internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-06 13:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Get rid of backend parameter whenever possible (#883)

Browse Source 
* Get rid of backend parameter whenever possible.

* Always auto-detect if backend choices are 'cryptography' and 'auto', resp. always check cryptography version.

* Improve error message.

* Update documentation.
This commit is contained in:
Felix Fontein
2025-05-03 10:46:53 +02:00
committed by GitHub
parent fbcb89f092
commit 645b7bf9ed
50 changed files with 502 additions and 1093 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
plugins/modules/acme_challenge_cert_helper.py
View File

@@ -149,9 +149,8 @@ regular_certificate:
import base64
import datetime
import ipaddress
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes, to_text
from ansible_collections.community.crypto.plugins.module_utils.acme.errors import (
ModuleFailException,
@@ -164,16 +163,13 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.time import (
get_now_datetime,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.hazmat.backends
@@ -185,13 +181,8 @@ try:
import cryptography.hazmat.primitives.serialization
import cryptography.x509
import cryptography.x509.oid
HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion(
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
HAS_CRYPTOGRAPHY = False
pass
# Convert byte string to ASN1 encoded octet string
@@ -215,20 +206,8 @@ def main():
required_one_of=(["private_key_src", "private_key_content"],),
mutually_exclusive=(["private_key_src", "private_key_content"],),
)
if not HAS_CRYPTOGRAPHY:
# Some callbacks die when exception is provided with value None
if CRYPTOGRAPHY_IMP_ERR:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
)
)
assert_required_cryptography_version(COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION)
try:
# Get parameters

24
plugins/modules/certificate_complete_chain.py
View File

@@ -121,26 +121,21 @@ complete_chain:
"""
import os
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes
from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
split_pem_list,
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
assert_required_cryptography_version,
)
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.exceptions
import cryptography.hazmat.backends
import cryptography.hazmat.primitives.asymmetric.ec
import cryptography.hazmat.primitives.asymmetric.padding
import cryptography.hazmat.primitives.asymmetric.rsa
@@ -149,13 +144,8 @@ try:
import cryptography.hazmat.primitives.serialization
import cryptography.x509
import cryptography.x509.oid
HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion(
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
HAS_CRYPTOGRAPHY = False
pass
class Certificate:
@@ -333,13 +323,7 @@ def main():
supports_check_mode=True,
)
if not HAS_CRYPTOGRAPHY:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION)
# Load chain
chain = parse_PEM_list(module, module.params["input_chain"], source="input chain")

28
plugins/modules/ecs_certificate.py
View File

@@ -550,15 +550,15 @@ import datetime
import os
import re
import time
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes
from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
load_certificate,
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.ecs.api import (
ECSClient,
@@ -567,22 +567,8 @@ from ansible_collections.community.crypto.plugins.module_utils.ecs.api import (
ecs_client_argument_spec,
)
from ansible_collections.community.crypto.plugins.module_utils.io import write_file
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
@@ -652,7 +638,7 @@ class EcsCertificate:
self.ecs_client = None
if self.path and os.path.exists(self.path):
try:
self.cert = load_certificate(self.path, backend="cryptography")
self.cert = load_certificate(self.path)
except Exception:
self.cert = None
# Instantiate the ECS client and then try a no-op connection to verify credentials are valid
@@ -1008,13 +994,7 @@ def main():
supports_check_mode=True,
)
if not CRYPTOGRAPHY_FOUND or CRYPTOGRAPHY_VERSION < LooseVersion(
MINIMAL_CRYPTOGRAPHY_VERSION
):
module.fail_json(
msg=missing_required_lib(f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
# If validate_only is used, pointing to an existing tracking_id is an invalid operation
if module.params["tracking_id"]:

130
plugins/modules/get_certificate.py
View File

@@ -76,6 +76,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -265,7 +268,6 @@ import atexit
import base64
import ssl
import sys
import traceback
from os.path import isfile
from socket import create_connection, setdefaulttimeout, socket
from ssl import (
@@ -275,7 +277,7 @@ from ssl import (
create_default_context,
)
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
CRYPTOGRAPHY_TIMEZONE,
@@ -286,29 +288,21 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.time import (
get_now_datetime,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.exceptions
import cryptography.x509
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
pass
def send_starttls_packet(sock, server_type):
@@ -367,32 +361,7 @@ def main():
f"The Python version used to run the get_certificate module is {sys.version}"
)
backend = module.params.get("select_crypto_backend")
if backend == "auto":
# Detection what is possible
can_use_cryptography = (
CRYPTOGRAPHY_FOUND
and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
)
# Try cryptography
if can_use_cryptography:
backend = "cryptography"
# Success?
if backend == "auto":
module.fail_json(
msg=f"Cannot detect the required Python library cryptography (>= {MINIMAL_CRYPTOGRAPHY_VERSION})"
)
if backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
result = dict(
changed=False,
@@ -529,56 +498,55 @@ def main():
result["cert"] = cert
if backend == "cryptography":
x509 = cryptography.x509.load_pem_x509_certificate(to_bytes(cert))
result["subject"] = {}
for attribute in x509.subject:
result["subject"][cryptography_oid_to_name(attribute.oid, short=True)] = (
attribute.value
)
result["expired"] = get_not_valid_after(x509) < get_now_datetime(
with_timezone=CRYPTOGRAPHY_TIMEZONE
x509 = cryptography.x509.load_pem_x509_certificate(to_bytes(cert))
result["subject"] = {}
for attribute in x509.subject:
result["subject"][cryptography_oid_to_name(attribute.oid, short=True)] = (
attribute.value
)
result["extensions"] = []
for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items():
oid = cryptography.x509.oid.ObjectIdentifier(dotted_number)
ext = {
"critical": entry["critical"],
"asn1_data": entry["value"],
"name": cryptography_oid_to_name(oid, short=True),
}
if not asn1_base64:
ext["asn1_data"] = base64.b64decode(ext["asn1_data"])
result["extensions"].append(ext)
result["expired"] = get_not_valid_after(x509) < get_now_datetime(
with_timezone=CRYPTOGRAPHY_TIMEZONE
)
result["issuer"] = {}
for attribute in x509.issuer:
result["issuer"][cryptography_oid_to_name(attribute.oid, short=True)] = (
attribute.value
)
result["extensions"] = []
for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items():
oid = cryptography.x509.oid.ObjectIdentifier(dotted_number)
ext = {
"critical": entry["critical"],
"asn1_data": entry["value"],
"name": cryptography_oid_to_name(oid, short=True),
}
if not asn1_base64:
ext["asn1_data"] = base64.b64decode(ext["asn1_data"])
result["extensions"].append(ext)
result["not_after"] = get_not_valid_after(x509).strftime("%Y%m%d%H%M%SZ")
result["not_before"] = get_not_valid_before(x509).strftime("%Y%m%d%H%M%SZ")
result["serial_number"] = x509.serial_number
result["signature_algorithm"] = cryptography_oid_to_name(
x509.signature_algorithm_oid
result["issuer"] = {}
for attribute in x509.issuer:
result["issuer"][cryptography_oid_to_name(attribute.oid, short=True)] = (
attribute.value
)
# We need the -1 offset to get the same values as pyOpenSSL
if x509.version == cryptography.x509.Version.v1:
result["version"] = 1 - 1
elif x509.version == cryptography.x509.Version.v3:
result["version"] = 3 - 1
else:
result["version"] = "unknown"
result["not_after"] = get_not_valid_after(x509).strftime("%Y%m%d%H%M%SZ")
result["not_before"] = get_not_valid_before(x509).strftime("%Y%m%d%H%M%SZ")
if verified_chain is not None:
result["verified_chain"] = verified_chain
if unverified_chain is not None:
result["unverified_chain"] = unverified_chain
result["serial_number"] = x509.serial_number
result["signature_algorithm"] = cryptography_oid_to_name(
x509.signature_algorithm_oid
)
# We need the -1 offset to get the same values as pyOpenSSL
if x509.version == cryptography.x509.Version.v1:
result["version"] = 1 - 1
elif x509.version == cryptography.x509.Version.v3:
result["version"] = 3 - 1
else:
result["version"] = "unknown"
if verified_chain is not None:
result["verified_chain"] = verified_chain
if unverified_chain is not None:
result["unverified_chain"] = unverified_chain
module.exit_json(**result)

2
plugins/modules/openssh_keypair.py
View File

@@ -246,7 +246,7 @@ def main():
add_file_common_args=True,
)
keypair = select_backend(module, module.params["backend"])[1]
keypair = select_backend(module, module.params["backend"])
keypair.execute()

3
plugins/modules/openssl_csr.py
View File

@@ -340,8 +340,7 @@ def main():
)
try:
backend = module.params["select_crypto_backend"]
backend, module_backend = select_backend(module, backend)
module_backend = select_backend(module)
csr = CertificateSigningRequestModule(module, module_backend)
if module.params["state"] == "present":

7
plugins/modules/openssl_csr_info.py
View File

@@ -40,6 +40,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -341,9 +344,7 @@ def main():
except (IOError, OSError) as e:
module.fail_json(msg=f"Error while reading CSR file from disk: {e}")
backend, module_backend = select_backend(
module, module.params["select_crypto_backend"], data, validate_signature=True
)
module_backend = select_backend(module, data, validate_signature=True)
try:
result = module_backend.get_info()

3
plugins/modules/openssl_csr_pipe.py
View File

@@ -174,8 +174,7 @@ def main():
)
try:
backend = module.params["select_crypto_backend"]
backend, module_backend = select_backend(module, backend)
module_backend = select_backend(module)
csr = CertificateSigningRequestModule(module, module_backend)
csr.generate(module)

14
plugins/modules/openssl_dhparam.py
View File

@@ -132,15 +132,15 @@ import abc
import os
import re
import tempfile
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.math import (
count_bits,
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.io import (
load_file_if_exists,
@@ -153,7 +153,6 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.exceptions
@@ -163,7 +162,6 @@ try:
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
@@ -413,13 +411,7 @@ def main():
if backend == "openssl":
dhparam = DHParameterOpenSSL(module)
elif backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
dhparam = DHParameterCryptography(module)
else:
raise AssertionError("Internal error: unknown backend")

75
plugins/modules/openssl_pkcs12.py
View File

@@ -166,6 +166,9 @@ options:
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- The value V(pyopenssl) has been removed for community.crypto 3.0.0.
- Note that with community.crypto 3.0.0, all remaining values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -278,7 +281,7 @@ import os
import stat
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLBadPassphraseError,
@@ -297,32 +300,23 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.io import (
load_file_if_exists,
write_file,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.serialization.pkcs12 import (
serialize_key_and_certificates,
)
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
pass
CRYPTOGRAPHY_COMPATIBILITY2022_ERR = None
try:
@@ -340,14 +334,14 @@ else:
CRYPTOGRAPHY_HAS_COMPATIBILITY2022 = True
def load_certificate_set(filename, backend):
def load_certificate_set(filename):
"""
Load list of concatenated PEM files, and return a list of parsed certificates.
"""
with open(filename, "rb") as f:
data = f.read().decode("utf-8")
return [
load_certificate(None, content=cert.encode("utf-8"), backend=backend)
load_certificate(None, content=cert.encode("utf-8"))
for cert in split_pem_list(data)
]
@@ -357,14 +351,13 @@ class PkcsError(OpenSSLObjectError):
class Pkcs(OpenSSLObject):
def __init__(self, module, backend, iter_size_default=2048):
def __init__(self, module, iter_size_default=2048):
super(Pkcs, self).__init__(
module.params["path"],
module.params["state"],
module.params["force"],
module.check_mode,
)
self.backend = backend
self.action = module.params["action"]
self.other_certificates = module.params["other_certificates"]
self.other_certificates_parse_all = module.params[
@@ -416,11 +409,11 @@ class Pkcs(OpenSSLObject):
self.other_certificates = []
for other_cert_bundle in filenames:
self.other_certificates.extend(
load_certificate_set(other_cert_bundle, self.backend)
load_certificate_set(other_cert_bundle)
)
else:
self.other_certificates = [
load_certificate(other_cert, backend=self.backend)
load_certificate(other_cert)
for other_cert in self.other_certificates
]
elif self.other_certificates_content:
@@ -432,9 +425,7 @@ class Pkcs(OpenSSLObject):
)
)
self.other_certificates = [
load_certificate(
None, content=to_bytes(other_cert), backend=self.backend
)
load_certificate(None, content=to_bytes(other_cert))
for other_cert in certs
]
@@ -475,7 +466,6 @@ class Pkcs(OpenSSLObject):
None,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
except OpenSSLObjectError:
return False
@@ -606,9 +596,7 @@ class Pkcs(OpenSSLObject):
class PkcsCryptography(Pkcs):
def __init__(self, module):
super(PkcsCryptography, self).__init__(
module, "cryptography", iter_size_default=50000
)
super(PkcsCryptography, self).__init__(module, iter_size_default=50000)
if (
self.encryption_level == "compatibility2022"
and not CRYPTOGRAPHY_HAS_COMPATIBILITY2022
@@ -628,16 +616,13 @@ class PkcsCryptography(Pkcs):
None,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
except OpenSSLBadPassphraseError as exc:
raise PkcsError(exc)
cert = None
if self.certificate_content:
cert = load_certificate(
None, content=self.certificate_content, backend=self.backend
)
cert = load_certificate(None, content=self.certificate_content)
friendly_name = (
to_bytes(self.friendly_name) if self.friendly_name is not None else None
@@ -726,33 +711,9 @@ class PkcsCryptography(Pkcs):
return pkcs12[3]
def select_backend(module, backend):
if backend == "auto":
# Detection what is possible
can_use_cryptography = (
CRYPTOGRAPHY_FOUND
and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
)
if can_use_cryptography:
backend = "cryptography"
# Success?
if backend == "auto":
module.fail_json(
msg=f"Cannot detect the required Python library cryptography (>= {MINIMAL_CRYPTOGRAPHY_VERSION})"
)
if backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
return backend, PkcsCryptography(module)
else:
raise ValueError(f"Unsupported value for backend: {backend}")
def select_backend(module):
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
return PkcsCryptography(module)
def main():
@@ -804,7 +765,7 @@ def main():
supports_check_mode=True,
)
backend, pkcs12 = select_backend(module, module.params["select_crypto_backend"])
pkcs12 = select_backend(module)
base_dir = os.path.dirname(module.params["path"]) or "."
if not os.path.isdir(base_dir):

5
plugins/modules/openssl_privatekey.py
View File

@@ -270,10 +270,7 @@ def main():
msg=f"The directory {base_dir} does not exist or the file is not a directory",
)
backend, module_backend = select_backend(
module=module,
backend=module.params["select_crypto_backend"],
)
module_backend = select_backend(module=module)
try:
private_key = PrivateKeyModule(module, module_backend)

6
plugins/modules/openssl_privatekey_info.py
View File

@@ -64,6 +64,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -245,9 +248,8 @@ def main():
result["can_load_key"] = True
backend, module_backend = select_backend(
module_backend = select_backend(
module,
module.params["select_crypto_backend"],
data,
passphrase=module.params["passphrase"],
return_private_key_data=module.params["return_private_key_data"],

114
plugins/modules/openssl_publickey.py
View File

@@ -84,6 +84,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -183,9 +186,8 @@ publickey:
"""
import os
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLBadPassphraseError,
OpenSSLObjectError,
@@ -201,29 +203,20 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.io import (
load_file_if_exists,
write_file,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
from cryptography.hazmat.primitives import serialization as crypto_serialization
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
pass
class PublicKeyError(OpenSSLObjectError):
@@ -232,7 +225,7 @@ class PublicKeyError(OpenSSLObjectError):
class PublicKey(OpenSSLObject):
def __init__(self, module, backend):
def __init__(self, module):
super(PublicKey, self).__init__(
module.params["path"],
module.params["state"],
@@ -250,7 +243,6 @@ class PublicKey(OpenSSLObject):
self.publickey_bytes = None
self.return_content = module.params["return_content"]
self.fingerprint = {}
self.backend = backend
self.backup = module.params["backup"]
self.backup_file = None
@@ -265,7 +257,7 @@ class PublicKey(OpenSSLObject):
try:
result.update(
get_publickey_info(
self.module, self.backend, content=data, prefer_one_fingerprint=True
self.module, content=data, prefer_one_fingerprint=True
)
)
result["can_parse_key"] = True
@@ -280,19 +272,17 @@ class PublicKey(OpenSSLObject):
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
if self.backend == "cryptography":
if self.format == "OpenSSH":
return self.privatekey.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
)
else:
return self.privatekey.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo,
)
if self.format == "OpenSSH":
return self.privatekey.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
)
else:
return self.privatekey.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo,
)
def generate(self, module):
"""Generate the public key."""
@@ -323,7 +313,6 @@ class PublicKey(OpenSSLObject):
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
file_args = module.load_file_common_arguments(module.params)
if module.check_file_absent_if_check_mode(file_args["path"]):
@@ -348,24 +337,23 @@ class PublicKey(OpenSSLObject):
self.diff_before = self.diff_after = self._get_info(publickey_content)
if self.return_content:
self.publickey_bytes = publickey_content
if self.backend == "cryptography":
if self.format == "OpenSSH":
# Read and dump public key. Makes sure that the comment is stripped off.
current_publickey = crypto_serialization.load_ssh_public_key(
publickey_content
)
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
)
else:
current_publickey = crypto_serialization.load_pem_public_key(
publickey_content
)
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo,
)
if self.format == "OpenSSH":
# Read and dump public key. Makes sure that the comment is stripped off.
current_publickey = crypto_serialization.load_ssh_public_key(
publickey_content
)
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
)
else:
current_publickey = crypto_serialization.load_pem_public_key(
publickey_content
)
publickey_content = current_publickey.public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo,
)
except Exception:
return False
@@ -440,35 +428,7 @@ def main():
mutually_exclusive=(["privatekey_path", "privatekey_content"],),
)
backend = module.params["select_crypto_backend"]
if backend == "auto":
# Detection what is possible
can_use_cryptography = (
CRYPTOGRAPHY_FOUND
and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
)
# Decision
if can_use_cryptography:
backend = "cryptography"
# Success?
if backend == "auto":
module.fail_json(
msg=f"Cannot detect the required Python library cryptography (>= {MINIMAL_CRYPTOGRAPHY_VERSION})",
)
if module.params["format"] == "OpenSSH" and backend != "cryptography":
module.fail_json(msg="Format OpenSSH requires the cryptography backend.")
if backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
base_dir = os.path.dirname(module.params["path"]) or "."
if not os.path.isdir(base_dir):
@@ -478,7 +438,7 @@ def main():
)
try:
public_key = PublicKey(module, backend)
public_key = PublicKey(module)
if public_key.state == "present":
if module.check_mode:

7
plugins/modules/openssl_publickey_info.py
View File

@@ -36,6 +36,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -191,9 +194,7 @@ def main():
msg=f"Error while reading public key file from disk: {e}", **result
)
backend, module_backend = select_backend(
module, module.params["select_crypto_backend"], data
)
module_backend = select_backend(module, data)
try:
result.update(module_backend.get_info())

49
plugins/modules/openssl_signature.py
View File

@@ -58,6 +58,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -96,10 +99,10 @@ signature:
import base64
import os
import traceback
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
@@ -108,7 +111,6 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.hazmat.primitives.asymmetric.padding
@@ -116,12 +118,9 @@ try:
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
CRYPTOGRAPHY_VERSION = LooseVersion("0.0")
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
@@ -133,7 +132,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
class SignatureBase(OpenSSLObject):
def __init__(self, module, backend):
def __init__(self, module):
super(SignatureBase, self).__init__(
path=module.params["path"],
state="present",
@@ -141,8 +140,6 @@ class SignatureBase(OpenSSLObject):
check_mode=module.check_mode,
)
self.backend = backend
self.privatekey_path = module.params["privatekey_path"]
self.privatekey_content = module.params["privatekey_content"]
if self.privatekey_content is not None:
@@ -161,8 +158,8 @@ class SignatureBase(OpenSSLObject):
# Implementation with using cryptography
class SignatureCryptography(SignatureBase):
def __init__(self, module, backend):
super(SignatureCryptography, self).__init__(module, backend)
def __init__(self, module):
super(SignatureCryptography, self).__init__(module)
def run(self):
_padding = cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15()
@@ -178,7 +175,6 @@ class SignatureCryptography(SignatureBase):
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
signature = None
@@ -249,33 +245,10 @@ def main():
msg=f"The file {module.params['path']} does not exist",
)
backend = module.params["select_crypto_backend"]
if backend == "auto":
# Detection what is possible
can_use_cryptography = (
CRYPTOGRAPHY_FOUND
and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
# Decision
if can_use_cryptography:
backend = "cryptography"
# Success?
if backend == "auto":
module.fail_json(
msg=f"Cannot detect the required Python library cryptography (>= {MINIMAL_CRYPTOGRAPHY_VERSION})",
)
try:
if backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
_sign = SignatureCryptography(module, backend)
_sign = SignatureCryptography(module)
result = _sign.run()

49
plugins/modules/openssl_signature_info.py
View File

@@ -47,6 +47,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -85,10 +88,10 @@ valid:
import base64
import os
import traceback
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
@@ -97,7 +100,6 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
import cryptography.hazmat.primitives.asymmetric.padding
@@ -105,12 +107,9 @@ try:
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
CRYPTOGRAPHY_VERSION = LooseVersion("0.0")
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
@@ -122,7 +121,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
class SignatureInfoBase(OpenSSLObject):
def __init__(self, module, backend):
def __init__(self, module):
super(SignatureInfoBase, self).__init__(
path=module.params["path"],
state="present",
@@ -130,8 +129,6 @@ class SignatureInfoBase(OpenSSLObject):
check_mode=module.check_mode,
)
self.backend = backend
self.signature = module.params["signature"]
self.certificate_path = module.params["certificate_path"]
self.certificate_content = module.params["certificate_content"]
@@ -150,8 +147,8 @@ class SignatureInfoBase(OpenSSLObject):
# Implementation with using cryptography
class SignatureInfoCryptography(SignatureInfoBase):
def __init__(self, module, backend):
super(SignatureInfoCryptography, self).__init__(module, backend)
def __init__(self, module):
super(SignatureInfoCryptography, self).__init__(module)
def run(self):
_padding = cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15()
@@ -167,7 +164,6 @@ class SignatureInfoCryptography(SignatureInfoBase):
certificate = load_certificate(
path=self.certificate_path,
content=self.certificate_content,
backend=self.backend,
)
public_key = certificate.public_key()
verified = False
@@ -254,33 +250,10 @@ def main():
msg=f"The file {module.params['path']} does not exist",
)
backend = module.params["select_crypto_backend"]
if backend == "auto":
# Detection what is possible
can_use_cryptography = (
CRYPTOGRAPHY_FOUND
and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
# Decision
if can_use_cryptography:
backend = "cryptography"
# Success?
if backend == "auto":
module.fail_json(
msg=f"Cannot detect any of the required Python libraries cryptography (>= {MINIMAL_CRYPTOGRAPHY_VERSION})"
)
try:
if backend == "cryptography":
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
_sign = SignatureInfoCryptography(module, backend)
_sign = SignatureInfoCryptography(module)
result = _sign.run()

3
plugins/modules/x509_certificate.py
View File

@@ -396,8 +396,7 @@ def main():
"selfsigned": SelfSignedCertificateProvider,
}
backend = module.params["select_crypto_backend"]
module_backend = select_backend(module, backend, provider_map[provider]())
module_backend = select_backend(module, provider_map[provider]())
certificate = GenericCertificate(module, module_backend)
certificate.generate(module)

18
plugins/modules/x509_certificate_convert.py
View File

@@ -106,9 +106,8 @@ backup_file:
import base64
import os
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_bytes, to_text
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
@@ -126,6 +125,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.io import (
load_file_if_exists,
@@ -135,15 +135,11 @@ from ansible_collections.community.crypto.plugins.module_utils.io import (
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography # noqa: F401, pylint: disable=unused-import
from cryptography.x509 import load_der_x509_certificate
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
pass
def parse_certificate(input, strict=False):
@@ -226,13 +222,7 @@ class X509CertificateConvertModule(OpenSSLObject):
pass
def verify_cert_parsable(self, module):
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(
f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"
),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
try:
load_der_x509_certificate(self.input)
except Exception as exc:

7
plugins/modules/x509_certificate_info.py
View File

@@ -57,6 +57,9 @@ options:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
- Note that with community.crypto 3.0.0, all values behave the same.
This option will be deprecated in a later version.
We recommend to not set it explicitly.
type: str
default: auto
choices: [auto, cryptography]
@@ -430,9 +433,7 @@ def main():
except (IOError, OSError) as e:
module.fail_json(msg=f"Error while reading certificate file from disk: {e}")
backend, module_backend = select_backend(
module, module.params["select_crypto_backend"], data
)
module_backend = select_backend(module, data)
valid_at = module.params["valid_at"]
if valid_at:

3
plugins/modules/x509_certificate_pipe.py
View File

@@ -188,8 +188,7 @@ def main():
"selfsigned": SelfSignedCertificateProvider,
}
backend = module.params["select_crypto_backend"]
module_backend = select_backend(module, backend, provider_map[provider]())
module_backend = select_backend(module, provider_map[provider]())
certificate = GenericCertificate(module, module_backend)
certificate.generate(module)
result = certificate.dump()

27
plugins/modules/x509_crl.py
View File

@@ -425,9 +425,8 @@ crl:
import base64
import os
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_text
from ansible.module_utils.common.validation import check_type_int, check_type_str
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
@@ -471,6 +470,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
assert_required_cryptography_version,
)
from ansible_collections.community.crypto.plugins.module_utils.io import write_file
from ansible_collections.community.crypto.plugins.module_utils.serial import (
@@ -479,16 +479,11 @@ from ansible_collections.community.crypto.plugins.module_utils.serial import (
from ansible_collections.community.crypto.plugins.module_utils.time import (
get_relative_time_option,
)
from ansible_collections.community.crypto.plugins.module_utils.version import (
LooseVersion,
)
MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
CRYPTOGRAPHY_IMP_ERR = None
try:
import cryptography
from cryptography import x509
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import (
@@ -497,13 +492,8 @@ try:
NameAttribute,
RevokedCertificateBuilder,
)
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
except ImportError:
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
CRYPTOGRAPHY_FOUND = False
else:
CRYPTOGRAPHY_FOUND = True
pass
class CRLError(OpenSSLObjectError):
@@ -582,9 +572,7 @@ class CRL(OpenSSLObject):
try:
if rc["content"] is not None:
rc["content"] = rc["content"].encode("utf-8")
cert = load_certificate(
rc["path"], content=rc["content"], backend="cryptography"
)
cert = load_certificate(rc["path"], content=rc["content"])
result["serial_number"] = cert.serial_number
except OpenSSLObjectError as e:
if rc["content"] is not None:
@@ -631,7 +619,6 @@ class CRL(OpenSSLObject):
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend="cryptography",
)
except OpenSSLBadPassphraseError as exc:
raise CRLError(exc)
@@ -1011,11 +998,7 @@ def main():
add_file_common_args=True,
)
if not CRYPTOGRAPHY_FOUND:
module.fail_json(
msg=missing_required_lib(f"cryptography >= {MINIMAL_CRYPTOGRAPHY_VERSION}"),
exception=CRYPTOGRAPHY_IMP_ERR,
)
assert_required_cryptography_version(MINIMAL_CRYPTOGRAPHY_VERSION)
try:
crl = CRL(module)