openssl_certificate: fix passphrase handling for cryptography backend #56155

Merged
merged 5 commits into from May 8, 2019
2 changes: 2 additions & 0 deletions changelogs/fragments/56155-openssl_certificate-passphrase.yml
@@ -0,0 +1,2 @@
bugfixes:
- "openssl_certificate - fix private key passphrase handling for ``cryptography`` backend."
2 changes: 1 addition & 1 deletion lib/ansible/module_utils/crypto.py
@@ -168,7 +168,7 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
elif backend == 'cryptography':
try:
result = load_pem_private_key(priv_key_detail,
passphrase,
None if passphrase is None else to_bytes(passphrase),
cryptography_backend())
except TypeError as dummy:
raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key')
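Review bot: the `except TypeError as dummy:` handler shown here only covers the case where a passphrase is given for an unencrypted key (or omitted for an encrypted one); with the cryptography backend a wrong passphrase on an encrypted key raises ValueError, which in the lines shown is not translated into OpenSSLBadPassphraseError and will surface as an unhandled traceback. Consider `except (TypeError, ValueError):` and drop the unused `as dummy` binding. The `None if passphrase is None else to_bytes(passphrase)` conversion itself is the right fix, since `load_pem_private_key` expects the password as bytes.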
43 changes: 42 additions & 1 deletion test/integration/targets/openssl_certificate/tasks/ownca.yml
@@ -3,6 +3,13 @@
openssl_privatekey:
path: '{{ output_dir }}/ca_privatekey.pem'

- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase
openssl_privatekey:
path: '{{ output_dir }}/ca_privatekey_pw.pem'
passphrase: hunter2
cipher: auto
select_crypto_backend: cryptography

- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
openssl_csr:
path: '{{ output_dir }}/ca_csr.csr'
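Review bot: the new "Generate CA privatekey with passphrase" task pins `select_crypto_backend: cryptography` while its name still interpolates `{{select_crypto_backend}}`, so the task name misreports the backend when the play runs with pyopenssl. If the pin is deliberate because `cipher: auto` is only understood by the cryptography backend, say so in the task name or a comment; otherwise use `'{{ select_crypto_backend }}'` like the surrounding tasks so the passphrase path is exercised on both backends.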
@@ -14,6 +21,18 @@
- 'CA:TRUE'
basic_constraints_critical: yes

- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
openssl_csr:
path: '{{ output_dir }}/ca_csr_pw.csr'
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
privatekey_passphrase: hunter2
subject:
commonName: Example CA
useCommonNameForSAN: no
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes

- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
openssl_certificate:
path: '{{ output_dir }}/ca_cert.pem'
@@ -23,6 +42,16 @@
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'

- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/ca_cert_pw.pem'
csr_path: '{{ output_dir }}/ca_csr_pw.csr'
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'

- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
openssl_certificate:
path: '{{ output_dir }}/ownca_cert.pem'
@@ -164,6 +193,18 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: ownca_certificate_ecc

- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/ownca_cert_ecc_2.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr'
ownca_path: '{{ output_dir }}/ca_cert_pw.pem'
ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
ownca_privatekey_passphrase: hunter2
provider: ownca
ownca_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_passphrase

- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
openssl_certificate:
path: '{{ output_dir }}/ownca_cert_pw1.pem'
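Review bot: the task name, output path and registered variable in the new task do not match what it does: it signs with `provider: ownca` and the passphrase-protected CA key, yet it is named "Generate selfsigned certificate (privatekey passphrase)", writes `ownca_cert_ecc_2.pem`, and registers `selfsigned_certificate_passphrase`, the same variable name that the selfsigned.yml task in this PR registers. Rename it to "Generate ownca certificate (privatekey passphrase)", use a path such as `ownca_cert_pw.pem`, and register `ownca_certificate_passphrase`, so that the assert tasks can check both results without one overwriting the other.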
@@ -179,7 +220,7 @@

- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
openssl_certificate:
path: '{{ output_dir }}/ownca_cert_pw1.pem'
path: '{{ output_dir }}/ownca_cert_pw2.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr'
ownca_path: '{{ output_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem'
19 changes: 19 additions & 0 deletions test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -176,6 +176,25 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_ecc

- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase)
openssl_csr:
path: '{{ output_dir }}/csr_pass.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
subject:
commonName: www.example.com

- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/cert_pass.pem'
csr_path: '{{ output_dir }}/csr_pass.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_passphrase

- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
openssl_certificate:
path: '{{ output_dir }}/cert_pw1.pem'
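Review bot: the new success-path task registers `selfsigned_certificate_passphrase`, but nothing in this hunk checks it; make sure the target's assert tasks (not touched by this diff) assert on `changed` and, ideally, that `cert_pass.pem` validates against `privatekeypw.pem`. Without that, the regression this PR fixes is only caught if the task fails outright, and a silently empty or mis-signed certificate would pass.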
14 changes: 11 additions & 3 deletions test/integration/targets/openssl_csr/tasks/impl.yml
@@ -249,7 +249,15 @@
cipher: auto
select_crypto_backend: cryptography

- name: Generate publickey - PEM format
- name: Generate CSR with privatekey passphrase
openssl_csr:
path: '{{ output_dir }}/csr_pw.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
select_crypto_backend: '{{ select_crypto_backend }}'
register: passphrase_1

- name: Generate CSR (failed passphrase 1)
openssl_csr:
path: '{{ output_dir }}/csr_pw1.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
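Review bot: the new task registers `passphrase_1`, which sits next to the existing `passphrase_error_1` and `passphrase_error_2` and reads like another numbered failure case rather than the success path; a name such as `csr_passphrase` would make the assert tasks easier to follow. Removing the copy-pasted `- name: Generate publickey - PEM format` in favour of a descriptive name is welcome.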
@@ -258,7 +266,7 @@
ignore_errors: yes
register: passphrase_error_1

- name: Generate publickey - PEM format
- name: Generate CSR (failed passphrase 2)
openssl_csr:
path: '{{ output_dir }}/csr_pw2.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
@@ -267,7 +275,7 @@
ignore_errors: yes
register: passphrase_error_2

- name: Generate publickey - PEM format
- name: Generate CSR (failed passphrase 3)
openssl_csr:
path: '{{ output_dir }}/csr_pw3.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'