
Module java_keystore cert_changed doesn't work correctly #57301

Closed
alvarolmedo opened this issue Jun 3, 2019 · 3 comments

@alvarolmedo
Contributor

commented Jun 3, 2019

SUMMARY

java_keystore has a dependency on keytool (provided with Java). The java_keystore module uses keytool for a lot of things. One of these tasks is to get the cert stored in the Java keystore (the fingerprint, exactly).
The java_keystore module has a function to check if a cert has changed (cert_changed) in order to import it into the keystore (or not). The cert_changed function doesn't work correctly because the fingerprint is not always shown in SHA1 to be compared; it depends on the keytool (Java) version. When comparing the SHA1 (openssl) fingerprint with the SHA256 fingerprint, cert_changed returns true. Result: if a new version of keytool is used, every time the module is executed the certificate is imported into the keystore. This function affects the changed state of the module and idempotence.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

Module java_keystore

ANSIBLE VERSION
ansible 2.7.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/aolmedo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/aolmedo/.local/lib/python3.6/site-packages/ansible
  executable location = /home/aolmedo/.local/bin/ansible
  python version = 3.6.7 (default, Oct 22 2018, 11:32:17) [GCC 8.2.0]


--------------------

ansible 2.8.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/aolmedo/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/aolmedo/.local/share/virtualenvs/ansible-role-kafka-E5JKgdsX/local/lib/python2.7/site-packages/ansible
  executable location = /home/aolmedo/.local/share/virtualenvs/ansible-role-kafka-E5JKgdsX/bin/ansible
  python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]


CONFIGURATION
DEFAULT_HASH_BEHAVIOUR(/etc/ansible/ansible.cfg) = merge

OS / ENVIRONMENT
$ java --version
openjdk 11.0.3 2019-04-16
OpenJDK Runtime Environment (build 11.0.3+7-Ubuntu-1ubuntu218.04.1)
OpenJDK 64-Bit Server VM (build 11.0.3+7-Ubuntu-1ubuntu218.04.1, mixed mode, sharing)

STEPS TO REPRODUCE
$ /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/keytool -list -alias test-ssl -keystore keystore.p12 -storepass changeit
test-ssl, 3 jun. 2019, PrivateKeyEntry, 
Huella de certificado (SHA-256): CC:2F:2A:B6:EA:CE:86:66:22:91:84:68:9C:52:DF:6B:AF:B5:48:51:2A:0F:EC:F3:F5:E9:F7:48:3A:CF:F7:36

$ /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/keytool -list -alias test-ssl -keystore keystore.p12 -storepass changeit
test-ssl, 03-jun-2019, PrivateKeyEntry, 
Huella Digital de Certificado (SHA1): 88:5E:0C:8E:00:D1:81:B4:12:2F:FF:28:DC:BD:77:39:8D:A5:F3:91


EXPECTED RESULTS

Keytool shows by default different hash formats of the same key, when you expect the same format (SHA1 exactly).

ACTUAL RESULTS

Keytool shows by default different hash formats of the same key, when you expect the same format (SHA1 exactly).

@alvarolmedo


Contributor Author

commented Jun 3, 2019

If you execute keytool -list with the verbose option you get all hashes and you can match by the SHA1 fingerprint:

>>> import os, re
>>> stored_certificate_fingerprint_out=os.popen('/usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/keytool -list -alias test-ssl -keystore keystore.p12 -storepass changeit -v').read()
>>> print(stored_certificate_fingerprint_out)
Nombre de Alias: test-ssl
Fecha de Creación: 3 jun. 2019
Tipo de Entrada: PrivateKeyEntry
Longitud de la Cadena de Certificado: 1
Certificado[1]:
Propietario: CN=localhost, O=Default Company Ltd, L=Default City, C=ES
Emisor: CN=localhost, O=Default Company Ltd, L=Default City, C=ES
Número de serie: 92e27965545459c6
Válido desde: Sun Jun 02 13:12:07 CEST 2019 hasta: Wed May 30 13:12:07 CEST 2029
Huellas digitales del certificado:
	 SHA1: 88:5E:0C:8E:00:D1:81:B4:12:2F:FF:28:DC:BD:77:39:8D:A5:F3:91
	 SHA256: CC:2F:2A:B6:EA:CE:86:66:22:91:84:68:9C:52:DF:6B:AF:B5:48:51:2A:0F:EC:F3:F5:E9:F7:48:3A:CF:F7:36
Nombre del algoritmo de firma: SHA256withRSA
Algoritmo de clave pública de asunto: Clave RSA de 1024 bits
Versión: 1
>>> stored_certificate_match = re.search(r"SHA1: ([\w:]+)", stored_certificate_fingerprint_out)
>>> print(stored_certificate_match.group(1))
88:5E:0C:8E:00:D1:81:B4:12:2F:FF:28:DC:BD:77:39:8D:A5:F3:91
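
As an added illustration (not code from this issue, from the linked PR, or from the java_keystore module itself), the Python below parses the three keytool -list output shapes quoted in this thread (Java 8 non-verbose with SHA1, Java 11 non-verbose with SHA-256, and -v with both) into a dictionary keyed by algorithm, then compares on an algorithm both sides actually have, preferring SHA256. The sample strings are constructed from the output shown above; the names parse_fingerprints, fingerprints_from_der and cert_changed are the example's own, not the module's API, and the example reads captured output instead of invoking keytool.

```python
import hashlib
import re

# Constructed samples modelled on the keytool output quoted in this issue.
# Java 8 keytool -list prints only a SHA1 fingerprint ...
KEYTOOL_JAVA8_LIST = """test-ssl, 03-jun-2019, PrivateKeyEntry,
Huella Digital de Certificado (SHA1): 88:5E:0C:8E:00:D1:81:B4:12:2F:FF:28:DC:BD:77:39:8D:A5:F3:91
"""

# ... Java 11 keytool -list prints only a SHA-256 fingerprint ...
KEYTOOL_JAVA11_LIST = """test-ssl, 3 jun. 2019, PrivateKeyEntry,
Huella de certificado (SHA-256): CC:2F:2A:B6:EA:CE:86:66:22:91:84:68:9C:52:DF:6B:AF:B5:48:51:2A:0F:EC:F3:F5:E9:F7:48:3A:CF:F7:36
"""

# ... and keytool -list -v prints both (labels are locale dependent, the
# algorithm tokens are not).
KEYTOOL_VERBOSE = """Nombre de Alias: test-ssl
Tipo de Entrada: PrivateKeyEntry
Huellas digitales del certificado:
\t SHA1: 88:5E:0C:8E:00:D1:81:B4:12:2F:FF:28:DC:BD:77:39:8D:A5:F3:91
\t SHA256: CC:2F:2A:B6:EA:CE:86:66:22:91:84:68:9C:52:DF:6B:AF:B5:48:51:2A:0F:EC:F3:F5:E9:F7:48:3A:CF:F7:36
Nombre del algoritmo de firma: SHA256withRSA
"""

# Matches "(SHA1): xx:xx", "(SHA-256): xx:xx" and "SHA256: xx:xx"; the colon
# directly after the algorithm token keeps "SHA256withRSA" from matching.
FINGERPRINT_RE = re.compile(
    r"\(?(SHA-?(?:1|256))\)?:\s*([0-9A-F]{2}(?::[0-9A-F]{2})+)", re.IGNORECASE
)


def parse_fingerprints(keytool_output):
    """Return {"SHA1": "88:5E:...", "SHA256": "CC:2F:..."} for whichever
    fingerprints a keytool -list variant printed, with the algorithm name
    normalised (SHA-256 -> SHA256) and the hex upper-cased."""
    found = {}
    for match in FINGERPRINT_RE.finditer(keytool_output):
        algorithm = match.group(1).upper().replace("-", "")
        found[algorithm] = match.group(2).upper()
    return found


def _colon_hex(digest):
    return ":".join("%02X" % b for b in digest)


def fingerprints_from_der(der_bytes):
    """Compute the fingerprints keytool prints for a certificate: the SHA1 and
    SHA256 digests of its DER encoding, colon-separated and upper-case.  This
    is what the caller would compute for the candidate certificate instead of
    relying on keytool's version-dependent default algorithm."""
    return {
        "SHA1": _colon_hex(hashlib.sha1(der_bytes).digest()),
        "SHA256": _colon_hex(hashlib.sha256(der_bytes).digest()),
    }


def cert_changed(keytool_output, candidate_fingerprints):
    """Decide whether the stored certificate differs from the candidate.

    Compares only on an algorithm present on both sides (SHA256 preferred) and
    returns (changed, algorithm_used).  Comparing a SHA1 string against a
    SHA-256 string, as the original module did, can never be equal, which is
    the always-changed symptom described in this issue; here that situation is
    reported as an error instead of a silent "changed"."""
    stored = parse_fingerprints(keytool_output)
    for algorithm in ("SHA256", "SHA1"):
        if algorithm in stored and algorithm in candidate_fingerprints:
            return stored[algorithm] != candidate_fingerprints[algorithm], algorithm
    raise ValueError(
        "no fingerprint algorithm in common: stored=%s candidate=%s"
        % (sorted(stored), sorted(candidate_fingerprints))
    )


if __name__ == "__main__":
    # Same certificate seen through Java 11 and through -v output: unchanged.
    print(cert_changed(KEYTOOL_JAVA11_LIST, parse_fingerprints(KEYTOOL_VERBOSE)))
    # Java 8 output versus a SHA256-only candidate has nothing to compare on.
    try:
        cert_changed(KEYTOOL_JAVA8_LIST, parse_fingerprints(KEYTOOL_JAVA11_LIST))
    except ValueError as err:
        print("refused:", err)
```

Requesting -v output (as the comment above does) is what makes both algorithms available regardless of the keytool version, so the comparison can settle on SHA256 and only fall back to SHA1 when one side lacks it.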

alvarolmedo added a commit to alvarolmedo/ansible that referenced this issue Jun 3, 2019

@ansibot


Contributor

commented Jun 3, 2019

@alvarolmedo


Contributor Author

commented Jun 3, 2019

The official docs for Java 11 show that the new default format is SHA256:
https://docs.oracle.com/en/java/javase/11/tools/keytool.html

@samdoran samdoran added the has_pr label Jun 4, 2019

@ansibot ansibot removed the needs_triage label Jun 4, 2019

alvarolmedo added a commit to alvarolmedo/ansible that referenced this issue Jun 5, 2019

Solve SHA256 keytool of java11 version issue(ansible#57301)
Unit test modified

command modified to pass unit test

Grep output in command

solve pep8 < than 160 per line

Full path to solve unit test

Not use grep to be more portable

Grep_bin param doesn't exist already

solving unit test

Change revert in unit test

Revert everything

Revert "Revert everything"

This reverts commit 491bef0.

Tests updated

alvarolmedo added a commit to alvarolmedo/ansible that referenced this issue Jun 5, 2019

alvarolmedo added a commit to alvarolmedo/ansible that referenced this issue Jul 9, 2019

SHA256 better than SHA1 and solve SHA256 keytool in java11 version issue(ansible#57301)

SHA256 preferred over SHA1

Changelog fragment added