Add openssl_privatekey_info module

lib/ansible/module_utils/crypto.py

@@ -95,20 +95,34 @@ def get_fingerprint(path, passphrase=None):
     privatekey = load_privatekey(path, passphrase, check_passphrase=False)
     try:
         publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
-        return get_fingerprint_of_bytes(publickey)
     except AttributeError:
         # If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
-        # By doing this we prevent the code from raising an error
-        # yet we return no value in the fingerprint hash.
-        return None
+        try:
+            bio = crypto._new_mem_buf()
+            rc = crypto._lib.i2d_PUBKEY_bio(bio, privatekey._pkey)
+            if rc != 1:
+                crypto._raise_current_error()
+            publickey = crypto._bio_to_string(bio)
+        except AttributeError:
+            # By doing this we prevent the code from raising an error
+            # yet we return no value in the fingerprint hash.
+            return None
+    return get_fingerprint_of_bytes(publickey)
 
 
-def load_privatekey(path, passphrase=None, check_passphrase=True, backend='pyopenssl'):
-    """Load the specified OpenSSL private key."""
+def load_privatekey(path, passphrase=None, check_passphrase=True, content=None, backend='pyopenssl'):
+    """Load the specified OpenSSL private key.
+
+    The content can also be specified via content; in that case,
+    this function will not load the key from disk.
+    """
 
     try:
-        with open(path, 'rb') as b_priv_key_fh:
-            priv_key_detail = b_priv_key_fh.read()
+        if content is None:
+            with open(path, 'rb') as b_priv_key_fh:
+                priv_key_detail = b_priv_key_fh.read()
+        else:
+            priv_key_detail = content
 
         if backend == 'pyopenssl':
 
@@ -773,3 +787,43 @@ def cryptography_get_basic_constraints(constraints):
             else:
                 raise OpenSSLObjectError('Unknown basic constraint "{0}"'.format(constraint))
     return ca, path_length
+
+
+def binary_exp_mod(f, e, m):
+    '''Computes f^e mod m in O(log e) multiplications modulo m.'''
+    # Compute len_e = floor(log_2(e))
+    len_e = -1
+    x = e
+    while x > 0:
+        x >>= 1
+        len_e += 1
+    # Compute f**e mod m
+    result = 1
+    for k in range(len_e, -1, -1):
+        result = (result * result) % m
+        if ((e >> k) & 1) != 0:
+            result = (result * f) % m
+    return result
+
+
+def simple_gcd(a, b):
+    '''Compute GCD of its two inputs.'''
+    while b != 0:
+        a, b = b, a % b
+    return a
+
+
+def quick_is_not_prime(n):
+    '''Does some quick checks to see if we can poke a hole into the primality of n.
+
+    A result of `False` does **not** mean that the number is prime; it just means
+    that we couldn't detect quickly whether it is not prime.
+    '''
+    if n <= 2:
+        return True
+    # The constant in the next line is the product of all primes < 200
+    if simple_gcd(n, 7799922041683461553249199106329813876687996789903550945093032474868511536164700810) > 1:
+        return True
+    # TODO: maybe do some iterations of Miller-Rabin to increase confidence
+    # (https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test)
+    return False

lib/ansible/modules/crypto/openssl_certificate.py

@@ -1777,7 +1777,7 @@ def main():
 
                 # Fail if no backend has been found
                 if backend == 'auto':
-                    module.fail_json(msg=("Can't detect none of the required Python libraries "
+                    module.fail_json(msg=("Can't detect any of the required Python libraries "
                                           "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
                                               MINIMAL_CRYPTOGRAPHY_VERSION,
                                               MINIMAL_PYOPENSSL_VERSION))

lib/ansible/modules/crypto/openssl_certificate_info.py

@@ -637,8 +637,19 @@ def _get_public_key(self, binary):
                 self.cert.get_pubkey()
             )
         except AttributeError:
-            self.module.warn('Your pyOpenSSL version does not support dumping public keys. '
-                             'Please upgrade to version 16.0 or newer, or use the cryptography backend.')
+            try:
+                # pyOpenSSL < 16.0:
+                bio = crypto._new_mem_buf()
+                if binary:
+                    rc = crypto._lib.i2d_PUBKEY_bio(bio, self.cert.get_pubkey()._pkey)
+                else:
+                    rc = crypto._lib.PEM_write_bio_PUBKEY(bio, self.cert.get_pubkey()._pkey)
+                if rc != 1:
+                    crypto._raise_current_error()
+                return crypto._bio_to_string(bio)
+            except AttributeError:
+                self.module.warn('Your pyOpenSSL version does not support dumping public keys. '
+                                 'Please upgrade to version 16.0 or newer, or use the cryptography backend.')
 
     def _get_serial_number(self):
         return self.cert.get_serial_number()

lib/ansible/modules/crypto/openssl_csr.py

@@ -881,8 +881,8 @@ def main():
 
         # Success?
         if backend == 'auto':
-            module.fail_json(msg=('Can detect none of the Python libraries '
-                                  'cryptography (>= {0}) and pyOpenSSL (>= {1})').format(
+            module.fail_json(msg=("Can't detect any of the required Python libraries "
+                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
                                       MINIMAL_CRYPTOGRAPHY_VERSION,
                                       MINIMAL_PYOPENSSL_VERSION))
     try:

lib/ansible/modules/crypto/openssl_privatekey.py

@@ -56,7 +56,7 @@
             - Depending on the curve, you need a newer version of the cryptography backend.
         type: str
         default: RSA
-        #choices: [ DSA, ECC, RSA, X448, X25519 ]
+        #choices: [ DSA, ECC, RSA, X448, X25519, Ed448, Ed25519 ]
         choices: [ DSA, ECC, RSA ]
     curve:
         description:
@@ -246,6 +246,16 @@
         CRYPTOGRAPHY_HAS_X448 = True
     except ImportError:
         CRYPTOGRAPHY_HAS_X448 = False
+    try:
+        import cryptography.hazmat.primitives.asymmetric.ed25519
+        CRYPTOGRAPHY_HAS_ED25519 = True
+    except ImportError:
+        CRYPTOGRAPHY_HAS_ED25519 = False
+    try:
+        import cryptography.hazmat.primitives.asymmetric.ed448
+        CRYPTOGRAPHY_HAS_ED448 = True
+    except ImportError:
+        CRYPTOGRAPHY_HAS_ED448 = False
 
 from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils._text import to_native, to_bytes
@@ -459,6 +469,10 @@ def __init__(self, module):
             self.module.fail_json(msg='Your cryptography version does not support X25519')
         if not CRYPTOGRAPHY_HAS_X448 and self.type == 'X448':
             self.module.fail_json(msg='Your cryptography version does not support X448')
+        if not CRYPTOGRAPHY_HAS_ED25519 and self.type == 'Ed25519':
+            self.module.fail_json(msg='Your cryptography version does not support Ed25519')
+        if not CRYPTOGRAPHY_HAS_ED448 and self.type == 'Ed448':
+            self.module.fail_json(msg='Your cryptography version does not support Ed448')
 
     def _generate_private_key_data(self):
         try:
@@ -477,6 +491,10 @@ def _generate_private_key_data(self):
                 self.privatekey = cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.generate()
             if CRYPTOGRAPHY_HAS_X448 and self.type == 'X448':
                 self.privatekey = cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.generate()
+            if CRYPTOGRAPHY_HAS_ED25519 and self.type == 'Ed25519':
+                self.privatekey = cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.generate()
+            if CRYPTOGRAPHY_HAS_ED448 and self.type == 'Ed448':
+                self.privatekey = cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey.generate()
             if self.type == 'ECC' and self.curve in self.curves:
                 if self.curves[self.curve]['deprecated']:
                     self.module.warn('Elliptic curves of type {0} should not be used for new keys!'.format(self.curve))
@@ -573,9 +591,9 @@ def main():
             size=dict(type='int', default=4096),
             type=dict(type='str', default='RSA', choices=[
                 'RSA', 'DSA', 'ECC',
-                # x25519 is missing serialization functions: https://github.com/pyca/cryptography/issues/4386
-                # x448 is also missing it: https://github.com/pyca/cryptography/pull/4580#issuecomment-437913340
-                # 'X448', 'X25519',
+                # FIXME: NO LONGER TRUE: x25519 is missing serialization functions: https://github.com/pyca/cryptography/issues/4386
+                # FIXME: NO LONGER TRUE: x448 is also missing it: https://github.com/pyca/cryptography/pull/4580#issuecomment-437913340
+                # 'X448', 'X25519', 'Ed448', 'Ed25519'
             ]),
             curve=dict(type='str', choices=[
                 'secp384r1', 'secp521r1', 'secp224r1', 'secp192r1', 'secp256k1',
@@ -629,8 +647,8 @@ def main():
 
         # Success?
         if backend == 'auto':
-            module.fail_json(msg=('Can detect none of the Python libraries '
-                                  'cryptography (>= {0}) and pyOpenSSL (>= {1})').format(
+            module.fail_json(msg=("Can't detect any of the required Python libraries "
+                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
                                       MINIMAL_CRYPTOGRAPHY_VERSION,
                                       MINIMAL_PYOPENSSL_VERSION))
     try: