---
- name: Generate privatekey
  openssl_privatekey:
    path: '{{ output_dir }}/privatekey.pem'

- name: Generate privatekey with password
  openssl_privatekey:
    path: '{{ output_dir }}/privatekeypw.pem'
    passphrase: hunter2
    cipher: auto
    select_crypto_backend: cryptography

- name: Generate CSR (no extensions)
  openssl_csr:
    path: '{{ output_dir }}/csr_noext.csr'
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    subject:
      commonName: www.example.com
    useCommonNameForSAN: no

- name: Generate selfsigned certificate (no extensions)
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    csr_path: '{{ output_dir }}/csr_noext.csr'
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    provider: selfsigned
    selfsigned_digest: sha256

- name: Assert that subject_alt_name is there (should fail)
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    provider: assertonly
    subject_alt_name:
      - "DNS:example.com"
  ignore_errors: yes
  register: extension_missing_san

- name: Assert that key_usage is there (should fail)
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    provider: assertonly
    key_usage:
      - digitalSignature
  ignore_errors: yes
  register: extension_missing_ku

- name: Assert that extended_key_usage is there (should fail)
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    provider: assertonly
    extended_key_usage:
      - biometricInfo
  ignore_errors: yes
  register: extension_missing_eku

- assert:
    that:
      - extension_missing_san is failed
      - "'Found no subjectAltName extension' in extension_missing_san.msg"
      - extension_missing_ku is failed
      - "'Found no keyUsage extension' in extension_missing_ku.msg"
      - extension_missing_eku is failed
      - "'Found no extendedKeyUsage extension' in extension_missing_eku.msg"

- name: Check private key passphrase fail 1
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    privatekey_passphrase: hunter2
    provider: assertonly
  ignore_errors: yes
  register: passphrase_error_1

- name: Check private key passphrase fail 2
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
    privatekey_passphrase: wrong_password
    provider: assertonly
  ignore_errors: yes
  register: passphrase_error_2

- name: Check private key passphrase fail 3
  openssl_certificate:
    path: '{{ output_dir }}/cert_noext.pem'
    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
    provider: assertonly
  ignore_errors: yes
  register: passphrase_error_3

- name:
  assert:
    that:
      - passphrase_error_1 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
      - passphrase_error_2 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
      - passphrase_error_3 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"