mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-05-07 13:53:06 +00:00
Remove assertonly (#289)
* Remove assertonly backend. * Remove assertonly tests. * The expired test is basically a test of assertonly. * Replace assertonly verification by _info + assert.
This commit is contained in:
Felix Fontein
GitHub
@@ -1,166 +0,0 @@
|
||||
---
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey
|
||||
openssl_privatekey:
|
||||
path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
size: '{{ default_rsa_key_size_certifiates }}'
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey with password
|
||||
openssl_privatekey:
|
||||
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
||||
passphrase: hunter2
|
||||
cipher: auto
|
||||
select_crypto_backend: cryptography
|
||||
size: '{{ default_rsa_key_size_certifiates }}'
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate CSR (no extensions)
|
||||
openssl_csr:
|
||||
path: '{{ remote_tmp_dir }}/csr_noext.csr'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
useCommonNameForSAN: no
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate CSR (with SANs)
|
||||
openssl_csr:
|
||||
path: '{{ remote_tmp_dir }}/csr_sans.csr'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
subject_alt_name:
|
||||
- "DNS:ansible.com"
|
||||
- "IP:127.0.0.1"
|
||||
- "IP:::1"
|
||||
useCommonNameForSAN: no
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate selfsigned certificate (no extensions)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
csr_path: '{{ remote_tmp_dir }}/csr_noext.csr'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
provider: selfsigned
|
||||
selfsigned_digest: sha256
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Generate selfsigned certificate (with SANs)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_sans.pem'
|
||||
csr_path: '{{ remote_tmp_dir }}/csr_sans.csr'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
provider: selfsigned
|
||||
selfsigned_digest: sha256
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there (should fail)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
provider: assertonly
|
||||
subject_alt_name:
|
||||
- "DNS:example.com"
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: extension_missing_san
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_sans.pem'
|
||||
provider: assertonly
|
||||
subject_alt_name:
|
||||
- "DNS:ansible.com"
|
||||
- "IP:127.0.0.1"
|
||||
- "IP:::1"
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: extension_san
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there (strict)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_sans.pem'
|
||||
provider: assertonly
|
||||
subject_alt_name:
|
||||
- "DNS:ansible.com"
|
||||
- "IP:127.0.0.1"
|
||||
- "IP:::1"
|
||||
subject_alt_name_strict: yes
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: extension_san_strict
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Assert that key_usage is there (should fail)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
provider: assertonly
|
||||
key_usage:
|
||||
- digitalSignature
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: extension_missing_ku
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Assert that extended_key_usage is there (should fail)
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
provider: assertonly
|
||||
extended_key_usage:
|
||||
- biometricInfo
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: extension_missing_eku
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- extension_missing_san is failed
|
||||
- "'Found no subjectAltName extension' in extension_missing_san.msg"
|
||||
- extension_san is succeeded
|
||||
- extension_san_strict is succeeded
|
||||
- extension_missing_ku is failed
|
||||
- "'Found no keyUsage extension' in extension_missing_ku.msg"
|
||||
- extension_missing_eku is failed
|
||||
- "'Found no extendedKeyUsage extension' in extension_missing_eku.msg"
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Check wrong key fail
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
||||
privatekey_passphrase: hunter2
|
||||
provider: assertonly
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: private_key_error
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 1
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
privatekey_passphrase: hunter2
|
||||
provider: assertonly
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: passphrase_error_1
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 2
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
||||
privatekey_passphrase: wrong_password
|
||||
provider: assertonly
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: passphrase_error_2
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 3
|
||||
x509_certificate:
|
||||
path: '{{ remote_tmp_dir }}/cert_noext.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
|
||||
provider: assertonly
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: passphrase_error_3
|
||||
|
||||
- name: (Assertonly, {{select_crypto_backend}}) -
|
||||
assert:
|
||||
that:
|
||||
- private_key_error is failed
|
||||
- "'Certificate and private key ' in private_key_error.msg and ' do not match' in private_key_error.msg"
|
||||
- passphrase_error_1 is failed
|
||||
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
|
||||
- passphrase_error_2 is failed
|
||||
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
|
||||
- passphrase_error_3 is failed
|
||||
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
|
||||
@@ -1,37 +0,0 @@
|
||||
---
|
||||
- name: (Expired, {{select_crypto_backend}}) Generate privatekey
|
||||
openssl_privatekey:
|
||||
path: '{{ remote_tmp_dir }}/has_expired_privatekey.pem'
|
||||
size: '{{ default_rsa_key_size_certifiates }}'
|
||||
|
||||
- name: (Expired, {{select_crypto_backend}}) Generate CSR
|
||||
openssl_csr:
|
||||
path: '{{ remote_tmp_dir }}/has_expired_csr.csr'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/has_expired_privatekey.pem'
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
|
||||
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
|
||||
# Cryptography won't allow creating expired certificates; so we create it with 'command'
|
||||
command: "{{ openssl_binary }} x509 -req -days -1 -in {{ remote_tmp_dir }}/has_expired_csr.csr -signkey {{ remote_tmp_dir }}/has_expired_privatekey.pem -out {{ remote_tmp_dir }}/has_expired_cert.pem"
|
||||
|
||||
- name: "(Expired) Check task fails because cert is expired (has_expired: false)"
|
||||
x509_certificate:
|
||||
provider: assertonly
|
||||
path: "{{ remote_tmp_dir }}/has_expired_cert.pem"
|
||||
has_expired: false
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: true
|
||||
register: expired_cert_check
|
||||
|
||||
- name: (Expired, {{select_crypto_backend}}) Ensure previous task failed
|
||||
assert:
|
||||
that: expired_cert_check is failed
|
||||
|
||||
- name: "(Expired) Check expired cert check is ignored (has_expired: true)"
|
||||
x509_certificate:
|
||||
provider: assertonly
|
||||
path: "{{ remote_tmp_dir }}/has_expired_cert.pem"
|
||||
has_expired: true
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: expired_cert_skip
|
||||
@@ -1,8 +1,6 @@
|
||||
---
|
||||
- debug:
|
||||
msg: "Executing tests with backend {{ select_crypto_backend }}"
|
||||
- import_tasks: assertonly.yml
|
||||
- import_tasks: expired.yml
|
||||
- import_tasks: selfsigned.yml
|
||||
- import_tasks: ownca.yml
|
||||
- import_tasks: removal.yml
|
||||
|
||||
@@ -110,21 +110,27 @@
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
check_mode: yes
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate
|
||||
x509_certificate:
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Get certificate information
|
||||
community.crypto.x509_certificate_info:
|
||||
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
provider: assertonly
|
||||
has_expired: False
|
||||
version: 3
|
||||
signature_algorithms:
|
||||
- sha256WithRSAEncryption
|
||||
- sha256WithECDSAEncryption
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
issuer:
|
||||
commonName: Example CA
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Get private key information
|
||||
community.crypto.openssl_privatekey_info:
|
||||
path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result_privatekey
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate
|
||||
assert:
|
||||
that:
|
||||
- result.public_key == result_privatekey.public_key
|
||||
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
||||
- "result.subject.commonName == 'www.example.com'"
|
||||
- "result.issuer.commonName == 'Example CA'"
|
||||
- not result.expired
|
||||
- result.version == 3
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca v2 certificate
|
||||
x509_certificate:
|
||||
@@ -151,33 +157,35 @@
|
||||
ownca_digest: sha256
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate2
|
||||
x509_certificate:
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Get certificate information
|
||||
community.crypto.x509_certificate_info:
|
||||
path: '{{ remote_tmp_dir }}/ownca_cert2.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
||||
provider: assertonly
|
||||
has_expired: False
|
||||
version: 3
|
||||
signature_algorithms:
|
||||
- sha256WithRSAEncryption
|
||||
- sha256WithECDSAEncryption
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
C: US
|
||||
ST: California
|
||||
L: Los Angeles
|
||||
O: ACME Inc.
|
||||
OU:
|
||||
- Roadrunner pest control
|
||||
- Pyrotechnics
|
||||
keyUsage:
|
||||
- digitalSignature
|
||||
extendedKeyUsage:
|
||||
- ipsecUser
|
||||
- biometricInfo
|
||||
issuer:
|
||||
commonName: Example CA
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Get private key information
|
||||
community.crypto.openssl_privatekey_info:
|
||||
path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result_privatekey
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate2
|
||||
assert:
|
||||
that:
|
||||
- result.public_key == result_privatekey.public_key
|
||||
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
||||
- "result.subject.commonName == 'www.example.com'"
|
||||
- "result.subject.countryName == 'US'"
|
||||
- "result.subject.localityName == 'Los Angeles'" # L
|
||||
- "result.subject.organizationName == 'ACME Inc.'"
|
||||
- "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered"
|
||||
- "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered"
|
||||
- "result.issuer.commonName == 'Example CA'"
|
||||
- not result.expired
|
||||
- result.version == 3
|
||||
- "'Digital Signature' in result.key_usage"
|
||||
- "'IPSec User' in result.extended_key_usage"
|
||||
- "'Biometric Info' in result.extended_key_usage"
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with notBefore and notAfter
|
||||
x509_certificate:
|
||||
|
||||
@@ -99,19 +99,26 @@
|
||||
check_mode: yes
|
||||
register: selfsigned_certificate_csr_minimal_change
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate
|
||||
x509_certificate:
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Get certificate information
|
||||
community.crypto.x509_certificate_info:
|
||||
path: '{{ remote_tmp_dir }}/cert.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
provider: assertonly
|
||||
has_expired: False
|
||||
version: 3
|
||||
signature_algorithms:
|
||||
- sha256WithRSAEncryption
|
||||
- sha256WithECDSAEncryption
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Get private key information
|
||||
community.crypto.openssl_privatekey_info:
|
||||
path: '{{ remote_tmp_dir }}/privatekey.pem'
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result_privatekey
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate
|
||||
assert:
|
||||
that:
|
||||
- result.public_key == result_privatekey.public_key
|
||||
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
||||
- "result.subject.commonName == 'www.example.com'"
|
||||
- not result.expired
|
||||
- result.version == 3
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned v2 certificate
|
||||
x509_certificate:
|
||||
@@ -158,31 +165,34 @@
|
||||
selfsigned_digest: sha256
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate2
|
||||
x509_certificate:
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Get certificate information
|
||||
community.crypto.x509_certificate_info:
|
||||
path: '{{ remote_tmp_dir }}/cert2.pem'
|
||||
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
||||
provider: assertonly
|
||||
has_expired: False
|
||||
version: 3
|
||||
signature_algorithms:
|
||||
- sha256WithRSAEncryption
|
||||
- sha256WithECDSAEncryption
|
||||
subject:
|
||||
commonName: www.example.com
|
||||
C: US
|
||||
ST: California
|
||||
L: Los Angeles
|
||||
O: ACME Inc.
|
||||
OU:
|
||||
- Roadrunner pest control
|
||||
- Pyrotechnics
|
||||
keyUsage:
|
||||
- digitalSignature
|
||||
extendedKeyUsage:
|
||||
- ipsecUser
|
||||
- biometricInfo
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Get private key information
|
||||
community.crypto.openssl_privatekey_info:
|
||||
path: '{{ remote_tmp_dir }}/privatekey2.pem'
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
register: result_privatekey
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate2
|
||||
assert:
|
||||
that:
|
||||
- result.public_key == result_privatekey.public_key
|
||||
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
|
||||
- "result.subject.commonName == 'www.example.com'"
|
||||
- "result.subject.countryName == 'US'"
|
||||
- "result.subject.localityName == 'Los Angeles'" # L
|
||||
- "result.subject.organizationName == 'ACME Inc.'"
|
||||
- "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered"
|
||||
- "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered"
|
||||
- not result.expired
|
||||
- result.version == 3
|
||||
- "'Digital Signature' in result.key_usage"
|
||||
- "'IPSec User' in result.extended_key_usage"
|
||||
- "'Biometric Info' in result.extended_key_usage"
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Create private key 3
|
||||
openssl_privatekey:
|
||||
|
||||
Reference in New Issue
Block a user