internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-08 06:13:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve error message when lodaing corrupt private key or private key with wrong passphrase. (#939) (#940)

Browse Source 
(cherry picked from commit f219cac94c)
This commit is contained in:
Felix Fontein
2025-07-25 17:08:45 +02:00
committed by GitHub
parent 71e9d2273a
commit b6887ab1f4
3 changed files with 87 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
changelogs/fragments/939-private-key-errors.yml Normal file
View File

@@ -0,0 +1,4 @@
bugfixes:
- "Improve error message when loading a private key fails due to correct private key files or wrong passwords.
Also include the original cryptography error since it likely contains more helpful information
(https://github.com/ansible-collections/community.crypto/issues/936, https://github.com/ansible-collections/community.crypto/pull/939)."

9
plugins/module_utils/crypto/support.py
View File

@@ -40,6 +40,7 @@ except (ImportError, AttributeError):
try: try:
from cryptography import x509 from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends import default_backend as cryptography_backend from cryptography.hazmat.backends import default_backend as cryptography_backend
from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import load_pem_private_key from cryptography.hazmat.primitives.serialization import load_pem_private_key
@@ -213,12 +214,16 @@ def load_privatekey(
None if passphrase is None else to_bytes(passphrase), None if passphrase is None else to_bytes(passphrase),
cryptography_backend(), cryptography_backend(),
) )
except UnsupportedAlgorithm as exc:
raise OpenSSLBadPassphraseError("Unsupported private key type: {exc}".format(exc=exc))
except TypeError: except TypeError:
raise OpenSSLBadPassphraseError( raise OpenSSLBadPassphraseError(
"Wrong or empty passphrase provided for private key" "Wrong or empty passphrase provided for private key"
) )
except ValueError: except ValueError as exc:
raise OpenSSLBadPassphraseError("Wrong passphrase provided for private key") raise OpenSSLBadPassphraseError(
"Wrong passphrase provided for private key, or private key cannot be parsed: {exc}".format(exc=exc)
)
return result return result

76
tests/integration/targets/openssl_privatekey_info/tasks/impl.yml
View File

@@ -90,6 +90,32 @@
- "'public_data' not in result" - "'public_data' not in result"
- "'private_data' not in result" - "'private_data' not in result"
- name: ({{ select_crypto_backend }}) Get key 3 info (with wrong passphrase)
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
passphrase: blabla
ignore_errors: true
register: result
- name: Check that loading passphrase protected key with wrong passphrase failed
ansible.builtin.assert:
that:
- result is failed
# Check that return values are there
- result.can_load_key is defined
- result.can_parse_key is defined
# Check that return values are correct
- result.can_load_key
- not result.can_parse_key
# Check that additional data isn't there
- "'pulic_key' not in result"
- "'pulic_key_fingerprints' not in result"
- "'type' not in result"
- "'public_data' not in result"
- "'private_data' not in result"
- name: ({{ select_crypto_backend }}) Get key 3 info (with passphrase) - name: ({{ select_crypto_backend }}) Get key 3 info (with passphrase)
community.crypto.openssl_privatekey_info: community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_3.pem' path: '{{ remote_tmp_dir }}/privatekey_3.pem'
@@ -155,3 +181,53 @@
- "result.public_data.y > 2" - "result.public_data.y > 2"
- "'private_data' in result" - "'private_data' in result"
- "result.private_data.x > 2" - "result.private_data.x > 2"
- name: ({{ select_crypto_backend }}) Get empty key info
community.crypto.openssl_privatekey_info:
content: ''
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
ignore_errors: true
- name: Check that empty key loading failed
ansible.builtin.assert:
that:
- result is failed
# Check that return values are there
- result.can_load_key is defined
- result.can_parse_key is defined
# Check that return values are correct
- result.can_load_key
- not result.can_parse_key
# Check that additional data isn't there
- "'pulic_key' not in result"
- "'pulic_key_fingerprints' not in result"
- "'type' not in result"
- "'public_data' not in result"
- "'private_data' not in result"
- name: ({{ select_crypto_backend }}) Get corrupt key info
community.crypto.openssl_privatekey_info:
content: C0RRUPT
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
ignore_errors: true
- name: Check that corrupt key loading failed
ansible.builtin.assert:
that:
- result is failed
# Check that return values are there
- result.can_load_key is defined
- result.can_parse_key is defined
# Check that return values are correct
- result.can_load_key
- not result.can_parse_key
# Check that additional data isn't there
- "'pulic_key' not in result"
- "'pulic_key_fingerprints' not in result"
- "'type' not in result"
- "'public_data' not in result"
- "'private_data' not in result"