internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-06 13:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove PyOpenSSL backends (except for openssl_pkcs12) (#273)

Browse Source 
* Remove Ubuntu 16.04 (Xenial Xerus) from CI.

* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.

* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.

* Add changelog fragment.
This commit is contained in:
Felix Fontein
2021-09-28 17:46:35 +02:00
committed by GitHub
parent 24e7d07973
commit f644db3c79
72 changed files with 227 additions and 2638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
tests/integration/targets/get_certificate/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- prepare_http_tests

12
tests/integration/targets/get_certificate/tasks/main.yml
View File

@@ -30,17 +30,7 @@
that:
- result is success or skip_tests
when: |
pyopenssl_version.stdout is version('0.15', '>=') or
cryptography_version.stdout is version('1.6', '>=')
- block:
- include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=') and not skip_tests
when: cryptography_version.stdout is version('1.6', '>=')
- block:

1
tests/integration/targets/openssl_csr/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

126
tests/integration/targets/openssl_csr/tasks/impl.yml
View File

@@ -363,7 +363,6 @@
commonName: www.ansible.com
subject_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (idempotency)"
@@ -374,7 +373,6 @@
commonName: www.ansible.com
subject_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (change)"
@@ -385,7 +383,6 @@
commonName: www.ansible.com
subject_key_identifier: "44:55:66:77:88"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create)"
@@ -396,7 +393,6 @@
commonName: www.ansible.com
create_subject_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create idempotency)"
@@ -407,7 +403,6 @@
commonName: www.ansible.com
create_subject_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (remove)"
@@ -417,7 +412,6 @@
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_6
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier"
@@ -428,7 +422,6 @@
commonName: www.ansible.com
authority_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (idempotency)"
@@ -439,7 +432,6 @@
commonName: www.ansible.com
authority_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (change)"
@@ -450,7 +442,6 @@
commonName: www.ansible.com
authority_key_identifier: "44:55:66:77:88"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (remove)"
@@ -460,7 +451,6 @@
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number"
@@ -474,7 +464,6 @@
- "IP:1.2.3.4"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (idempotency)"
@@ -488,7 +477,6 @@
- "IP:1.2.3.4"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change issuer)"
@@ -502,7 +490,6 @@
- "DNS:ca.example.org"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change serial number)"
@@ -516,7 +503,6 @@
- "DNS:ca.example.org"
authority_cert_serial_number: 54321
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (remove)"
@@ -525,7 +511,6 @@
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_5
- name: "({{ select_crypto_backend }}) Generate CSR with everything"
@@ -561,37 +546,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.example.com"
- "DNS:.org"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -609,13 +581,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -631,9 +596,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/24"
- "IP:::1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_1
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent, check mode)"
@@ -669,37 +631,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -717,13 +666,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -739,9 +681,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
check_mode: yes
register: everything_2
@@ -778,37 +717,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -826,13 +752,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -848,9 +767,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_3
- name: "({{ select_crypto_backend }}) Get info from CSR with everything"

42
tests/integration/targets/openssl_csr/tasks/main.yml
View File

@@ -4,40 +4,18 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- name: Prepare private key for backend autodetection test
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
- name: Prepare private key for backend autodetection test
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:

41
tests/integration/targets/openssl_csr/tests/validate.yml
View File

@@ -74,13 +74,13 @@
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: "({{ select_crypto_backend }}) Validate invalid SAN (2/2)"
# Note that pyOpenSSL simply accepts this name, and modern cryptography versions do so as well.
# Note that modern cryptography versions simply accept this name.
# The error has been observed with cryptography 1.7.2 and 1.9, but not with 2.3 and newer.
assert:
that:
- generate_csr_invalid_san_2 is failed
- "'The label system:kube-controller-manager is not a valid A-label' in generate_csr_invalid_san_2.msg"
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
when: cryptography_version.stdout is version('2.0', '<')
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
@@ -156,7 +156,6 @@
- subject_key_identifier_4 is changed
- subject_key_identifier_5 is not changed
- subject_key_identifier_6 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify that authority key identifier handling works"
assert:
@@ -165,7 +164,6 @@
- authority_key_identifier_2 is not changed
- authority_key_identifier_3 is changed
- authority_key_identifier_4 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify that authority cert issuer / serial number handling works"
assert:
@@ -175,7 +173,6 @@
- authority_cert_issuer_sn_3 is changed
- authority_cert_issuer_sn_4 is changed
- authority_cert_issuer_sn_5 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Check backup"
assert:
@@ -243,38 +240,7 @@
]
- everything_info.name_constraints_critical == true
- name: "({{ select_crypto_backend }}) Check CSR with everything (pyOpenSSL specific)"
assert:
that:
- everything_info.subject_alt_name == [
"DNS:www.ansible.com",
"IP:1.2.3.4",
"IP:::1",
"email:test@example.org",
"URI:https://example.org/test/index.html",
"RID:1.2.3.4",
]
- everything_info.extended_key_usage == [
"Any Extended Key Usage",
"Biometric Info",
"Code Signing",
"E-mail Protection",
"IPSec User",
"OCSP Signing",
"TLS Web Client Authentication",
"TLS Web Server Authentication",
"TLS Web Server Authentication",
"Time Stamping",
"dvcs",
"qcStatements",
]
- everything_info.name_constraints_permitted == [
"DNS:www.example.com",
"IP:1.2.3.0/24",
]
when: select_crypto_backend == 'pyopenssl'
- name: "({{ select_crypto_backend }}) Check CSR with everything (non-pyOpenSSL specific)"
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
that:
- everything_info.authority_cert_issuer == [
@@ -316,7 +282,6 @@
"IP:1.2.3.0/24",
"IP:::1:0:0/112",
]
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)"
assert:

1
tests/integration/targets/openssl_csr_info/meta/main.yml
View File

@@ -1,5 +1,4 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir
- prepare_jinja2_compat

22
tests/integration/targets/openssl_csr_info/tasks/impl.yml
View File

@@ -28,11 +28,7 @@
expected_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Update result list"
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Read CSR"
slurp:
@@ -56,10 +52,6 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Update result list"
set_fact:
info_results: "{{ info_results + [result] }}"
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_3.csr'
@@ -76,11 +68,7 @@
expected_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Update result list"
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
@@ -94,8 +82,4 @@
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
- result.authority_cert_serial_number is none
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Update result list"
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')

42
tests/integration/targets/openssl_csr_info/tasks/main.yml
View File

@@ -119,50 +119,8 @@
useCommonNameForSAN: no
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Prepare result list
set_fact:
info_results: []
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Prepare result list
set_fact:
pyopenssl_info_results: "{{ info_results }}"
info_results: []
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('1.3', '>=')
- name: Prepare result list
set_fact:
cryptography_info_results: "{{ info_results }}"
- block:
- name: Dump pyOpenSSL results
debug:
var: pyopenssl_info_results
- name: Dump cryptography results
debug:
var: cryptography_info_results
- name: Compare results
assert:
that:
- ' (item.0 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)
== (item.1 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)'
quiet: yes
loop: "{{ pyopenssl_info_results | zip(cryptography_info_results) | list }}"
when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.3', '>=')
vars:
keys_to_ignore:
- deprecations
- subject_key_identifier
- authority_key_identifier
- authority_cert_issuer
- authority_cert_serial_number

1
tests/integration/targets/openssl_csr_pipe/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

18
tests/integration/targets/openssl_csr_pipe/tasks/main.yml
View File

@@ -14,24 +14,6 @@
subject:
commonName: www.ansible.com
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml

1
tests/integration/targets/openssl_privatekey/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

22
tests/integration/targets/openssl_privatekey/tasks/impl.yml
View File

@@ -67,7 +67,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey5.pem'
passphrase: ansible
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -75,7 +75,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey5.pem'
passphrase: ansible
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey5_idempotence
@@ -84,13 +84,10 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey6.pem'
passphrase: ànsïblé
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
- set_fact:
ecc_types: []
when: select_crypto_backend == 'pyopenssl'
- set_fact:
ecc_types:
- curve: secp384r1
@@ -150,7 +147,6 @@
- curve: sect163r2
openssl_name: sect163r2
min_cryptography_version: "0.5"
when: select_crypto_backend == 'cryptography'
- name: "({{ select_crypto_backend }}) Test ECC key generation"
openssl_privatekey:
@@ -221,7 +217,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
@@ -231,7 +227,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
@@ -257,7 +253,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
@@ -278,7 +274,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
@@ -289,7 +285,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
@@ -551,7 +547,7 @@
type: RSA
size: '{{ default_rsa_key_size }}'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
cipher: auto
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
- name: "({{ select_crypto_backend }}) Regenerate - setup broken keys"

65
tests/integration/targets/openssl_privatekey/tasks/main.yml
View File

@@ -36,29 +36,6 @@
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
- import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: pyopenssl
# FIXME: minimal pyOpenSSL version?!
when: pyopenssl_version.stdout is version('0.6', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
@@ -70,45 +47,3 @@
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('0.5', '>=')
- name: Check that fingerprints do not depend on the backend
block:
- name: "Fingerprint comparison: pyOpenSSL"
openssl_privatekey:
path: '{{ remote_tmp_dir }}/fingerprint-{{ item }}.pem'
type: "{{ item }}"
size: '{{ default_rsa_key_size }}'
select_crypto_backend: pyopenssl
loop:
- RSA
- DSA
register: fingerprint_pyopenssl
- name: "Fingerprint comparison: cryptography"
openssl_privatekey:
path: '{{ remote_tmp_dir }}/fingerprint-{{ item }}.pem'
type: "{{ item }}"
size: '{{ default_rsa_key_size }}'
select_crypto_backend: cryptography
loop:
- RSA
- DSA
register: fingerprint_cryptography
- name: Verify that keys were not regenerated
assert:
that:
- fingerprint_cryptography is not changed
- name: Verify that fingerprints match
assert:
that: item.0.fingerprint[item.2] == item.1.fingerprint[item.2]
when: item.0 is not skipped and item.1 is not skipped
loop: |
{{ query('nested',
fingerprint_pyopenssl.results | zip(fingerprint_cryptography.results),
fingerprint_pyopenssl.results[0].fingerprint.keys()
) if fingerprint_pyopenssl.results[0].fingerprint else [] }}
loop_control:
label: "{{ [item.0.item, item.2] }}"
when: pyopenssl_version.stdout is version('0.6', '>=') and cryptography_version.stdout is version('0.5', '>=')

1
tests/integration/targets/openssl_privatekey_info/meta/main.yml
View File

@@ -1,5 +1,4 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir
- prepare_jinja2_compat

45
tests/integration/targets/openssl_privatekey_info/tasks/impl.yml
View File

@@ -20,10 +20,6 @@
- "result.public_data.exponent > 5"
- "'private_data' not in result"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key1': result}) }}"
- name: ({{select_crypto_backend}}) Read private key
slurp:
src: '{{ remote_tmp_dir }}/privatekey_1.pem'
@@ -62,10 +58,6 @@
- "result.public_data.modulus == result.private_data.p * result.private_data.q"
- "result.private_data.exponent > 5"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key2': result}) }}"
- name: ({{select_crypto_backend}}) Get key 3 info (without passphrase)
openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
@@ -113,10 +105,6 @@
- "result.public_data.modulus == result.private_data.p * result.private_data.q"
- "result.private_data.exponent > 5"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key3': result}) }}"
- name: ({{select_crypto_backend}}) Get key 4 info
openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
@@ -124,37 +112,20 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- block:
- name: Check that ECC key info is ok
assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
- "'type' in result"
- "result.type == 'ECC'"
- "'public_data' in result"
- "result.public_data.curve is string"
- "result.public_data.x != 0"
- "result.public_data.y != 0"
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- "'private_data' in result"
- "result.private_data.multiplier > 1024"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key4': result}) }}"
when: select_crypto_backend != 'pyopenssl' or (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
- name: Check that ECC key info is ok
assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
- "'type' in result"
- "result.type.startswith('unknown ')"
- "result.type == 'ECC'"
- "'public_data' in result"
- "result.public_data.curve is string"
- "result.public_data.x != 0"
- "result.public_data.y != 0"
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- "'private_data' in result"
when: select_crypto_backend == 'pyopenssl' and not (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
- "result.private_data.multiplier > 1024"
- name: ({{select_crypto_backend}}) Get key 5 info
openssl_privatekey_info:
@@ -177,7 +148,3 @@
- "result.public_data.y > 2"
- "'private_data' in result"
- "result.private_data.x > 2"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key5': result}) }}"

34
tests/integration/targets/openssl_privatekey_info/tasks/main.yml
View File

@@ -36,42 +36,8 @@
type: DSA
size: 1024
- name: Prepare result list
set_fact:
info_results: {}
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Prepare result list
set_fact:
pyopenssl_info_results: "{{ info_results }}"
info_results: {}
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('1.2.3', '>=')
- name: Prepare result list
set_fact:
cryptography_info_results: "{{ info_results }}"
- block:
- name: Dump pyOpenSSL results
debug:
var: pyopenssl_info_results
- name: Dump cryptography results
debug:
var: cryptography_info_results
- name: Compare results
assert:
that:
- ' (pyopenssl_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict)
== (cryptography_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict)'
loop: "{{ pyopenssl_info_results.keys() | intersect(cryptography_info_results.keys()) | list }}"
when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.2.3', '>=')

1
tests/integration/targets/openssl_privatekey_pipe/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

19
tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml
View File

@@ -8,25 +8,6 @@
openssl_privatekey_pipe:
size: '{{ default_rsa_key_size }}'
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
# FIXME: minimal pyOpenSSL version?!
when: pyopenssl_version.stdout is version('0.6', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml

1
tests/integration/targets/openssl_publickey/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

2
tests/integration/targets/openssl_publickey/tasks/impl.yml
View File

@@ -90,7 +90,7 @@
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey3.pem'
passphrase: ansible
cipher: aes256
cipher: auto
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Generate publickey3 - with passphrase protected privatekey"

27
tests/integration/targets/openssl_publickey/tasks/main.yml
View File

@@ -15,33 +15,6 @@
path: '{{ remote_tmp_dir }}/privatekey_autodetect_public.pem'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_autodetect.pem'
when: |
pyopenssl_version.stdout is version('16.0.0', '>=') or
cryptography_version.stdout is version('1.2.3', '>=')
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
- import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('16.0.0', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:

1
tests/integration/targets/openssl_publickey_info/meta/main.yml
View File

@@ -1,5 +1,4 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir
- prepare_jinja2_compat

37
tests/integration/targets/openssl_publickey_info/tasks/impl.yml
View File

@@ -18,10 +18,6 @@
- "2 ** (result.public_data.size - 1) < result.public_data.modulus < 2 ** result.public_data.size"
- "result.public_data.exponent > 5"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key1': result}) }}"
- name: ({{select_crypto_backend}}) Read file
slurp:
src: '{{ remote_tmp_dir }}/publickey_1.pem'
@@ -55,42 +51,23 @@
- "2 ** (result.public_data.size - 1) < result.public_data.modulus < 2 ** result.public_data.size"
- "result.public_data.exponent > 5"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key2': result}) }}"
- name: ({{select_crypto_backend}}) Get key 3 info
openssl_publickey_info:
path: '{{ remote_tmp_dir }}/publickey_3.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- block:
- name: Check that ECC key info is ok
assert:
that:
- "'fingerprints' in result"
- "'type' in result"
- "result.type == 'ECC'"
- "'public_data' in result"
- "result.public_data.curve is string"
- "result.public_data.x != 0"
- "result.public_data.y != 0"
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key3': result}) }}"
when: select_crypto_backend != 'pyopenssl' or (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
- name: Check that ECC key info is ok
assert:
that:
- "'fingerprints' in result"
- "'type' in result"
- "result.type.startswith('unknown ')"
- "result.type == 'ECC'"
- "'public_data' in result"
when: select_crypto_backend == 'pyopenssl' and not (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
- "result.public_data.curve is string"
- "result.public_data.x != 0"
- "result.public_data.y != 0"
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: ({{select_crypto_backend}}) Get key 4 info
openssl_publickey_info:
@@ -109,7 +86,3 @@
- "result.public_data.q > 2"
- "result.public_data.g >= 2"
- "result.public_data.y > 2"
- name: Update result list
set_fact:
info_results: "{{ info_results | combine({'key4': result}) }}"

30
tests/integration/targets/openssl_publickey_info/tasks/main.yml
View File

@@ -42,38 +42,8 @@
set_fact:
info_results: {}
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('16.0.0', '>=')
- name: Prepare result list
set_fact:
pyopenssl_info_results: "{{ info_results }}"
info_results: {}
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('1.2.3', '>=')
- name: Prepare result list
set_fact:
cryptography_info_results: "{{ info_results }}"
- block:
- name: Dump pyOpenSSL results
debug:
var: pyopenssl_info_results
- name: Dump cryptography results
debug:
var: cryptography_info_results
- name: Compare results
assert:
that:
- ' (pyopenssl_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict)
== (cryptography_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict)'
loop: "{{ pyopenssl_info_results.keys() | intersect(cryptography_info_results.keys()) | list }}"
when: pyopenssl_version.stdout is version('16.0.0', '>=') and cryptography_version.stdout is version('1.2.3', '>=')

1
tests/integration/targets/openssl_signature/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

20
tests/integration/targets/openssl_signature/tasks/main.yml
View File

@@ -5,7 +5,7 @@
####################################################################
# Test matrix:
# * pyopenssl or cryptography
# * cryptography
# * DSA or ECC or ...
# * password protected private key or not
@@ -25,11 +25,6 @@
backends: "{{ backends + [ { 'backend': 'cryptography' } ] }}"
when: cryptography_version.stdout is version('1.4', '>=')
- name: Add pyopenssl backend
set_fact:
backends: "{{ backends + [ { 'backend': 'pyopenssl' } ] }}"
when: pyopenssl_version.stdout is version('0.11', '>=')
- name: Add RSA tests
set_fact:
key_types: "{{ key_types + [ { 'type': 'RSA', 'size': default_rsa_key_size } ] }}"
@@ -58,14 +53,11 @@
all_tests: >-
[
{% for b in backends %}
{% for kt in key_types %}
{% for kp in key_password %}
{# Exclude Ed25519 and Ed448 tests on pyopenssl #}
{% if not (b.backend == 'pyopenssl' and (kt.type == 'Ed25519' or kt.type == 'Ed448')) %}
{{ b | combine (kt) | combine(kp) }},
{% endif %}
{% endfor %}
{% endfor %}
{% for kt in key_types %}
{% for kp in key_password %}
{{ b | combine (kt) | combine(kp) }},
{% endfor %}
{% endfor %}
{% endfor %}
]

1
tests/integration/targets/x509_certificate/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

14
tests/integration/targets/x509_certificate/tasks/expired.yml
View File

@@ -12,20 +12,8 @@
commonName: www.example.com
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/has_expired_cert.pem'
csr_path: '{{ remote_tmp_dir }}/has_expired_csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/has_expired_privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_not_after: "-1s"
selfsigned_not_before: "-100s"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend == 'pyopenssl' # cryptography won't allow creating expired certificates
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
# Cryptography won't allow creating expired certificates; so we create it with 'command'
command: "{{ openssl_binary }} x509 -req -days -1 -in {{ remote_tmp_dir }}/has_expired_csr.csr -signkey {{ remote_tmp_dir }}/has_expired_privatekey.pem -out {{ remote_tmp_dir }}/has_expired_cert.pem"
when: select_crypto_backend == 'cryptography' # So we create it with 'command'
- name: "(Expired) Check task fails because cert is expired (has_expired: false)"
x509_certificate:

16
tests/integration/targets/x509_certificate/tasks/main.yml
View File

@@ -4,22 +4,6 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:

10
tests/integration/targets/x509_certificate/tasks/ownca.yml
View File

@@ -340,7 +340,6 @@
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_subject_key_identifier_1
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (idempotency)
@@ -353,7 +352,6 @@
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_subject_key_identifier_2
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove)
@@ -366,7 +364,6 @@
ownca_digest: sha256
ownca_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_subject_key_identifier_3
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove idempotency)
@@ -379,7 +376,6 @@
ownca_digest: sha256
ownca_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_subject_key_identifier_4
- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (re-enable)
@@ -392,7 +388,6 @@
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_subject_key_identifier_5
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier
@@ -405,7 +400,6 @@
ownca_digest: sha256
ownca_create_authority_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_authority_key_identifier_1
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (idempotency)
@@ -418,7 +412,6 @@
ownca_digest: sha256
ownca_create_authority_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_authority_key_identifier_2
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove)
@@ -431,7 +424,6 @@
ownca_digest: sha256
ownca_create_authority_key_identifier: no
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_authority_key_identifier_3
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove idempotency)
@@ -444,7 +436,6 @@
ownca_digest: sha256
ownca_create_authority_key_identifier: no
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_authority_key_identifier_4
- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (re-add)
@@ -457,7 +448,6 @@
ownca_digest: sha256
ownca_create_authority_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: ownca_authority_key_identifier_5
- name: (OwnCA, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6)

5
tests/integration/targets/x509_certificate/tasks/selfsigned.yml
View File

@@ -353,7 +353,6 @@
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: selfsigned_subject_key_identifier_1
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (idempotency)
@@ -365,7 +364,6 @@
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: selfsigned_subject_key_identifier_2
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove)
@@ -377,7 +375,6 @@
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: selfsigned_subject_key_identifier_3
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove idempotency)
@@ -389,7 +386,6 @@
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: selfsigned_subject_key_identifier_4
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (re-enable)
@@ -401,7 +397,6 @@
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: selfsigned_subject_key_identifier_5
- name: (Selfsigned, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6)

2
tests/integration/targets/x509_certificate/tests/validate_ownca.yml
View File

@@ -140,7 +140,6 @@
- ownca_subject_key_identifier_3 is changed
- ownca_subject_key_identifier_4 is not changed
- ownca_subject_key_identifier_5 is changed
when: select_crypto_backend != 'pyopenssl'
- name: (OwnCA validation, {{select_crypto_backend}}) Check create authority key identifier
assert:
@@ -150,7 +149,6 @@
- ownca_authority_key_identifier_3 is changed
- ownca_authority_key_identifier_4 is not changed
- ownca_authority_key_identifier_5 is changed
when: select_crypto_backend != 'pyopenssl'
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
assert:

1
tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
View File

@@ -185,7 +185,6 @@
- selfsigned_subject_key_identifier_3 is changed
- selfsigned_subject_key_identifier_4 is not changed
- selfsigned_subject_key_identifier_5 is changed
when: select_crypto_backend != 'pyopenssl'
- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
assert:

1
tests/integration/targets/x509_certificate_info/meta/main.yml
View File

@@ -1,5 +1,4 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir
- prepare_jinja2_compat

26
tests/integration/targets/x509_certificate_info/tasks/impl.yml
View File

@@ -31,11 +31,7 @@
expected_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: Update result list
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')
- name: ({{select_crypto_backend}}) Read file
slurp:
@@ -68,10 +64,6 @@
- not result.valid_at.past
- not result.valid_at.twentydays
- name: Update result list
set_fact:
info_results: "{{ info_results + [result] }}"
- name: ({{select_crypto_backend}}) Get certificate info
x509_certificate_info:
path: '{{ remote_tmp_dir }}/cert_3.pem'
@@ -88,11 +80,7 @@
expected_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: Update result list
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')
- name: ({{select_crypto_backend}}) Get certificate info
x509_certificate_info:
@@ -106,11 +94,7 @@
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
- result.authority_cert_serial_number is none
when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
- name: Update result list
set_fact:
info_results: "{{ info_results + [result] }}"
when: cryptography_version.stdout is version('1.3', '>=')
- name: Copy packed cert 1 to remote
copy:
@@ -131,7 +115,3 @@
that:
- (result.fingerprints.sha256 == '57:7c:f1:f5:dd:cc:6e:e9:f3:17:28:73:17:e4:25:c7:69:74:3e:f7:9a:df:58:20:7a:5a:e4:aa:de:bf:24:5b' if result.fingerprints.sha256 is defined else true)
- (result.fingerprints.sha1 == 'b7:79:64:f4:2b:e0:ae:45:74:d4:f3:08:f6:53:cb:39:26:fa:52:6b' if result.fingerprints.sha1 is defined else true)
- name: Update result list
set_fact:
info_results: "{{ info_results + [result] }}"

42
tests/integration/targets/x509_certificate_info/tasks/main.yml
View File

@@ -134,50 +134,8 @@
- 3
- 4
- name: Prepare result list
set_fact:
info_results: []
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Prepare result list
set_fact:
pyopenssl_info_results: "{{ info_results }}"
info_results: []
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('1.6', '>=')
- name: Prepare result list
set_fact:
cryptography_info_results: "{{ info_results }}"
- block:
- name: Dump pyOpenSSL results
debug:
var: pyopenssl_info_results
- name: Dump cryptography results
debug:
var: cryptography_info_results
- name: Compare results
assert:
that:
- ' (item.0 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)
== (item.1 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)'
quiet: yes
loop: "{{ pyopenssl_info_results | zip(cryptography_info_results) | list }}"
when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.6', '>=')
vars:
keys_to_ignore:
- deprecations
- subject_key_identifier
- authority_key_identifier
- authority_cert_issuer
- authority_cert_serial_number

1
tests/integration/targets/x509_certificate_pipe/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir

18
tests/integration/targets/x509_certificate_pipe/tasks/main.yml
View File

@@ -13,24 +13,6 @@
provider: selfsigned
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml

1
tests/integration/targets/x509_crl/meta/main.yml
View File

@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl # the x509_crl* modules don't need this, but the other modules using during the tests do in some situations
- setup_remote_tmp_dir