acme_* modules: support private key passprases (#207)

* Support private key passprases. * Use c.c modules for key generation, add first passphrase tests. * Some more passphrase tests.
2026-05-08 14:22:56 +00:00 · 2021-03-21 17:53:20 +01:00
parent 5d32937321
commit e85554827f
16 changed files with 190 additions and 64 deletions
--- a/tests/integration/targets/acme_account/tasks/impl.yml
+++ b/tests/integration/targets/acme_account/tasks/impl.yml
@@ -1,20 +1,29 @@
- name: Generate account keys
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem"
-  loop:
-    - accountkey
-    - accountkey2
-    - accountkey3
-    - accountkey4
-    - accountkey5
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      passphrase: "{{ item.pass | default(omit, true) }}"
+      cipher: "{{ 'auto' if item.pass | default() else omit }}"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"

- name: Parse account keys (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/{{ item }}.pem -noout -text"
-  loop:
-    - accountkey
-    - accountkey2
-    - accountkey3
-    - accountkey4
-    - accountkey5
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      passphrase: "{{ item.pass | default(omit, true) }}"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: accountkey
+      - name: accountkey2
+        pass: "{{ 'hunter2' if select_crypto_backend != 'openssl' else '' }}"
+      - name: accountkey3
+      - name: accountkey4
+      - name: accountkey5

 - name: Do not try to create account
  acme_account:
@@ -173,6 +182,7 @@
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
    new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    state: changed_key
    contact:
    - mailto:example@example.com
@@ -188,6 +198,7 @@
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
    new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    state: changed_key
    contact:
    - mailto:example@example.com
@@ -197,6 +208,7 @@
  acme_account:
    select_crypto_backend: "{{ select_crypto_backend }}"
    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -209,6 +221,7 @@
  acme_account:
    select_crypto_backend: "{{ select_crypto_backend }}"
    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -219,6 +232,7 @@
  acme_account:
    select_crypto_backend: "{{ select_crypto_backend }}"
    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -229,6 +243,7 @@
  acme_account:
    select_crypto_backend: "{{ select_crypto_backend }}"
    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
--- a/tests/integration/targets/acme_account_info/tasks/impl.yml
+++ b/tests/integration/targets/acme_account_info/tasks/impl.yml
@@ -1,12 +1,23 @@
 ---
- name: Generate account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"

- name: Generate second account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem"
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"

- name: Parse account key (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
+  vars:
+    account_keys:
+      - accountkey
+      - accountkey2

 - name: Check that account does not exist
  acme_account_info:
--- a/tests/integration/targets/acme_certificate/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -1,11 +1,26 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
- name: Create ECC256 account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
- name: Create ECC384 account key
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
- name: Create RSA account key
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa.pem {{ default_rsa_key_size }}"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+      - name: account-ec384
+        type: ECC
+        curve: secp384r1
+      - name: account-rsa
+        type: RSA
+        size: "{{ default_rsa_key_size }}"
 ## SET UP ACCOUNTS ############################################################################
 - name: Make sure ECC256 account hasn't been created yet
  acme_account:
@@ -72,6 +87,7 @@
  vars:
    certgen_title: Certificate 2
    certificate_name: cert-2
+    certificate_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else '' }}"
    key_type: ec256
    subject_alt_name: "DNS:*.example.com,DNS:example.com"
    subject_alt_name_critical: yes
--- a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
@@ -1,11 +1,26 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
- name: Create ECC256 account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
- name: Create ECC384 account key
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
- name: Create RSA account key
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa.pem {{ default_rsa_key_size }}"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+      - name: account-ec384
+        type: ECC
+        curve: secp384r1
+      - name: account-rsa
+        type: RSA
+        size: "{{ default_rsa_key_size }}"
 ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
 - name: Obtain cert 1
  include_tasks: obtain-cert.yml
@@ -29,6 +44,7 @@
  vars:
    certgen_title: Certificate 2 for revocation
    certificate_name: cert-2
+    certificate_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else '' }}"
    key_type: ec256
    subject_alt_name: "DNS:*.example.com"
    subject_alt_name_critical: yes
@@ -71,6 +87,7 @@
  acme_certificate_revoke:
    select_crypto_backend: "{{ select_crypto_backend }}"
    private_key_src: "{{ output_dir }}/cert-2.key"
+    private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
    certificate: "{{ output_dir }}/cert-2.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
--- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -5,8 +5,12 @@
 ####################################################################

 - block:
-  - name: Create ECC256 account key
-    command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
+  - name: Generate ECC256 accoun keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/account-ec256.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
  - name: Obtain cert 1
    include_tasks: obtain-cert.yml
    vars:
--- a/tests/integration/targets/acme_inspect/tasks/impl.yml
+++ b/tests/integration/targets/acme_inspect/tasks/impl.yml
@@ -1,9 +1,22 @@
 ---
- name: Generate account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"

- name: Parse account key (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - accountkey

 - name: Get directory
  acme_inspect:
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -1,22 +1,25 @@
 ---
 ## PRIVATE KEY ################################################################################
- name: ({{ certgen_title }}) Create cert private key (RSA)
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else default_rsa_key_size }}"
-  when: "key_type == 'rsa'"
- name: ({{ certgen_title }}) Create cert private key (ECC 256)
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec256'"
- name: ({{ certgen_title }}) Create cert private key (ECC 384)
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec384'"
- name: ({{ certgen_title }}) Create cert private key (ECC 512)
-  command: "{{ openssl_binary }} ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec521'"
+- name: ({{ certgen_title }}) Create cert private key
+  openssl_privatekey:
+    path: "{{ output_dir }}/{{ certificate_name }}.key"
+    type: "{{ 'RSA' if key_type == 'rsa' else 'ECC' }}"
+    size: "{{ rsa_bits if key_type == 'rsa' else omit }}"
+    curve: >-
+      {{ omit if key_type == 'rsa' else
+         'secp256r1' if key_type == 'ec256' else
+         'secp384r1' if key_type == 'ec384' else
+         'secp521r1' if key_type == 'ec521' else
+         'invalid value for key_type!' }}
+    passphrase: "{{ certificate_passphrase | default(omit, true) }}"
+    cipher: "{{ 'auto' if certificate_passphrase | default() else omit }}"
+    force: true
 ## CSR ########################################################################################
 - name: ({{ certgen_title }}) Create cert CSR
  openssl_csr:
    path: "{{ output_dir }}/{{ certificate_name }}.csr"
    privatekey_path: "{{ output_dir }}/{{ certificate_name }}.key"
+    privatekey_passphrase: "{{ certificate_passphrase | default(omit, true) }}"
    subject_alt_name: "{{ subject_alt_name }}"
    subject_alt_name_critical: "{{ subject_alt_name_critical }}"
    return_content: true
@@ -30,6 +33,7 @@
    validate_certs: no
    account_key: "{{ (output_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
    account_key_content: "{{ account_key_content | default(omit) }}"
+    account_key_passphrase: "{{ account_key_passphrase | default(omit, true) }}"
    modify_account: "{{ modify_account }}"
    csr: "{{ omit if use_csr_content | default(false) else output_dir ~ '/' ~ certificate_name ~ '.csr' }}"
    csr_content: "{{ csr_result.csr if use_csr_content | default(false) else omit }}"
@@ -69,6 +73,7 @@
    challenge: tls-alpn-01
    challenge_data: "{{ item.value['tls-alpn-01'] }}"
    private_key_src: "{{ output_dir }}/{{ certificate_name }}.key"
+    private_key_passphrase: "{{ certificate_passphrase | default(omit, true) }}"
  with_dict: "{{ challenge_data.challenge_data }}"
  register: tls_alpn_challenges
  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
@@ -101,6 +106,7 @@
    validate_certs: no
    account_key: "{{ (output_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
    account_key_content: "{{ account_key_content | default(omit) }}"
+    account_key_passphrase: "{{ account_key_passphrase | default(omit, true) }}"
    account_uri: "{{ challenge_data.account_uri }}"
    modify_account: "{{ modify_account }}"
    csr: "{{ omit if use_csr_content | default(false) else output_dir ~ '/' ~ certificate_name ~ '.csr' }}"