Remove PyOpenSSL backends (except for openssl_pkcs12) (#273)

* Remove Ubuntu 16.04 (Xenial Xerus) from CI.

* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.

* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.

* Add changelog fragment.
This commit is contained in:
Felix Fontein
2021-09-28 17:46:35 +02:00
committed by GitHub
parent 24e7d07973
commit f644db3c79
72 changed files with 227 additions and 2638 deletions


@@ -1,4 +1,3 @@
dependencies:
- setup_openssl
- setup_pyopenssl
- setup_remote_tmp_dir


@@ -363,7 +363,6 @@
commonName: www.ansible.com
subject_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (idempotency)"
@@ -374,7 +373,6 @@
commonName: www.ansible.com
subject_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (change)"
@@ -385,7 +383,6 @@
commonName: www.ansible.com
subject_key_identifier: "44:55:66:77:88"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create)"
@@ -396,7 +393,6 @@
commonName: www.ansible.com
create_subject_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create idempotency)"
@@ -407,7 +403,6 @@
commonName: www.ansible.com
create_subject_key_identifier: yes
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (remove)"
@@ -417,7 +412,6 @@
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: subject_key_identifier_6
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier"
@@ -428,7 +422,6 @@
commonName: www.ansible.com
authority_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (idempotency)"
@@ -439,7 +432,6 @@
commonName: www.ansible.com
authority_key_identifier: "00:11:22:33"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (change)"
@@ -450,7 +442,6 @@
commonName: www.ansible.com
authority_key_identifier: "44:55:66:77:88"
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (remove)"
@@ -460,7 +451,6 @@
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number"
@@ -474,7 +464,6 @@
- "IP:1.2.3.4"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (idempotency)"
@@ -488,7 +477,6 @@
- "IP:1.2.3.4"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change issuer)"
@@ -502,7 +490,6 @@
- "DNS:ca.example.org"
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change serial number)"
@@ -516,7 +503,6 @@
- "DNS:ca.example.org"
authority_cert_serial_number: 54321
select_crypto_backend: '{{ select_crypto_backend }}'
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (remove)"
@@ -525,7 +511,6 @@
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
when: select_crypto_backend != 'pyopenssl'
register: authority_cert_issuer_sn_5
- name: "({{ select_crypto_backend }}) Generate CSR with everything"
@@ -561,37 +546,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.example.com"
- "DNS:.org"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -609,13 +581,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -631,9 +596,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/24"
- "IP:::1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_1
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent, check mode)"
@@ -669,37 +631,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -717,13 +666,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -739,9 +681,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
check_mode: yes
register: everything_2
@@ -778,37 +717,24 @@
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage: '{{ value_for_extended_key_usage if select_crypto_backend != "pyopenssl" else value_for_extended_key_usage_pyopenssl }}'
subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
extended_key_usage: '{{ value_for_extended_key_usage }}'
subject_alt_name: '{{ value_for_san }}'
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_permitted: '{{ value_for_name_constraints_permitted }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
subject_key_identifier: 00:11:22:33
authority_key_identifier: 44:55:66:77
authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
authority_cert_serial_number: 12345
select_crypto_backend: '{{ select_crypto_backend }}'
vars:
value_for_extended_key_usage_pyopenssl:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
value_for_extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
@@ -826,13 +752,6 @@
value_for_authority_cert_issuer:
- "DNS:ca.example.org"
- "IP:1.2.3.4"
value_for_san_pyopenssl:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
- "RID:1.2.3.4"
value_for_san:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
@@ -848,9 +767,6 @@
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_3
- name: "({{ select_crypto_backend }}) Get info from CSR with everything"
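Review bot: The new lines `subject_key_identifier: 00:11:22:33` and `authority_key_identifier: 44:55:66:77` in the "Generate CSR with everything" task are unquoted colon-separated digit runs, while the same values elsewhere in this file (the earlier `subject_key_identifier: "00:11:22:33"` tasks) are quoted. Ansible loads task files with YAML 1.1 rules, where a digit-colon sequence can resolve to a base-60 integer; these two specific strings escape that only because of the leading `0` and the `66`/`77` groups, so a later edit to a value like `44:55:12:34` would silently become an int and presumably be rejected or misinterpreted by the module. Quote them as `subject_key_identifier: "00:11:22:33"` and `authority_key_identifier: "44:55:66:77"` to match the rest of the file. The same two lines recur in the later hunks for the `everything_2` (check mode) and `everything_3` tasks.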


@@ -4,40 +4,18 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- name: Prepare private key for backend autodetection test
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- block:
- name: Running tests with pyOpenSSL backend
include_tasks: impl.yml
vars:
select_crypto_backend: pyopenssl
- name: Prepare private key for backend autodetection test
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
- name: Remove output directory
file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
vars:
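Review bot: The `Prepare private key for backend autodetection test` and `Run module with backend autodetection` tasks at the top of the hunk now run at play level without the availability guard the old pyOpenSSL block gave them (`when: pyopenssl_version.stdout is version('0.15', '>=')`). If the cryptography block that follows (its `vars:` is the hunk's last line and any `when:` on it lies outside the hunk) is conditioned on a usable cryptography version, these two tasks will still fail the whole play on a host where cryptography is missing or too old instead of being skipped with the rest. Either apply the same condition to them or document the new assumption above the first task, e.g. `# cryptography is the only remaining backend; autodetection must resolve to it`. Registering the `openssl_csr` result and asserting `is changed` would also make the autodetection task check more than the absence of an error.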


@@ -74,13 +74,13 @@
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: "({{ select_crypto_backend }}) Validate invalid SAN (2/2)"
# Note that pyOpenSSL simply accepts this name, and modern cryptography versions do so as well.
# Note that modern cryptography versions simply accept this name.
# The error has been observed with cryptography 1.7.2 and 1.9, but not with 2.3 and newer.
assert:
that:
- generate_csr_invalid_san_2 is failed
- "'The label system:kube-controller-manager is not a valid A-label' in generate_csr_invalid_san_2.msg"
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
when: cryptography_version.stdout is version('2.0', '<')
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
@@ -156,7 +156,6 @@
- subject_key_identifier_4 is changed
- subject_key_identifier_5 is not changed
- subject_key_identifier_6 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify that authority key identifier handling works"
assert:
@@ -165,7 +164,6 @@
- authority_key_identifier_2 is not changed
- authority_key_identifier_3 is changed
- authority_key_identifier_4 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify that authority cert issuer / serial number handling works"
assert:
@@ -175,7 +173,6 @@
- authority_cert_issuer_sn_3 is changed
- authority_cert_issuer_sn_4 is changed
- authority_cert_issuer_sn_5 is changed
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Check backup"
assert:
@@ -243,38 +240,7 @@
]
- everything_info.name_constraints_critical == true
- name: "({{ select_crypto_backend }}) Check CSR with everything (pyOpenSSL specific)"
assert:
that:
- everything_info.subject_alt_name == [
"DNS:www.ansible.com",
"IP:1.2.3.4",
"IP:::1",
"email:test@example.org",
"URI:https://example.org/test/index.html",
"RID:1.2.3.4",
]
- everything_info.extended_key_usage == [
"Any Extended Key Usage",
"Biometric Info",
"Code Signing",
"E-mail Protection",
"IPSec User",
"OCSP Signing",
"TLS Web Client Authentication",
"TLS Web Server Authentication",
"TLS Web Server Authentication",
"Time Stamping",
"dvcs",
"qcStatements",
]
- everything_info.name_constraints_permitted == [
"DNS:www.example.com",
"IP:1.2.3.0/24",
]
when: select_crypto_backend == 'pyopenssl'
- name: "({{ select_crypto_backend }}) Check CSR with everything (non-pyOpenSSL specific)"
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
that:
- everything_info.authority_cert_issuer == [
@@ -316,7 +282,6 @@
"IP:1.2.3.0/24",
"IP:::1:0:0/112",
]
when: select_crypto_backend != 'pyopenssl'
- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)"
assert: