Allow to select openssl_privatekey format #59253
Files identified in the description: If these files are inaccurate, please update the
That would mean there would be four values, the fourth being
Since I wondered what
Not every key type will support every format. Also, I'm not sure what the PyOpenSSL backend will be able to do with this.
I'd anyways propose to deprecate pyOpenSSL support starting with 2.9 (will have to be in there for a while longer), since Debian Jessie is EOL now. Ubuntu Xenial might keep us back on pyOpenSSL though. :-(
Yes, I wanted to propose that as well. We will still need it for some modules which have no other backend (or no corresponding code in cryptography they can use, like openssl_pkcs12), but for modules which have good cryptography support, let's really get rid of it!
(On pyOpenSSL deprecation: I've created a PR for that in #59907)
If you want this feature in Ansible 2.9, there's some help needed: #60388 (comment)
Ok, the formal spec of PKCS#8 textual representation can be found here: https://tools.ietf.org/html/rfc7468#page-12 For PKCS#1 there is no formal reference, but openssl convention is
Hmm, so we only know when a key is definitely not PKCS#8. But if it starts with
Actually, this is how openssl does this job (by parsing PEM file header):
It would also be nice to have support for JSON Web Keys, and being able to convert between different key formats (i.e. if everything fits but the key format, don't regenerate, but convert).
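The format detection discussed in the comments above, as an added Python example (not code from this thread, from Ansible or from OpenSSL): it maps the PEM label to a format and cross-checks that against the ASN.1 layout of the body, so a key whose label and content disagree is noticed before deciding whether to convert or regenerate. The function names, the `to_pem` helper and the constructed DER skeletons are assumptions made for illustration.

```python
import base64
import re

# RFC 7468 labels for PKCS#8, plus OpenSSL's traditional label for PKCS#1.
LABELS = {"PRIVATE KEY": "pkcs8", "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
          "RSA PRIVATE KEY": "pkcs1"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)-----END \1-----", re.S)

def _tlv(der, pos):
    """Return (tag, content offset, content length) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                   # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                   # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def der_format(der):
    """Classify a private key by its ASN.1 layout, ignoring the PEM label."""
    try:
        tag, body, _ = _tlv(der, 0)
        first_tag, off, length = _tlv(der, body)
        if tag == 0x30 and first_tag == 0x30:  # EncryptedPrivateKeyInfo
            return "pkcs8-encrypted"
        second_tag = _tlv(der, off + length)[0]
    except IndexError:                 # truncated or empty input
        return "unknown"
    if tag != 0x30 or first_tag != 0x02:
        return "unknown"
    # After the version INTEGER: SEQUENCE = PKCS#8 AlgorithmIdentifier,
    # INTEGER = modulus of a PKCS#1 RSAPrivateKey (traditional DSA keys look alike here).
    return {0x30: "pkcs8", 0x02: "pkcs1"}.get(second_tag, "unknown")

def identify(pem_text):
    """Return (format claimed by the label, format found in the body)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    claimed = LABELS.get(m.group(1), "other")
    if "Proc-Type:" in m.group(2):     # legacy OpenSSL PEM encryption: ciphertext body
        return claimed, "encrypted"
    der = base64.b64decode("".join(m.group(2).split()))
    return claimed, der_format(der)

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed DER skeletons (right layout, not usable keys).
PKCS1_DER = bytes.fromhex("3006020100020101")
PKCS8_DER = bytes.fromhex("3015020100300d06092a864886f70d0101010500040100")
```

When the two returned values disagree, for example `("pkcs1", "pkcs8")`, the label cannot be trusted on its own and the file is better reported as inconsistent than silently rewritten.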
SUMMARY
Allow to specify a new "format" parameter in "openssl_privatekey". Today the output format is decided by a very simple heuristic which requires further commands to work properly.
I need, for example, to generate an RSA private key but in PKCS8 format. The current heuristic uses OpenSSH format for RSA keys and only uses PKCS8 for Ed25519 and similar. This makes me use a "command" with "openssl" to convert the generated key, which leads to idempotency problems and unnecessary complexity.
ISSUE TYPE
COMPONENT NAME
openssl_privatekey
ADDITIONAL INFORMATION
The current heuristic should be kept unless overwritten by user.
The values allowed are pkcs1, raw and pkcs8.