Add openssl_certificate_info module #54709
Conversation
I'd still offer the validation parameters in here eventually,
BTW, I'm not really sure about the validation parameters; they feel wrong in an
"A slightly complex A bigger question in case of a difference is if the module result should be failed (probably not, got vetoed in the core meeting), changed (similar to running modules in check_mode?) or OK (but it was different and that's NOT ok?).
Instead of passing the subject into the

```yaml
- name: Check certificate subject
  assert:
    that:
      - result.subject == expected_subject
  vars:
    expected_subject:
      commonName: www.ansible.com
      country: us
```

About the return value: But for most conditions of current (I added the
#29951 would likely also need a special option here, right? As well as checking if a given private key fits to a certain certificate.
If we decide that this module should be able to do that, yes. But that won't happen before stable-2.8 is branched.
That would already be possible if there is a corresponding
```yaml
    point_1: "+1d"
    point_2: "+3w"
  register: result
- assert:
```
Maybe add an empty line above this one and give it a name, it seems like the `assert` task is just a parameter of the `openssl_certificate_info` one.
I've extended the examples a bit. Can you check again?
(you might want to change/fix the title of this PR by the way) I mostly went through the docs, not deeply into the code so far. Great work as always, I'm starting to warm up more and more to the idea of rewriting my role(s) to use a second
Thanks! Fixed it (also in the description). I also noticed I forgot to check in the tests... I hope they pass as they do on my machine ;-)
I'm currently aiming at 2.8. I'm not sure whether I want to add the deprecation notice for
(Also, core freeze finally happened and feature freeze will be on April 11th, so there isn't that much time left :) )
Yeah, that's why I was asking. ;-)
Probably needs a changelog entry?
New modules don't need one, changelog entries are autogenerated for new modules. (source)
```yaml
  debug:
    var: cryptography_info_results
- name: Compare results
  assert:
```
shouldn't that fail CSR/Cert number 2 later, since it was issued for the private key with a password?
The private key isn't used/needed for retrieving information on certificates.
(What's interesting though is that creating the self-signed certificate works with the wrong key... But that's unrelated to this PR...)
So this would only be discovered if there's also an `openssl_privatekey_info` task and then the public keys of the subject, issuer and private key need to match up?
Passphrases are only discovered when private keys protected with passphrases are loaded, it doesn't matter by whom.
Does the cert actually contain the public key of the issuer? I thought there's only the signature, which can be validated given the public key of the issuer (which has to be taken from the issuer's cert, or from another source).
https://www.alvestrand.no/objectid/2.5.29.35.html exists, but that's not set in many cases. We'd need #29951 for that.
There's also a feature request for that: #50782
But that doesn't store the public key, only some kind of hash, so you still need to get the public key from somewhere else :)
Urgh, sometimes x509 really feels like they want to make it as hard as possible to verify/validate information... :-/
So in this case (selfsigned) only Issuer == Subject can be checked currently and the matching public key check once the `openssl_privatekey_info` module is here...
The aim is also to make the cert small, so you can't insert everything ;) If the objectID extension is there, you can also check if the cert's public key matches it.
Anyway, it might make sense to have another module which does some more validation, or have some more parameters to allow more complex information retrieval. But I wouldn't do that for 2.8, since we have to look at it in some more detail to find a really good solution ;)
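The checks discussed above (subject, Issuer == Subject for a self-signed cert, validity at given points in time), put together as one `register`/`assert` pair. This is an added example, not code from the PR; it assumes the module's `path` and `valid_at` parameters and the `subject`, `issuer`, `expired` and `valid_at` return values, and the `expected_subject` key names follow the sketch in the thread and should be checked against the module documentation. The certificate path is a placeholder.

```yaml
# Added example (not part of the PR): validate a self-signed certificate
# with openssl_certificate_info plus plain register/assert.
# Assumed: `path` and `valid_at` parameters; `subject`, `issuer`,
# `expired` and `valid_at` return values. Path is a placeholder.
- hosts: localhost
  gather_facts: false
  vars:
    cert_path: /etc/pki/tls/certs/www.ansible.com.crt   # placeholder
    expected_subject:
      commonName: www.ansible.com
      country: us
  tasks:
    - name: Gather information about the certificate
      openssl_certificate_info:
        path: "{{ cert_path }}"
        valid_at:
          point_1: "+1d"
          point_2: "+3w"
      register: result

    - name: Check subject, self-signed issuer and validity window
      assert:
        that:
          - result.subject == expected_subject
          # A self-signed cert names itself as issuer; without the
          # issuer's public key this is the only issuer check possible.
          - result.issuer == result.subject
          - not result.expired
          # Must still be valid tomorrow and in three weeks.
          - result.valid_at.point_1
          - result.valid_at.point_2
        fail_msg: "Certificate at {{ cert_path }} does not match expectations"
```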
One feature that's now missing a bit (but not really critical, since it is likely that this module will be used in tandem with
Not much more from my side on this, having an info module that exposes everything in a cert seems generally useful. shipit
One could argue that people should use the
(
@MarkusTeufelberger you're right! Also, thanks for reviewing!
SUMMARY
Adds a new module `openssl_certificate_info`. Useful for doing most checks from #54635 / `openssl_certificate`'s `assertonly` provider directly within Ansible with `register`/`assert`.
ISSUE TYPE
COMPONENT NAME
openssl_certificate_info