acme_* modules: support private key passprases (#207)

* Support private key passprases. * Use c.c modules for key generation, add first passphrase tests. * Some more passphrase tests.
2026-05-06 13:22:58 +00:00 · 2021-03-21 17:53:20 +01:00
parent 5d32937321
commit e85554827f
16 changed files with 190 additions and 64 deletions
--- a/plugins/module_utils/acme/acme.py
+++ b/plugins/module_utils/acme/acme.py
@@ -112,6 +112,7 @@ class ACMEClient(object):
        # account_key path and content are mutually exclusive
        self.account_key_file = module.params['account_key_src']
        self.account_key_content = module.params['account_key_content']
+        self.account_key_passphrase = module.params['account_key_passphrase']

        # Grab account URI from module parameters.
        # Make sure empty string is treated as None.
@@ -122,7 +123,10 @@ class ACMEClient(object):
        self.account_jws_header = None
        if self.account_key_file is not None or self.account_key_content is not None:
            try:
-                self.account_key_data = self.parse_key(key_file=self.account_key_file, key_content=self.account_key_content)
+                self.account_key_data = self.parse_key(
+                    key_file=self.account_key_file,
+                    key_content=self.account_key_content,
+                    passphrase=self.account_key_passphrase)
            except KeyParsingError as e:
                raise ModuleFailException("Error while parsing account key: {msg}".format(msg=e.msg))
            self.account_jwk = self.account_key_data['jwk']
@@ -146,14 +150,14 @@ class ACMEClient(object):
            self.account_jws_header.pop('jwk')
            self.account_jws_header['kid'] = self.account_uri

-    def parse_key(self, key_file=None, key_content=None):
+    def parse_key(self, key_file=None, key_content=None, passphrase=None):
        '''
        Parses an RSA or Elliptic Curve key file in PEM format and returns key_data.
        In case of an error, raises KeyParsingError.
        '''
        if key_file is None and key_content is None:
            raise AssertionError('One of key_file and key_content must be specified!')
-        error, key_data = self.backend.parse_key(key_file, key_content)
+        error, key_data = self.backend.parse_key(key_file, key_content, passphrase=passphrase)
        if error:
            raise KeyParsingError(error)
        return key_data
@@ -311,6 +315,7 @@ def get_default_argspec():
    return dict(
        account_key_src=dict(type='path', aliases=['account_key']),
        account_key_content=dict(type='str', no_log=True),
+        account_key_passphrase=dict(type='str', no_log=True),
        account_uri=dict(type='str'),
        acme_directory=dict(type='str'),
        acme_version=dict(type='int', choices=[1, 2]),
--- a/plugins/module_utils/acme/backend_cryptography.py
+++ b/plugins/module_utils/acme/backend_cryptography.py
@@ -179,7 +179,7 @@ class CryptographyBackend(CryptoBackend):
    def __init__(self, module):
        super(CryptographyBackend, self).__init__(module)

-    def parse_key(self, key_file=None, key_content=None):
+    def parse_key(self, key_file=None, key_content=None, passphrase=None):
        '''
        Parses an RSA or Elliptic Curve key file in PEM format and returns a pair
        (error, key_data).
@@ -191,7 +191,10 @@ class CryptographyBackend(CryptoBackend):
            key_content = to_bytes(key_content)
        # Parse key
        try:
-            key = cryptography.hazmat.primitives.serialization.load_pem_private_key(key_content, password=None, backend=_cryptography_backend)
+            key = cryptography.hazmat.primitives.serialization.load_pem_private_key(
+                key_content,
+                password=to_bytes(passphrase) if passphrase is not None else None,
+                backend=_cryptography_backend)
        except Exception as e:
            return 'error while loading key: {0}'.format(e), None
        if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
--- a/plugins/module_utils/acme/backend_openssl_cli.py
+++ b/plugins/module_utils/acme/backend_openssl_cli.py
@@ -41,11 +41,13 @@ class OpenSSLCLIBackend(CryptoBackend):
            openssl_binary = module.get_bin_path('openssl', True)
        self.openssl_binary = openssl_binary

-    def parse_key(self, key_file=None, key_content=None):
+    def parse_key(self, key_file=None, key_content=None, passphrase=None):
        '''
        Parses an RSA or Elliptic Curve key file in PEM format and returns a pair
        (error, key_data).
        '''
+        if passphrase is not None:
+            return 'openssl backend does not support key passphrases', {}
        # If key_file isn't given, but key_content, write that to a temporary file
        if key_file is None:
            fd, tmpsrc = tempfile.mkstemp()
--- a/plugins/module_utils/acme/backends.py
+++ b/plugins/module_utils/acme/backends.py
@@ -19,7 +19,7 @@ class CryptoBackend(object):
        self.module = module

    @abc.abstractmethod
-    def parse_key(self, key_file=None, key_content=None):
+    def parse_key(self, key_file=None, key_content=None, passphrase=None):
        '''
        Parses an RSA or Elliptic Curve key file in PEM format and returns a pair
        (error, key_data).