CVE-2020-25646: no_log=True missing for private key content options (#125)

* Mark private key content options as no_log (CVE-2020-25646.) * Mention no_log for openssl_privatekey's return_content option. * Add change PR's URL. * Plural.
2026-05-06 13:22:58 +00:00 · 2020-10-13 14:14:05 +02:00
parent 7d0e5e814e
commit 233d1afc29
8 changed files with 16 additions and 7 deletions
--- a/plugins/modules/openssl_csr.py
+++ b/plugins/modules/openssl_csr.py
@@ -1163,7 +1163,7 @@ def main():
            state=dict(type='str', default='present', choices=['absent', 'present']),
            digest=dict(type='str', default='sha256'),
            privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
            privatekey_passphrase=dict(type='str', no_log=True),
            version=dict(type='int', default=1),
            force=dict(type='bool', default=False),
--- a/plugins/modules/openssl_privatekey.py
+++ b/plugins/modules/openssl_privatekey.py
@@ -152,6 +152,8 @@ options:
            - If set to C(yes), will return the (current or generated) private key's content as I(privatekey).
            - Note that especially if the private key is not encrypted, you have to make sure that the returned
              value is treated appropriately and not accidentally written to logs etc.! Use with care!
+            - Use Ansible's I(no_log) task option to avoid the output being shown. See also
+              U(https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook).
        type: bool
        default: no
        version_added: '1.0.0'
--- a/plugins/modules/openssl_privatekey_info.py
+++ b/plugins/modules/openssl_privatekey_info.py
@@ -583,7 +583,7 @@ def main():
    module = AnsibleModule(
        argument_spec=dict(
            path=dict(type='path'),
-            content=dict(type='str'),
+            content=dict(type='str', no_log=True),
            passphrase=dict(type='str', no_log=True),
            return_private_key_data=dict(type='bool', default=False),
            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
--- a/plugins/modules/openssl_publickey.py
+++ b/plugins/modules/openssl_publickey.py
@@ -395,7 +395,7 @@ def main():
            force=dict(type='bool', default=False),
            path=dict(type='path', required=True),
            privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
            format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
            privatekey_passphrase=dict(type='str', no_log=True),
            backup=dict(type='bool', default=False),
--- a/plugins/modules/openssl_signature.py
+++ b/plugins/modules/openssl_signature.py
@@ -259,7 +259,7 @@ def main():
    module = AnsibleModule(
        argument_spec=dict(
            privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
            privatekey_passphrase=dict(type='str', no_log=True),
            path=dict(type='path', required=True),
            select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
--- a/plugins/modules/x509_certificate.py
+++ b/plugins/modules/x509_certificate.py
@@ -2565,7 +2565,7 @@ def main():

            # General properties of a certificate
            privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
            privatekey_passphrase=dict(type='str', no_log=True),

            # provider: assertonly
@@ -2609,7 +2609,7 @@ def main():
            ownca_path=dict(type='path'),
            ownca_content=dict(type='str'),
            ownca_privatekey_path=dict(type='path'),
-            ownca_privatekey_content=dict(type='str'),
+            ownca_privatekey_content=dict(type='str', no_log=True),
            ownca_privatekey_passphrase=dict(type='str', no_log=True),
            ownca_digest=dict(type='str', default='sha256'),
            ownca_version=dict(type='int', default=3),
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -754,7 +754,7 @@ def main():
            path=dict(type='path', required=True),
            format=dict(type='str', default='pem', choices=['pem', 'der']),
            privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
            privatekey_passphrase=dict(type='str', no_log=True),
            issuer=dict(type='dict'),
            last_update=dict(type='str', default='+0s'),