.

Also, this error was hidden by the fact that the improper check method
was called in the generate() functions.

* Add simple integration test for openssl_certificate

* remove subject == issuer assertion

* run integration tests only on supported hosts

* change min supported version to 0.15.x

* Add test for more CSR fields

* also convert dict members to bytes

* fix version_compare

* openssl_{csr, certificate}: Fail if pyOpenSSL <= 0.15

Previous 0.13 pyOpenSSL was a C-binding, and required the parameter
passed to add_extention to be in ASN.1. This has changed with the move
to 0.14 and it is now all pythong and string based.

Previous the 0.15 release, the `get_extensions()` method didn't exist,
since the modules rely heavily on it we ensure pyOpenSSL version is at
last 0.15.0.

* check pyopenssl version in openssl_csr integration test
7 years ago