openssl_certificate: fix passphrase handling for cryptography backend (…

…ansible#56155) * Make sure passphrase is bytes string. * Fix typo. * Add more passphrase tests. * Fix test names. * Add changelog. (cherry picked from commit 7a957ba)
felixfontein · May 8, 2019 · 0351a2f · 0351a2f
1 parent 0829325
commit 0351a2f
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 5 deletions.
diff --git a/changelogs/fragments/56155-openssl_certificate-passphrase.yml b/changelogs/fragments/56155-openssl_certificate-passphrase.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - fix private key passphrase handling for ``cryptography`` backend."
diff --git a/lib/ansible/module_utils/crypto.py b/lib/ansible/module_utils/crypto.py
@@ -168,7 +168,7 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
         elif backend == 'cryptography':
             try:
                 result = load_pem_private_key(priv_key_detail,
-                                              passphrase,
+                                              None if passphrase is None else to_bytes(passphrase),
                                               cryptography_backend())
             except TypeError as dummy:
                 raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key')

diff --git a/test/integration/targets/openssl_certificate/tasks/ownca.yml b/test/integration/targets/openssl_certificate/tasks/ownca.yml
@@ -3,6 +3,13 @@
   openssl_privatekey:
     path: '{{ output_dir }}/ca_privatekey.pem'
 
+- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase
+  openssl_privatekey:
+    path: '{{ output_dir }}/ca_privatekey_pw.pem'
+    passphrase: hunter2
+    cipher: auto
+    select_crypto_backend: cryptography
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
   openssl_csr:
     path: '{{ output_dir }}/ca_csr.csr'
@@ -14,6 +21,18 @@
     - 'CA:TRUE'
     basic_constraints_critical: yes
 
+- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
+  openssl_csr:
+    path: '{{ output_dir }}/ca_csr_pw.csr'
+    privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
+    privatekey_passphrase: hunter2
+    subject:
+      commonName: Example CA
+    useCommonNameForSAN: no
+    basic_constraints:
+    - 'CA:TRUE'
+    basic_constraints_critical: yes
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
   openssl_certificate:
     path: '{{ output_dir }}/ca_cert.pem'
@@ -23,6 +42,16 @@
     selfsigned_digest: sha256
     select_crypto_backend: '{{ select_crypto_backend }}'
 
+- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
+  openssl_certificate:
+    path: '{{ output_dir }}/ca_cert_pw.pem'
+    csr_path: '{{ output_dir }}/ca_csr_pw.csr'
+    privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
+    privatekey_passphrase: hunter2
+    provider: selfsigned
+    selfsigned_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
   openssl_certificate:
     path: '{{ output_dir }}/ownca_cert.pem'
@@ -164,6 +193,18 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: ownca_certificate_ecc
 
+- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ecc_2.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert_pw.pem'
+    ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
+    ownca_privatekey_passphrase: hunter2
+    provider: ownca
+    ownca_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_certificate_passphrase
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
   openssl_certificate:
     path: '{{ output_dir }}/ownca_cert_pw1.pem'
@@ -179,7 +220,7 @@
 
 - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
   openssl_certificate:
-    path: '{{ output_dir }}/ownca_cert_pw1.pem'
+    path: '{{ output_dir }}/ownca_cert_pw2.pem'
     csr_path: '{{ output_dir }}/csr_ecc.csr'
     ownca_path: '{{ output_dir }}/ca_cert.pem'
     ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem'

diff --git a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -176,6 +176,25 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: selfsigned_certificate_ecc
 
+- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_pass.csr'
+    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_passphrase: hunter2
+    subject:
+      commonName: www.example.com
+
+- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
+  openssl_certificate:
+    path: '{{ output_dir }}/cert_pass.pem'
+    csr_path: '{{ output_dir }}/csr_pass.csr'
+    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_passphrase: hunter2
+    provider: selfsigned
+    selfsigned_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_certificate_passphrase
+
 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
   openssl_certificate:
     path: '{{ output_dir }}/cert_pw1.pem'

diff --git a/test/integration/targets/openssl_csr/tasks/impl.yml b/test/integration/targets/openssl_csr/tasks/impl.yml
@@ -249,7 +249,15 @@
     cipher: auto
     select_crypto_backend: cryptography
 
-- name: Generate publickey - PEM format
+- name: Generate CSR with privatekey passphrase
+  openssl_csr:
+    path: '{{ output_dir }}/csr_pw.csr'
+    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_passphrase: hunter2
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: passphrase_1
+
+- name: Generate CSR (failed passphrase 1)
   openssl_csr:
     path: '{{ output_dir }}/csr_pw1.csr'
     privatekey_path: '{{ output_dir }}/privatekey.pem'
@@ -258,7 +266,7 @@
   ignore_errors: yes
   register: passphrase_error_1
 
-- name: Generate publickey - PEM format
+- name: Generate CSR (failed passphrase 2)
   openssl_csr:
     path: '{{ output_dir }}/csr_pw2.csr'
     privatekey_path: '{{ output_dir }}/privatekeypw.pem'
@@ -267,7 +275,7 @@
   ignore_errors: yes
   register: passphrase_error_2
 
-- name: Generate publickey - PEM format
+- name: Generate CSR (failed passphrase 3)
   openssl_csr:
     path: '{{ output_dir }}/csr_pw3.csr'
     privatekey_path: '{{ output_dir }}/privatekeypw.pem'