[stable-1] x509_certificate: regenerate certificate on CA's subject change (#406)

* Regenerate certificate on CA's subject change. (#402) (cherry picked from commit 3ebc132c03) * Add fix for PyOpenSSL backend. * x509_certificate: check existing certificate's signature for selfsigned and ownca provider (#407) * Verify whether signature matches. * Add changelog fragment. * Forgot imports. * Fix wrong name. * Check whether the CA private key fits to the CA certificate. Use correct key in tests. * Refactor code. (cherry picked from commit 28729657ac) * There doesn't seem a way to do this with pyOpenSSL.
2026-05-06 13:22:58 +00:00 · 2022-02-19 18:51:28 +01:00
parent 2aa38fe247
commit 60c6d87b05
7 changed files with 202 additions and 17 deletions
--- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py
@@ -28,8 +28,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_compare_public_keys,
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -107,6 +109,9 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
        except OpenSSLBadPassphraseError as exc:
            module.fail_json(msg=str(exc))

+        if not cryptography_compare_public_keys(self.ca_cert.public_key(), self.ca_private_key.public_key()):
+            raise CertificateError('The CA private key does not belong to the CA certificate')
+
        if cryptography_key_needs_digest_for_signing(self.ca_private_key):
            if self.digest is None:
                raise CertificateError(
@@ -173,6 +178,16 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
        if super(OwnCACertificateBackendCryptography, self).needs_regeneration():
            return True

+        self._ensure_existing_certificate_loaded()
+
+        # Check whether certificate is signed by CA certificate
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.ca_cert.public_key()):
+            return True
+
+        # Check subject
+        if self.ca_cert.subject != self.existing_certificate.issuer:
+            return True
+
        # Check AuthorityKeyIdentifier
        if self.create_authority_key_identifier:
            try:
@@ -185,7 +200,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
            except cryptography.x509.ExtensionNotFound:
                expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())

-            self._ensure_existing_certificate_loaded()
            try:
                ext = self.existing_certificate.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
                if ext.value != expected_ext:
@@ -297,6 +311,18 @@ class OwnCACertificateBackendPyOpenSSL(CertificateBackend):
        """Return bytes for self.cert."""
        return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)

+    def needs_regeneration(self):
+        if super(OwnCACertificateBackendPyOpenSSL, self).needs_regeneration():
+            return True
+
+        self._ensure_existing_certificate_loaded()
+
+        # Check subject
+        if self.ca_cert.get_subject() != self.existing_certificate.get_issuer():
+            return True
+
+        return False
+
    def dump(self, include_certificate):
        result = super(OwnCACertificateBackendPyOpenSSL, self).dump(include_certificate)
        result.update({
--- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
@@ -22,6 +22,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -134,6 +135,18 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
        """Return bytes for self.cert."""
        return self.cert.public_bytes(Encoding.PEM)

+    def needs_regeneration(self):
+        if super(SelfSignedCertificateBackendCryptography, self).needs_regeneration():
+            return True
+
+        self._ensure_existing_certificate_loaded()
+
+        # Check whether certificate is signed by private key
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.privatekey.public_key()):
+            return True
+
+        return False
+
    def dump(self, include_certificate):
        result = super(SelfSignedCertificateBackendCryptography, self).dump(include_certificate)