openssl_pkcs12: add cryptography backend (#234)

* Began refactoring. * Continue. * Factor PyOpenSSL backend out. * Add basic cryptography backend. * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <ajpantuso@gmail.com> * Only run tests when new enough pyOpenSSL or cryptography is around. * Reduce required pyOpenSSL version from 17.1.0 to 0.15. I have no idea why 17.1.0 was there (in the tests), and not something smaller. The module itself did not mention any version. * Linting. * Linting. * Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used. * Improve docs, add changelog fragment. * Move hackish code to cryptography_support. * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <ajpantuso@gmail.com> * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <ajpantuso@gmail.com> * Streamline cert creation. * Convert range to list. Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
2026-05-06 21:33:00 +00:00 · 2021-05-20 19:36:07 +02:00
parent 0a0d0f2bdf
commit e9bc7c7163
6 changed files with 504 additions and 187 deletions
--- a/plugins/module_utils/crypto/cryptography_support.py
+++ b/plugins/module_utils/crypto/cryptography_support.py
@@ -35,6 +35,15 @@ except ImportError:
    # Error handled in the calling module.
    pass

+try:
+    # This is a separate try/except since this is only present in cryptography 2.5 or newer
+    from cryptography.hazmat.primitives.serialization.pkcs12 import (
+        load_key_and_certificates as _load_key_and_certificates,
+    )
+except ImportError:
+    # Error handled in the calling module.
+    _load_key_and_certificates = None
+
 from .basic import (
    CRYPTOGRAPHY_HAS_ED25519,
    CRYPTOGRAPHY_HAS_ED448,
@@ -428,3 +437,21 @@ def cryptography_serial_number_of_cert(cert):
    except AttributeError:
        # The property was called "serial" before cryptography 1.4
        return cert.serial
+
+
+def parse_pkcs12(pkcs12_bytes, passphrase=None):
+    '''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
+    '''
+    if _load_key_and_certificates is None:
+        raise ValueError('load_key_and_certificates() not present in the current cryptography version')
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
+
+    friendly_name = None
+    if certificate:
+        # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
+        maybe_name = certificate._backend._lib.X509_alias_get0(
+            certificate._x509, certificate._backend._ffi.NULL)
+        if maybe_name != certificate._backend._ffi.NULL:
+            friendly_name = certificate._backend._ffi.string(maybe_name)
+
+    return private_key, certificate, additional_certificates, friendly_name