x509_certificate: check existing certificate's signature for selfsigned and ownca provider (#407)

* Verify whether signature matches. * Add changelog fragment. * Forgot imports. * Fix wrong name. * Check whether the CA private key fits to the CA certificate. Use correct key in tests. * Refactor code.
2026-05-06 13:22:58 +00:00 · 2022-02-16 07:38:11 +01:00
parent 3ebc132c03
commit 28729657ac
5 changed files with 102 additions and 15 deletions
--- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py
@@ -28,8 +28,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_compare_public_keys,
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -107,6 +109,9 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
        except OpenSSLBadPassphraseError as exc:
            module.fail_json(msg=str(exc))

+        if not cryptography_compare_public_keys(self.ca_cert.public_key(), self.ca_private_key.public_key()):
+            raise CertificateError('The CA private key does not belong to the CA certificate')
+
        if cryptography_key_needs_digest_for_signing(self.ca_private_key):
            if self.digest is None:
                raise CertificateError(
@@ -175,6 +180,10 @@ class OwnCACertificateBackendCryptography(CertificateBackend):

        self._ensure_existing_certificate_loaded()

+        # Check whether certificate is signed by CA certificate
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.ca_cert.public_key()):
+            return True
+
        # Check subject
        if self.ca_cert.subject != self.existing_certificate.issuer:
            return True
--- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
@@ -22,6 +22,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -135,8 +136,16 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
        return self.cert.public_bytes(Encoding.PEM)

    def needs_regeneration(self):
-        return super(SelfSignedCertificateBackendCryptography, self).needs_regeneration(
-            not_before=self.notBefore, not_after=self.notAfter)
+        if super(SelfSignedCertificateBackendCryptography, self).needs_regeneration(not_before=self.notBefore, not_after=self.notAfter):
+            return True
+
+        self._ensure_existing_certificate_loaded()
+
+        # Check whether certificate is signed by private key
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.privatekey.public_key()):
+            return True
+
+        return False

    def dump(self, include_certificate):
        result = super(SelfSignedCertificateBackendCryptography, self).dump(include_certificate)