Release 2.7.0.

* Only access C.STRING_CONVERSION_ACTION for old ansible-base / Ansible versions.

* Always use self.__xxx instead of xxx directly.

.azure-pipelines/README.md

@@ -1,3 +1,9 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
 ## Azure Pipelines Configuration
 
 Please see the [Documentation](https://github.com/ansible/community/wiki/Testing:-Azure-Pipelines) for more information.

.azure-pipelines/azure-pipelines.yml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 trigger:
   batch: true
   branches:
@@ -19,6 +24,11 @@ schedules:
     branches:
       include:
         - main
+  - cron: 0 12 * * 0
+    displayName: Weekly (old stable branches)
+    always: true
+    branches:
+      include:
         - stable-*
 
 variables:
@@ -36,7 +46,7 @@ variables:
 resources:
   containers:
     - container: default
-      image: quay.io/ansible/azure-pipelines-test-container:1.9.0
+      image: quay.io/ansible/azure-pipelines-test-container:3.0.0
 
 pool: Standard
 
@@ -55,6 +65,39 @@ stages:
               test: 'devel/sanity/extra'
             - name: Units
               test: 'devel/units/1'
+  - stage: Ansible_2_14
+    displayName: Sanity & Units 2.14
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.14/sanity/1'
+            - name: Units
+              test: '2.14/units/1'
+  - stage: Ansible_2_13
+    displayName: Sanity & Units 2.13
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.13/sanity/1'
+            - name: Units
+              test: '2.13/units/1'
+  - stage: Ansible_2_12
+    displayName: Sanity & Units 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.12/sanity/1'
+            - name: Units
+              test: '2.12/units/1'
   - stage: Ansible_2_11
     displayName: Sanity & Units 2.11
     dependsOn: []
@@ -97,24 +140,58 @@ stages:
         parameters:
           testFormat: devel/linux/{0}/1
           targets:
-            - name: CentOS 6
-              test: centos6
             - name: CentOS 7
               test: centos7
-            - name: CentOS 8
-              test: centos8
-            - name: Fedora 32
-              test: fedora32
-            - name: Fedora 33
-              test: fedora33
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
+            - name: Fedora 36
+              test: fedora36
+            - name: openSUSE 15
               test: opensuse15
-            - name: Ubuntu 18.04
-              test: ubuntu1804
             - name: Ubuntu 20.04
               test: ubuntu2004
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+            - name: Alpine 3
+              test: alpine3
+  - stage: Docker_2_14
+    displayName: Docker 2.14
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.14/linux/{0}/1
+          targets:
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+  - stage: Docker_2_13
+    displayName: Docker 2.13
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.13/linux/{0}/1
+          targets:
+            - name: openSUSE 15 py2
+              test: opensuse15py2
+            - name: Fedora 35
+              test: fedora35
+            - name: Fedora 34
+              test: fedora34
+            - name: Ubuntu 18.04
+              test: ubuntu1804
+            - name: Alpine 3
+              test: alpine3
+  - stage: Docker_2_12
+    displayName: Docker 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.12/linux/{0}/1
+          targets:
+            - name: CentOS 6
+              test: centos6
+            - name: Fedora 33
+              test: fedora33
   - stage: Docker_2_11
     displayName: Docker 2.11
     dependsOn: []
@@ -125,18 +202,10 @@ stages:
           targets:
             - name: CentOS 7
               test: centos7
-            - name: CentOS 8
-              test: centos8
             - name: Fedora 32
               test: fedora32
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
-            - name: Ubuntu 18.04
-              test: ubuntu1804
-            - name: Ubuntu 20.04
-              test: ubuntu2004
+            - name: Alpine 3
+              test: alpine3
   - stage: Docker_2_10
     displayName: Docker 2.10
     dependsOn: []
@@ -147,22 +216,6 @@ stages:
           targets:
             - name: CentOS 6
               test: centos6
-            - name: CentOS 7
-              test: centos7
-            - name: CentOS 8
-              test: centos8
-            - name: Fedora 31
-              test: fedora31
-            - name: Fedora 32
-              test: fedora32
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
-            - name: Ubuntu 16.04
-              test: ubuntu1604
-            - name: Ubuntu 18.04
-              test: ubuntu1804
   - stage: Docker_2_9
     displayName: Docker 2.9
     dependsOn: []
@@ -171,25 +224,27 @@ stages:
         parameters:
           testFormat: 2.9/linux/{0}/1
           targets:
-            - name: CentOS 6
-              test: centos6
-            - name: CentOS 7
-              test: centos7
-            - name: CentOS 8
-              test: centos8
-            - name: Fedora 30
-              test: fedora30
             - name: Fedora 31
               test: fedora31
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
-            - name: Ubuntu 16.04
-              test: ubuntu1604
             - name: Ubuntu 18.04
               test: ubuntu1804
 
+### Community Docker
+  - stage: Docker_community_devel
+    displayName: Docker (community images) devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: devel/linux-community/{0}/1
+          targets:
+            - name: Debian Bullseye
+              test: debian-bullseye/3.9
+            - name: ArchLinux
+              test: archlinux/3.10
+            - name: CentOS Stream 8
+              test: centos-stream8/3.8
+
 ### Remote
   - stage: Remote_devel
     displayName: Remote devel
@@ -199,16 +254,52 @@ stages:
         parameters:
           testFormat: devel/{0}/1
           targets:
-            - name: macOS 11.1
-              test: macos/11.1
+            - name: macOS 12.0
+              test: macos/12.0
             - name: RHEL 7.9
               test: rhel/7.9
-            - name: RHEL 8.3
-              test: rhel/8.3
-            - name: FreeBSD 12.2
-              test: freebsd/12.2
+            - name: RHEL 9.0
+              test: rhel/9.0
+            - name: FreeBSD 12.3
+              test: freebsd/12.3
+            - name: FreeBSD 13.1
+              test: freebsd/13.1
+  - stage: Remote_2_14
+    displayName: Remote 2.14
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.14/{0}/1
+          targets:
+            - name: RHEL 9.0
+              test: rhel/9.0
+  - stage: Remote_2_13
+    displayName: Remote 2.13
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.13/{0}/1
+          targets:
+            - name: macOS 12.0
+              test: macos/12.0
+            - name: RHEL 8.5
+              test: rhel/8.5
             - name: FreeBSD 13.0
               test: freebsd/13.0
+  - stage: Remote_2_12
+    displayName: Remote 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.12/{0}/1
+          targets:
+            # - name: macOS 11.1
+            #   test: macos/11.1
+            - name: RHEL 8.4
+              test: rhel/8.4
   - stage: Remote_2_11
     displayName: Remote 2.11
     dependsOn: []
@@ -217,10 +308,8 @@ stages:
         parameters:
           testFormat: 2.11/{0}/1
           targets:
-            - name: RHEL 7.9
-              test: rhel/7.9
-            - name: macOS 11.1
-              test: macos/11.1
+            - name: RHEL 8.3
+              test: rhel/8.3
             - name: FreeBSD 12.2
               test: freebsd/12.2
   - stage: Remote_2_10
@@ -231,14 +320,10 @@ stages:
         parameters:
           testFormat: 2.10/{0}/1
           targets:
-            - name: RHEL 7.8
-              test: rhel/7.8
             - name: OS X 10.11
               test: osx/10.11
-            - name: macOS 10.15
-              test: macos/10.15
-            - name: FreeBSD 12.1
-              test: freebsd/12.1
+            # - name: macOS 10.15
+            #   test: macos/10.15
   - stage: Remote_2_9
     displayName: Remote 2.9
     dependsOn: []
@@ -259,13 +344,45 @@ stages:
           nameFormat: Python {0}
           testFormat: devel/cloud/{0}/1
           targets:
-            - test: 2.6
             - test: 2.7
             - test: 3.5
             - test: 3.6
             - test: 3.7
             - test: 3.8
             - test: 3.9
+            - test: "3.10"
+            - test: "3.11"
+  - stage: Cloud_2_14
+    displayName: Cloud 2.14
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: Python {0}
+          testFormat: 2.14/cloud/{0}/1
+          targets:
+            - test: 3.9
+  - stage: Cloud_2_13
+    displayName: Cloud 2.13
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: Python {0}
+          testFormat: 2.13/cloud/{0}/1
+          targets:
+            - test: 3.8
+  - stage: Cloud_2_12
+    displayName: Cloud 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: Python {0}
+          testFormat: 2.12/cloud/{0}/1
+          targets:
+            - test: 2.6
+            - test: 3.9
   - stage: Cloud_2_11
     displayName: Cloud 2.11
     dependsOn: []
@@ -295,7 +412,7 @@ stages:
           nameFormat: Python {0}
           testFormat: 2.9/cloud/{0}/1
           targets:
-            - test: 3.5
+            - test: 2.7
 
   ## Finally
 
@@ -303,20 +420,33 @@ stages:
     condition: succeededOrFailed()
     dependsOn:
       - Ansible_devel
+      - Ansible_2_14
+      - Ansible_2_13
+      - Ansible_2_12
       - Ansible_2_11
       - Ansible_2_10
       - Ansible_2_9
       - Remote_devel
-      - Docker_devel
-      - Cloud_devel
+      - Remote_2_14
+      - Remote_2_13
+      - Remote_2_12
       - Remote_2_11
-      - Docker_2_11
-      - Cloud_2_11
       - Remote_2_10
-      - Docker_2_10
-      - Cloud_2_10
       - Remote_2_9
+      - Docker_devel
+      - Docker_2_14
+      - Docker_2_13
+      - Docker_2_12
+      - Docker_2_11
+      - Docker_2_10
       - Docker_2_9
+      - Docker_community_devel
+      - Cloud_devel
+      - Cloud_2_14
+      - Cloud_2_13
+      - Cloud_2_12
+      - Cloud_2_11
+      - Cloud_2_10
       - Cloud_2_9
     jobs:
       - template: templates/coverage.yml

.azure-pipelines/scripts/aggregate-coverage.sh

@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # Aggregate code coverage results for later processing.
 
 set -o pipefail -eu
@@ -9,9 +13,13 @@ PATH="${PWD}/bin:${PATH}"
 
 mkdir "${agent_temp_directory}/coverage/"
 
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
 options=(--venv --venv-system-site-packages --color -v)
 
-ansible-test coverage combine --export "${agent_temp_directory}/coverage/" "${options[@]}"
+ansible-test coverage combine --group-by command --export "${agent_temp_directory}/coverage/" "${options[@]}"
 
 if ansible-test coverage analyze targets generate --help >/dev/null 2>&1; then
     # Only analyze coverage if the installed version of ansible-test supports it.

.azure-pipelines/scripts/combine-coverage.py

@@ -1,4 +1,8 @@
 #!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 """
 Combine coverage data from multiple jobs, keeping the data only from the most recent attempt from each job.
 Coverage artifacts must be named using the format: "Coverage $(System.JobAttempt) {StableUniqueNameForEachJob}"

.azure-pipelines/scripts/process-results.sh

@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # Check the test results and set variables for use in later steps.
 
 set -o pipefail -eu

.azure-pipelines/scripts/publish-codecov.py

@@ -0,0 +1,105 @@
+#!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+Upload code coverage reports to codecov.io.
+Multiple coverage files from multiple languages are accepted and aggregated after upload.
+Python coverage, as well as PowerShell and Python stubs can all be uploaded.
+"""
+
+import argparse
+import dataclasses
+import pathlib
+import shutil
+import subprocess
+import tempfile
+import typing as t
+import urllib.request
+
+
+@dataclasses.dataclass(frozen=True)
+class CoverageFile:
+    name: str
+    path: pathlib.Path
+    flags: t.List[str]
+
+
+@dataclasses.dataclass(frozen=True)
+class Args:
+    dry_run: bool
+    path: pathlib.Path
+
+
+def parse_args() -> Args:
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-n', '--dry-run', action='store_true')
+    parser.add_argument('path', type=pathlib.Path)
+
+    args = parser.parse_args()
+
+    # Store arguments in a typed dataclass
+    fields = dataclasses.fields(Args)
+    kwargs = {field.name: getattr(args, field.name) for field in fields}
+
+    return Args(**kwargs)
+
+
+def process_files(directory: pathlib.Path) -> t.Tuple[CoverageFile, ...]:
+    processed = []
+    for file in directory.joinpath('reports').glob('coverage*.xml'):
+        name = file.stem.replace('coverage=', '')
+
+        # Get flags from name
+        flags = name.replace('-powershell', '').split('=')  # Drop '-powershell' suffix
+        flags = [flag if not flag.startswith('stub') else flag.split('-')[0] for flag in flags]  # Remove "-01" from stub files
+
+        processed.append(CoverageFile(name, file, flags))
+
+    return tuple(processed)
+
+
+def upload_files(codecov_bin: pathlib.Path, files: t.Tuple[CoverageFile, ...], dry_run: bool = False) -> None:
+    for file in files:
+        cmd = [
+            str(codecov_bin),
+            '--name', file.name,
+            '--file', str(file.path),
+        ]
+        for flag in file.flags:
+            cmd.extend(['--flags', flag])
+
+        if dry_run:
+            print(f'DRY-RUN: Would run command: {cmd}')
+            continue
+
+        subprocess.run(cmd, check=True)
+
+
+def download_file(url: str, dest: pathlib.Path, flags: int, dry_run: bool = False) -> None:
+    if dry_run:
+        print(f'DRY-RUN: Would download {url} to {dest} and set mode to {flags:o}')
+        return
+
+    with urllib.request.urlopen(url) as resp:
+        with dest.open('w+b') as f:
+            # Read data in chunks rather than all at once
+            shutil.copyfileobj(resp, f, 64 * 1024)
+
+    dest.chmod(flags)
+
+
+def main():
+    args = parse_args()
+    url = 'https://ansible-ci-files.s3.amazonaws.com/codecov/linux/codecov'
+    with tempfile.TemporaryDirectory(prefix='codecov-') as tmpdir:
+        codecov_bin = pathlib.Path(tmpdir) / 'codecov'
+        download_file(url, codecov_bin, 0o755, args.dry_run)
+
+        files = process_files(args.path)
+        upload_files(codecov_bin, files, args.dry_run)
+
+
+if __name__ == '__main__':
+    main()

.azure-pipelines/scripts/publish-codecov.sh

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-# Upload code coverage reports to codecov.io.
-# Multiple coverage files from multiple languages are accepted and aggregated after upload.
-# Python coverage, as well as PowerShell and Python stubs can all be uploaded.
-
-set -o pipefail -eu
-
-output_path="$1"
-
-curl --silent --show-error https://codecov.io/bash > codecov.sh
-
-for file in "${output_path}"/reports/coverage*.xml; do
-    name="${file}"
-    name="${name##*/}"  # remove path
-    name="${name##coverage=}"  # remove 'coverage=' prefix if present
-    name="${name%.xml}"  # remove '.xml' suffix
-
-    bash codecov.sh \
-        -f "${file}" \
-        -n "${name}" \
-        -X coveragepy \
-        -X gcov \
-        -X fix \
-        -X search \
-        -X xcode \
-        || echo "Failed to upload code coverage report to codecov.io: ${file}"
-done

.azure-pipelines/scripts/report-coverage.sh

@@ -1,10 +1,18 @@
 #!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # Generate code coverage reports for uploading to Azure Pipelines and codecov.io.
 
 set -o pipefail -eu
 
 PATH="${PWD}/bin:${PATH}"
 
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
 if ! ansible-test --help >/dev/null 2>&1; then
     # Install the devel version of ansible-test for generating code coverage reports.
     # This is only used by Ansible Collections, which are typically tested against multiple Ansible versions (in separate jobs).
@@ -12,4 +20,4 @@ if ! ansible-test --help >/dev/null 2>&1; then
     pip install https://github.com/ansible/ansible/archive/devel.tar.gz --disable-pip-version-check
 fi
 
-ansible-test coverage xml --stub --venv --venv-system-site-packages --color -v
+ansible-test coverage xml --group-by command --stub --venv --venv-system-site-packages --color -v

.azure-pipelines/scripts/run-tests.sh

@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # Configure the test environment and run the tests.
 
 set -o pipefail -eu

.azure-pipelines/scripts/time-command.py

@@ -1,4 +1,8 @@
 #!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 """Prepends a relative timestamp to each input line from stdin and writes it to stdout."""
 
 from __future__ import (absolute_import, division, print_function)

.azure-pipelines/templates/coverage.yml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # This template adds a job for processing code coverage data.
 # It will upload results to Azure Pipelines and codecov.io.
 # Use it from a job stage that completes after all other jobs have completed.
@@ -33,7 +38,7 @@ jobs:
           summaryFileLocation: "$(outputPath)/reports/$(pipelinesCoverage).xml"
         displayName: Publish to Azure Pipelines
         condition: gt(variables.coverageFileCount, 0)
-      - bash: .azure-pipelines/scripts/publish-codecov.sh "$(outputPath)"
+      - bash: .azure-pipelines/scripts/publish-codecov.py "$(outputPath)"
         displayName: Publish to codecov.io
         condition: gt(variables.coverageFileCount, 0)
         continueOnError: true

.azure-pipelines/templates/matrix.yml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # This template uses the provided targets and optional groups to generate a matrix which is then passed to the test template.
 # If this matrix template does not provide the required functionality, consider using the test template directly instead.
 

.azure-pipelines/templates/test.yml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # This template uses the provided list of jobs to create test one or more test jobs.
 # It can be used directly if needed, or through the matrix template.
 

.github/patchback.yml

@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+backport_branch_prefix: patchback/backports/
+backport_label_prefix: backport-
+target_branch_prefix: stable-
+...

.github/workflows/docs-pr.yml

@@ -0,0 +1,58 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Collection Docs
+concurrency:
+  group: docs-${{ github.head_ref }}
+  cancel-in-progress: true
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, closed]
+
+jobs:
+  build-docs:
+    permissions:
+      contents: read
+    name: Build Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
+    with:
+      init-fail-on-error: true
+
+  comment:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    needs: build-docs
+    name: PR comments
+    steps:
+      - name: PR comment
+        uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
+        with:
+          body-includes: '## Docs Build'
+          reactions: heart
+          action: ${{ needs.build-docs.outputs.changed != 'true' && 'remove' || '' }}
+          on-closed-body: |
+            ## Docs Build 📝
+
+            This PR is closed and any previously published docsite has been unpublished.
+          on-merged-body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            This PR has been merged and your docs changes will be incorporated when they are next published.
+          body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            The docsite for **this PR** is available for download as an artifact from this run:
+            ${{ needs.build-docs.outputs.artifact-url }}
+
+            File changes:
+
+            ${{ needs.build-docs.outputs.diff-files-rendered }}
+
+            ${{ needs.build-docs.outputs.diff-rendered }}

.github/workflows/ee.yml

@@ -0,0 +1,113 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: execution environment
+on:
+  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
+  push:
+    branches:
+      - main
+      - stable-*
+  pull_request:
+  # Run CI once per day (at 04:45 UTC)
+  # This ensures that even if there haven't been commits that we are still testing against latest version of ansible-builder
+  schedule:
+    - cron: '45 4 * * *'
+
+env:
+  NAMESPACE: community
+  COLLECTION_NAME: crypto
+
+jobs:
+  build:
+    name: Build and test EE (Ⓐ${{ matrix.runner_tag }})
+    strategy:
+      matrix:
+        runner_tag:
+          - devel
+          - stable-2.12-latest
+          - stable-2.11-latest
+          - stable-2.9-latest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+
+      - name: Install ansible-builder and ansible-navigator
+        run: pip install ansible-builder ansible-navigator
+
+      - name: Verify requirements
+        run: ansible-builder introspect --sanitize .
+
+      - name: Make sure galaxy.yml has version entry
+        run: >-
+          python -c
+          'import yaml ;
+          f = open("galaxy.yml", "rb") ;
+          data = yaml.safe_load(f) ;
+          f.close() ;
+          data["version"] = data.get("version") or "0.0.1" ;
+          f = open("galaxy.yml", "wb") ;
+          f.write(yaml.dump(data).encode("utf-8")) ;
+          f.close() ;
+          '
+        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
+
+      - name: Build collection
+        run: |
+          ansible-galaxy collection build --output-path ../../../
+        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
+
+      - name: Create files for building execution environment
+        run: |
+          COLLECTION_FILENAME="$(ls "${{ env.NAMESPACE }}-${{ env.COLLECTION_NAME }}"-*.tar.gz)"
+
+          # EE config
+          cat > execution-environment.yml <<EOF
+          ---
+          version: 1
+          build_arg_defaults:
+            EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:${{ matrix.runner_tag }}'
+          dependencies:
+            galaxy: requirements.yml
+          EOF
+          echo "::group::execution-environment.yml"
+          cat execution-environment.yml
+          echo "::endgroup::"
+
+          # Requirements
+          cat > requirements.yml <<EOF
+          ---
+          collections:
+            - name: ${COLLECTION_FILENAME}
+              type: file
+          EOF
+          echo "::group::requirements.yml"
+          cat requirements.yml
+          echo "::endgroup::"
+
+      - name: Build image based on ${{ matrix.runner_tag }}
+        run: |
+          mkdir -p context/_build/
+          cp "${{ env.NAMESPACE }}-${{ env.COLLECTION_NAME }}"-*.tar.gz context/_build/
+          ansible-builder build -v 3 -t test-ee:latest --container-runtime=podman
+
+      - name: Run basic tests
+        run: >
+          ansible-navigator run
+          --mode stdout
+          --pull-policy never
+          --set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true
+          --execution-environment-image test-ee:latest
+          -v
+          all.yml
+        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee

.github/workflows/reuse.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Verify REUSE
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  # Run CI once per day (at 04:45 UTC)
+  schedule:
+    - cron: '45 4 * * *'
+
+jobs:
+  check:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: |
+          pip install reuse
+
+      - name: Check REUSE compliance (except some PEM files)
+        run: |
+          rm -f tests/integration/targets/*/files/*.pem
+          rm -f tests/integration/targets/*/files/roots/*.pem
+          reuse lint

.gitignore

@@ -1,3 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 # Community.crypt specific things
 /changelogs/.plugin-cache.yaml
 

.reuse/dep5

@@ -0,0 +1,5 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: changelogs/fragments/*
+Copyright: Ansible Project
+License: GPL-3.0-or-later

CHANGELOG.rst

@@ -5,6 +5,506 @@ Community Crypto Release Notes
 .. contents:: Topics
 
 
+v2.7.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- acme* modules - also support the HTTP 503 Service Unavailable and 408 Request Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513).
+
+Bugfixes
+--------
+
+- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.crypto/pull/515).
+
+v2.6.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508).
+- openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511).
+
+v2.5.0
+======
+
+Release Summary
+---------------
+
+Maintenance release with improved licensing declaration and documentation fixes.
+
+Minor Changes
+-------------
+
+- All software licenses are now in the ``LICENSES/`` directory of the collection root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491).
+
+v2.4.0
+======
+
+Release Summary
+---------------
+
+Deprecation and bugfix release. No new features this time.
+
+Deprecated Features
+-------------------
+
+- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with these versions afterwards, but we will no longer keep compatibility code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460).
+
+Bugfixes
+--------
+
+- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, https://github.com/ansible-collections/community.crypto/pull/487).
+
+v2.3.4
+======
+
+Release Summary
+---------------
+
+Re-release of what was intended to be 2.3.3.
+
+A mistake during the release process caused the 2.3.3 tag to end up on the
+commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17
+as 2.3.3.
+
+This release is identical to what should have been 2.3.3, except that the
+version number has been bumped to 2.3.4 and this changelog entry for 2.3.4
+has been added.
+
+
+v2.3.3
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py`` and ``plugins/module_utils/crypto/_objects_data.py``.
+- openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees must be a non-empty list or None' if only one of ``name_constraints_permitted`` and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
+- x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, https://github.com/ansible-collections/community.crypto/pull/474).
+
+v2.3.2
+======
+
+Release Summary
+---------------
+
+Maintenance and bugfix release.
+
+Bugfixes
+--------
+
+- Include ``simplified_bsd.txt`` license file for the ECS module utils.
+- certificate_complete_chain - do not stop execution if an unsupported signature algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457).
+
+v2.3.1
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+
+v2.3.0
+======
+
+Release Summary
+---------------
+
+Feature and bugfix release.
+
+Minor Changes
+-------------
+
+- Prepare collection for inclusion in an Execution Environment by declaring its dependencies. Please note that system packages are used for cryptography and PyOpenSSL, which can be rather limited. If you need features from newer cryptography versions, you will have to manually force a newer version to be installed by pip by specifying something like ``cryptography >= 37.0.0`` in your Execution Environment's Python dependencies file (https://github.com/ansible-collections/community.crypto/pull/440).
+- Support automatic conversion for Internalionalized Domain Names (IDNs). When passing general names, for example Subject Altenative Names to ``community.crypto.openssl_csr``, these will automatically be converted to IDNA. Conversion will be done per label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails for that label. Note that IDNA conversion requires `the Python idna library <https://pypi.org/project/idna/>`_ to be installed. Please note that depending on which versions of the cryptography library are used, it could try to process the converted IDNA another time with the Python ``idna`` library and reject IDNA2003 encoded values. Using a new enough ``cryptography`` version avoids this (https://github.com/ansible-collections/community.crypto/issues/426, https://github.com/ansible-collections/community.crypto/pull/436).
+- acme_* modules - add parameter ``request_timeout`` to manage HTTP(S) request timeout (https://github.com/ansible-collections/community.crypto/issues/447, https://github.com/ansible-collections/community.crypto/pull/448).
+- luks_devices - added ``perf_same_cpu_crypt``, ``perf_submit_from_crypt_cpus``, ``perf_no_read_workqueue``, ``perf_no_write_workqueue`` for performance tuning when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/issues/427).
+- luks_devices - added ``persistent`` option when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/pull/434).
+- openssl_csr_info - add ``name_encoding`` option to control the encoding (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+- openssl_pkcs12 - allow to provide the private key as text instead of having to read it from a file. This allows to store the private key in an encrypted form, for example in Ansible Vault (https://github.com/ansible-collections/community.crypto/pull/452).
+- x509_certificate_info - add ``name_encoding`` option to control the encoding (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+- x509_crl - add ``name_encoding`` option to control the encoding (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+- x509_crl_info - add ``name_encoding`` option to control the encoding (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+
+Bugfixes
+--------
+
+- Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https://github.com/ansible-collections/community.crypto/pull/445).
+- x509_crl - fix crash when ``issuer`` for a revoked certificate is specified (https://github.com/ansible-collections/community.crypto/pull/441).
+
+v2.2.4
+======
+
+Release Summary
+---------------
+
+Regular maintenance release.
+
+Bugfixes
+--------
+
+- openssh_* modules - fix exception handling to report traceback to users for enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
+
+v2.2.3
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- luks_device - fix parsing of ``lsblk`` output when device name ends with ``crypt`` (https://github.com/ansible-collections/community.crypto/issues/409, https://github.com/ansible-collections/community.crypto/pull/410).
+
+v2.2.2
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+In this release, we extended the test matrix to include Alpine 3, ArchLinux, Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix.
+
+
+Bugfixes
+--------
+
+- certificate_complete_chain - allow multiple potential intermediate certificates to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399, https://github.com/ansible-collections/community.crypto/pull/403).
+- x509_certificate - for the ``ownca`` provider, check whether the CA private key actually belongs to the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
+- x509_certificate - regenerate certificate when the CA's public key changes for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/pull/407).
+- x509_certificate - regenerate certificate when the CA's subject changes for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400, https://github.com/ansible-collections/community.crypto/pull/402).
+- x509_certificate - regenerate certificate when the private key changes for ``provider=selfsigned`` (https://github.com/ansible-collections/community.crypto/pull/407).
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssh_cert - fixed false ``changed`` status for ``host`` certificates when using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395, https://github.com/ansible-collections/community.crypto/pull/396).
+
+v2.2.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+Minor Changes
+-------------
+
+- openssh_cert - added ``ignore_timestamps`` parameter so it can be used semi-idempotent with relative timestamps in ``valid_to``/``valid_from`` (https://github.com/ansible-collections/community.crypto/issues/379).
+
+Bugfixes
+--------
+
+- luks_devices - set ``LANG`` and similar environment variables to avoid translated output, which can break some of the module's functionality like key management (https://github.com/ansible-collections/community.crypto/pull/388, https://github.com/ansible-collections/community.crypto/issues/385).
+
+v2.1.0
+======
+
+Release Summary
+---------------
+
+Feature and bugfix release.
+
+Minor Changes
+-------------
+
+- Adjust error messages that indicate ``cryptography`` is not installed from ``Can't`` to ``Cannot`` (https://github.com/ansible-collections/community.crypto/pull/374).
+
+Bugfixes
+--------
+
+- Various modules and plugins - use vendored version of ``distutils.version`` instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353).
+- certificate_complete_chain - do not append root twice if the chain already ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360).
+- certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355, https://github.com/ansible-collections/community.crypto/pull/360).
+
+New Modules
+-----------
+
+- crypto_info - Retrieve cryptographic capabilities
+- openssl_privatekey_convert - Convert OpenSSL private keys
+
+v2.0.2
+======
+
+Release Summary
+---------------
+
+Documentation fix release. No actual code changes.
+
+v2.0.1
+======
+
+Release Summary
+---------------
+
+Bugfix release with extra forward compatibility for newer versions of cryptography.
+
+Minor Changes
+-------------
+
+- acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
+
+Bugfixes
+--------
+
+- acme_certificate - avoid passing multiple certificates to ``cryptography``'s X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
+- get_certificate, openssl_csr_info, x509_certificate_info - add fallback code for extension parsing that works with cryptography 36.0.0 and newer. This code re-serializes de-serialized extensions and thus can return slightly different values if the extension in the original CSR resp. certificate was not canonicalized correctly. This code is currently used as a fallback if the existing code stops working, but we will switch it to be the main code in a future release (https://github.com/ansible-collections/community.crypto/pull/331).
+- luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent`` to make sure that also the secondary LUKS2 header is wiped when older versions of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326, https://github.com/ansible-collections/community.crypto/pull/327).
+- openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography 36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
+
+v2.0.0
+======
+
+Release Summary
+---------------
+
+A new major release of the ``community.crypto`` collection. The main changes are removal of the PyOpenSSL backends for almost all modules (``openssl_pkcs12`` being the only exception), and removal of the ``assertonly`` provider in the ``x509_certificate`` provider. There are also some other breaking changes which should improve the user interface/experience of this collection long-term.
+
+
+Minor Changes
+-------------
+
+- acme_certificate - the ``subject`` and ``issuer`` fields in in the ``select_chain`` entries are now more strictly validated (https://github.com/ansible-collections/community.crypto/pull/316).
+- openssl_csr, openssl_csr_pipe - provide a new ``subject_ordered`` option if the order of the components in the subject is of importance (https://github.com/ansible-collections/community.crypto/issues/291, https://github.com/ansible-collections/community.crypto/pull/316).
+- openssl_csr, openssl_csr_pipe - there is now stricter validation of the values of the ``subject`` option (https://github.com/ansible-collections/community.crypto/pull/316).
+- openssl_privatekey_info - add ``check_consistency`` option to request private key consistency checks to be done (https://github.com/ansible-collections/community.crypto/pull/309).
+- x509_certificate, x509_certificate_pipe - add ``ignore_timestamps`` option which allows to enable idempotency for 'not before' and 'not after' options (https://github.com/ansible-collections/community.crypto/issues/295, https://github.com/ansible-collections/community.crypto/pull/317).
+- x509_crl - provide a new ``issuer_ordered`` option if the order of the components in the issuer is of importance (https://github.com/ansible-collections/community.crypto/issues/291, https://github.com/ansible-collections/community.crypto/pull/316).
+- x509_crl - there is now stricter validation of the values of the ``issuer`` option (https://github.com/ansible-collections/community.crypto/pull/316).
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Adjust ``dirName`` text parsing and to text converting code to conform to `Sections 2 and 3 of RFC 4514 <https://datatracker.ietf.org/doc/html/rfc4514.html>`_. This is similar to how `cryptography handles this <https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name.rfc4514_string>`_ (https://github.com/ansible-collections/community.crypto/pull/274).
+- acme module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290).
+- acme_* modules - removed vendored copy of the Python library ``ipaddress``. If you are using Python 2.x, please make sure to install the library (https://github.com/ansible-collections/community.crypto/pull/287).
+- compatibility module_utils - removed vendored copy of the Python library ``ipaddress`` (https://github.com/ansible-collections/community.crypto/pull/287).
+- crypto module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290).
+- get_certificate, openssl_csr_info, x509_certificate_info - depending on the ``cryptography`` version used, the modules might not return the ASN.1 value for an extension as contained in the certificate respectively CSR, but a re-encoded version of it. This should usually be identical to the value contained in the source file, unless the value was malformed. For extensions not handled by C(cryptography) the value contained in the source file is always returned unaltered (https://github.com/ansible-collections/community.crypto/pull/318).
+- module_utils - removed various PyOpenSSL support functions and default backend values that are not needed for the openssl_pkcs12 module (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_csr, openssl_csr_pipe, x509_crl - the ``subject`` respectively ``issuer`` fields no longer ignore empty values, but instead fail when encountering them (https://github.com/ansible-collections/community.crypto/pull/316).
+- openssl_privatekey_info - by default consistency checks are not run; they need to be explicitly requested by passing ``check_consistency=true`` (https://github.com/ansible-collections/community.crypto/pull/309).
+- x509_crl - for idempotency checks, the ``issuer`` order is ignored. If order is important, use the new ``issuer_ordered`` option (https://github.com/ansible-collections/community.crypto/pull/316).
+
+Deprecated Features
+-------------------
+
+- acme_* modules - ACME version 1 is now deprecated and support for it will be removed in community.crypto 2.0.0 (https://github.com/ansible-collections/community.crypto/pull/288).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- acme_* modules - the ``acme_directory`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290).
+- acme_* modules - the ``acme_version`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290).
+- acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info instead (https://github.com/ansible-collections/community.crypto/pull/290).
+- acme_account_info - ``retrieve_orders=url_list`` no longer returns the return value ``orders``. Use the ``order_uris`` return value instead (https://github.com/ansible-collections/community.crypto/pull/290).
+- crypto.info module utils - the deprecated redirect has been removed. Use ``crypto.pem`` instead (https://github.com/ansible-collections/community.crypto/pull/290).
+- get_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate instead (https://github.com/ansible-collections/community.crypto/pull/290).
+- openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info instead (https://github.com/ansible-collections/community.crypto/pull/290).
+- openssl_csr - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_csr and openssl_csr_pipe - ``version`` now only accepts the (default) value 1 (https://github.com/ansible-collections/community.crypto/pull/290).
+- openssl_csr_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_csr_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_privatekey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_privatekey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_privatekey_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_publickey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_publickey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_signature - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- openssl_signature_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- x509_certificate - remove ``assertonly`` provider (https://github.com/ansible-collections/community.crypto/pull/289).
+- x509_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- x509_certificate_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+- x509_certificate_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+
+Bugfixes
+--------
+
+- cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
+- get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+- openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
+- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+
+v1.9.4
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- acme_* modules - fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``. This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
+- acme_challenge_cert_helper - only return exception when cryptography is not installed, not when a too old version of it is installed. This prevents Ansible's callback to crash (https://github.com/ansible-collections/community.crypto/pull/281).
+
+v1.9.3
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, https://github.com/ansible-collections/community.crypto/pull/271).
+
+v1.9.2
+======
+
+Release Summary
+---------------
+
+Bugfix release to fix the changelog. No other change compared to 1.9.0.
+
+v1.9.1
+======
+
+Release Summary
+---------------
+
+Accidental 1.9.1 release. Identical to 1.9.0.
+
+v1.9.0
+======
+
+Release Summary
+---------------
+
+Regular feature release.
+
+Minor Changes
+-------------
+
+- get_certificate - added ``starttls`` option to retrieve certificates from servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).
+- openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260).
+
+Bugfixes
+--------
+
+- keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
+- openssh_keypair - fixed ``cryptography`` backend to preserve original file permissions when regenerating a keypair requires existing files to be overwritten (https://github.com/ansible-collections/community.crypto/pull/260).
+- openssh_keypair - fixed error handling to restore original keypair if regeneration fails (https://github.com/ansible-collections/community.crypto/pull/260).
+- x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
+
+v1.8.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+Minor Changes
+-------------
+
+- Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253).
+- openssh certificate module utils - new module_utils for parsing OpenSSH certificates (https://github.com/ansible-collections/community.crypto/pull/246).
+- openssh_cert - added ``regenerate`` option to validate additional certificate parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256).
+- openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255).
+
+Bugfixes
+--------
+
+- openssh_cert - fixed certificate generation to restore original certificate if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255).
+- openssh_keypair - fixed a bug that prevented custom file attributes being applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257).
+
+v1.7.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247, https://github.com/ansible-collections/community.crypto/pull/248).
+
+v1.7.0
+======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- cryptography_openssh module utils - new module_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213).
+- openssh_keypair - added ``backend`` parameter for selecting between the cryptography library or the OpenSSH binary for the execution of actions performed by ``openssh_keypair`` (https://github.com/ansible-collections/community.crypto/pull/236).
+- openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225).
+- openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- openssl_csr_info - now returns ``public_key_type`` and ``public_key_data`` (https://github.com/ansible-collections/community.crypto/pull/233).
+- openssl_csr_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/204).
+- openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` backend. This requires cryptography 3.0 or newer, and does not support the ``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234).
+- openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- openssl_privatekey_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/205).
+- openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- x509_certificate_info - now returns ``public_key_type`` and ``public_key_data`` (https://github.com/ansible-collections/community.crypto/pull/233).
+- x509_certificate_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/206).
+- x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
+- x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232).
+- x509_crl_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/203).
+
+Bugfixes
+--------
+
+- openssh_keypair - fix ``check_mode`` to populate return values for existing keypairs (https://github.com/ansible-collections/community.crypto/issues/113, https://github.com/ansible-collections/community.crypto/pull/230).
+- various modules - prevent crashes when modules try to set attributes on not yet existing files in check mode. This will be fixed in ansible-core 2.12, but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242, https://github.com/ansible-collections/community.crypto/pull/243).
+- x509_certificate - fix crash when ``assertonly`` provider is used and some error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240, https://github.com/ansible-collections/community.crypto/pull/241).
+
+New Modules
+-----------
+
+- openssl_publickey_info - Provide information for OpenSSL public keys
+
 v1.6.2
 ======
 

CHANGELOG.rst.license

@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project

LICENSES/Apache-2.0.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

LICENSES/BSD-2-Clause.txt

@@ -0,0 +1,8 @@
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

LICENSES/BSD-3-Clause.txt

@@ -0,0 +1,27 @@
+Copyright (c) Individual contributors.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    3. Neither the name of PyCA Cryptography nor the names of its contributors
+       may be used to endorse or promote products derived from this software
+       without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/GPL-3.0-or-later.txt

@@ -0,0 +1 @@
+../COPYING

LICENSES/PSF-2.0.txt

@@ -0,0 +1,48 @@
+PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
+--------------------------------------------
+
+1. This LICENSE AGREEMENT is between the Python Software Foundation
+("PSF"), and the Individual or Organization ("Licensee") accessing and
+otherwise using this software ("Python") in source or binary form and
+its associated documentation.
+
+2. Subject to the terms and conditions of this License Agreement, PSF hereby
+grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce,
+analyze, test, perform and/or display publicly, prepare derivative works,
+distribute, and otherwise use Python alone or in any derivative version,
+provided, however, that PSF's License Agreement and PSF's notice of copyright,
+i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;
+All Rights Reserved" are retained in Python alone or in any derivative version
+prepared by Licensee.
+
+3. In the event Licensee prepares a derivative work that is based on
+or incorporates Python or any part thereof, and wants to make
+the derivative work available to others as provided herein, then
+Licensee hereby agrees to include in any such work a brief summary of
+the changes made to Python.
+
+4. PSF is making Python available to Licensee on an "AS IS"
+basis.  PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
+IMPLIED.  BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
+DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
+FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
+INFRINGE ANY THIRD PARTY RIGHTS.
+
+5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
+A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
+OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+
+6. This License Agreement will automatically terminate upon a material
+breach of its terms and conditions.
+
+7. Nothing in this License Agreement shall be deemed to create any
+relationship of agency, partnership, or joint venture between PSF and
+Licensee.  This License Agreement does not grant permission to use PSF
+trademarks or trade name in a trademark sense to endorse or promote
+products or services of Licensee, or any third party.
+
+8. By copying, installing or otherwise using Python, Licensee
+agrees to be bound by the terms and conditions of this License
+Agreement.

README.md

@@ -1,3 +1,9 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
 # Ansible Community Crypto Collection
 
 [![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
@@ -7,9 +13,11 @@ Provides modules for [Ansible](https://www.ansible.com/community) for various cr
 
 You can find [documentation for this collection on the Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/).
 
+Please note that this collection does **not** support Windows targets.
+
 ## Tested with Ansible
 
-Tested with the current Ansible 2.9, ansible-base 2.10 and ansible-core 2.11 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
+Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
 
 ## External requirements
 
@@ -106,6 +114,10 @@ In 2.0.0, the following notable features will be removed:
 
 ## Licensing
 
-GNU General Public License v3.0 or later.
+This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
 
-See [COPYING](https://www.gnu.org/licenses/gpl-3.0.txt) to see the full text.
+See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text.
+
+Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
+
+Almost all files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `.reuse/dep5`. Right now a few vendored PEM files do not have licensing information as well. This conforms to the [REUSE specification](https://reuse.software/spec/) up to the aforementioned PEM files.

changelogs/changelog.yaml

@@ -394,3 +394,588 @@ releases:
     - 1.6.2.yml
     - 221-acme-meta.yml
     release_date: '2021-04-28'
+  1.7.0:
+    changes:
+      bugfixes:
+      - openssh_keypair - fix ``check_mode`` to populate return values for existing
+        keypairs (https://github.com/ansible-collections/community.crypto/issues/113,
+        https://github.com/ansible-collections/community.crypto/pull/230).
+      - various modules - prevent crashes when modules try to set attributes on not
+        yet existing files in check mode. This will be fixed in ansible-core 2.12,
+        but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242,
+        https://github.com/ansible-collections/community.crypto/pull/243).
+      - x509_certificate - fix crash when ``assertonly`` provider is used and some
+        error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240,
+        https://github.com/ansible-collections/community.crypto/pull/241).
+      minor_changes:
+      - cryptography_openssh module utils - new module_utils for managing asymmetric
+        keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213).
+      - openssh_keypair - added ``backend`` parameter for selecting between the cryptography
+        library or the OpenSSH binary for the execution of actions performed by ``openssh_keypair``
+        (https://github.com/ansible-collections/community.crypto/pull/236).
+      - openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting
+        OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225).
+      - openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - openssl_csr_info - now returns ``public_key_type`` and ``public_key_data``
+        (https://github.com/ansible-collections/community.crypto/pull/233).
+      - openssl_csr_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/204).
+      - openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography``
+        backend. This requires cryptography 3.0 or newer, and does not support the
+        ``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234).
+      - openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - openssl_privatekey_info - refactor module to allow code re-use for diff mode
+        (https://github.com/ansible-collections/community.crypto/pull/205).
+      - openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - x509_certificate_info - now returns ``public_key_type`` and ``public_key_data``
+        (https://github.com/ansible-collections/community.crypto/pull/233).
+      - x509_certificate_info - refactor module to allow code re-use for diff mode
+        (https://github.com/ansible-collections/community.crypto/pull/206).
+      - x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
+        https://github.com/ansible-collections/community.crypto/pull/150).
+      - x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating
+        all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232).
+      - x509_crl_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/203).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+    - 1.7.0.yml
+    - 150-diff.yml
+    - 203-x509_crl_info.yml
+    - 204-openssl_csr_info.yml
+    - 205-openssl_privatekey_info.yml
+    - 206-x509_certificate_info.yml
+    - 213-cryptography-openssh-module-utils.yml
+    - 225-openssh-keypair-passphrase.yml
+    - 230-openssh_keypair-check_mode-return-values.yml
+    - 232-x509_crl_info-list_revoked_certificates.yml
+    - 233-public-key-info.yml
+    - 234-openssl_pkcs12-cryptography.yml
+    - 236-openssh_keypair-backends.yml
+    - 241-x509_certificate-assertonly.yml
+    - 243-permission-check-crash.yml
+    modules:
+    - description: Provide information for OpenSSL public keys
+      name: openssl_publickey_info
+      namespace: ''
+    release_date: '2021-06-02'
+  1.7.1:
+    changes:
+      bugfixes:
+      - openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files
+        with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247,
+        https://github.com/ansible-collections/community.crypto/pull/248).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.7.1.yml
+    - 248-openssl_pkcs12-passphrase-fix.yml
+    release_date: '2021-06-11'
+  1.8.0:
+    changes:
+      bugfixes:
+      - openssh_cert - fixed certificate generation to restore original certificate
+        if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255).
+      - openssh_keypair - fixed a bug that prevented custom file attributes being
+        applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257).
+      minor_changes:
+      - Avoid internal ansible-core module_utils in favor of equivalent public API
+        available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253).
+      - openssh certificate module utils - new module_utils for parsing OpenSSH certificates
+        (https://github.com/ansible-collections/community.crypto/pull/246).
+      - openssh_cert - added ``regenerate`` option to validate additional certificate
+        parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256).
+      - openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255).
+      release_summary: Regular bugfix and feature release.
+    fragments:
+    - 1.8.0.yml
+    - 246-openssh-certificate-module-utils.yml
+    - 255-openssh_cert-adding-diff-support.yml
+    - 256-openssh_cert-adding-idempotency-option.yml
+    - 257-openssh-keypair-fix-pubkey-permissions.yml
+    - ansible-core-_text.yml
+    release_date: '2021-08-10'
+  1.9.0:
+    changes:
+      bugfixes:
+      - keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
+      - openssh_keypair - fixed ``cryptography`` backend to preserve original file
+        permissions when regenerating a keypair requires existing files to be overwritten
+        (https://github.com/ansible-collections/community.crypto/pull/260).
+      - openssh_keypair - fixed error handling to restore original keypair if regeneration
+        fails (https://github.com/ansible-collections/community.crypto/pull/260).
+      - x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
+      minor_changes:
+      - get_certificate - added ``starttls`` option to retrieve certificates from
+        servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).
+      - openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260).
+      release_summary: Regular feature release.
+    fragments:
+    - 1.9.0.yml
+    - 260-openssh_keypair-diff-support.yml
+    - 263-sanity.yml
+    - 264-get_certificate-add-starttls-option.yml
+    release_date: '2021-08-30'
+  1.9.1:
+    changes:
+      release_summary: Accidental 1.9.1 release. Identical to 1.9.0.
+    release_date: '2021-08-30'
+  1.9.2:
+    changes:
+      release_summary: Bugfix release to fix the changelog. No other change compared
+        to 1.9.0.
+    fragments:
+    - 1.9.2.yml
+    release_date: '2021-08-30'
+  1.9.3:
+    changes:
+      bugfixes:
+      - openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used
+        to compare strings with the cryptography backend. This fixes idempotency problems
+        with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270,
+        https://github.com/ansible-collections/community.crypto/pull/271).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.3.yml
+    - 271-openssl_csr-utf8.yml
+    release_date: '2021-09-14'
+  1.9.4:
+    changes:
+      bugfixes:
+      - acme_* modules - fix commands composed for OpenSSL backend to retrieve information
+        on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``.
+        This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
+      - acme_challenge_cert_helper - only return exception when cryptography is not
+        installed, not when a too old version of it is installed. This prevents Ansible's
+        callback to crash (https://github.com/ansible-collections/community.crypto/pull/281).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.4.yml
+    - 279-acme-openssl.yml
+    - 282-acme_challenge_cert_helper-error.yml
+    release_date: '2021-09-28'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - Adjust ``dirName`` text parsing and to text converting code to conform to
+        `Sections 2 and 3 of RFC 4514 <https://datatracker.ietf.org/doc/html/rfc4514.html>`_.
+        This is similar to how `cryptography handles this <https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name.rfc4514_string>`_
+        (https://github.com/ansible-collections/community.crypto/pull/274).
+      - acme module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290).
+      - acme_* modules - removed vendored copy of the Python library ``ipaddress``.
+        If you are using Python 2.x, please make sure to install the library (https://github.com/ansible-collections/community.crypto/pull/287).
+      - compatibility module_utils - removed vendored copy of the Python library ``ipaddress``
+        (https://github.com/ansible-collections/community.crypto/pull/287).
+      - crypto module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290).
+      - get_certificate, openssl_csr_info, x509_certificate_info - depending on the
+        ``cryptography`` version used, the modules might not return the ASN.1 value
+        for an extension as contained in the certificate respectively CSR, but a re-encoded
+        version of it. This should usually be identical to the value contained in
+        the source file, unless the value was malformed. For extensions not handled
+        by C(cryptography) the value contained in the source file is always returned
+        unaltered (https://github.com/ansible-collections/community.crypto/pull/318).
+      - module_utils - removed various PyOpenSSL support functions and default backend
+        values that are not needed for the openssl_pkcs12 module (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_csr, openssl_csr_pipe, x509_crl - the ``subject`` respectively ``issuer``
+        fields no longer ignore empty values, but instead fail when encountering them
+        (https://github.com/ansible-collections/community.crypto/pull/316).
+      - openssl_privatekey_info - by default consistency checks are not run; they
+        need to be explicitly requested by passing ``check_consistency=true`` (https://github.com/ansible-collections/community.crypto/pull/309).
+      - x509_crl - for idempotency checks, the ``issuer`` order is ignored. If order
+        is important, use the new ``issuer_ordered`` option (https://github.com/ansible-collections/community.crypto/pull/316).
+      bugfixes:
+      - cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
+      - get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+      - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release
+        (https://github.com/ansible-collections/community.crypto/pull/294).
+      - openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
+      - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release
+        (https://github.com/ansible-collections/community.crypto/pull/294).
+      deprecated_features:
+      - acme_* modules - ACME version 1 is now deprecated and support for it will
+        be removed in community.crypto 2.0.0 (https://github.com/ansible-collections/community.crypto/pull/288).
+      minor_changes:
+      - acme_certificate - the ``subject`` and ``issuer`` fields in in the ``select_chain``
+        entries are now more strictly validated (https://github.com/ansible-collections/community.crypto/pull/316).
+      - openssl_csr, openssl_csr_pipe - provide a new ``subject_ordered`` option if
+        the order of the components in the subject is of importance (https://github.com/ansible-collections/community.crypto/issues/291,
+        https://github.com/ansible-collections/community.crypto/pull/316).
+      - openssl_csr, openssl_csr_pipe - there is now stricter validation of the values
+        of the ``subject`` option (https://github.com/ansible-collections/community.crypto/pull/316).
+      - openssl_privatekey_info - add ``check_consistency`` option to request private
+        key consistency checks to be done (https://github.com/ansible-collections/community.crypto/pull/309).
+      - x509_certificate, x509_certificate_pipe - add ``ignore_timestamps`` option
+        which allows to enable idempotency for 'not before' and 'not after' options
+        (https://github.com/ansible-collections/community.crypto/issues/295, https://github.com/ansible-collections/community.crypto/pull/317).
+      - x509_crl - provide a new ``issuer_ordered`` option if the order of the components
+        in the issuer is of importance (https://github.com/ansible-collections/community.crypto/issues/291,
+        https://github.com/ansible-collections/community.crypto/pull/316).
+      - x509_crl - there is now stricter validation of the values of the ``issuer``
+        option (https://github.com/ansible-collections/community.crypto/pull/316).
+      release_summary: 'A new major release of the ``community.crypto`` collection.
+        The main changes are removal of the PyOpenSSL backends for almost all modules
+        (``openssl_pkcs12`` being the only exception), and removal of the ``assertonly``
+        provider in the ``x509_certificate`` provider. There are also some other breaking
+        changes which should improve the user interface/experience of this collection
+        long-term.
+
+        '
+      removed_features:
+      - acme_* modules - the ``acme_directory`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290).
+      - acme_* modules - the ``acme_version`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290).
+      - acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info
+        instead (https://github.com/ansible-collections/community.crypto/pull/290).
+      - acme_account_info - ``retrieve_orders=url_list`` no longer returns the return
+        value ``orders``. Use the ``order_uris`` return value instead (https://github.com/ansible-collections/community.crypto/pull/290).
+      - crypto.info module utils - the deprecated redirect has been removed. Use ``crypto.pem``
+        instead (https://github.com/ansible-collections/community.crypto/pull/290).
+      - get_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate
+        instead (https://github.com/ansible-collections/community.crypto/pull/290).
+      - openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info
+        instead (https://github.com/ansible-collections/community.crypto/pull/290).
+      - openssl_csr - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_csr and openssl_csr_pipe - ``version`` now only accepts the (default)
+        value 1 (https://github.com/ansible-collections/community.crypto/pull/290).
+      - openssl_csr_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_csr_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_privatekey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_privatekey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_privatekey_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_publickey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_publickey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_signature - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - openssl_signature_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - x509_certificate - remove ``assertonly`` provider (https://github.com/ansible-collections/community.crypto/pull/289).
+      - x509_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - x509_certificate_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+      - x509_certificate_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273).
+    fragments:
+    - 2.0.0.yml
+    - 273-pyopenssl-removal.yml
+    - 274-dirname-rfc4514.yml
+    - 287-remove-ipaddress.yml
+    - 288-depecate-acme-v1.yml
+    - 289-assertonly-removed.yml
+    - 290-remove-deprecations.yml
+    - 294-cryptography-35.0.0.yml
+    - 296-openssl_pkcs12-cryptography-35.yml
+    - 309-openssl_privatekey_info-consistency.yml
+    - 313-unicode-names.yml
+    - 315-ordered-names.yml
+    - 317-ignore-timestamps.yml
+    - 318-extension-value-note.yml
+    release_date: '2021-11-01'
+  2.0.1:
+    changes:
+      bugfixes:
+      - acme_certificate - avoid passing multiple certificates to ``cryptography``'s
+        X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
+      - get_certificate, openssl_csr_info, x509_certificate_info - add fallback code
+        for extension parsing that works with cryptography 36.0.0 and newer. This
+        code re-serializes de-serialized extensions and thus can return slightly different
+        values if the extension in the original CSR resp. certificate was not canonicalized
+        correctly. This code is currently used as a fallback if the existing code
+        stops working, but we will switch it to be the main code in a future release
+        (https://github.com/ansible-collections/community.crypto/pull/331).
+      - luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent``
+        to make sure that also the secondary LUKS2 header is wiped when older versions
+        of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326,
+        https://github.com/ansible-collections/community.crypto/pull/327).
+      - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography
+        36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
+      minor_changes:
+      - acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core
+        ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
+      release_summary: Bugfix release with extra forward compatibility for newer versions
+        of cryptography.
+    fragments:
+    - 2.0.1.yml
+    - 302-openssl_pkcs12-cryptography-36.0.0.yml
+    - 324-acme_certificate-fullchain.yml
+    - 327-luks_device-wipe.yml
+    - 331-cryptography-extensions.yml
+    - fetch_url-devel.yml
+    release_date: '2021-11-22'
+  2.0.2:
+    changes:
+      release_summary: Documentation fix release. No actual code changes.
+    fragments:
+    - 2.0.2.yml
+    release_date: '2021-12-20'
+  2.1.0:
+    changes:
+      bugfixes:
+      - Various modules and plugins - use vendored version of ``distutils.version``
+        instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353).
+      - certificate_complete_chain - do not append root twice if the chain already
+        ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360).
+      - certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355,
+        https://github.com/ansible-collections/community.crypto/pull/360).
+      minor_changes:
+      - Adjust error messages that indicate ``cryptography`` is not installed from
+        ``Can't`` to ``Cannot`` (https://github.com/ansible-collections/community.crypto/pull/374).
+      release_summary: Feature and bugfix release.
+    fragments:
+    - 2.1.0.yml
+    - 353-distutils.version.yml
+    - 360-certificate_complete_chain-loop.yml
+    - 374-docs.yml
+    modules:
+    - description: Retrieve cryptographic capabilities
+      name: crypto_info
+      namespace: ''
+    - description: Convert OpenSSL private keys
+      name: openssl_privatekey_convert
+      namespace: ''
+    release_date: '2022-01-10'
+  2.2.0:
+    changes:
+      bugfixes:
+      - luks_devices - set ``LANG`` and similar environment variables to avoid translated
+        output, which can break some of the module's functionality like key management
+        (https://github.com/ansible-collections/community.crypto/pull/388, https://github.com/ansible-collections/community.crypto/issues/385).
+      minor_changes:
+      - openssh_cert - added ``ignore_timestamps`` parameter so it can be used semi-idempotent
+        with relative timestamps in ``valid_to``/``valid_from`` (https://github.com/ansible-collections/community.crypto/issues/379).
+      release_summary: Regular bugfix and feature release.
+    fragments:
+    - 2.2.0.yml
+    - 381_openssh_cert_add_ignore_timestamps.yml
+    - 388-luks_device-i18n.yml
+    release_date: '2022-02-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - openssh_cert - fixed false ``changed`` status for ``host`` certificates when
+        using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395,
+        https://github.com/ansible-collections/community.crypto/pull/396).
+      release_summary: Bugfix release.
+    fragments:
+    - 2.2.1.yml
+    - 396-openssh_cert-host-cert-idempotence-fix.yml
+    release_date: '2022-02-05'
+  2.2.2:
+    changes:
+      bugfixes:
+      - certificate_complete_chain - allow multiple potential intermediate certificates
+        to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399,
+        https://github.com/ansible-collections/community.crypto/pull/403).
+      - x509_certificate - for the ``ownca`` provider, check whether the CA private
+        key actually belongs to the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
+      - x509_certificate - regenerate certificate when the CA's public key changes
+        for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/pull/407).
+      - x509_certificate - regenerate certificate when the CA's subject changes for
+        ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400,
+        https://github.com/ansible-collections/community.crypto/pull/402).
+      - x509_certificate - regenerate certificate when the private key changes for
+        ``provider=selfsigned`` (https://github.com/ansible-collections/community.crypto/pull/407).
+      release_summary: 'Regular bugfix release.
+
+
+        In this release, we extended the test matrix to include Alpine 3, ArchLinux,
+        Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix.
+
+        '
+    fragments:
+    - 2.2.2.yml
+    - 402-x509_certificate-ownca-subject.yml
+    - 403-certificate_complete_chain-same-subject.yml
+    - 407-x509_certificate-signature.yml
+    release_date: '2022-02-21'
+  2.2.3:
+    changes:
+      bugfixes:
+      - luks_device - fix parsing of ``lsblk`` output when device name ends with ``crypt``
+        (https://github.com/ansible-collections/community.crypto/issues/409, https://github.com/ansible-collections/community.crypto/pull/410).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 2.2.3.yml
+    - 410-luks_device-lsblk-parsing.yml
+    release_date: '2022-03-04'
+  2.2.4:
+    changes:
+      bugfixes:
+      - openssh_* modules - fix exception handling to report traceback to users for
+        enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
+      release_summary: Regular maintenance release.
+    fragments:
+    - 2.2.4.yml
+    - 417-openssh_modules-fix-exception-reporting.yml
+    release_date: '2022-03-22'
+  2.3.0:
+    changes:
+      bugfixes:
+      - Make collection more robust when PyOpenSSL is used with an incompatible cryptography
+        version (https://github.com/ansible-collections/community.crypto/pull/445).
+      - x509_crl - fix crash when ``issuer`` for a revoked certificate is specified
+        (https://github.com/ansible-collections/community.crypto/pull/441).
+      minor_changes:
+      - Prepare collection for inclusion in an Execution Environment by declaring
+        its dependencies. Please note that system packages are used for cryptography
+        and PyOpenSSL, which can be rather limited. If you need features from newer
+        cryptography versions, you will have to manually force a newer version to
+        be installed by pip by specifying something like ``cryptography >= 37.0.0``
+        in your Execution Environment's Python dependencies file (https://github.com/ansible-collections/community.crypto/pull/440).
+      - Support automatic conversion for Internalionalized Domain Names (IDNs). When
+        passing general names, for example Subject Altenative Names to ``community.crypto.openssl_csr``,
+        these will automatically be converted to IDNA. Conversion will be done per
+        label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails for
+        that label. Note that IDNA conversion requires `the Python idna library <https://pypi.org/project/idna/>`_
+        to be installed. Please note that depending on which versions of the cryptography
+        library are used, it could try to process the converted IDNA another time
+        with the Python ``idna`` library and reject IDNA2003 encoded values. Using
+        a new enough ``cryptography`` version avoids this (https://github.com/ansible-collections/community.crypto/issues/426,
+        https://github.com/ansible-collections/community.crypto/pull/436).
+      - acme_* modules - add parameter ``request_timeout`` to manage HTTP(S) request
+        timeout (https://github.com/ansible-collections/community.crypto/issues/447,
+        https://github.com/ansible-collections/community.crypto/pull/448).
+      - luks_devices - added ``perf_same_cpu_crypt``, ``perf_submit_from_crypt_cpus``,
+        ``perf_no_read_workqueue``, ``perf_no_write_workqueue`` for performance tuning
+        when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/issues/427).
+      - luks_devices - added ``persistent`` option when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/pull/434).
+      - openssl_csr_info - add ``name_encoding`` option to control the encoding (IDNA,
+        Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+      - openssl_pkcs12 - allow to provide the private key as text instead of having
+        to read it from a file. This allows to store the private key in an encrypted
+        form, for example in Ansible Vault (https://github.com/ansible-collections/community.crypto/pull/452).
+      - x509_certificate_info - add ``name_encoding`` option to control the encoding
+        (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+      - x509_crl - add ``name_encoding`` option to control the encoding (IDNA, Unicode)
+        used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+      - x509_crl_info - add ``name_encoding`` option to control the encoding (IDNA,
+        Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+      release_summary: Feature and bugfix release.
+    fragments:
+    - 2.3.0.yml
+    - 434-add-persistent-and-perf-options.yml
+    - 436-idns.yml
+    - 440-ee.yml
+    - 441-x509-crl-cert-issuer.yml
+    - 445-fix.yml
+    - 448-acme-request-timeouts.yml
+    - 452-openssl_pkcs12-private-key-content.yml
+    release_date: '2022-05-09'
+  2.3.1:
+    changes:
+      bugfixes:
+      - Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+      release_summary: Maintenance release.
+    fragments:
+    - 2.3.1.yml
+    - psf-license.yml
+    release_date: '2022-05-16'
+  2.3.2:
+    changes:
+      bugfixes:
+      - Include ``simplified_bsd.txt`` license file for the ECS module utils.
+      - certificate_complete_chain - do not stop execution if an unsupported signature
+        algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457).
+      release_summary: Maintenance and bugfix release.
+    fragments:
+    - 2.3.2.yml
+    - 457-certificate_complete_chain-unsupported-algorithm.yml
+    - simplified-bsd-license.yml
+    release_date: '2022-06-02'
+  2.3.3:
+    changes:
+      bugfixes:
+      - Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py``
+        and ``plugins/module_utils/crypto/_objects_data.py``.
+      - openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees
+        must be a non-empty list or None' if only one of ``name_constraints_permitted``
+        and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
+      - x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473,
+        https://github.com/ansible-collections/community.crypto/pull/474).
+      release_summary: Bugfix release.
+    fragments:
+    - 2.3.3.yml
+    - 474-x509_crl-ed25519-ed448.yml
+    - 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
+    - apache-license.yml
+    release_date: '2022-06-17'
+  2.3.4:
+    changes:
+      release_summary: 'Re-release of what was intended to be 2.3.3.
+
+
+        A mistake during the release process caused the 2.3.3 tag to end up on the
+
+        commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17
+
+        as 2.3.3.
+
+
+        This release is identical to what should have been 2.3.3, except that the
+
+        version number has been bumped to 2.3.4 and this changelog entry for 2.3.4
+
+        has been added.
+
+        '
+    fragments:
+    - 2.3.4.yml
+    release_date: '2022-06-21'
+  2.4.0:
+    changes:
+      bugfixes:
+      - openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying
+        to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486,
+        https://github.com/ansible-collections/community.crypto/pull/487).
+      deprecated_features:
+      - Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed
+        in the next major release (community.crypto 3.0.0). Some modules might still
+        work with these versions afterwards, but we will no longer keep compatibility
+        code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460).
+      release_summary: Deprecation and bugfix release. No new features this time.
+    fragments:
+    - 2.4.0.yml
+    - 487-openssl_pkcs12-other-certs-crash.yml
+    - deprecate-ansible-2.9-2.10.yml
+    release_date: '2022-07-09'
+  2.5.0:
+    changes:
+      minor_changes:
+      - All software licenses are now in the ``LICENSES/`` directory of the collection
+        root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable
+        license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491).
+      release_summary: Maintenance release with improved licensing declaration and
+        documentation fixes.
+    fragments:
+    - 2.5.0.yml
+    - 491-licenses.yml
+    release_date: '2022-08-04'
+  2.6.0:
+    changes:
+      minor_changes:
+      - acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508).
+      - openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available
+        choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511).
+      release_summary: Feature release.
+    fragments:
+    - 2.6.0.yml
+    - 508-acme-429.yml
+    - 511-openssh_keypair-private_key_format_options.yml
+    release_date: '2022-09-19'
+  2.7.0:
+    changes:
+      bugfixes:
+      - openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core
+        (https://github.com/ansible-collections/community.crypto/pull/515).
+      minor_changes:
+      - acme* modules - also support the HTTP 503 Service Unavailable and 408 Request
+        Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513).
+      release_summary: Feature release.
+    fragments:
+    - 2.7.0.yml
+    - 513-acme-503.yml
+    - 515-action-module-compat.yml
+    release_date: '2022-09-23'

changelogs/changelog.yaml.license

@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project

changelogs/config.yaml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 changelog_filename_template: ../CHANGELOG.rst
 changelog_filename_version_depth: 0
 changes_file: changelog.yaml

docs/docsite/extra-docs.yml

@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+sections:
+  - title: Scenario Guides
+    toctree:
+      - guide_selfsigned
+      - guide_ownca

docs/docsite/links.yml

@@ -0,0 +1,27 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+edit_on_github:
+  repository: ansible-collections/community.crypto
+  branch: main
+  path_prefix: ''
+
+extra_links:
+  - description: Submit a bug report
+    url: https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=bug_report.md
+  - description: Request a feature
+    url: https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=feature_request.md
+
+communication:
+  matrix_rooms:
+    - topic: General usage and support questions
+      room: '#users:ansible.im'
+  irc_channels:
+    - topic: General usage and support questions
+      network: Libera
+      channel: '#ansible'
+  mailing_lists:
+    - topic: Ansible Project List
+      url: https://groups.google.com/g/ansible-project

docs/docsite/rst/guide_ownca.rst

@@ -0,0 +1,153 @@
+..
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _ansible_collections.community.crypto.docsite.guide_ownca:
+
+How to create a small CA
+========================
+
+The `community.crypto collection <https://galaxy.ansible.com/community/crypto>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create your own small CA and how to use it to sign certificates.
+
+In all examples, we assume that the CA's private key is password protected, where the password is provided in the ``secret_ca_passphrase`` variable.
+
+Set up the CA
+-------------
+
+Any certificate can be used as a CA certificate. You can create a self-signed certificate (see :ref:`ansible_collections.community.crypto.docsite.guide_selfsigned`), use another CA certificate to sign a new certificate (using the instructions below for signing a certificate), ask (and pay) a commercial CA to sign your CA certificate, etc.
+
+The following instructions show how to set up a simple self-signed CA certificate.
+
+.. code-block:: yaml+jinja
+
+    - name: Create private key with password protection
+      community.crypto.openssl_privatekey:
+        path: /path/to/ca-certificate.key
+        passphrase: "{{ secret_ca_passphrase }}"
+
+    - name: Create certificate signing request (CSR) for CA certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: /path/to/ca-certificate.key
+        privatekey_passphrase: "{{ secret_ca_passphrase }}"
+        common_name: Ansible CA
+        use_common_name_for_san: false  # since we do not specify SANs, don't use CN as a SAN
+        basic_constraints:
+          - 'CA:TRUE'
+        basic_constraints_critical: true
+        key_usage:
+          - keyCertSign
+        key_usage_critical: true
+      register: ca_csr
+
+    - name: Create self-signed CA certificate from CSR
+      community.crypto.x509_certificate:
+        path: /path/to/ca-certificate.pem
+        csr_content: "{{ ca_csr.csr }}"
+        privatekey_path: /path/to/ca-certificate.key
+        privatekey_passphrase: "{{ secret_ca_passphrase }}"
+        provider: selfsigned
+
+Use the CA to sign a certificate
+--------------------------------
+
+To sign a certificate, you must pass a CSR to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>` or :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`.
+
+In the following example, we assume that the certificate to sign (including its private key) are on ``server_1``, while our CA certificate is on ``server_2``. We do not want any key material to leave each respective server.
+
+.. code-block:: yaml+jinja
+
+    - name: Create private key for new certificate on server_1
+      community.crypto.openssl_privatekey:
+        path: /path/to/certificate.key
+      delegate_to: server_1
+      run_once: true
+
+    - name: Create certificate signing request (CSR) for new certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: /path/to/certificate.key
+        subject_alt_name:
+          - "DNS:ansible.com"
+          - "DNS:www.ansible.com"
+          - "DNS:docs.ansible.com"
+      delegate_to: server_1
+      run_once: true
+      register: csr
+
+    - name: Sign certificate with our CA
+      community.crypto.x509_certificate_pipe:
+        csr_content: "{{ csr.csr }}"
+        provider: ownca
+        ownca_path: /path/to/ca-certificate.pem
+        ownca_privatekey_path: /path/to/ca-certificate.key
+        ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+        ownca_not_after: +365d  # valid for one year
+        ownca_not_before: "-1d"  # valid since yesterday
+      delegate_to: server_2
+      run_once: true
+      register: certificate
+
+    - name: Write certificate file on server_1
+      copy:
+        dest: /path/to/certificate.pem
+        content: "{{ certificate.certificate }}"
+      delegate_to: server_1
+      run_once: true
+
+Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`, and only writes the result back if it was changed:
+
+.. code-block:: yaml+jinja
+
+    - name: Create private key for new certificate on server_1
+      community.crypto.openssl_privatekey:
+        path: /path/to/certificate.key
+      delegate_to: server_1
+      run_once: true
+
+    - name: Create certificate signing request (CSR) for new certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: /path/to/certificate.key
+        subject_alt_name:
+          - "DNS:ansible.com"
+          - "DNS:www.ansible.com"
+          - "DNS:docs.ansible.com"
+      delegate_to: server_1
+      run_once: true
+      register: csr
+
+    - name: Check whether certificate exists
+      stat:
+        path: /path/to/certificate.pem
+      delegate_to: server_1
+      run_once: true
+      register: certificate_exists
+
+    - name: Read existing certificate if exists
+      slurp:
+        src: /path/to/certificate.pem
+      when: certificate_exists.stat.exists
+      delegate_to: server_1
+      run_once: true
+      register: certificate
+
+    - name: Sign certificate with our CA
+      community.crypto.x509_certificate_pipe:
+        content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
+        csr_content: "{{ csr.csr }}"
+        provider: ownca
+        ownca_path: /path/to/ca-certificate.pem
+        ownca_privatekey_path: /path/to/ca-certificate.key
+        ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+        ownca_not_after: +365d  # valid for one year
+        ownca_not_before: "-1d"  # valid since yesterday
+      delegate_to: server_2
+      run_once: true
+      register: certificate
+
+    - name: Write certificate file on server_1
+      copy:
+        dest: /path/to/certificate.pem
+        content: "{{ certificate.certificate }}"
+      delegate_to: server_1
+      run_once: true
+      when: certificate is changed

docs/docsite/rst/guide_selfsigned.rst

@@ -0,0 +1,65 @@
+..
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _ansible_collections.community.crypto.docsite.guide_selfsigned:
+
+How to create self-signed certificates
+======================================
+
+The `community.crypto collection <https://galaxy.ansible.com/community/crypto>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.
+
+For creating any kind of certificate, you always have to start with a private key. You can use the :ref:`community.crypto.openssl_privatekey module <ansible_collections.community.crypto.openssl_privatekey_module>` to create a private key. If you only specify ``path``, the default parameters will be used. This will result in a 4096 bit RSA private key:
+
+.. code-block:: yaml+jinja
+
+    - name: Create private key (RSA, 4096 bits)
+      community.crypto.openssl_privatekey:
+        path: /path/to/certificate.key
+
+You can specify ``type`` to select another key type, ``size`` to select a different key size (only available for RSA and DSA keys), or ``passphrase`` if you want to store the key password-protected:
+
+.. code-block:: yaml+jinja
+
+    - name: Create private key (X25519) with password protection
+      community.crypto.openssl_privatekey:
+        path: /path/to/certificate.key
+        type: X25519
+        passphrase: changeme
+
+To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`:
+
+.. code-block:: yaml+jinja
+
+    - name: Create simple self-signed certificate
+      community.crypto.x509_certificate:
+        path: /path/to/certificate.pem
+        privatekey_path: /path/to/certificate.key
+        provider: selfsigned
+
+(If you used ``passphrase`` for the private key, you have to provide ``privatekey_passphrase``.)
+
+You can use ``selfsigned_not_after`` to define when the certificate expires (default: in roughly 10 years), and ``selfsigned_not_before`` to define from when the certificate is valid (default: now).
+
+To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`. If you do not need the CSR file, you can use the :ref:`community.crypto.openssl_csr_pipe module <ansible_collections.community.crypto.openssl_csr_pipe_module>` as in the example below. (To store it to disk, use the :ref:`community.crypto.openssl_csr module <ansible_collections.community.crypto.openssl_csr_module>` instead.)
+
+.. code-block:: yaml+jinja
+
+    - name: Create certificate signing request (CSR) for self-signed certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: /path/to/certificate.key
+        common_name: ansible.com
+        organization_name: Ansible, Inc.
+        subject_alt_name:
+          - "DNS:ansible.com"
+          - "DNS:www.ansible.com"
+          - "DNS:docs.ansible.com"
+      register: csr
+
+    - name: Create self-signed certificate from CSR
+      community.crypto.x509_certificate:
+        path: /path/to/certificate.pem
+        csr_content: "{{ csr.csr }}"
+        privatekey_path: /path/to/certificate.key
+        provider: selfsigned

galaxy.yml

@@ -1,11 +1,24 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 namespace: community
 name: crypto
-version: 1.6.2
+version: 2.7.0
 readme: README.md
 authors:
   - Ansible (github.com/ansible)
 description: null
-license_file: COPYING
+license:
+  - GPL-3.0-or-later
+  - Apache-2.0
+  - BSD-2-Clause
+  - BSD-3-Clause
+  # TODO: galaxy-importer does not support this license type yet. Uncomment once this has been
+  #       fixed and the fix deployed (https://github.com/ansible/galaxy-importer/pull/175).
+  # - PSF-2.0
+#license_file: COPYING
 tags:
   - acme
   - certificate

meta/ee-bindep.txt

@@ -0,0 +1,14 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptsetup [platform:dpkg]
+cryptsetup [platform:rpm]
+openssh-client [platform:dpkg]
+openssh-clients [platform:rpm]
+openssl [platform:dpkg]
+openssl [platform:rpm]
+python3-cryptography [platform:dpkg]
+python3-cryptography [platform:rpm]
+python3-openssl [platform:dpkg]
+python3-pyOpenSSL [platform:rpm]

meta/ee-requirements.txt

@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+PyYAML

meta/execution-environment.yml

@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: 1
+dependencies:
+  python: meta/ee-requirements.txt
+  system: meta/ee-bindep.txt

meta/runtime.yml

@@ -1,3 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 requires_ansible: '>=2.9.10'
 
 action_groups:
@@ -12,20 +17,19 @@ action_groups:
 plugin_routing:
   modules:
     acme_account_facts:
-      deprecation:
+      tombstone:
         removal_version: 2.0.0
         warning_text: The 'community.crypto.acme_account_facts' module has been renamed to 'community.crypto.acme_account_info'.
     openssl_certificate:
-      deprecation:
+      tombstone:
         removal_version: 2.0.0
         warning_text: The 'community.crypto.openssl_certificate' module has been renamed to 'community.crypto.x509_certificate'
     openssl_certificate_info:
-      deprecation:
+      tombstone:
         removal_version: 2.0.0
         warning_text: The 'community.crypto.openssl_certificate_info' module has been renamed to 'community.crypto.x509_certificate_info'
   module_utils:
     crypto.identify:
-      redirect: community.crypto.crypto.pem
-      deprecation:
+      tombstone:
         removal_version: 2.0.0
         warning_text: The 'crypto/identify.py' module_utils has been renamed 'crypto/pem.py'. Please update your imports

plugins/action/openssl_privatekey_pipe.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -9,7 +10,7 @@ __metaclass__ = type
 
 import base64
 
-from ansible.module_utils._text import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_bytes
 
 from ansible_collections.community.crypto.plugins.plugin_utils.action_module import ActionModuleBase
 

plugins/doc_fragments/acme.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -23,9 +24,17 @@ notes:
      the L(Let's Encrypt,https://letsencrypt.org/) CA, the module can in
      principle be used with any CA providing an ACME endpoint, such as
      L(Buypass Go SSL,https://www.buypass.com/ssl/products/acme)."
+  - "So far, the ACME modules have only been tested by the developers against
+     Let's Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production),
+     and L(Pebble testing server,https://github.com/letsencrypt/Pebble). We have got
+     community feedback that they also work with Sectigo ACME Service for InCommon.
+     If you experience problems with another ACME server, please
+     L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
+     to help us supporting it. Feedback that an ACME server not mentioned does work
+     is also appreciated."
 requirements:
-  - python >= 2.6
   - either openssl or L(cryptography,https://cryptography.io/) >= 1.5
+  - ipaddress
 options:
   account_key_src:
     description:
@@ -33,7 +42,7 @@ options:
          key."
       - "Private keys can be created with the
          M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe)
-         modules. If the requisites (pyOpenSSL or cryptography) are not available,
+         modules. If the requisite (cryptography) is not available,
          keys can also be created directly with the C(openssl) command line tool:
          RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys
          can be created with C(openssl ecparam -genkey ...). Any other tool creating
@@ -74,9 +83,9 @@ options:
       - "The ACME version of the endpoint."
       - "Must be C(1) for the classic Let's Encrypt and Buypass ACME endpoints,
          or C(2) for standardized ACME v2 endpoints."
-      - "The default value is C(1). Note that in community.crypto 2.0.0, this
-         option B(will be required) and will no longer have a default."
-      - "Please also note that we will deprecate ACME v1 support eventually."
+      - "The value C(1) is deprecated since community.crypto 2.0.0 and will be
+         removed from community.crypto 3.0.0."
+    required: true
     type: int
     choices: [ 1, 2 ]
   acme_directory:
@@ -86,41 +95,29 @@ options:
       - "For safety reasons the default is set to the Let's Encrypt staging
          server (for the ACME v1 protocol). This will create technically correct,
          but untrusted certificates."
-      - "The default value is C(https://acme-staging.api.letsencrypt.org/directory).
-         Note that in community.crypto 2.0.0, this option B(will be required) and
-         will no longer have a default. Note that the default is the Let's Encrypt
-         staging server for the ACME v1 protocol, which is deprecated and will
-         be disabled in May 2021 (see
-         L(here,https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/7)
-         for details)."
       - "For Let's Encrypt, all staging endpoints can be found here:
          U(https://letsencrypt.org/docs/staging-environment/). For Buypass, all
          endpoints can be found here:
          U(https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints)"
       - "For B(Let's Encrypt), the production directory URL for ACME v2 is
-         U(https://acme-v02.api.letsencrypt.org/directory).
-         (The production directory URL for ACME v1 is
-         U(https://acme-v01.api.letsencrypt.org/directory) and will be
-         disabled in July 2021.)"
+         U(https://acme-v02.api.letsencrypt.org/directory)."
       - "For B(Buypass), the production directory URL for ACME v2 and v1 is
          U(https://api.buypass.com/acme/directory)."
       - "For B(ZeroSSL), the production directory URL for ACME v2 is
          U(https://acme.zerossl.com/v2/DV90)."
-      - "B(Warning:) So far, the ACME modules have only been tested against Let's Encrypt
-         (staging and production), Buypass (staging and production), ZeroSSL (production),
-         and L(Pebble testing server,https://github.com/letsencrypt/Pebble). If you
-         experience problems with another ACME server, please
-         L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
-         to help us supporting it. Feedback that an ACME server not mentioned does work
-         is also appreciated."
+      - "For B(Sectigo), the production directory URL for ACME v2 is
+         U(https://acme-qa.secure.trust-provider.com/v2/DV)."
+      - The notes for this module contain a list of ACME services this module has
+        been tested against.
+    required: true
     type: str
   validate_certs:
     description:
       - Whether calls to the ACME directory will validate TLS certificates.
-      - "B(Warning:) Should B(only ever) be set to C(no) for testing purposes,
+      - "B(Warning:) Should B(only ever) be set to C(false) for testing purposes,
          for example when testing against a local Pebble server."
     type: bool
-    default: yes
+    default: true
   select_crypto_backend:
     description:
       - Determines which crypto backend to use.
@@ -132,4 +129,11 @@ options:
     type: str
     default: auto
     choices: [ auto, cryptography, openssl ]
+  request_timeout:
+    description:
+      - The time Ansible should wait for a response from the ACME API.
+      - This timeout is applied to all HTTP(S) requests (HEAD, GET, POST).
+    type: int
+    default: 10
+    version_added: 2.3.0
 '''

plugins/doc_fragments/ecs_credential.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 
 # Copyright (c), Entrust Datacard Corporation, 2019
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type

plugins/doc_fragments/module_certificate.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -14,18 +15,15 @@ class ModuleDocFragment(object):
     DOCUMENTATION = r'''
 description:
     - This module allows one to (re)generate OpenSSL certificates.
-    - It uses the pyOpenSSL or cryptography python library to interact with OpenSSL.
-    - If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements)
-      cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend)).
-      Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.
+    - It uses the cryptography python library to interact with OpenSSL.
 requirements:
-    - PyOpenSSL >= 0.15 or cryptography >= 1.6 (if using C(selfsigned), C(ownca) or C(assertonly) provider)
+    - cryptography >= 1.6 (if using C(selfsigned) or C(ownca) provider)
 options:
     force:
         description:
             - Generate the certificate, even if it already exists.
         type: bool
-        default: no
+        default: false
 
     csr_path:
         description:
@@ -55,17 +53,22 @@ options:
             - This is required if the private key is password protected.
         type: str
 
+    ignore_timestamps:
+        description:
+            - Whether the "not before" and "not after" timestamps should be ignored for idempotency checks.
+            - It is better to keep the default value C(true) when using relative timestamps (like C(+0s) for now).
+        type: bool
+        default: true
+        version_added: 2.0.0
+
     select_crypto_backend:
         description:
             - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
             - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
         type: str
         default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]
 
 notes:
     - All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
@@ -107,9 +110,9 @@ options:
             - Include the intermediate certificate to the generated certificate
             - This is only used by the C(acme) provider.
             - Note that this is only available for older versions of C(acme-tiny).
-              New versions include the chain automatically, and setting I(acme_chain) to C(yes) results in an error.
+              New versions include the chain automatically, and setting I(acme_chain) to C(true) results in an error.
         type: bool
-        default: no
+        default: false
 
     acme_directory:
         description:
@@ -119,201 +122,6 @@ options:
         default: https://acme-v02.api.letsencrypt.org/directory
 '''
 
-    BACKEND_ASSERTONLY_DOCUMENTATION = r'''
-description:
-    - The C(assertonly) provider is intended for use cases where one is only interested in
-      checking properties of a supplied certificate. Please note that this provider has been
-      deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0. See the examples on how
-      to emulate C(assertonly) usage with M(community.crypto.x509_certificate_info),
-      M(community.crypto.openssl_csr_info), M(community.crypto.openssl_privatekey_info) and
-      M(ansible.builtin.assert). This also allows more flexible checks than
-      the ones offered by the C(assertonly) provider.
-    - Many properties that can be specified in this module are for validation of an
-      existing or newly generated certificate. The proper place to specify them, if you
-      want to receive a certificate with these properties is a CSR (Certificate Signing Request).
-options:
-    csr_path:
-        description:
-            - This is not required for the C(assertonly) provider.
-
-    csr_content:
-        description:
-            - This is not required for the C(assertonly) provider.
-
-    signature_algorithms:
-        description:
-            - A list of algorithms that you would accept the certificate to be signed with
-              (e.g. ['sha256WithRSAEncryption', 'sha512WithRSAEncryption']).
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: list
-        elements: str
-
-    issuer:
-        description:
-            - The key/value pairs that must be present in the issuer name field of the certificate.
-            - If you need to specify more than one value with the same key, use a list as value.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: dict
-
-    issuer_strict:
-        description:
-            - If set to C(yes), the I(issuer) field must contain only these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-
-    subject:
-        description:
-            - The key/value pairs that must be present in the subject name field of the certificate.
-            - If you need to specify more than one value with the same key, use a list as value.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: dict
-
-    subject_strict:
-        description:
-            - If set to C(yes), the I(subject) field must contain only these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-
-    has_expired:
-        description:
-            - Checks if the certificate is expired/not expired at the time the module is executed.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-
-    version:
-        description:
-            - The version of the certificate.
-            - Nowadays it should almost always be 3.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: int
-
-    valid_at:
-        description:
-            - The certificate must be valid at this point in time.
-            - The timestamp is formatted as an ASN.1 TIME.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: str
-
-    invalid_at:
-        description:
-            - The certificate must be invalid at this point in time.
-            - The timestamp is formatted as an ASN.1 TIME.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: str
-
-    not_before:
-        description:
-            - The certificate must start to become valid at this point in time.
-            - The timestamp is formatted as an ASN.1 TIME.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: str
-        aliases: [ notBefore ]
-
-    not_after:
-        description:
-            - The certificate must expire at this point in time.
-            - The timestamp is formatted as an ASN.1 TIME.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: str
-        aliases: [ notAfter ]
-
-    valid_in:
-        description:
-            - The certificate must still be valid at this relative time offset from now.
-            - Valid format is C([+-]timespec | number_of_seconds) where timespec can be an integer
-              + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using this parameter, this module is NOT idempotent.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: str
-
-    key_usage:
-        description:
-            - The I(key_usage) extension field must contain all these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: list
-        elements: str
-        aliases: [ keyUsage ]
-
-    key_usage_strict:
-        description:
-            - If set to C(yes), the I(key_usage) extension field must contain only these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-        aliases: [ keyUsage_strict ]
-
-    extended_key_usage:
-        description:
-            - The I(extended_key_usage) extension field must contain all these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: list
-        elements: str
-        aliases: [ extendedKeyUsage ]
-
-    extended_key_usage_strict:
-        description:
-            - If set to C(yes), the I(extended_key_usage) extension field must contain only these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-        aliases: [ extendedKeyUsage_strict ]
-
-    subject_alt_name:
-        description:
-            - The I(subject_alt_name) extension field must contain these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: list
-        elements: str
-        aliases: [ subjectAltName ]
-
-    subject_alt_name_strict:
-        description:
-            - If set to C(yes), the I(subject_alt_name) extension field must contain only these values.
-            - This is only used by the C(assertonly) provider.
-            - This option is deprecated since Ansible 2.9 and will be removed with the C(assertonly) provider in community.crypto 2.0.0.
-              For alternatives, see the example on replacing C(assertonly).
-        type: bool
-        default: no
-        aliases: [ subjectAltName_strict ]
-'''
-
     BACKEND_ENTRUST_DOCUMENTATION = r'''
 options:
     entrust_cert_type:
@@ -386,6 +194,7 @@ options:
             - The minimum certificate lifetime is 90 days, and maximum is three years.
             - If this value is not specified, the certificate will stop being valid 365 days the date of issue.
             - This is only used by the C(entrust) provider.
+            - Please note that this value is B(not) covered by the I(ignore_timestamps) option.
         type: str
         default: +365d
 
@@ -456,9 +265,11 @@ options:
             - Time can be specified either as relative time or as absolute timestamp.
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
-              + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
+              + C([w | d | h | m | s]) (for example C(+32w1d2h)).
             - If this value is not specified, the certificate will start being valid from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
+              This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
+              avoid relative timestamps when setting I(ignore_timestamps=false).
             - This is only used by the C(ownca) provider.
         type: str
         default: +0s
@@ -469,9 +280,11 @@ options:
             - Time can be specified either as relative time or as absolute timestamp.
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
-              + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
+              + C([w | d | h | m | s]) (for example C(+32w1d2h)).
             - If this value is not specified, the certificate will stop being valid 10 years from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
+              This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
+              avoid relative timestamps when setting I(ignore_timestamps=false).
             - This is only used by the C(ownca) provider.
             - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
               Please see U(https://support.apple.com/en-us/HT210176) for more details.
@@ -501,7 +314,7 @@ options:
             - This is only used by the C(ownca) provider.
             - Note that this is only supported if the C(cryptography) backend is used!
         type: bool
-        default: yes
+        default: true
 '''
 
     BACKEND_SELFSIGNED_DOCUMENTATION = r'''
@@ -547,9 +360,11 @@ options:
             - Time can be specified either as relative time or as absolute timestamp.
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
-              + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
+              + C([w | d | h | m | s]) (for example C(+32w1d2h)).
             - If this value is not specified, the certificate will start being valid from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
+              This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
+              avoid relative timestamps when setting I(ignore_timestamps=false).
             - This is only used by the C(selfsigned) provider.
         type: str
         default: +0s
@@ -561,9 +376,11 @@ options:
             - Time can be specified either as relative time or as absolute timestamp.
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
-              + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
+              + C([w | d | h | m | s]) (for example C(+32w1d2h)).
             - If this value is not specified, the certificate will stop being valid 10 years from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
+              This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should
+              avoid relative timestamps when setting I(ignore_timestamps=false).
             - This is only used by the C(selfsigned) provider.
             - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
               Please see U(https://support.apple.com/en-us/HT210176) for more details.

plugins/doc_fragments/module_csr.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 
-# Copyrigt: (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -15,13 +16,8 @@ description:
     - This module allows one to (re)generate OpenSSL certificate signing requests.
     - This module supports the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple
       extensions.
-    - "The module can use the cryptography Python library, or the pyOpenSSL Python
-      library. By default, it tries to detect which one is available. This can be
-      overridden with the I(select_crypto_backend) option. Please note that the
-      PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0."
 requirements:
-    - Either cryptography >= 1.3
-    - Or pyOpenSSL >= 0.15
+    - cryptography >= 1.3
 options:
     digest:
         description:
@@ -48,14 +44,29 @@ options:
             - The version of the certificate signing request.
             - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1)
                is 1."
-            - This option will no longer accept unsupported values from community.crypto 2.0.0 on.
+            - This option no longer accepts unsupported values since community.crypto 2.0.0.
         type: int
         default: 1
+        choices:
+            - 1
     subject:
         description:
             - Key/value pairs that will be present in the subject name field of the certificate signing request.
             - If you need to specify more than one value with the same key, use a list as value.
+            - If the order of the components is important, use I(subject_ordered).
+            - Mutually exclusive with I(subject_ordered).
         type: dict
+    subject_ordered:
+        description:
+            - A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair
+              will be present in the subject name field of the certificate signing request.
+            - If you want to specify more than one value with the same key in a row, you can use a list as value.
+            - Mutually exclusive with I(subject), and any other subject field option, such as I(country_name),
+              I(state_or_province_name), I(locality_name), I(organization_name), I(organizational_unit_name),
+              I(common_name), or I(email_address).
+        type: list
+        elements: dict
+        version_added: 2.0.0
     country_name:
         description:
             - The countryName field of the certificate signing request subject.
@@ -94,9 +105,8 @@ options:
     subject_alt_name:
         description:
             - Subject Alternative Name (SAN) extension to attach to the certificate signing request.
-            - This can either be a 'comma separated string' or a YAML list.
-            - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
-              C(otherName) and the ones specific to your CA).
+            - Values must be prefixed by their options. (These are C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
+              C(otherName), and the ones specific to your CA).
             - Note that if no SAN is specified, but a common name, the common
               name will be added as a SAN except if C(useCommonNameForSAN) is
               set to I(false).
@@ -112,14 +122,14 @@ options:
         aliases: [ subjectAltName_critical ]
     use_common_name_for_san:
         description:
-            - If set to C(yes), the module will fill the common name in for
+            - If set to C(true), the module will fill the common name in for
               C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
         type: bool
-        default: yes
+        default: true
         aliases: [ useCommonNameForSAN ]
     key_usage:
         description:
-            - This defines the purpose (e.g. encipherment, signature, certificate signing)
+            - This defines the purpose (for example encipherment, signature, certificate signing)
               of the key contained in the certificate.
         type: list
         elements: str
@@ -132,7 +142,7 @@ options:
         aliases: [ keyUsage_critical ]
     extended_key_usage:
         description:
-            - Additional restrictions (e.g. client authentication, server authentication)
+            - Additional restrictions (for example client authentication, server authentication)
               on the allowed purposes for which the public key may be used.
         type: list
         elements: str
@@ -196,14 +206,11 @@ options:
     select_crypto_backend:
         description:
             - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
             - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
         type: str
         default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]
     create_subject_key_identifier:
         description:
             - Create the Subject Key Identifier from the public key.
@@ -212,7 +219,7 @@ options:
                certificates or for own CAs."
             - Note that this is only supported if the C(cryptography) backend is used!
         type: bool
-        default: no
+        default: false
     subject_key_identifier:
         description:
             - The subject key identifier as a hex string, where two bytes are separated by colons.
@@ -220,19 +227,18 @@ options:
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
-            - Note that this option can only be used if I(create_subject_key_identifier) is C(no).
+            - Note that this option can only be used if I(create_subject_key_identifier) is C(false).
             - Note that this is only supported if the C(cryptography) backend is used!
         type: str
     authority_key_identifier:
         description:
             - The authority key identifier as a hex string, where two bytes are separated by colons.
             - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
-            - If specified, I(authority_cert_issuer) must also be specified.
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
             - Note that this is only supported if the C(cryptography) backend is used!
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: str
     authority_cert_issuer:
@@ -241,23 +247,24 @@ options:
             - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
               C(otherName) and the ones specific to your CA)
             - "Example: C(DNS:ca.example.org)"
-            - If specified, I(authority_key_identifier) must also be specified.
+            - If specified, I(authority_cert_serial_number) must also be specified.
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
             - Note that this is only supported if the C(cryptography) backend is used!
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: list
         elements: str
     authority_cert_serial_number:
         description:
             - The authority cert serial number.
+            - If specified, I(authority_cert_issuer) must also be specified.
             - Note that this is only supported if the C(cryptography) backend is used!
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: int
     crl_distribution_points:

plugins/doc_fragments/module_privatekey.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -17,18 +18,13 @@ description:
       L(ECC,https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) or
       L(EdDSA,https://en.wikipedia.org/wiki/EdDSA) private keys.
     - Keys are generated in PEM format.
-    - "Please note that the module regenerates private keys if they don't match
+    - "Please note that the module regenerates private keys if they do not match
       the module's options. In particular, if you provide another passphrase
       (or specify none), change the keysize, etc., the private key will be
       regenerated. If you are concerned that this could B(overwrite your private key),
       consider using the I(backup) option."
-    - "The module can use the cryptography Python library, or the pyOpenSSL Python
-      library. By default, it tries to detect which one is available. This can be
-      overridden with the I(select_crypto_backend) option. Please note that the
-      PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0."
 requirements:
-    - Either cryptography >= 1.2.3 (older versions might work as well)
-    - Or pyOpenSSL
+    - cryptography >= 1.2.3 (older versions might work as well)
 options:
     size:
         description:
@@ -80,33 +76,25 @@ options:
         type: str
     cipher:
         description:
-            - The cipher to encrypt the private key. (Valid values can be found by
-              running `openssl list -cipher-algorithms` or `openssl list-cipher-algorithms`,
-              depending on your OpenSSL version.)
-            - When using the C(cryptography) backend, use C(auto).
+            - The cipher to encrypt the private key. Must be C(auto).
         type: str
     select_crypto_backend:
         description:
             - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
             - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
         type: str
         default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]
     format:
         description:
             - Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format)
               is used for all keys which support it. Please note that not every key can be exported in any format.
-            - The value C(auto) selects a fromat based on the key format. The value C(auto_ignore) does the same,
+            - The value C(auto) selects a format based on the key format. The value C(auto_ignore) does the same,
               but for existing private key files, it will not force a regenerate when its format is not the automatically
               selected one for generation.
             - Note that if the format for an existing private key mismatches, the key is B(regenerated) by default.
               To change this behavior, use the I(format_mismatch) option.
-            - The I(format) option is only supported by the C(cryptography) backend. The C(pyopenssl) backend will
-              fail if a value different from C(auto_ignore) is used.
         type: str
         default: auto_ignore
         choices: [ pkcs1, pkcs8, raw, auto, auto_ignore ]
@@ -124,12 +112,12 @@ options:
         description:
             - Allows to configure in which situations the module is allowed to regenerate private keys.
               The module will always generate a new key if the destination file does not exist.
-            - By default, the key will be regenerated when it doesn't match the module's options,
+            - By default, the key will be regenerated when it does not match the module's options,
               except when the key cannot be read or the passphrase does not match. Please note that
               this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if C(full_idempotence)
               is specified.
             - If set to C(never), the module will fail if the key cannot be read or the passphrase
-              isn't matching, and will never regenerate an existing key.
+              is not matching, and will never regenerate an existing key.
             - If set to C(fail), the module will fail if the key does not correspond to the module's
               options.
             - If set to C(partial_idempotence), the key will be regenerated if it does not conform to
@@ -141,7 +129,7 @@ options:
               is protected by an unknown passphrase, or when they key is not protected by a passphrase,
               but a passphrase is specified. Make sure you have a B(backup) when using this option!
             - If set to C(always), the module will always regenerate the key. This is equivalent to
-              setting I(force) to C(yes).
+              setting I(force) to C(true).
             - Note that if I(format_mismatch) is set to C(convert) and everything matches except the
               format, the key will always be converted, except if I(regenerate) is set to C(always).
         type: str

plugins/doc_fragments/module_privatekey_convert.py

@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard files documentation fragment
+    DOCUMENTATION = r'''
+requirements:
+    - cryptography >= 1.2.3 (older versions might work as well)
+options:
+    src_path:
+        description:
+            - Name of the file containing the OpenSSL private key to convert.
+            - Exactly one of I(src_path) or I(src_content) must be specified.
+        type: path
+    src_content:
+        description:
+            - The content of the file containing the OpenSSL private key to convert.
+            - Exactly one of I(src_path) or I(src_content) must be specified.
+        type: str
+    src_passphrase:
+        description:
+            - The passphrase for the private key to load.
+        type: str
+    dest_passphrase:
+        description:
+            - The passphrase for the private key to store.
+        type: str
+    format:
+        description:
+            - Determines which format the destination private key should be written in.
+            - Please note that not every key can be exported in any format, and that not every
+              format supports encryption.
+        type: str
+        choices: [ pkcs1, pkcs8, raw ]
+        required: true
+seealso:
+    - module: community.crypto.openssl_privatekey
+    - module: community.crypto.openssl_privatekey_pipe
+    - module: community.crypto.openssl_publickey
+'''

plugins/doc_fragments/name_encoding.py

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+    DOCUMENTATION = r'''
+options:
+    name_encoding:
+        description:
+            - How to encode names (DNS names, URIs, email addresses) in return values.
+            - C(ignore) will use the encoding returned by the backend.
+            - C(idna) will convert all labels of domain names to IDNA encoding.
+              IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails.
+            - C(unicode) will convert all labels of domain names to Unicode.
+              IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails.
+            - B(Note) that C(idna) and C(unicode) require the L(idna Python library,https://pypi.org/project/idna/) to be installed.
+        type: str
+        default: ignore
+        choices:
+            - ignore
+            - idna
+            - unicode
+requirements:
+    - If I(name_encoding) is set to another value than C(ignore), the L(idna Python library,https://pypi.org/project/idna/) needs to be installed.
+'''

plugins/module_utils/_version.py

@@ -0,0 +1,345 @@
+# Vendored copy of distutils/version.py from CPython 3.9.5
+#
+# Implements multiple version numbering conventions for the
+# Python Module Distribution Utilities.
+#
+# Copyright (c) 2001-2022 Python Software Foundation.  All rights reserved.
+# PSF License (see LICENSES/PSF-2.0.txt or https://opensource.org/licenses/Python-2.0)
+# SPDX-License-Identifier: PSF-2.0
+#
+
+"""Provides classes to represent module version numbers (one class for
+each style of version numbering).  There are currently two such classes
+implemented: StrictVersion and LooseVersion.
+
+Every version number class implements the following interface:
+  * the 'parse' method takes a string and parses it to some internal
+    representation; if the string is an invalid version number,
+    'parse' raises a ValueError exception
+  * the class constructor takes an optional string argument which,
+    if supplied, is passed to 'parse'
+  * __str__ reconstructs the string that was passed to 'parse' (or
+    an equivalent string -- ie. one that will generate an equivalent
+    version number instance)
+  * __repr__ generates Python code to recreate the version number instance
+  * _cmp compares the current instance with either another instance
+    of the same class or a string (which will be parsed to an instance
+    of the same class, thus must follow the same rules)
+"""
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import re
+
+try:
+    RE_FLAGS = re.VERBOSE | re.ASCII
+except AttributeError:
+    RE_FLAGS = re.VERBOSE
+
+
+class Version:
+    """Abstract base class for version numbering classes.  Just provides
+    constructor (__init__) and reproducer (__repr__), because those
+    seem to be the same for all version numbering classes; and route
+    rich comparisons to _cmp.
+    """
+
+    def __init__(self, vstring=None):
+        if vstring:
+            self.parse(vstring)
+
+    def __repr__(self):
+        return "%s ('%s')" % (self.__class__.__name__, str(self))
+
+    def __eq__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c == 0
+
+    def __lt__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c < 0
+
+    def __le__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c <= 0
+
+    def __gt__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c > 0
+
+    def __ge__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c >= 0
+
+
+# Interface for version-number classes -- must be implemented
+# by the following classes (the concrete ones -- Version should
+# be treated as an abstract class).
+#    __init__ (string) - create and take same action as 'parse'
+#                        (string parameter is optional)
+#    parse (string)    - convert a string representation to whatever
+#                        internal representation is appropriate for
+#                        this style of version numbering
+#    __str__ (self)    - convert back to a string; should be very similar
+#                        (if not identical to) the string supplied to parse
+#    __repr__ (self)   - generate Python code to recreate
+#                        the instance
+#    _cmp (self, other) - compare two version numbers ('other' may
+#                        be an unparsed version string, or another
+#                        instance of your version class)
+
+
+class StrictVersion(Version):
+    """Version numbering for anal retentives and software idealists.
+    Implements the standard interface for version number classes as
+    described above.  A version number consists of two or three
+    dot-separated numeric components, with an optional "pre-release" tag
+    on the end.  The pre-release tag consists of the letter 'a' or 'b'
+    followed by a number.  If the numeric components of two version
+    numbers are equal, then one with a pre-release tag will always
+    be deemed earlier (lesser) than one without.
+
+    The following are valid version numbers (shown in the order that
+    would be obtained by sorting according to the supplied cmp function):
+
+        0.4       0.4.0  (these two are equivalent)
+        0.4.1
+        0.5a1
+        0.5b3
+        0.5
+        0.9.6
+        1.0
+        1.0.4a3
+        1.0.4b1
+        1.0.4
+
+    The following are examples of invalid version numbers:
+
+        1
+        2.7.2.2
+        1.3.a4
+        1.3pl1
+        1.3c4
+
+    The rationale for this version numbering system will be explained
+    in the distutils documentation.
+    """
+
+    version_re = re.compile(r'^(\d+) \. (\d+) (\. (\d+))? ([ab](\d+))?$',
+                            RE_FLAGS)
+
+    def parse(self, vstring):
+        match = self.version_re.match(vstring)
+        if not match:
+            raise ValueError("invalid version number '%s'" % vstring)
+
+        (major, minor, patch, prerelease, prerelease_num) = \
+            match.group(1, 2, 4, 5, 6)
+
+        if patch:
+            self.version = tuple(map(int, [major, minor, patch]))
+        else:
+            self.version = tuple(map(int, [major, minor])) + (0,)
+
+        if prerelease:
+            self.prerelease = (prerelease[0], int(prerelease_num))
+        else:
+            self.prerelease = None
+
+    def __str__(self):
+        if self.version[2] == 0:
+            vstring = '.'.join(map(str, self.version[0:2]))
+        else:
+            vstring = '.'.join(map(str, self.version))
+
+        if self.prerelease:
+            vstring = vstring + self.prerelease[0] + str(self.prerelease[1])
+
+        return vstring
+
+    def _cmp(self, other):
+        if isinstance(other, str):
+            other = StrictVersion(other)
+        elif not isinstance(other, StrictVersion):
+            return NotImplemented
+
+        if self.version != other.version:
+            # numeric versions don't match
+            # prerelease stuff doesn't matter
+            if self.version < other.version:
+                return -1
+            else:
+                return 1
+
+        # have to compare prerelease
+        # case 1: neither has prerelease; they're equal
+        # case 2: self has prerelease, other doesn't; other is greater
+        # case 3: self doesn't have prerelease, other does: self is greater
+        # case 4: both have prerelease: must compare them!
+
+        if (not self.prerelease and not other.prerelease):
+            return 0
+        elif (self.prerelease and not other.prerelease):
+            return -1
+        elif (not self.prerelease and other.prerelease):
+            return 1
+        elif (self.prerelease and other.prerelease):
+            if self.prerelease == other.prerelease:
+                return 0
+            elif self.prerelease < other.prerelease:
+                return -1
+            else:
+                return 1
+        else:
+            raise AssertionError("never get here")
+
+# end class StrictVersion
+
+# The rules according to Greg Stein:
+# 1) a version number has 1 or more numbers separated by a period or by
+#    sequences of letters. If only periods, then these are compared
+#    left-to-right to determine an ordering.
+# 2) sequences of letters are part of the tuple for comparison and are
+#    compared lexicographically
+# 3) recognize the numeric components may have leading zeroes
+#
+# The LooseVersion class below implements these rules: a version number
+# string is split up into a tuple of integer and string components, and
+# comparison is a simple tuple comparison.  This means that version
+# numbers behave in a predictable and obvious way, but a way that might
+# not necessarily be how people *want* version numbers to behave.  There
+# wouldn't be a problem if people could stick to purely numeric version
+# numbers: just split on period and compare the numbers as tuples.
+# However, people insist on putting letters into their version numbers;
+# the most common purpose seems to be:
+#   - indicating a "pre-release" version
+#     ('alpha', 'beta', 'a', 'b', 'pre', 'p')
+#   - indicating a post-release patch ('p', 'pl', 'patch')
+# but of course this can't cover all version number schemes, and there's
+# no way to know what a programmer means without asking him.
+#
+# The problem is what to do with letters (and other non-numeric
+# characters) in a version number.  The current implementation does the
+# obvious and predictable thing: keep them as strings and compare
+# lexically within a tuple comparison.  This has the desired effect if
+# an appended letter sequence implies something "post-release":
+# eg. "0.99" < "0.99pl14" < "1.0", and "5.001" < "5.001m" < "5.002".
+#
+# However, if letters in a version number imply a pre-release version,
+# the "obvious" thing isn't correct.  Eg. you would expect that
+# "1.5.1" < "1.5.2a2" < "1.5.2", but under the tuple/lexical comparison
+# implemented here, this just isn't so.
+#
+# Two possible solutions come to mind.  The first is to tie the
+# comparison algorithm to a particular set of semantic rules, as has
+# been done in the StrictVersion class above.  This works great as long
+# as everyone can go along with bondage and discipline.  Hopefully a
+# (large) subset of Python module programmers will agree that the
+# particular flavour of bondage and discipline provided by StrictVersion
+# provides enough benefit to be worth using, and will submit their
+# version numbering scheme to its domination.  The free-thinking
+# anarchists in the lot will never give in, though, and something needs
+# to be done to accommodate them.
+#
+# Perhaps a "moderately strict" version class could be implemented that
+# lets almost anything slide (syntactically), and makes some heuristic
+# assumptions about non-digits in version number strings.  This could
+# sink into special-case-hell, though; if I was as talented and
+# idiosyncratic as Larry Wall, I'd go ahead and implement a class that
+# somehow knows that "1.2.1" < "1.2.2a2" < "1.2.2" < "1.2.2pl3", and is
+# just as happy dealing with things like "2g6" and "1.13++".  I don't
+# think I'm smart enough to do it right though.
+#
+# In any case, I've coded the test suite for this module (see
+# ../test/test_version.py) specifically to fail on things like comparing
+# "1.2a2" and "1.2".  That's not because the *code* is doing anything
+# wrong, it's because the simple, obvious design doesn't match my
+# complicated, hairy expectations for real-world version numbers.  It
+# would be a snap to fix the test suite to say, "Yep, LooseVersion does
+# the Right Thing" (ie. the code matches the conception).  But I'd rather
+# have a conception that matches common notions about version numbers.
+
+
+class LooseVersion(Version):
+    """Version numbering for anarchists and software realists.
+    Implements the standard interface for version number classes as
+    described above.  A version number consists of a series of numbers,
+    separated by either periods or strings of letters.  When comparing
+    version numbers, the numeric components will be compared
+    numerically, and the alphabetic components lexically.  The following
+    are all valid version numbers, in no particular order:
+
+        1.5.1
+        1.5.2b2
+        161
+        3.10a
+        8.02
+        3.4j
+        1996.07.12
+        3.2.pl0
+        3.1.1.6
+        2g6
+        11g
+        0.960923
+        2.2beta29
+        1.13++
+        5.5.kw
+        2.0b1pl0
+
+    In fact, there is no such thing as an invalid version number under
+    this scheme; the rules for comparison are simple and predictable,
+    but may not always give the results you want (for some definition
+    of "want").
+    """
+
+    component_re = re.compile(r'(\d+ | [a-z]+ | \.)', re.VERBOSE)
+
+    def __init__(self, vstring=None):
+        if vstring:
+            self.parse(vstring)
+
+    def parse(self, vstring):
+        # I've given up on thinking I can reconstruct the version string
+        # from the parsed tuple -- so I just store the string here for
+        # use by __str__
+        self.vstring = vstring
+        components = [x for x in self.component_re.split(vstring) if x and x != '.']
+        for i, obj in enumerate(components):
+            try:
+                components[i] = int(obj)
+            except ValueError:
+                pass
+
+        self.version = components
+
+    def __str__(self):
+        return self.vstring
+
+    def __repr__(self):
+        return "LooseVersion ('%s')" % str(self)
+
+    def _cmp(self, other):
+        if isinstance(other, str):
+            other = LooseVersion(other)
+        elif not isinstance(other, LooseVersion):
+            return NotImplemented
+
+        if self.version == other.version:
+            return 0
+        if self.version < other.version:
+            return -1
+        if self.version > other.version:
+            return 1
+
+# end class LooseVersion

plugins/module_utils/acme/__init__.py

@@ -1,90 +0,0 @@
-# -*- coding: utf-8 -*-
-
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-import base64
-import binascii
-import copy
-import datetime
-import hashlib
-import json
-import locale
-import os
-import re
-import shutil
-import sys
-import tempfile
-import traceback
-
-from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.urls import fetch_url
-from ansible.module_utils.six.moves.urllib.parse import unquote
-from ansible.module_utils._text import to_native, to_text, to_bytes
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.acme import (
-    get_default_argspec,
-    ACMEDirectory,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import (
-    CryptographyBackend,
-    CRYPTOGRAPHY_VERSION,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import (
-    OpenSSLCLIBackend,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme._compatibility import (
-    handle_standard_module_arguments,
-    set_crypto_backend,
-    HAS_CURRENT_CRYPTOGRAPHY,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme._compatibility import ACMELegacyAccount as ACMEAccount
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.io import (
-    read_file,
-    write_file,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.utils import (
-    nopad_b64,
-    pem_to_der,
-    process_links,
-)
-
-
-def openssl_get_csr_identifiers(openssl_binary, module, csr_filename, csr_content=None):
-    module.deprecate(
-        'Please adjust your custom module/plugin to the ACME module_utils refactor '
-        '(https://github.com/ansible-collections/community.crypto/pull/184). The '
-        'compatibility layer will be removed in community.crypto 2.0.0, thus breaking '
-        'your code', version='2.0.0', collection_name='community.crypto')
-    return OpenSSLCLIBackend(module, openssl_binary=openssl_binary).get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)
-
-
-def cryptography_get_csr_identifiers(module, csr_filename, csr_content=None):
-    module.deprecate(
-        'Please adjust your custom module/plugin to the ACME module_utils refactor '
-        '(https://github.com/ansible-collections/community.crypto/pull/184). The '
-        'compatibility layer will be removed in community.crypto 2.0.0, thus breaking '
-        'your code', version='2.0.0', collection_name='community.crypto')
-    return CryptographyBackend(module).get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)
-
-
-def cryptography_get_cert_days(module, cert_file, now=None):
-    module.deprecate(
-        'Please adjust your custom module/plugin to the ACME module_utils refactor '
-        '(https://github.com/ansible-collections/community.crypto/pull/184). The '
-        'compatibility layer will be removed in community.crypto 2.0.0, thus breaking '
-        'your code', version='2.0.0', collection_name='community.crypto')
-    return CryptographyBackend(module).get_cert_days(cert_filename=cert_file, now=now)

plugins/module_utils/acme/_compatibility.py

@@ -1,267 +0,0 @@
-# -*- coding: utf-8 -*-
-
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-import locale
-
-from ansible.module_utils.basic import missing_required_lib
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import HAS_CURRENT_CRYPTOGRAPHY as _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import (
-    CryptographyBackend,
-    CRYPTOGRAPHY_VERSION,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import (
-    OpenSSLCLIBackend,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.acme import (
-    ACMEClient,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.account import (
-    ACMEAccount,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.challenges import (
-    create_key_authorization,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.acme.errors import (
-    KeyParsingError,
-)
-
-
-HAS_CURRENT_CRYPTOGRAPHY = _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY
-
-
-def set_crypto_backend(module):
-    '''
-    Sets which crypto backend to use (default: auto detection).
-
-    Does not care whether a new enough cryptoraphy is available or not. Must
-    be called before any real stuff is done which might evaluate
-    ``HAS_CURRENT_CRYPTOGRAPHY``.
-    '''
-    global HAS_CURRENT_CRYPTOGRAPHY
-
-    module.deprecate(
-        'Please adjust your custom module/plugin to the ACME module_utils refactor '
-        '(https://github.com/ansible-collections/community.crypto/pull/184). The '
-        'compatibility layer will be removed in community.crypto 2.0.0, thus breaking '
-        'your code', version='2.0.0', collection_name='community.crypto')
-
-    # Choose backend
-    backend = module.params['select_crypto_backend']
-    if backend == 'auto':
-        pass
-    elif backend == 'openssl':
-        HAS_CURRENT_CRYPTOGRAPHY = False
-    elif backend == 'cryptography':
-        if not _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY:
-            module.fail_json(msg=missing_required_lib('cryptography'))
-        HAS_CURRENT_CRYPTOGRAPHY = True
-    else:
-        module.fail_json(msg='Unknown crypto backend "{0}"!'.format(backend))
-    # Inform about choices
-    if HAS_CURRENT_CRYPTOGRAPHY:
-        module.debug('Using cryptography backend (library version {0})'.format(CRYPTOGRAPHY_VERSION))
-        return 'cryptography'
-    else:
-        module.debug('Using OpenSSL binary backend')
-        return 'openssl'
-
-
-def handle_standard_module_arguments(module, needs_acme_v2=False):
-    '''
-    Do standard module setup, argument handling and warning emitting.
-    '''
-    backend = set_crypto_backend(module)
-
-    if not module.params['validate_certs']:
-        module.warn(
-            'Disabling certificate validation for communications with ACME endpoint. '
-            'This should only be done for testing against a local ACME server for '
-            'development purposes, but *never* for production purposes.'
-        )
-
-    if module.params['acme_version'] is None:
-        module.params['acme_version'] = 1
-        module.deprecate("The option 'acme_version' will be required from community.crypto 2.0.0 on",
-                         version='2.0.0', collection_name='community.crypto')
-
-    if module.params['acme_directory'] is None:
-        module.params['acme_directory'] = 'https://acme-staging.api.letsencrypt.org/directory'
-        module.deprecate("The option 'acme_directory' will be required from community.crypto 2.0.0 on",
-                         version='2.0.0', collection_name='community.crypto')
-
-    if needs_acme_v2 and module.params['acme_version'] < 2:
-        module.fail_json(msg='The {0} module requires the ACME v2 protocol!'.format(module._name))
-
-    # AnsibleModule() changes the locale, so change it back to C because we rely on time.strptime() when parsing certificate dates.
-    module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C')
-    locale.setlocale(locale.LC_ALL, 'C')
-
-    return backend
-
-
-def get_compatibility_backend(module):
-    if HAS_CURRENT_CRYPTOGRAPHY:
-        return CryptographyBackend(module)
-    else:
-        return OpenSSLCLIBackend(module)
-
-
-class ACMELegacyAccount(object):
-    '''
-    ACME account object. Handles the authorized communication with the
-    ACME server. Provides access to account bound information like
-    the currently active authorizations and valid certificates
-    '''
-
-    def __init__(self, module):
-        module.deprecate(
-            'Please adjust your custom module/plugin to the ACME module_utils refactor '
-            '(https://github.com/ansible-collections/community.crypto/pull/184). The '
-            'compatibility layer will be removed in community.crypto 2.0.0, thus breaking '
-            'your code', version='2.0.0', collection_name='community.crypto')
-        backend = get_compatibility_backend(module)
-        self.client = ACMEClient(module, backend)
-        self.account = ACMEAccount(self.client)
-        self.key = self.client.account_key_file
-        self.key_content = self.client.account_key_content
-        self.uri = self.client.account_uri
-        self.key_data = self.client.account_key_data
-        self.jwk = self.client.account_jwk
-        self.jws_header = self.client.account_jws_header
-        self.directory = self.client.directory
-
-    def get_keyauthorization(self, token):
-        '''
-        Returns the key authorization for the given token
-        https://tools.ietf.org/html/rfc8555#section-8.1
-        '''
-        return create_key_authorization(self.client, token)
-
-    def parse_key(self, key_file=None, key_content=None):
-        '''
-        Parses an RSA or Elliptic Curve key file in PEM format and returns a pair
-        (error, key_data).
-        '''
-        try:
-            return None, self.client.parse_key(key_file=key_file, key_content=key_content)
-        except KeyParsingError as e:
-            return e.msg, {}
-
-    def sign_request(self, protected, payload, key_data, encode_payload=True):
-        return self.client.sign_request(protected, payload, key_data, encode_payload=encode_payload)
-
-    def send_signed_request(self, url, payload, key_data=None, jws_header=None, parse_json_result=True, encode_payload=True):
-        '''
-        Sends a JWS signed HTTP POST request to the ACME server and returns
-        the response as dictionary
-        https://tools.ietf.org/html/rfc8555#section-6.2
-
-        If payload is None, a POST-as-GET is performed.
-        (https://tools.ietf.org/html/rfc8555#section-6.3)
-        '''
-        return self.client.send_signed_request(
-            url,
-            payload,
-            key_data=key_data,
-            jws_header=jws_header,
-            parse_json_result=parse_json_result,
-            encode_payload=encode_payload,
-            fail_on_error=False,
-        )
-
-    def get_request(self, uri, parse_json_result=True, headers=None, get_only=False, fail_on_error=True):
-        '''
-        Perform a GET-like request. Will try POST-as-GET for ACMEv2, with fallback
-        to GET if server replies with a status code of 405.
-        '''
-        return self.client.get_request(
-            uri,
-            parse_json_result=parse_json_result,
-            headers=headers,
-            get_only=get_only,
-            fail_on_error=fail_on_error,
-        )
-
-    def set_account_uri(self, uri):
-        '''
-        Set account URI. For ACME v2, it needs to be used to sending signed
-        requests.
-        '''
-        self.client.set_account_uri(uri)
-        self.uri = self.client.account_uri
-
-    def get_account_data(self):
-        '''
-        Retrieve account information. Can only be called when the account
-        URI is already known (such as after calling setup_account).
-        Return None if the account was deactivated, or a dict otherwise.
-        '''
-        return self.account.get_account_data()
-
-    def setup_account(self, contact=None, agreement=None, terms_agreed=False,
-                      allow_creation=True, remove_account_uri_if_not_exists=False,
-                      external_account_binding=None):
-        '''
-        Detect or create an account on the ACME server. For ACME v1,
-        as the only way (without knowing an account URI) to test if an
-        account exists is to try and create one with the provided account
-        key, this method will always result in an account being present
-        (except on error situations). For ACME v2, a new account will
-        only be created if ``allow_creation`` is set to True.
-
-        For ACME v2, ``check_mode`` is fully respected. For ACME v1, the
-        account might be created if it does not yet exist.
-
-        Return a pair ``(created, account_data)``. Here, ``created`` will
-        be ``True`` in case the account was created or would be created
-        (check mode). ``account_data`` will be the current account data,
-        or ``None`` if the account does not exist.
-
-        The account URI will be stored in ``self.uri``; if it is ``None``,
-        the account does not exist.
-
-        If specified, ``external_account_binding`` should be a dictionary
-        with keys ``kid``, ``alg`` and ``key``
-        (https://tools.ietf.org/html/rfc8555#section-7.3.4).
-
-        https://tools.ietf.org/html/rfc8555#section-7.3
-        '''
-        result = self.account.setup_account(
-            contact=contact,
-            agreement=agreement,
-            terms_agreed=terms_agreed,
-            allow_creation=allow_creation,
-            remove_account_uri_if_not_exists=remove_account_uri_if_not_exists,
-            external_account_binding=external_account_binding,
-        )
-        self.uri = self.client.account_uri
-        return result
-
-    def update_account(self, account_data, contact=None):
-        '''
-        Update an account on the ACME server. Check mode is fully respected.
-
-        The current account data must be provided as ``account_data``.
-
-        Return a pair ``(updated, account_data)``, where ``updated`` is
-        ``True`` in case something changed (contact info updated) or
-        would be changed (check mode), and ``account_data`` the updated
-        account data.
-
-        https://tools.ietf.org/html/rfc8555#section-7.3.2
-        '''
-        return self.account.update_account(account_data, contact=contact)

plugins/module_utils/acme/account.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -118,10 +119,10 @@ class ACMEAccount(object):
                 self.client.set_account_uri(info['location'])
             return False, result
         elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
-            # Account does not exist (and we didn't try to create it)
+            # Account does not exist (and we did not try to create it)
             return False, None
         elif info['status'] == 403 and result['type'] == 'urn:ietf:params:acme:error:unauthorized' and 'deactivated' in (result.get('detail') or ''):
-            # Account has been deactivated; currently works for Pebble; hasn't been
+            # Account has been deactivated; currently works for Pebble; has not been
             # implemented for Boulder (https://github.com/letsencrypt/boulder/issues/3971),
             # might need adjustment in error detection.
             if not allow_creation:

plugins/module_utils/acme/acme.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,10 +13,13 @@ import copy
 import datetime
 import json
 import locale
+import time
+import traceback
 
 from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_bytes
 from ansible.module_utils.urls import fetch_url
-from ansible.module_utils._text import to_bytes
+from ansible.module_utils.six import PY3
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import (
     OpenSSLCLIBackend,
@@ -38,6 +42,36 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.utils import
     nopad_b64,
 )
 
+try:
+    import ipaddress
+except ImportError:
+    HAS_IPADDRESS = False
+    IPADDRESS_IMPORT_ERROR = traceback.format_exc()
+else:
+    HAS_IPADDRESS = True
+    IPADDRESS_IMPORT_ERROR = None
+
+
+RETRY_STATUS_CODES = (408, 429, 503)
+
+
+def _decode_retry(module, response, info, retry_count):
+    if info['status'] not in RETRY_STATUS_CODES:
+        return False
+
+    if retry_count >= 5:
+        raise ACMEProtocolException(module, msg='Giving up after 5 retries', info=info, response=response)
+
+    # 429 and 503 should have a Retry-After header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After)
+    try:
+        retry_after = min(max(1, int(info.get('retry-after'))), 60)
+    except (TypeError, ValueError) as dummy:
+        retry_after = 10
+    module.log('Retrieved a %d HTTP status on %s, retrying in %s seconds' % (info['status'], info['url'], retry_after))
+
+    time.sleep(retry_after)
+    return True
+
 
 def _assert_fetch_url_success(module, response, info, allow_redirect=False, allow_client_error=True, allow_server_error=True):
     if info['status'] < 0:
@@ -73,6 +107,8 @@ class ACMEDirectory(object):
 
         self.directory, dummy = account.get_request(self.directory_root, get_only=True)
 
+        self.request_timeout = module.params['request_timeout']
+
         # Check whether self.version matches what we expect
         if self.version == 1:
             for key in ('new-reg', 'new-authz', 'new-cert'):
@@ -93,10 +129,15 @@ class ACMEDirectory(object):
         url = self.directory_root if self.version == 1 else self.directory['newNonce']
         if resource is not None:
             url = resource
-        dummy, info = fetch_url(self.module, url, method='HEAD')
-        if info['status'] not in (200, 204):
-            raise NetworkException("Failed to get replay-nonce, got status {0}".format(info['status']))
-        return info['replay-nonce']
+        retry_count = 0
+        while True:
+            response, info = fetch_url(self.module, url, method='HEAD', timeout=self.request_timeout)
+            if _decode_retry(self.module, response, info, retry_count):
+                retry_count += 1
+                continue
+            if info['status'] not in (200, 204):
+                raise NetworkException("Failed to get replay-nonce, got status {0}".format(info['status']))
+            return info['replay-nonce']
 
 
 class ACMEClient(object):
@@ -121,6 +162,8 @@ class ACMEClient(object):
         # Make sure empty string is treated as None.
         self.account_uri = module.params.get('account_uri') or None
 
+        self.request_timeout = module.params['request_timeout']
+
         self.account_key_data = None
         self.account_jwk = None
         self.account_jws_header = None
@@ -225,12 +268,20 @@ class ACMEClient(object):
             headers = {
                 'Content-Type': 'application/jose+json',
             }
-            resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST')
+            resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST', timeout=self.request_timeout)
+            if _decode_retry(self.module, resp, info, failed_tries):
+                failed_tries += 1
+                continue
             _assert_fetch_url_success(self.module, resp, info)
             result = {}
+
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and resp.closed:
+                    raise TypeError
                 content = resp.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
             if content or not parse_json_result:
@@ -279,13 +330,22 @@ class ACMEClient(object):
 
         if get_only:
             # Perform unauthenticated GET
-            resp, info = fetch_url(self.module, uri, method='GET', headers=headers)
+            retry_count = 0
+            while True:
+                resp, info = fetch_url(self.module, uri, method='GET', headers=headers, timeout=self.request_timeout)
+                if not _decode_retry(self.module, resp, info, retry_count):
+                    break
+                retry_count += 1
 
             _assert_fetch_url_success(self.module, resp, info)
 
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and resp.closed:
+                    raise TypeError
                 content = resp.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
         # Process result
@@ -319,14 +379,18 @@ def get_default_argspec():
         account_key_content=dict(type='str', no_log=True),
         account_key_passphrase=dict(type='str', no_log=True),
         account_uri=dict(type='str'),
-        acme_directory=dict(type='str'),
-        acme_version=dict(type='int', choices=[1, 2]),
+        acme_directory=dict(type='str', required=True),
+        acme_version=dict(type='int', required=True, choices=[1, 2]),
         validate_certs=dict(type='bool', default=True),
         select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
+        request_timeout=dict(type='int', default=10),
     )
 
 
 def create_backend(module, needs_acme_v2):
+    if not HAS_IPADDRESS:
+        module.fail_json(msg=missing_required_lib('ipaddress'), exception=IPADDRESS_IMPORT_ERROR)
+
     backend = module.params['select_crypto_backend']
 
     # Backend autodetect
@@ -353,19 +417,13 @@ def create_backend(module, needs_acme_v2):
             'development purposes, but *never* for production purposes.'
         )
 
-    if module.params['acme_version'] is None:
-        module.params['acme_version'] = 1
-        module.deprecate("The option 'acme_version' will be required from community.crypto 2.0.0 on",
-                         version='2.0.0', collection_name='community.crypto')
-
-    if module.params['acme_directory'] is None:
-        module.params['acme_directory'] = 'https://acme-staging.api.letsencrypt.org/directory'
-        module.deprecate("The option 'acme_directory' will be required from community.crypto 2.0.0 on",
-                         version='2.0.0', collection_name='community.crypto')
-
     if needs_acme_v2 and module.params['acme_version'] < 2:
         module.fail_json(msg='The {0} module requires the ACME v2 protocol!'.format(module._name))
 
+    if module.params['acme_version'] == 1:
+        module.deprecate("The value 1 for 'acme_version' is deprecated. Please switch to ACME v2",
+                         version='3.0.0', collection_name='community.crypto')
+
     # AnsibleModule() changes the locale, so change it back to C because we rely
     # on datetime.datetime.strptime() when parsing certificate dates.
     locale.setlocale(locale.LC_ALL, 'C')

plugins/module_utils/acme/backend_cryptography.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -14,7 +15,9 @@ import datetime
 import os
 import sys
 
-from ansible.module_utils._text import to_bytes, to_native
+from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
     CryptoBackend,
@@ -41,6 +44,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     cryptography_name_to_oid,
 )
 
+from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
+    extract_first_pem,
+)
+
 try:
     import cryptography
     import cryptography.hazmat.backends
@@ -53,7 +60,6 @@ try:
     import cryptography.hazmat.primitives.serialization
     import cryptography.x509
     import cryptography.x509.oid
-    from distutils.version import LooseVersion
     CRYPTOGRAPHY_VERSION = cryptography.__version__
     HAS_CURRENT_CRYPTOGRAPHY = (LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion('1.5'))
     if HAS_CURRENT_CRYPTOGRAPHY:
@@ -118,11 +124,11 @@ class CryptographyChainMatcher(ChainMatcher):
         self.issuer = []
         if criterium.subject:
             self.subject = [
-                (cryptography_name_to_oid(k), to_native(v)) for k, v in parse_name_field(criterium.subject)
+                (cryptography_name_to_oid(k), to_native(v)) for k, v in parse_name_field(criterium.subject, 'subject')
             ]
         if criterium.issuer:
             self.issuer = [
-                (cryptography_name_to_oid(k), to_native(v)) for k, v in parse_name_field(criterium.issuer)
+                (cryptography_name_to_oid(k), to_native(v)) for k, v in parse_name_field(criterium.issuer, 'issuer')
             ]
         self.subject_key_identifier = CryptographyChainMatcher._parse_key_identifier(
             criterium.subject_key_identifier, 'subject_key_identifier', criterium.index, module)
@@ -187,7 +193,7 @@ class CryptographyBackend(CryptoBackend):
         Parses an RSA or Elliptic Curve key file in PEM format and returns key_data.
         Raises KeyParsingError in case of errors.
         '''
-        # If key_content isn't given, read key_file
+        # If key_content is not given, read key_file
         if key_content is None:
             key_content = read_file(key_file)
         else:
@@ -357,6 +363,9 @@ class CryptographyBackend(CryptoBackend):
         if cert_content is None:
             return -1
 
+        # Make sure we have at most one PEM. Otherwise cryptography 36.0.0 will barf.
+        cert_content = to_bytes(extract_first_pem(to_text(cert_content)) or '')
+
         try:
             cert = cryptography.x509.load_pem_x509_certificate(cert_content, _cryptography_backend)
         except Exception as e:

plugins/module_utils/acme/backend_openssl_cli.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -16,7 +17,7 @@ import re
 import tempfile
 import traceback
 
-from ansible.module_utils._text import to_native, to_text, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
     CryptoBackend,
@@ -29,7 +30,10 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.errors impor
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.utils import nopad_b64
 
-from ansible_collections.community.crypto.plugins.module_utils.compat import ipaddress as compat_ipaddress
+try:
+    import ipaddress
+except ImportError:
+    pass
 
 
 _OPENSSL_ENVIRONMENT_UPDATE = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C')
@@ -49,7 +53,7 @@ class OpenSSLCLIBackend(CryptoBackend):
         '''
         if passphrase is not None:
             raise KeyParsingError('openssl backend does not support key passphrases')
-        # If key_file isn't given, but key_content, write that to a temporary file
+        # If key_file is not given, but key_content, write that to a temporary file
         if key_file is None:
             fd, tmpsrc = tempfile.mkstemp()
             self.module.add_cleanup_file(tmpsrc)  # Ansible will delete the file on exit
@@ -216,9 +220,9 @@ class OpenSSLCLIBackend(CryptoBackend):
     @staticmethod
     def _normalize_ip(ip):
         try:
-            return to_native(compat_ipaddress.ip_address(to_text(ip)).compressed)
+            return to_native(ipaddress.ip_address(to_text(ip)).compressed)
         except ValueError:
-            # We don't want to error out on something IPAddress() can't parse
+            # We do not want to error out on something IPAddress() cannot parse
             return ip
 
     def get_csr_identifiers(self, csr_filename=None, csr_content=None):
@@ -230,7 +234,7 @@ class OpenSSLCLIBackend(CryptoBackend):
         filename = csr_filename
         data = None
         if csr_content is not None:
-            filename = '-'
+            filename = '/dev/stdin'
             data = csr_content.encode('utf-8')
 
         openssl_csr_cmd = [self.openssl_binary, "req", "-in", filename, "-noout", "-text"]
@@ -267,7 +271,7 @@ class OpenSSLCLIBackend(CryptoBackend):
         filename = cert_filename
         data = None
         if cert_content is not None:
-            filename = '-'
+            filename = '/dev/stdin'
             data = cert_content.encode('utf-8')
             cert_filename_suffix = ''
         elif cert_filename is not None:

plugins/module_utils/acme/backends.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/acme/certificates.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/acme/challenges.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -14,9 +15,7 @@ import json
 import re
 import time
 
-from ansible.module_utils._text import to_bytes
-
-from ansible_collections.community.crypto.plugins.module_utils.compat import ipaddress as compat_ipaddress
+from ansible.module_utils.common.text.converters import to_bytes
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.utils import (
     nopad_b64,
@@ -28,6 +27,11 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.errors impor
     ModuleFailException,
 )
 
+try:
+    import ipaddress
+except ImportError:
+    pass
+
 
 def create_key_authorization(client, token):
     '''
@@ -110,7 +114,7 @@ class Challenge(object):
             # https://www.rfc-editor.org/rfc/rfc8737.html#section-3
             if identifier_type == 'ip':
                 # IPv4/IPv6 address: use reverse mapping (RFC1034, RFC3596)
-                resource = compat_ipaddress.ip_address(identifier).reverse_pointer
+                resource = ipaddress.ip_address(identifier).reverse_pointer
                 if not resource.endswith('.'):
                     resource += '.'
             else:

plugins/module_utils/acme/errors.py

@@ -1,14 +1,15 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
-from ansible.module_utils.six import binary_type
-from ansible.module_utils._text import to_text
+from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.six import binary_type, PY3
 
 
 def format_error_problem(problem, subproblem_prefix=''):
@@ -52,8 +53,12 @@ class ACMEProtocolException(ModuleFailException):
         # Try to get hold of content, if response is given and content is not provided
         if content is None and content_json is None and response is not None:
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and response.closed:
+                    raise TypeError
                 content = response.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
         # Make sure that content_json is None or a dictionary

plugins/module_utils/acme/io.py

@@ -1,9 +1,10 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2013, Romeo Theriault <romeot () hawaii.edu>
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2013, Romeo Theriault <romeot () hawaii.edu>
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -14,7 +15,7 @@ import shutil
 import tempfile
 import traceback
 
-from ansible.module_utils._text import to_native
+from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException
 

plugins/module_utils/acme/orders.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/acme/utils.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -13,7 +14,7 @@ import re
 import textwrap
 import traceback
 
-from ansible.module_utils._text import to_native
+from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.six.moves.urllib.parse import unquote
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException

plugins/module_utils/crypto/__init__.py

@@ -1,99 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-# THIS FILE IS FOR COMPATIBILITY ONLY! YOU SHALL NOT IMPORT IT!
-#
-# This fill will be removed eventually, so if you're using it,
-# please stop doing so.
-
-from .basic import (
-    HAS_PYOPENSSL,
-    CRYPTOGRAPHY_HAS_X25519,
-    CRYPTOGRAPHY_HAS_X25519_FULL,
-    CRYPTOGRAPHY_HAS_X448,
-    CRYPTOGRAPHY_HAS_ED25519,
-    CRYPTOGRAPHY_HAS_ED448,
-    HAS_CRYPTOGRAPHY,
-    OpenSSLObjectError,
-    OpenSSLBadPassphraseError,
-)
-
-from .cryptography_crl import (
-    REVOCATION_REASON_MAP,
-    REVOCATION_REASON_MAP_INVERSE,
-    cryptography_decode_revoked_certificate,
-)
-
-from .cryptography_support import (
-    cryptography_get_extensions_from_cert,
-    cryptography_get_extensions_from_csr,
-    cryptography_name_to_oid,
-    cryptography_oid_to_name,
-    cryptography_get_name,
-    cryptography_decode_name,
-    cryptography_parse_key_usage_params,
-    cryptography_get_basic_constraints,
-    cryptography_key_needs_digest_for_signing,
-    cryptography_compare_public_keys,
-)
-
-from .pem import (
-    identify_private_key_format,
-)
-
-from .math import (
-    binary_exp_mod,
-    simple_gcd,
-    quick_is_not_prime,
-    count_bits,
-)
-
-from ._obj2txt import obj2txt as _obj2txt
-
-from ._objects_data import OID_MAP as _OID_MAP
-
-from ._objects import OID_LOOKUP as _OID_LOOKUP
-from ._objects import NORMALIZE_NAMES as _NORMALIZE_NAMES
-from ._objects import NORMALIZE_NAMES_SHORT as _NORMALIZE_NAMES_SHORT
-
-from .pyopenssl_support import (
-    pyopenssl_normalize_name,
-    pyopenssl_get_extensions_from_cert,
-    pyopenssl_get_extensions_from_csr,
-)
-
-from .support import (
-    get_fingerprint_of_bytes,
-    get_fingerprint,
-    load_privatekey,
-    load_certificate,
-    load_certificate_request,
-    parse_name_field,
-    convert_relative_to_datetime,
-    get_relative_time_option,
-    select_message_digest,
-    OpenSSLObject,
-)
-
-from ..io import (
-    load_file_if_exists,
-    write_file,
-)

plugins/module_utils/crypto/_asn1.py

@@ -1,14 +1,15 @@
 # -*- coding: utf-8 -*-
 
-# (c) 2020, Jordan Borean <jborean93@gmail.com>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2020, Jordan Borean <jborean93@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 import re
 
-from ansible.module_utils._text import to_bytes
+from ansible.module_utils.common.text.converters import to_bytes
 
 
 """

plugins/module_utils/crypto/_obj2txt.py

@@ -1,7 +1,17 @@
+# This code is part of Ansible, but is an independent component.
+# This particular file snippet, and this file snippet only, is licensed under the
+# Apache 2.0 License. Modules you write using this snippet, which is embedded
+# dynamically by Ansible, still belong to the author of the module, and may assign
+# their own license to the complete work.
+
 # This excerpt is dual licensed under the terms of the Apache License, Version
 # 2.0, and the BSD License. See the LICENSE file at
 # https://github.com/pyca/cryptography/blob/master/LICENSE for complete details.
 #
+# The Apache 2.0 license has been included as LICENSES/Apache-2.0.txt in this collection.
+# The BSD License license has been included as LICENSES/BSD-3-Clause.txt in this collection.
+# SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause
+#
 # Adapted from cryptography's hazmat/backends/openssl/decode_asn1.py
 #
 # Copyright (c) 2015, 2016 Paul Kehrer (@reaperhulk)
@@ -20,6 +30,10 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 
+# WARNING: this function no longer works with cryptography 35.0.0 and newer!
+#          It must **ONLY** be used in compatibility code for older
+#          cryptography versions!
+
 def obj2txt(openssl_lib, openssl_ffi, obj):
     # Set to 80 on the recommendation of
     # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values

plugins/module_utils/crypto/_objects.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/crypto/_objects_data.py

@@ -1,3 +1,9 @@
+# This code is part of Ansible, but is an independent component.
+# This particular file snippet, and this file snippet only, is licensed under the
+# Apache 2.0 License. Modules you write using this snippet, which is embedded
+# dynamically by Ansible, still belong to the author of the module, and may assign
+# their own license to the complete work.
+
 # This has been extracted from the OpenSSL project's objects.txt:
 #     https://github.com/openssl/openssl/blob/9537fe5757bb07761fa275d779bbd40bcf5530e4/crypto/objects/objects.txt
 # Extracted with https://gist.github.com/felixfontein/376748017ad65ead093d56a45a5bf376
@@ -5,7 +11,8 @@
 # In case the following data structure has any copyrightable content, note that it is licensed as follows:
 # Copyright (c) the OpenSSL contributors
 # Licensed under the Apache License 2.0
-# https://github.com/openssl/openssl/blob/master/LICENSE
+# SPDX-License-Identifier: Apache-2.0
+# https://github.com/openssl/openssl/blob/master/LICENSE.txt or LICENSES/Apache-2.0.txt
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/crypto/basic.py

@@ -1,34 +1,15 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-# (c) 2020, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 
-from distutils.version import LooseVersion
-
-try:
-    import OpenSSL  # noqa
-    from OpenSSL import crypto  # noqa
-    HAS_PYOPENSSL = True
-except ImportError:
-    # Error handled in the calling module.
-    HAS_PYOPENSSL = False
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 try:
     import cryptography

plugins/module_utils/crypto/cryptography_crl.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -95,12 +84,12 @@ def cryptography_decode_revoked_certificate(cert):
     return result
 
 
-def cryptography_dump_revoked(entry):
+def cryptography_dump_revoked(entry, idn_rewrite='ignore'):
     return {
         'serial_number': entry['serial_number'],
         'revocation_date': entry['revocation_date'].strftime(TIMESTAMP_FORMAT),
         'issuer':
-            [cryptography_decode_name(issuer) for issuer in entry['issuer']]
+            [cryptography_decode_name(issuer, idn_rewrite=idn_rewrite) for issuer in entry['issuer']]
             if entry['issuer'] is not None else None,
         'issuer_critical': entry['issuer_critical'],
         'reason': REVOCATION_REASON_MAP_INVERSE.get(entry['reason']) if entry['reason'] is not None else None,
@@ -116,7 +105,7 @@ def cryptography_get_signature_algorithm_oid_from_crl(crl):
     try:
         return crl.signature_algorithm_oid
     except AttributeError:
-        # Older cryptography versions don't have signature_algorithm_oid yet
+        # Older cryptography versions do not have signature_algorithm_oid yet
         dotted = obj2txt(
             crl._backend._lib,
             crl._backend._ffi,

plugins/module_utils/crypto/cryptography_support.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -22,22 +11,88 @@ __metaclass__ = type
 import base64
 import binascii
 import re
+import sys
+import traceback
+
+from ansible.module_utils.common.text.converters import to_text, to_bytes
+from ansible.module_utils.six.moves.urllib.parse import urlparse, urlunparse, ParseResult
 
-from ansible.module_utils._text import to_text
 from ._asn1 import serialize_asn1_string_as_der
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 try:
     import cryptography
     from cryptography import x509
+    from cryptography.exceptions import InvalidSignature
+    from cryptography.hazmat.backends import default_backend
     from cryptography.hazmat.primitives import serialization
+    from cryptography.hazmat.primitives.asymmetric import padding
     import ipaddress
 except ImportError:
     # Error handled in the calling module.
     pass
 
+try:
+    import cryptography.hazmat.primitives.asymmetric.rsa
+except ImportError:
+    pass
+try:
+    import cryptography.hazmat.primitives.asymmetric.ec
+except ImportError:
+    pass
+try:
+    import cryptography.hazmat.primitives.asymmetric.dsa
+except ImportError:
+    pass
+try:
+    import cryptography.hazmat.primitives.asymmetric.ed25519
+except ImportError:
+    pass
+try:
+    import cryptography.hazmat.primitives.asymmetric.ed448
+except ImportError:
+    pass
+
+try:
+    # This is a separate try/except since this is only present in cryptography 2.5 or newer
+    from cryptography.hazmat.primitives.serialization.pkcs12 import (
+        load_key_and_certificates as _load_key_and_certificates,
+    )
+except ImportError:
+    # Error handled in the calling module.
+    _load_key_and_certificates = None
+
+try:
+    # This is a separate try/except since this is only present in cryptography 36.0.0 or newer
+    from cryptography.hazmat.primitives.serialization.pkcs12 import (
+        load_pkcs12 as _load_pkcs12,
+    )
+except ImportError:
+    # Error handled in the calling module.
+    _load_pkcs12 = None
+
+try:
+    import idna
+
+    HAS_IDNA = True
+except ImportError:
+    HAS_IDNA = False
+    IDNA_IMP_ERROR = traceback.format_exc()
+
+from ansible.module_utils.basic import missing_required_lib
+
 from .basic import (
+    CRYPTOGRAPHY_HAS_DSA_SIGN,
+    CRYPTOGRAPHY_HAS_EC_SIGN,
     CRYPTOGRAPHY_HAS_ED25519,
+    CRYPTOGRAPHY_HAS_ED25519_SIGN,
     CRYPTOGRAPHY_HAS_ED448,
+    CRYPTOGRAPHY_HAS_ED448_SIGN,
+    CRYPTOGRAPHY_HAS_RSA_SIGN,
+    CRYPTOGRAPHY_HAS_X25519,
+    CRYPTOGRAPHY_HAS_X25519_FULL,
+    CRYPTOGRAPHY_HAS_X448,
     OpenSSLObjectError,
 )
 
@@ -55,60 +110,114 @@ DOTTED_OID = re.compile(r'^\d+(?:\.\d+)+$')
 
 
 def cryptography_get_extensions_from_cert(cert):
-    # Since cryptography won't give us the DER value for an extension
-    # (that is only stored for unrecognized extensions), we have to re-do
-    # the extension parsing outselves.
     result = dict()
-    backend = cert._backend
-    x509_obj = cert._x509
+    try:
+        # Since cryptography will not give us the DER value for an extension
+        # (that is only stored for unrecognized extensions), we have to re-do
+        # the extension parsing outselves.
+        backend = default_backend()
+        try:
+            # For certain old versions of cryptography, backend is a MultiBackend object,
+            # which has no _lib attribute. In that case, revert to the old approach.
+            backend._lib
+        except AttributeError:
+            backend = cert._backend
+
+        x509_obj = cert._x509
+        # With cryptography 35.0.0, we can no longer use obj2txt. Unfortunately it still does
+        # not allow to get the raw value of an extension, so we have to use this ugly hack:
+        exts = list(cert.extensions)
+
+        for i in range(backend._lib.X509_get_ext_count(x509_obj)):
+            ext = backend._lib.X509_get_ext(x509_obj, i)
+            if ext == backend._ffi.NULL:
+                continue
+            crit = backend._lib.X509_EXTENSION_get_critical(ext)
+            data = backend._lib.X509_EXTENSION_get_data(ext)
+            backend.openssl_assert(data != backend._ffi.NULL)
+            der = backend._ffi.buffer(data.data, data.length)[:]
+            entry = dict(
+                critical=(crit == 1),
+                value=base64.b64encode(der),
+            )
+            try:
+                oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
+            except AttributeError:
+                oid = exts[i].oid.dotted_string
+            result[oid] = entry
+
+    except Exception:
+        # In case the above method breaks, we likely have cryptography 36.0.0 or newer.
+        # Use it's public_bytes() feature in that case. We will later switch this around
+        # so that this code will be the default, but for now this will act as a fallback
+        # since it will re-serialize de-serialized data, which can be different (if the
+        # original data was not canonicalized) from what was contained in the certificate.
+        for ext in cert.extensions:
+            result[ext.oid.dotted_string] = dict(
+                critical=ext.critical,
+                value=base64.b64encode(ext.value.public_bytes()),
+            )
 
-    for i in range(backend._lib.X509_get_ext_count(x509_obj)):
-        ext = backend._lib.X509_get_ext(x509_obj, i)
-        if ext == backend._ffi.NULL:
-            continue
-        crit = backend._lib.X509_EXTENSION_get_critical(ext)
-        data = backend._lib.X509_EXTENSION_get_data(ext)
-        backend.openssl_assert(data != backend._ffi.NULL)
-        der = backend._ffi.buffer(data.data, data.length)[:]
-        entry = dict(
-            critical=(crit == 1),
-            value=base64.b64encode(der),
-        )
-        oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
-        result[oid] = entry
     return result
 
 
 def cryptography_get_extensions_from_csr(csr):
-    # Since cryptography won't give us the DER value for an extension
-    # (that is only stored for unrecognized extensions), we have to re-do
-    # the extension parsing outselves.
     result = dict()
-    backend = csr._backend
+    try:
+        # Since cryptography will not give us the DER value for an extension
+        # (that is only stored for unrecognized extensions), we have to re-do
+        # the extension parsing outselves.
+        backend = default_backend()
+        try:
+            # For certain old versions of cryptography, backend is a MultiBackend object,
+            # which has no _lib attribute. In that case, revert to the old approach.
+            backend._lib
+        except AttributeError:
+            backend = csr._backend
 
-    extensions = backend._lib.X509_REQ_get_extensions(csr._x509_req)
-    extensions = backend._ffi.gc(
-        extensions,
-        lambda ext: backend._lib.sk_X509_EXTENSION_pop_free(
-            ext,
-            backend._ffi.addressof(backend._lib._original_lib, "X509_EXTENSION_free")
+        extensions = backend._lib.X509_REQ_get_extensions(csr._x509_req)
+        extensions = backend._ffi.gc(
+            extensions,
+            lambda ext: backend._lib.sk_X509_EXTENSION_pop_free(
+                ext,
+                backend._ffi.addressof(backend._lib._original_lib, "X509_EXTENSION_free")
+            )
         )
-    )
 
-    for i in range(backend._lib.sk_X509_EXTENSION_num(extensions)):
-        ext = backend._lib.sk_X509_EXTENSION_value(extensions, i)
-        if ext == backend._ffi.NULL:
-            continue
-        crit = backend._lib.X509_EXTENSION_get_critical(ext)
-        data = backend._lib.X509_EXTENSION_get_data(ext)
-        backend.openssl_assert(data != backend._ffi.NULL)
-        der = backend._ffi.buffer(data.data, data.length)[:]
-        entry = dict(
-            critical=(crit == 1),
-            value=base64.b64encode(der),
-        )
-        oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
-        result[oid] = entry
+        # With cryptography 35.0.0, we can no longer use obj2txt. Unfortunately it still does
+        # not allow to get the raw value of an extension, so we have to use this ugly hack:
+        exts = list(csr.extensions)
+
+        for i in range(backend._lib.sk_X509_EXTENSION_num(extensions)):
+            ext = backend._lib.sk_X509_EXTENSION_value(extensions, i)
+            if ext == backend._ffi.NULL:
+                continue
+            crit = backend._lib.X509_EXTENSION_get_critical(ext)
+            data = backend._lib.X509_EXTENSION_get_data(ext)
+            backend.openssl_assert(data != backend._ffi.NULL)
+            der = backend._ffi.buffer(data.data, data.length)[:]
+            entry = dict(
+                critical=(crit == 1),
+                value=base64.b64encode(der),
+            )
+            try:
+                oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
+            except AttributeError:
+                oid = exts[i].oid.dotted_string
+            result[oid] = entry
+
+    except Exception:
+        # In case the above method breaks, we likely have cryptography 36.0.0 or newer.
+        # Use it's public_bytes() feature in that case. We will later switch this around
+        # so that this code will be the default, but for now this will act as a fallback
+        # since it will re-serialize de-serialized data, which can be different (if the
+        # original data was not canonicalized) from what was contained in the CSR.
+        for ext in csr.extensions:
+            result[ext.oid.dotted_string] = dict(
+                critical=ext.critical,
+                value=base64.b64encode(ext.value.public_bytes()),
+            )
+
     return result
 
 
@@ -152,34 +261,68 @@ def _parse_hex(bytesstr):
     return data
 
 
-DN_COMPONENT_START_RE = re.compile(r'^ *([a-zA-z0-9]+) *= *')
+DN_COMPONENT_START_RE = re.compile(b'^ *([a-zA-z0-9.]+) *= *')
+DN_HEX_LETTER = b'0123456789abcdef'
 
 
-def _parse_dn_component(name, sep=',', sep_str='\\', decode_remainder=True):
+if sys.version_info[0] < 3:
+    _int_to_byte = chr
+else:
+    def _int_to_byte(value):
+        return bytes((value, ))
+
+
+def _parse_dn_component(name, sep=b',', decode_remainder=True):
     m = DN_COMPONENT_START_RE.match(name)
     if not m:
-        raise OpenSSLObjectError('cannot start part in "{0}"'.format(name))
-    oid = cryptography_name_to_oid(m.group(1))
+        raise OpenSSLObjectError(u'cannot start part in "{0}"'.format(to_text(name)))
+    oid = cryptography_name_to_oid(to_text(m.group(1)))
     idx = len(m.group(0))
     decoded_name = []
+    sep_str = sep + b'\\'
     if decode_remainder:
         length = len(name)
-        while idx < length:
-            i = idx
-            while i < length and name[i] not in sep_str:
-                i += 1
-            if i > idx:
-                decoded_name.append(name[idx:i])
-                idx = i
-            while idx + 1 < length and name[idx] == '\\':
-                decoded_name.append(name[idx + 1])
+        if length > idx and name[idx:idx + 1] == b'#':
+            # Decoding a hex string
+            idx += 1
+            while idx + 1 < length:
+                ch1 = name[idx:idx + 1]
+                ch2 = name[idx + 1:idx + 2]
+                idx1 = DN_HEX_LETTER.find(ch1.lower())
+                idx2 = DN_HEX_LETTER.find(ch2.lower())
+                if idx1 < 0 or idx2 < 0:
+                    raise OpenSSLObjectError(u'Invalid hex sequence entry "{0}"'.format(to_text(ch1 + ch2)))
                 idx += 2
-            if idx < length and name[idx] == sep:
-                break
+                decoded_name.append(_int_to_byte(idx1 * 16 + idx2))
+        else:
+            # Decoding a regular string
+            while idx < length:
+                i = idx
+                while i < length and name[i:i + 1] not in sep_str:
+                    i += 1
+                if i > idx:
+                    decoded_name.append(name[idx:i])
+                    idx = i
+                while idx + 1 < length and name[idx:idx + 1] == b'\\':
+                    ch = name[idx + 1:idx + 2]
+                    idx1 = DN_HEX_LETTER.find(ch.lower())
+                    if idx1 >= 0:
+                        if idx + 2 >= length:
+                            raise OpenSSLObjectError(u'Hex escape sequence "\\{0}" incomplete at end of string'.format(to_text(ch)))
+                        ch2 = name[idx + 2:idx + 3]
+                        idx2 = DN_HEX_LETTER.find(ch2.lower())
+                        if idx2 < 0:
+                            raise OpenSSLObjectError(u'Hex escape sequence "\\{0}" has invalid second letter'.format(to_text(ch + ch2)))
+                        ch = _int_to_byte(idx1 * 16 + idx2)
+                        idx += 1
+                    idx += 2
+                    decoded_name.append(ch)
+                if idx < length and name[idx:idx + 1] == sep:
+                    break
     else:
         decoded_name.append(name[idx:])
         idx = len(name)
-    return x509.NameAttribute(oid, ''.join(decoded_name)), name[idx:]
+    return x509.NameAttribute(oid, to_text(b''.join(decoded_name))), name[idx:]
 
 
 def _parse_dn(name):
@@ -190,21 +333,20 @@ def _parse_dn(name):
     '''
     original_name = name
     name = name.lstrip()
-    sep = ','
-    if name.startswith('/'):
-        sep = '/'
+    sep = b','
+    if name.startswith(b'/'):
+        sep = b'/'
         name = name[1:]
-    sep_str = sep + '\\'
     result = []
     while name:
         try:
-            attribute, name = _parse_dn_component(name, sep=sep, sep_str=sep_str)
+            attribute, name = _parse_dn_component(name, sep=sep)
         except OpenSSLObjectError as e:
-            raise OpenSSLObjectError('Error while parsing distinguished name "{0}": {1}'.format(original_name, e))
+            raise OpenSSLObjectError(u'Error while parsing distinguished name "{0}": {1}'.format(to_text(original_name), e))
         result.append(attribute)
         if name:
-            if name[0] != sep or len(name) < 2:
-                raise OpenSSLObjectError('Error while parsing distinguished name "{0}": unexpected end of string'.format(original_name))
+            if name[0:1] != sep or len(name) < 2:
+                raise OpenSSLObjectError(u'Error while parsing distinguished name "{0}": unexpected end of string'.format(to_text(original_name)))
             name = name[1:]
     return result
 
@@ -213,12 +355,86 @@ def cryptography_parse_relative_distinguished_name(rdn):
     names = []
     for part in rdn:
         try:
-            names.append(_parse_dn_component(to_text(part), decode_remainder=False)[0])
+            names.append(_parse_dn_component(to_bytes(part), decode_remainder=False)[0])
         except OpenSSLObjectError as e:
-            raise OpenSSLObjectError('Error while parsing relative distinguished name "{0}": {1}'.format(part, e))
+            raise OpenSSLObjectError(u'Error while parsing relative distinguished name "{0}": {1}'.format(part, e))
     return cryptography.x509.RelativeDistinguishedName(names)
 
 
+def _is_ascii(value):
+    '''Check whether the Unicode string `value` contains only ASCII characters.'''
+    try:
+        value.encode("ascii")
+        return True
+    except UnicodeEncodeError:
+        return False
+
+
+def _adjust_idn(value, idn_rewrite):
+    if idn_rewrite == 'ignore' or not value:
+        return value
+    if idn_rewrite == 'idna' and _is_ascii(value):
+        return value
+    if idn_rewrite not in ('idna', 'unicode'):
+        raise ValueError('Invalid value for idn_rewrite: "{0}"'.format(idn_rewrite))
+    if not HAS_IDNA:
+        raise OpenSSLObjectError(
+            missing_required_lib('idna', reason='to transform {what} DNS name "{name}" to {dest}'.format(
+                name=value,
+                what='IDNA' if idn_rewrite == 'unicode' else 'Unicode',
+                dest='Unicode' if idn_rewrite == 'unicode' else 'IDNA',
+            )))
+    # Since IDNA does not like '*' or empty labels (except one empty label at the end),
+    # we split and let IDNA only handle labels that are neither empty or '*'.
+    parts = value.split(u'.')
+    for index, part in enumerate(parts):
+        if part in (u'', u'*'):
+            continue
+        try:
+            if idn_rewrite == 'idna':
+                parts[index] = idna.encode(part).decode('ascii')
+            elif idn_rewrite == 'unicode' and part.startswith(u'xn--'):
+                parts[index] = idna.decode(part)
+        except idna.IDNAError as exc2008:
+            try:
+                if idn_rewrite == 'idna':
+                    parts[index] = part.encode('idna').decode('ascii')
+                elif idn_rewrite == 'unicode' and part.startswith(u'xn--'):
+                    parts[index] = part.encode('ascii').decode('idna')
+            except Exception as exc2003:
+                raise OpenSSLObjectError(
+                    u'Error while transforming part "{part}" of {what} DNS name "{name}" to {dest}.'
+                    u' IDNA2008 transformation resulted in "{exc2008}", IDNA2003 transformation resulted in "{exc2003}".'.format(
+                        part=part,
+                        name=value,
+                        what='IDNA' if idn_rewrite == 'unicode' else 'Unicode',
+                        dest='Unicode' if idn_rewrite == 'unicode' else 'IDNA',
+                        exc2003=exc2003,
+                        exc2008=exc2008,
+                    ))
+    return u'.'.join(parts)
+
+
+def _adjust_idn_email(value, idn_rewrite):
+    idx = value.find(u'@')
+    if idx < 0:
+        return value
+    return u'{0}@{1}'.format(value[:idx], _adjust_idn(value[idx + 1:], idn_rewrite))
+
+
+def _adjust_idn_url(value, idn_rewrite):
+    url = urlparse(value)
+    host = _adjust_idn(url.hostname, idn_rewrite)
+    if url.username is not None and url.password is not None:
+        host = u'{0}:{1}@{2}'.format(url.username, url.password, host)
+    elif url.username is not None:
+        host = u'{0}@{1}'.format(url.username, host)
+    if url.port is not None:
+        host = u'{0}:{1}'.format(host, url.port)
+    return urlunparse(
+        ParseResult(scheme=url.scheme, netloc=host, path=url.path, params=url.params, query=url.query, fragment=url.fragment))
+
+
 def cryptography_get_name(name, what='Subject Alternative Name'):
     '''
     Given a name string, returns a cryptography x509.GeneralName object.
@@ -226,16 +442,16 @@ def cryptography_get_name(name, what='Subject Alternative Name'):
     '''
     try:
         if name.startswith('DNS:'):
-            return x509.DNSName(to_text(name[4:]))
+            return x509.DNSName(_adjust_idn(to_text(name[4:]), 'idna'))
         if name.startswith('IP:'):
             address = to_text(name[3:])
             if '/' in address:
                 return x509.IPAddress(ipaddress.ip_network(address))
             return x509.IPAddress(ipaddress.ip_address(address))
         if name.startswith('email:'):
-            return x509.RFC822Name(to_text(name[6:]))
+            return x509.RFC822Name(_adjust_idn_email(to_text(name[6:]), 'idna'))
         if name.startswith('URI:'):
-            return x509.UniformResourceIdentifier(to_text(name[4:]))
+            return x509.UniformResourceIdentifier(_adjust_idn_url(to_text(name[4:]), 'idna'))
         if name.startswith('RID:'):
             m = re.match(r'^([0-9]+(?:\.[0-9]+)*)$', to_text(name[4:]))
             if not m:
@@ -259,7 +475,7 @@ def cryptography_get_name(name, what='Subject Alternative Name'):
             b_value = serialize_asn1_string_as_der(value)
             return x509.OtherName(x509.ObjectIdentifier(oid), b_value)
         if name.startswith('dirName:'):
-            return x509.DirectoryName(x509.Name(_parse_dn(to_text(name[8:]))))
+            return x509.DirectoryName(x509.Name(reversed(_parse_dn(to_bytes(name[8:])))))
     except Exception as e:
         raise OpenSSLObjectError('Cannot parse {what} "{name}": {error}'.format(name=name, what=what, error=e))
     if ':' not in name:
@@ -271,38 +487,45 @@ def _dn_escape_value(value):
     '''
     Escape Distinguished Name's attribute value.
     '''
-    value = value.replace('\\', '\\\\')
-    for ch in [',', '#', '+', '<', '>', ';', '"', '=', '/']:
-        value = value.replace(ch, '\\%s' % ch)
-    if value.startswith(' '):
-        value = r'\ ' + value[1:]
+    value = value.replace(u'\\', u'\\\\')
+    for ch in [u',', u'+', u'<', u'>', u';', u'"']:
+        value = value.replace(ch, u'\\%s' % ch)
+    value = value.replace(u'\0', u'\\00')
+    if value.startswith((u' ', u'#')):
+        value = u'\\%s' % value[0] + value[1:]
+    if value.endswith(u' '):
+        value = value[:-1] + u'\\ '
     return value
 
 
-def cryptography_decode_name(name):
+def cryptography_decode_name(name, idn_rewrite='ignore'):
     '''
     Given a cryptography x509.GeneralName object, returns a string.
     Raises an OpenSSLObjectError if the name is not supported.
     '''
+    if idn_rewrite not in ('ignore', 'idna', 'unicode'):
+        raise AssertionError('idn_rewrite must be one of "ignore", "idna", or "unicode"')
     if isinstance(name, x509.DNSName):
-        return 'DNS:{0}'.format(name.value)
+        return u'DNS:{0}'.format(_adjust_idn(name.value, idn_rewrite))
     if isinstance(name, x509.IPAddress):
         if isinstance(name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
-            return 'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
-        return 'IP:{0}'.format(name.value.compressed)
+            return u'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
+        return u'IP:{0}'.format(name.value.compressed)
     if isinstance(name, x509.RFC822Name):
-        return 'email:{0}'.format(name.value)
+        return u'email:{0}'.format(_adjust_idn_email(name.value, idn_rewrite))
     if isinstance(name, x509.UniformResourceIdentifier):
-        return 'URI:{0}'.format(name.value)
+        return u'URI:{0}'.format(_adjust_idn_url(name.value, idn_rewrite))
     if isinstance(name, x509.DirectoryName):
-        return 'dirName:' + ''.join([
-            '/{0}={1}'.format(cryptography_oid_to_name(attribute.oid, short=True), _dn_escape_value(attribute.value))
-            for attribute in name.value
+        # According to https://datatracker.ietf.org/doc/html/rfc4514.html#section-2.1 the
+        # list needs to be reversed, and joined by commas
+        return u'dirName:' + ','.join([
+            u'{0}={1}'.format(to_text(cryptography_oid_to_name(attribute.oid, short=True)), _dn_escape_value(attribute.value))
+            for attribute in reversed(list(name.value))
         ])
     if isinstance(name, x509.RegisteredID):
-        return 'RID:{0}'.format(name.value.dotted_string)
+        return u'RID:{0}'.format(name.value.dotted_string)
     if isinstance(name, x509.OtherName):
-        return 'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
+        return u'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
     raise OpenSSLObjectError('Cannot decode name "{0}"'.format(name))
 
 
@@ -392,32 +615,75 @@ def cryptography_key_needs_digest_for_signing(key):
     return True
 
 
+def _compare_public_keys(key1, key2, clazz):
+    a = isinstance(key1, clazz)
+    b = isinstance(key2, clazz)
+    if not (a or b):
+        return None
+    if not a or not b:
+        return False
+    a = key1.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
+    b = key2.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
+    return a == b
+
+
 def cryptography_compare_public_keys(key1, key2):
     '''Tests whether two public keys are the same.
 
     Needs special logic for Ed25519 and Ed448 keys, since they do not have public_numbers().
     '''
     if CRYPTOGRAPHY_HAS_ED25519:
-        a = isinstance(key1, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey)
-        b = isinstance(key2, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey)
-        if a or b:
-            if not a or not b:
-                return False
-            a = key1.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
-            b = key2.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
-            return a == b
+        res = _compare_public_keys(key1, key2, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey)
+        if res is not None:
+            return res
     if CRYPTOGRAPHY_HAS_ED448:
-        a = isinstance(key1, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey)
-        b = isinstance(key2, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey)
-        if a or b:
-            if not a or not b:
-                return False
-            a = key1.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
-            b = key2.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
-            return a == b
+        res = _compare_public_keys(key1, key2, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey)
+        if res is not None:
+            return res
     return key1.public_numbers() == key2.public_numbers()
 
 
+def _compare_private_keys(key1, key2, clazz, has_no_private_bytes=False):
+    a = isinstance(key1, clazz)
+    b = isinstance(key2, clazz)
+    if not (a or b):
+        return None
+    if not a or not b:
+        return False
+    if has_no_private_bytes:
+        # We do not have the private_bytes() function - compare associated public keys
+        return cryptography_compare_public_keys(a.public_key(), b.public_key())
+    encryption_algorithm = cryptography.hazmat.primitives.serialization.NoEncryption()
+    a = key1.private_bytes(serialization.Encoding.Raw, serialization.PrivateFormat.Raw, encryption_algorithm=encryption_algorithm)
+    b = key2.private_bytes(serialization.Encoding.Raw, serialization.PrivateFormat.Raw, encryption_algorithm=encryption_algorithm)
+    return a == b
+
+
+def cryptography_compare_private_keys(key1, key2):
+    '''Tests whether two private keys are the same.
+
+    Needs special logic for Ed25519, X25519, and Ed448 keys, since they do not have private_numbers().
+    '''
+    if CRYPTOGRAPHY_HAS_ED25519:
+        res = _compare_private_keys(key1, key2, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey)
+        if res is not None:
+            return res
+    if CRYPTOGRAPHY_HAS_X25519:
+        res = _compare_private_keys(
+            key1, key2, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey, has_no_private_bytes=not CRYPTOGRAPHY_HAS_X25519_FULL)
+        if res is not None:
+            return res
+    if CRYPTOGRAPHY_HAS_ED448:
+        res = _compare_private_keys(key1, key2, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey)
+        if res is not None:
+            return res
+    if CRYPTOGRAPHY_HAS_X448:
+        res = _compare_private_keys(key1, key2, cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey)
+        if res is not None:
+            return res
+    return key1.private_numbers() == key2.private_numbers()
+
+
 def cryptography_serial_number_of_cert(cert):
     '''Returns cert.serial_number.
 
@@ -428,3 +694,116 @@ def cryptography_serial_number_of_cert(cert):
     except AttributeError:
         # The property was called "serial" before cryptography 1.4
         return cert.serial
+
+
+def parse_pkcs12(pkcs12_bytes, passphrase=None):
+    '''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
+    '''
+    if _load_pkcs12 is None and _load_key_and_certificates is None:
+        raise ValueError('neither load_pkcs12() nor load_key_and_certificates() present in the current cryptography version')
+
+    if passphrase is not None:
+        passphrase = to_bytes(passphrase)
+
+    # Main code for cryptography 36.0.0 and forward
+    if _load_pkcs12 is not None:
+        return _parse_pkcs12_36_0_0(pkcs12_bytes, passphrase)
+
+    if LooseVersion(cryptography.__version__) >= LooseVersion('35.0'):
+        return _parse_pkcs12_35_0_0(pkcs12_bytes, passphrase)
+
+    return _parse_pkcs12_legacy(pkcs12_bytes, passphrase)
+
+
+def _parse_pkcs12_36_0_0(pkcs12_bytes, passphrase=None):
+    # Requires cryptography 36.0.0 or newer
+    pkcs12 = _load_pkcs12(pkcs12_bytes, passphrase)
+    additional_certificates = [cert.certificate for cert in pkcs12.additional_certs]
+    private_key = pkcs12.key
+    certificate = None
+    friendly_name = None
+    if pkcs12.cert:
+        certificate = pkcs12.cert.certificate
+        friendly_name = pkcs12.cert.friendly_name
+    return private_key, certificate, additional_certificates, friendly_name
+
+
+def _parse_pkcs12_35_0_0(pkcs12_bytes, passphrase=None):
+    # Backwards compatibility code for cryptography 35.x
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
+
+    friendly_name = None
+    if certificate:
+        # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
+        backend = default_backend()
+
+        # This code basically does what load_key_and_certificates() does, but without error-checking.
+        # Since load_key_and_certificates succeeded, it should not fail.
+        pkcs12 = backend._ffi.gc(
+            backend._lib.d2i_PKCS12_bio(backend._bytes_to_bio(pkcs12_bytes).bio, backend._ffi.NULL),
+            backend._lib.PKCS12_free)
+        certificate_x509_ptr = backend._ffi.new("X509 **")
+        with backend._zeroed_null_terminated_buf(to_bytes(passphrase) if passphrase is not None else None) as passphrase_buffer:
+            backend._lib.PKCS12_parse(
+                pkcs12,
+                passphrase_buffer,
+                backend._ffi.new("EVP_PKEY **"),
+                certificate_x509_ptr,
+                backend._ffi.new("Cryptography_STACK_OF_X509 **"))
+        if certificate_x509_ptr[0] != backend._ffi.NULL:
+            maybe_name = backend._lib.X509_alias_get0(certificate_x509_ptr[0], backend._ffi.NULL)
+            if maybe_name != backend._ffi.NULL:
+                friendly_name = backend._ffi.string(maybe_name)
+
+    return private_key, certificate, additional_certificates, friendly_name
+
+
+def _parse_pkcs12_legacy(pkcs12_bytes, passphrase=None):
+    # Backwards compatibility code for cryptography < 35.0.0
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
+
+    friendly_name = None
+    if certificate:
+        # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
+        backend = certificate._backend
+        maybe_name = backend._lib.X509_alias_get0(certificate._x509, backend._ffi.NULL)
+        if maybe_name != backend._ffi.NULL:
+            friendly_name = backend._ffi.string(maybe_name)
+    return private_key, certificate, additional_certificates, friendly_name
+
+
+def cryptography_verify_signature(signature, data, hash_algorithm, signer_public_key):
+    '''
+    Check whether the given signature of the given data was signed by the given public key object.
+    '''
+    try:
+        if CRYPTOGRAPHY_HAS_RSA_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey):
+            signer_public_key.verify(signature, data, padding.PKCS1v15(), hash_algorithm)
+            return True
+        if CRYPTOGRAPHY_HAS_EC_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey):
+            signer_public_key.verify(signature, data, cryptography.hazmat.primitives.asymmetric.ec.ECDSA(hash_algorithm))
+            return True
+        if CRYPTOGRAPHY_HAS_DSA_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey):
+            signer_public_key.verify(signature, data, hash_algorithm)
+            return True
+        if CRYPTOGRAPHY_HAS_ED25519_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey):
+            signer_public_key.verify(signature, data)
+            return True
+        if CRYPTOGRAPHY_HAS_ED448_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey):
+            signer_public_key.verify(signature, data)
+            return True
+        raise OpenSSLObjectError(u'Unsupported public key type {0}'.format(type(signer_public_key)))
+    except InvalidSignature:
+        return False
+
+
+def cryptography_verify_certificate_signature(certificate, signer_public_key):
+    '''
+    Check whether the given X509 certificate object was signed by the given public key object.
+    '''
+    return cryptography_verify_signature(
+        certificate.signature,
+        certificate.tbs_certificate_bytes,
+        certificate.signature_hash_algorithm,
+        signer_public_key
+    )

plugins/module_utils/crypto/math.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -50,7 +39,7 @@ def quick_is_not_prime(n):
     '''Does some quick checks to see if we can poke a hole into the primality of n.
 
     A result of `False` does **not** mean that the number is prime; it just means
-    that we couldn't detect quickly whether it is not prime.
+    that we could not detect quickly whether it is not prime.
     '''
     if n <= 2:
         return True

plugins/module_utils/crypto/module_backends/certificate.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -11,11 +12,11 @@ __metaclass__ = type
 import abc
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
@@ -33,19 +34,11 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     cryptography_compare_public_keys,
 )
 
-MINIMAL_CRYPTOGRAPHY_VERSION = '1.6'
-MINIMAL_PYOPENSSL_VERSION = '0.15'
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import (
+    get_certificate_info,
+)
 
-PYOPENSSL_IMP_ERR = None
-try:
-    import OpenSSL
-    from OpenSSL import crypto
-    PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
-    PYOPENSSL_IMP_ERR = traceback.format_exc()
-    PYOPENSSL_FOUND = False
-else:
-    PYOPENSSL_FOUND = True
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.6'
 
 CRYPTOGRAPHY_IMP_ERR = None
 CRYPTOGRAPHY_VERSION = None
@@ -71,6 +64,7 @@ class CertificateBackend(object):
         self.backend = backend
 
         self.force = module.params['force']
+        self.ignore_timestamps = module.params['ignore_timestamps']
         self.privatekey_path = module.params['privatekey_path']
         self.privatekey_content = module.params['privatekey_content']
         if self.privatekey_content is not None:
@@ -95,6 +89,19 @@ class CertificateBackend(object):
         self.check_csr_subject = True
         self.check_csr_extensions = True
 
+        self.diff_before = self._get_info(None)
+        self.diff_after = self._get_info(None)
+
+    def _get_info(self, data):
+        if data is None:
+            return dict()
+        try:
+            result = get_certificate_info(self.module, self.backend, data, prefer_one_fingerprint=True)
+            result['can_parse_certificate'] = True
+            return result
+        except Exception as exc:
+            return dict(can_parse_certificate=False)
+
     @abc.abstractmethod
     def generate_certificate(self):
         """(Re-)Generate certificate."""
@@ -108,6 +115,7 @@ class CertificateBackend(object):
     def set_existing(self, certificate_bytes):
         """Set existing certificate bytes. None indicates that the key does not exist."""
         self.existing_certificate_bytes = certificate_bytes
+        self.diff_after = self.diff_before = self._get_info(self.existing_certificate_bytes)
 
     def has_existing(self):
         """Query whether an existing certificate is/has been there."""
@@ -155,43 +163,12 @@ class CertificateBackend(object):
 
     def _check_privatekey(self):
         """Check whether provided parameters match, assuming self.existing_certificate and self.privatekey have been populated."""
-        if self.backend == 'pyopenssl':
-            ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
-            ctx.use_privatekey(self.privatekey)
-            ctx.use_certificate(self.existing_certificate)
-            try:
-                ctx.check_privatekey()
-                return True
-            except OpenSSL.SSL.Error:
-                return False
-        elif self.backend == 'cryptography':
+        if self.backend == 'cryptography':
             return cryptography_compare_public_keys(self.existing_certificate.public_key(), self.privatekey.public_key())
 
     def _check_csr(self):
         """Check whether provided parameters match, assuming self.existing_certificate and self.csr have been populated."""
-        if self.backend == 'pyopenssl':
-            # Verify that CSR is signed by certificate's private key
-            try:
-                self.csr.verify(self.existing_certificate.get_pubkey())
-            except OpenSSL.crypto.Error:
-                return False
-            # Check subject
-            if self.check_csr_subject and self.csr.get_subject() != self.existing_certificate.get_subject():
-                return False
-            # Check extensions
-            if not self.check_csr_extensions:
-                return True
-            csr_extensions = self.csr.get_extensions()
-            cert_extension_count = self.existing_certificate.get_extension_count()
-            if len(csr_extensions) != cert_extension_count:
-                return False
-            for extension_number in range(0, cert_extension_count):
-                cert_extension = self.existing_certificate.get_extension(extension_number)
-                csr_extension = filter(lambda extension: extension.get_short_name() == cert_extension.get_short_name(), csr_extensions)
-                if cert_extension.get_data() != list(csr_extension)[0].get_data():
-                    return False
-            return True
-        elif self.backend == 'cryptography':
+        if self.backend == 'cryptography':
             # Verify that CSR is signed by certificate's private key
             if not self.csr.is_signature_valid:
                 return False
@@ -226,10 +203,6 @@ class CertificateBackend(object):
 
     def _check_subject_key_identifier(self):
         """Check whether Subject Key Identifier matches, assuming self.existing_certificate has been populated."""
-        if self.backend != 'cryptography':
-            # We do not support SKI with pyOpenSSL backend
-            return True
-
         # Get hold of certificate's SKI
         try:
             ext = self.existing_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
@@ -247,12 +220,12 @@ class CertificateBackend(object):
             if ext.value.digest != x509.SubjectKeyIdentifier.from_public_key(self.existing_certificate.public_key()).digest:
                 return False
         else:
-            # If CSR had SKI and we didn't ignore it ('create_if_not_provided'), compare SKIs
+            # If CSR had SKI and we did not ignore it ('create_if_not_provided'), compare SKIs
             if ext.value.digest != csr_ext.value.digest:
                 return False
         return True
 
-    def needs_regeneration(self):
+    def needs_regeneration(self, not_before=None, not_after=None):
         """Check whether a regeneration is necessary."""
         if self.force or self.existing_certificate_bytes is None:
             return True
@@ -276,6 +249,15 @@ class CertificateBackend(object):
         if self.create_subject_key_identifier != 'never_create' and not self._check_subject_key_identifier():
             return True
 
+        # Check not before
+        if not_before is not None and not self.ignore_timestamps:
+            if self.existing_certificate.not_valid_before != not_before:
+                return True
+
+        # Check not after
+        if not_after is not None and not self.ignore_timestamps:
+            if self.existing_certificate.not_valid_after != not_after:
+                return True
         return False
 
     def dump(self, include_certificate):
@@ -284,13 +266,19 @@ class CertificateBackend(object):
             'privatekey': self.privatekey_path,
             'csr': self.csr_path
         }
+        # Get hold of certificate bytes
+        certificate_bytes = self.existing_certificate_bytes
+        if self.cert is not None:
+            certificate_bytes = self.get_certificate_data()
+        self.diff_after = self._get_info(certificate_bytes)
         if include_certificate:
-            # Get hold of certificate bytes
-            certificate_bytes = self.existing_certificate_bytes
-            if self.cert is not None:
-                certificate_bytes = self.get_certificate_data()
             # Store result
             result['certificate'] = certificate_bytes.decode('utf-8') if certificate_bytes else None
+
+        result['diff'] = dict(
+            before=self.diff_before,
+            after=self.diff_after,
+        )
         return result
 
 
@@ -304,10 +292,6 @@ class CertificateProvider(object):
     def needs_version_two_certs(self, module):
         """Whether the provider needs to create a version 2 certificate."""
 
-    def needs_pyopenssl_get_extensions(self, module):
-        """Whether the provider needs to use get_extensions() with pyOpenSSL."""
-        return True
-
     @abc.abstractmethod
     def create_backend(self, module, backend):
         """Create an implementation for a backend.
@@ -328,45 +312,22 @@ def select_backend(module, backend, provider):
     if backend == 'auto':
         # Detect what backend we can use
         can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
 
         # If cryptography is available we'll use it
         if can_use_cryptography:
             backend = 'cryptography'
-        elif can_use_pyopenssl:
-            backend = 'pyopenssl'
-
-        if provider.needs_version_two_certs(module):
-            module.warn('crypto backend forced to pyopenssl. The cryptography library does not support v2 certificates')
-            backend = 'pyopenssl'
 
         # Fail if no backend has been found
         if backend == 'auto':
-            module.fail_json(msg=("Can't detect any of the required Python libraries "
-                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
-                                      MINIMAL_CRYPTOGRAPHY_VERSION,
-                                      MINIMAL_PYOPENSSL_VERSION))
+            module.fail_json(msg=("Cannot detect the required Python library "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
 
-    if backend == 'pyopenssl':
-        module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
-                         version='2.0.0', collection_name='community.crypto')
-
-        if not PYOPENSSL_FOUND:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
-                             exception=PYOPENSSL_IMP_ERR)
-        if provider.needs_pyopenssl_get_extensions(module):
-            try:
-                getattr(crypto.X509Req, 'get_extensions')
-            except AttributeError:
-                module.fail_json(msg='You need to have PyOpenSSL>=0.15')
-
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         if not CRYPTOGRAPHY_FOUND:
             module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
                              exception=CRYPTOGRAPHY_IMP_ERR)
         if provider.needs_version_two_certs(module):
-            module.fail_json(msg='The cryptography backend does not support v2 certificates, '
-                                 'use select_crypto_backend=pyopenssl for v2 certificates')
+            module.fail_json(msg='The cryptography backend does not support v2 certificates')
 
     return provider.create_backend(module, backend)
 
@@ -378,7 +339,8 @@ def get_certificate_argument_spec():
             force=dict(type='bool', default=False,),
             csr_path=dict(type='path'),
             csr_content=dict(type='str'),
-            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
+            ignore_timestamps=dict(type='bool', default=True),
+            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography']),
 
             # General properties of a certificate
             privatekey_path=dict(type='path'),

plugins/module_utils/crypto/module_backends/certificate_acme.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,7 +13,7 @@ import os
 import tempfile
 import traceback
 
-from ansible.module_utils._text import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_bytes
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
     CertificateError,

plugins/module_utils/crypto/module_backends/certificate_assertonly.py

@@ -1,664 +0,0 @@
-# -*- coding: utf-8 -*-
-
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-import abc
-import datetime
-
-from ansible.module_utils._text import to_native, to_bytes, to_text
-
-from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
-    parse_name_field,
-    get_relative_time_option,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
-    cryptography_compare_public_keys,
-    cryptography_get_name,
-    cryptography_name_to_oid,
-    cryptography_parse_key_usage_params,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.crypto.pyopenssl_support import (
-    pyopenssl_normalize_name_attribute,
-)
-
-from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
-    CertificateBackend,
-    CertificateProvider,
-)
-
-try:
-    import OpenSSL
-    from OpenSSL import crypto
-except ImportError:
-    pass
-
-try:
-    import cryptography
-    from cryptography import x509
-    from cryptography.x509 import NameAttribute, Name
-except ImportError:
-    pass
-
-
-def compare_sets(subset, superset, equality=False):
-    if equality:
-        return set(subset) == set(superset)
-    else:
-        return all(x in superset for x in subset)
-
-
-def compare_dicts(subset, superset, equality=False):
-    if equality:
-        return subset == superset
-    else:
-        return all(superset.get(x) == v for x, v in subset.items())
-
-
-NO_EXTENSION = 'no extension'
-
-
-class AssertOnlyCertificateBackend(CertificateBackend):
-    def __init__(self, module, backend):
-        super(AssertOnlyCertificateBackend, self).__init__(module, backend)
-
-        self.signature_algorithms = module.params['signature_algorithms']
-        if module.params['subject']:
-            self.subject = parse_name_field(module.params['subject'])
-        else:
-            self.subject = []
-        self.subject_strict = module.params['subject_strict']
-        if module.params['issuer']:
-            self.issuer = parse_name_field(module.params['issuer'])
-        else:
-            self.issuer = []
-        self.issuer_strict = module.params['issuer_strict']
-        self.has_expired = module.params['has_expired']
-        self.version = module.params['version']
-        self.key_usage = module.params['key_usage']
-        self.key_usage_strict = module.params['key_usage_strict']
-        self.extended_key_usage = module.params['extended_key_usage']
-        self.extended_key_usage_strict = module.params['extended_key_usage_strict']
-        self.subject_alt_name = module.params['subject_alt_name']
-        self.subject_alt_name_strict = module.params['subject_alt_name_strict']
-        self.not_before = module.params['not_before']
-        self.not_after = module.params['not_after']
-        self.valid_at = module.params['valid_at']
-        self.invalid_at = module.params['invalid_at']
-        self.valid_in = module.params['valid_in']
-        if self.valid_in and not self.valid_in.startswith("+") and not self.valid_in.startswith("-"):
-            try:
-                int(self.valid_in)
-            except ValueError:
-                module.fail_json(msg='The supplied value for "valid_in" (%s) is not an integer or a valid timespec' % self.valid_in)
-            self.valid_in = "+" + self.valid_in + "s"
-
-        # Load objects
-        self._ensure_private_key_loaded()
-        self._ensure_csr_loaded()
-
-    @abc.abstractmethod
-    def _validate_privatekey(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_csr_signature(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_csr_subject(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_csr_extensions(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_signature_algorithms(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_subject(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_issuer(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_has_expired(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_version(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_key_usage(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_extended_key_usage(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_subject_alt_name(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_not_before(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_not_after(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_valid_at(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_invalid_at(self):
-        pass
-
-    @abc.abstractmethod
-    def _validate_valid_in(self):
-        pass
-
-    def assertonly(self):
-        messages = []
-        if self.privatekey_path is not None or self.privatekey_content is not None:
-            if not self._validate_privatekey():
-                messages.append(
-                    'Certificate %s and private key %s do not match' %
-                    (self.path, self.privatekey_path or '(provided in module options)')
-                )
-
-        if self.csr_path is not None or self.csr_content is not None:
-            if not self._validate_csr_signature():
-                messages.append(
-                    'Certificate %s and CSR %s do not match: private key mismatch' %
-                    (self.path, self.csr_path or '(provided in module options)')
-                )
-            if not self._validate_csr_subject():
-                messages.append(
-                    'Certificate %s and CSR %s do not match: subject mismatch' %
-                    (self.path, self.csr_path or '(provided in module options)')
-                )
-            if not self._validate_csr_extensions():
-                messages.append(
-                    'Certificate %s and CSR %s do not match: extensions mismatch' %
-                    (self.path, self.csr_path or '(provided in module options)')
-                )
-
-        if self.signature_algorithms is not None:
-            wrong_alg = self._validate_signature_algorithms()
-            if wrong_alg:
-                messages.append(
-                    'Invalid signature algorithm (got %s, expected one of %s)' %
-                    (wrong_alg, self.signature_algorithms)
-                )
-
-        if self.subject is not None:
-            failure = self._validate_subject()
-            if failure:
-                dummy, cert_subject = failure
-                messages.append(
-                    'Invalid subject component (got %s, expected all of %s to be present)' %
-                    (cert_subject, self.subject)
-                )
-
-        if self.issuer is not None:
-            failure = self._validate_issuer()
-            if failure:
-                dummy, cert_issuer = failure
-                messages.append(
-                    'Invalid issuer component (got %s, expected all of %s to be present)' % (cert_issuer, self.issuer)
-                )
-
-        if self.has_expired is not None:
-            cert_expired = self._validate_has_expired()
-            if cert_expired != self.has_expired:
-                messages.append(
-                    'Certificate expiration check failed (certificate expiration is %s, expected %s)' %
-                    (cert_expired, self.has_expired)
-                )
-
-        if self.version is not None:
-            cert_version = self._validate_version()
-            if cert_version != self.version:
-                messages.append(
-                    'Invalid certificate version number (got %s, expected %s)' %
-                    (cert_version, self.version)
-                )
-
-        if self.key_usage is not None:
-            failure = self._validate_key_usage()
-            if failure == NO_EXTENSION:
-                messages.append('Found no keyUsage extension')
-            elif failure:
-                dummy, cert_key_usage = failure
-                messages.append(
-                    'Invalid keyUsage components (got %s, expected all of %s to be present)' %
-                    (cert_key_usage, self.key_usage)
-                )
-
-        if self.extended_key_usage is not None:
-            failure = self._validate_extended_key_usage()
-            if failure == NO_EXTENSION:
-                messages.append('Found no extendedKeyUsage extension')
-            elif failure:
-                dummy, ext_cert_key_usage = failure
-                messages.append(
-                    'Invalid extendedKeyUsage component (got %s, expected all of %s to be present)' % (ext_cert_key_usage, self.extended_key_usage)
-                )
-
-        if self.subject_alt_name is not None:
-            failure = self._validate_subject_alt_name()
-            if failure == NO_EXTENSION:
-                messages.append('Found no subjectAltName extension')
-            elif failure:
-                dummy, cert_san = failure
-                messages.append(
-                    'Invalid subjectAltName component (got %s, expected all of %s to be present)' %
-                    (cert_san, self.subject_alt_name)
-                )
-
-        if self.not_before is not None:
-            cert_not_valid_before = self._validate_not_before()
-            if cert_not_valid_before != get_relative_time_option(self.not_before, 'not_before', backend=self.backend):
-                messages.append(
-                    'Invalid not_before component (got %s, expected %s to be present)' %
-                    (cert_not_valid_before, self.not_before)
-                )
-
-        if self.not_after is not None:
-            cert_not_valid_after = self._validate_not_after()
-            if cert_not_valid_after != get_relative_time_option(self.not_after, 'not_after', backend=self.backend):
-                messages.append(
-                    'Invalid not_after component (got %s, expected %s to be present)' %
-                    (cert_not_valid_after, self.not_after)
-                )
-
-        if self.valid_at is not None:
-            not_before, valid_at, not_after = self._validate_valid_at()
-            if not (not_before <= valid_at <= not_after):
-                messages.append(
-                    'Certificate is not valid for the specified date (%s) - not_before: %s - not_after: %s' %
-                    (self.valid_at, not_before, not_after)
-                )
-
-        if self.invalid_at is not None:
-            not_before, invalid_at, not_after = self._validate_invalid_at()
-            if not_before <= invalid_at <= not_after:
-                messages.append(
-                    'Certificate is not invalid for the specified date (%s) - not_before: %s - not_after: %s' %
-                    (self.invalid_at, not_before, not_after)
-                )
-
-        if self.valid_in is not None:
-            not_before, valid_in, not_after = self._validate_valid_in()
-            if not not_before <= valid_in <= not_after:
-                messages.append(
-                    'Certificate is not valid in %s from now (that would be %s) - not_before: %s - not_after: %s' %
-                    (self.valid_in, valid_in, not_before, not_after)
-                )
-        return messages
-
-    def needs_regeneration(self):
-        self._ensure_existing_certificate_loaded()
-        if self.existing_certificate is None:
-            self.messages = ['Certificate not provided']
-        else:
-            self.messages = self.assertonly()
-
-        return len(self.messages) != 0
-
-    def generate_certificate(self):
-        self.module.fail_json(msg=' | '.join(self.messages))
-
-    def get_certificate_data(self):
-        return self.existing_certificate_bytes
-
-
-class AssertOnlyCertificateBackendCryptography(AssertOnlyCertificateBackend):
-    """Validate the supplied cert, using the cryptography backend"""
-    def __init__(self, module):
-        super(AssertOnlyCertificateBackendCryptography, self).__init__(module, 'cryptography')
-
-    def _validate_privatekey(self):
-        return cryptography_compare_public_keys(self.existing_certificate.public_key(), self.privatekey.public_key())
-
-    def _validate_csr_signature(self):
-        if not self.csr.is_signature_valid:
-            return False
-        return cryptography_compare_public_keys(self.csr.public_key(), self.existing_certificate.public_key())
-
-    def _validate_csr_subject(self):
-        return self.csr.subject == self.existing_certificate.subject
-
-    def _validate_csr_extensions(self):
-        cert_exts = self.existing_certificate.extensions
-        csr_exts = self.csr.extensions
-        if len(cert_exts) != len(csr_exts):
-            return False
-        for cert_ext in cert_exts:
-            try:
-                csr_ext = csr_exts.get_extension_for_oid(cert_ext.oid)
-                if cert_ext != csr_ext:
-                    return False
-            except cryptography.x509.ExtensionNotFound as dummy:
-                return False
-        return True
-
-    def _validate_signature_algorithms(self):
-        if self.existing_certificate.signature_algorithm_oid._name not in self.signature_algorithms:
-            return self.existing_certificate.signature_algorithm_oid._name
-
-    def _validate_subject(self):
-        expected_subject = Name([NameAttribute(oid=cryptography_name_to_oid(sub[0]), value=to_text(sub[1]))
-                                 for sub in self.subject])
-        cert_subject = self.existing_certificate.subject
-        if not compare_sets(expected_subject, cert_subject, self.subject_strict):
-            return expected_subject, cert_subject
-
-    def _validate_issuer(self):
-        expected_issuer = Name([NameAttribute(oid=cryptography_name_to_oid(iss[0]), value=to_text(iss[1]))
-                                for iss in self.issuer])
-        cert_issuer = self.existing_certificate.issuer
-        if not compare_sets(expected_issuer, cert_issuer, self.issuer_strict):
-            return self.issuer, cert_issuer
-
-    def _validate_has_expired(self):
-        cert_not_after = self.existing_certificate.not_valid_after
-        cert_expired = cert_not_after < datetime.datetime.utcnow()
-        return cert_expired
-
-    def _validate_version(self):
-        if self.existing_certificate.version == x509.Version.v1:
-            return 1
-        if self.existing_certificate.version == x509.Version.v3:
-            return 3
-        return "unknown"
-
-    def _validate_key_usage(self):
-        try:
-            current_key_usage = self.existing_certificate.extensions.get_extension_for_class(x509.KeyUsage).value
-            test_key_usage = dict(
-                digital_signature=current_key_usage.digital_signature,
-                content_commitment=current_key_usage.content_commitment,
-                key_encipherment=current_key_usage.key_encipherment,
-                data_encipherment=current_key_usage.data_encipherment,
-                key_agreement=current_key_usage.key_agreement,
-                key_cert_sign=current_key_usage.key_cert_sign,
-                crl_sign=current_key_usage.crl_sign,
-                encipher_only=False,
-                decipher_only=False
-            )
-            if test_key_usage['key_agreement']:
-                test_key_usage.update(dict(
-                    encipher_only=current_key_usage.encipher_only,
-                    decipher_only=current_key_usage.decipher_only
-                ))
-
-            key_usages = cryptography_parse_key_usage_params(self.key_usage)
-            if not compare_dicts(key_usages, test_key_usage, self.key_usage_strict):
-                return self.key_usage, [k for k, v in test_key_usage.items() if v is True]
-
-        except cryptography.x509.ExtensionNotFound:
-            # This is only bad if the user specified a non-empty list
-            if self.key_usage:
-                return NO_EXTENSION
-
-    def _validate_extended_key_usage(self):
-        try:
-            current_ext_keyusage = self.existing_certificate.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
-            usages = [cryptography_name_to_oid(usage) for usage in self.extended_key_usage]
-            expected_ext_keyusage = x509.ExtendedKeyUsage(usages)
-            if not compare_sets(expected_ext_keyusage, current_ext_keyusage, self.extended_key_usage_strict):
-                return [eku.value for eku in expected_ext_keyusage], [eku.value for eku in current_ext_keyusage]
-
-        except cryptography.x509.ExtensionNotFound:
-            # This is only bad if the user specified a non-empty list
-            if self.extended_key_usage:
-                return NO_EXTENSION
-
-    def _validate_subject_alt_name(self):
-        try:
-            current_san = self.existing_certificate.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
-            expected_san = [cryptography_get_name(san) for san in self.subject_alt_name]
-            if not compare_sets(expected_san, current_san, self.subject_alt_name_strict):
-                return self.subject_alt_name, current_san
-        except cryptography.x509.ExtensionNotFound:
-            # This is only bad if the user specified a non-empty list
-            if self.subject_alt_name:
-                return NO_EXTENSION
-
-    def _validate_not_before(self):
-        return self.existing_certificate.not_valid_before
-
-    def _validate_not_after(self):
-        return self.existing_certificate.not_valid_after
-
-    def _validate_valid_at(self):
-        rt = get_relative_time_option(self.valid_at, 'valid_at', backend=self.backend)
-        return self.existing_certificate.not_valid_before, rt, self.existing_certificate.not_valid_after
-
-    def _validate_invalid_at(self):
-        rt = get_relative_time_option(self.invalid_at, 'invalid_at', backend=self.backend)
-        return self.existing_certificate.not_valid_before, rt, self.existing_certificate.not_valid_after
-
-    def _validate_valid_in(self):
-        valid_in_date = get_relative_time_option(self.valid_in, "valid_in", backend=self.backend)
-        return self.existing_certificate.not_valid_before, valid_in_date, self.existing_certificate.not_valid_after
-
-
-class AssertOnlyCertificateBackendPyOpenSSL(AssertOnlyCertificateBackend):
-    """validate the supplied certificate."""
-
-    def __init__(self, module):
-        super(AssertOnlyCertificateBackendPyOpenSSL, self).__init__(module, 'pyopenssl')
-
-        # Ensure inputs are properly sanitized before comparison.
-        for param in ['signature_algorithms', 'key_usage', 'extended_key_usage',
-                      'subject_alt_name', 'subject', 'issuer', 'not_before',
-                      'not_after', 'valid_at', 'invalid_at']:
-            attr = getattr(self, param)
-            if isinstance(attr, list) and attr:
-                if isinstance(attr[0], str):
-                    setattr(self, param, [to_bytes(item) for item in attr])
-                elif isinstance(attr[0], tuple):
-                    setattr(self, param, [(to_bytes(item[0]), to_bytes(item[1])) for item in attr])
-            elif isinstance(attr, tuple):
-                setattr(self, param, dict((to_bytes(k), to_bytes(v)) for (k, v) in attr.items()))
-            elif isinstance(attr, dict):
-                setattr(self, param, dict((to_bytes(k), to_bytes(v)) for (k, v) in attr.items()))
-            elif isinstance(attr, str):
-                setattr(self, param, to_bytes(attr))
-
-    def _validate_privatekey(self):
-        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
-        ctx.use_privatekey(self.privatekey)
-        ctx.use_certificate(self.existing_certificate)
-        try:
-            ctx.check_privatekey()
-            return True
-        except OpenSSL.SSL.Error:
-            return False
-
-    def _validate_csr_signature(self):
-        try:
-            self.csr.verify(self.existing_certificate.get_pubkey())
-        except OpenSSL.crypto.Error:
-            return False
-
-    def _validate_csr_subject(self):
-        if self.csr.get_subject() != self.existing_certificate.get_subject():
-            return False
-
-    def _validate_csr_extensions(self):
-        csr_extensions = self.csr.get_extensions()
-        cert_extension_count = self.existing_certificate.get_extension_count()
-        if len(csr_extensions) != cert_extension_count:
-            return False
-        for extension_number in range(0, cert_extension_count):
-            cert_extension = self.existing_certificate.get_extension(extension_number)
-            csr_extension = filter(lambda extension: extension.get_short_name() == cert_extension.get_short_name(), csr_extensions)
-            if cert_extension.get_data() != list(csr_extension)[0].get_data():
-                return False
-        return True
-
-    def _validate_signature_algorithms(self):
-        if self.existing_certificate.get_signature_algorithm() not in self.signature_algorithms:
-            return self.existing_certificate.get_signature_algorithm()
-
-    def _validate_subject(self):
-        expected_subject = [(OpenSSL._util.lib.OBJ_txt2nid(sub[0]), sub[1]) for sub in self.subject]
-        cert_subject = self.existing_certificate.get_subject().get_components()
-        current_subject = [(OpenSSL._util.lib.OBJ_txt2nid(sub[0]), sub[1]) for sub in cert_subject]
-        if not compare_sets(expected_subject, current_subject, self.subject_strict):
-            return expected_subject, current_subject
-
-    def _validate_issuer(self):
-        expected_issuer = [(OpenSSL._util.lib.OBJ_txt2nid(iss[0]), iss[1]) for iss in self.issuer]
-        cert_issuer = self.existing_certificate.get_issuer().get_components()
-        current_issuer = [(OpenSSL._util.lib.OBJ_txt2nid(iss[0]), iss[1]) for iss in cert_issuer]
-        if not compare_sets(expected_issuer, current_issuer, self.issuer_strict):
-            return self.issuer, cert_issuer
-
-    def _validate_has_expired(self):
-        # The following 3 lines are the same as the current PyOpenSSL code for cert.has_expired().
-        # Older version of PyOpenSSL have a buggy implementation,
-        # to avoid issues with those we added the code from a more recent release here.
-
-        time_string = to_native(self.existing_certificate.get_notAfter())
-        not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
-        cert_expired = not_after < datetime.datetime.utcnow()
-        return cert_expired
-
-    def _validate_version(self):
-        # Version numbers in certs are off by one:
-        # v1: 0, v2: 1, v3: 2 ...
-        return self.existing_certificate.get_version() + 1
-
-    def _validate_key_usage(self):
-        found = False
-        for extension_idx in range(0, self.existing_certificate.get_extension_count()):
-            extension = self.existing_certificate.get_extension(extension_idx)
-            if extension.get_short_name() == b'keyUsage':
-                found = True
-                expected_extension = crypto.X509Extension(b"keyUsage", False, b', '.join(self.key_usage))
-                key_usage = [usage.strip() for usage in to_text(expected_extension, errors='surrogate_or_strict').split(',')]
-                current_ku = [usage.strip() for usage in to_text(extension, errors='surrogate_or_strict').split(',')]
-                if not compare_sets(key_usage, current_ku, self.key_usage_strict):
-                    return self.key_usage, str(extension).split(', ')
-        if not found:
-            # This is only bad if the user specified a non-empty list
-            if self.key_usage:
-                return NO_EXTENSION
-
-    def _validate_extended_key_usage(self):
-        found = False
-        for extension_idx in range(0, self.existing_certificate.get_extension_count()):
-            extension = self.existing_certificate.get_extension(extension_idx)
-            if extension.get_short_name() == b'extendedKeyUsage':
-                found = True
-                extKeyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.extended_key_usage]
-                current_xku = [OpenSSL._util.lib.OBJ_txt2nid(usage.strip()) for usage in
-                               to_bytes(extension, errors='surrogate_or_strict').split(b',')]
-                if not compare_sets(extKeyUsage, current_xku, self.extended_key_usage_strict):
-                    return self.extended_key_usage, str(extension).split(', ')
-        if not found:
-            # This is only bad if the user specified a non-empty list
-            if self.extended_key_usage:
-                return NO_EXTENSION
-
-    def _validate_subject_alt_name(self):
-        found = False
-        for extension_idx in range(0, self.existing_certificate.get_extension_count()):
-            extension = self.existing_certificate.get_extension(extension_idx)
-            if extension.get_short_name() == b'subjectAltName':
-                found = True
-                l_altnames = [pyopenssl_normalize_name_attribute(altname.strip()) for altname in
-                              to_text(extension, errors='surrogate_or_strict').split(', ')]
-                sans = [pyopenssl_normalize_name_attribute(to_text(san, errors='surrogate_or_strict')) for san in self.subject_alt_name]
-                if not compare_sets(sans, l_altnames, self.subject_alt_name_strict):
-                    return self.subject_alt_name, l_altnames
-        if not found:
-            # This is only bad if the user specified a non-empty list
-            if self.subject_alt_name:
-                return NO_EXTENSION
-
-    def _validate_not_before(self):
-        return self.existing_certificate.get_notBefore()
-
-    def _validate_not_after(self):
-        return self.existing_certificate.get_notAfter()
-
-    def _validate_valid_at(self):
-        rt = get_relative_time_option(self.valid_at, "valid_at", backend=self.backend)
-        rt = to_bytes(rt, errors='surrogate_or_strict')
-        return self.existing_certificate.get_notBefore(), rt, self.existing_certificate.get_notAfter()
-
-    def _validate_invalid_at(self):
-        rt = get_relative_time_option(self.invalid_at, "invalid_at", backend=self.backend)
-        rt = to_bytes(rt, errors='surrogate_or_strict')
-        return self.existing_certificate.get_notBefore(), rt, self.existing_certificate.get_notAfter()
-
-    def _validate_valid_in(self):
-        valid_in_asn1 = get_relative_time_option(self.valid_in, "valid_in", backend=self.backend)
-        valid_in_date = to_bytes(valid_in_asn1, errors='surrogate_or_strict')
-        return self.existing_certificate.get_notBefore(), valid_in_date, self.existing_certificate.get_notAfter()
-
-
-class AssertOnlyCertificateProvider(CertificateProvider):
-    def validate_module_args(self, module):
-        module.deprecate("The 'assertonly' provider is deprecated; please see the examples of "
-                         "the 'x509_certificate' module on how to replace it with other modules",
-                         version='2.0.0', collection_name='community.crypto')
-
-    def needs_version_two_certs(self, module):
-        return False
-
-    def create_backend(self, module, backend):
-        if backend == 'cryptography':
-            return AssertOnlyCertificateBackendCryptography(module)
-        if backend == 'pyopenssl':
-            return AssertOnlyCertificateBackendPyOpenSSL(module)
-
-
-def add_assertonly_provider_to_argument_spec(argument_spec):
-    argument_spec.argument_spec['provider']['choices'].append('assertonly')
-    argument_spec.argument_spec.update(dict(
-        signature_algorithms=dict(type='list', elements='str', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        subject=dict(type='dict', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        subject_strict=dict(type='bool', default=False, removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        issuer=dict(type='dict', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        issuer_strict=dict(type='bool', default=False, removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        has_expired=dict(type='bool', default=False, removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        version=dict(type='int', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        key_usage=dict(type='list', elements='str', aliases=['keyUsage'],
-                       removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        key_usage_strict=dict(type='bool', default=False, aliases=['keyUsage_strict'],
-                              removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        extended_key_usage=dict(type='list', elements='str', aliases=['extendedKeyUsage'],
-                                removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        extended_key_usage_strict=dict(type='bool', default=False, aliases=['extendedKeyUsage_strict'],
-                                       removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        subject_alt_name=dict(type='list', elements='str', aliases=['subjectAltName'],
-                              removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        subject_alt_name_strict=dict(type='bool', default=False, aliases=['subjectAltName_strict'],
-                                     removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        not_before=dict(type='str', aliases=['notBefore'], removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        not_after=dict(type='str', aliases=['notAfter'], removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        valid_at=dict(type='str', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        invalid_at=dict(type='str', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-        valid_in=dict(type='str', removed_in_version='2.0.0', removed_from_collection='community.crypto'),
-    ))

plugins/module_utils/crypto/module_backends/certificate_entrust.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,7 +13,7 @@ import datetime
 import time
 import os
 
-from ansible.module_utils._text import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_bytes
 
 from ansible_collections.community.crypto.plugins.module_utils.ecs.api import ECSClient, RestOperationException, SessionConfigurationException
 
@@ -58,18 +59,7 @@ class EntrustCertificateBackend(CertificateBackend):
         # We want to always force behavior of trying to use the organization provided in the CSR.
         # To that end we need to parse out the organization from the CSR.
         self.csr_org = None
-        if self.backend == 'pyopenssl':
-            csr_subject = self.csr.get_subject()
-            csr_subject_components = csr_subject.get_components()
-            for k, v in csr_subject_components:
-                if k.upper() == 'O':
-                    # Entrust does not support multiple validated organizations in a single certificate
-                    if self.csr_org is not None:
-                        self.module.fail_json(msg=("Entrust provider does not currently support multiple validated organizations. Multiple organizations "
-                                                   "found in Subject DN: '{0}'. ".format(csr_subject)))
-                    else:
-                        self.csr_org = v
-        elif self.backend == 'cryptography':
+        if self.backend == 'cryptography':
             csr_subject_orgs = self.csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
             if len(csr_subject_orgs) == 1:
                 self.csr_org = csr_subject_orgs[0].value
@@ -162,11 +152,7 @@ class EntrustCertificateBackend(CertificateBackend):
         if self.existing_certificate:
             serial_number = None
             expiry = None
-            if self.backend == 'pyopenssl':
-                serial_number = "{0:X}".format(self.existing_certificate.get_serial_number())
-                time_string = to_native(self.existing_certificate.get_notAfter())
-                expiry = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
-            elif self.backend == 'cryptography':
+            if self.backend == 'cryptography':
                 serial_number = "{0:X}".format(cryptography_serial_number_of_cert(self.existing_certificate))
                 expiry = self.existing_certificate.not_valid_after
 

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -0,0 +1,395 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import abc
+import binascii
+import datetime
+import traceback
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_native
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
+    load_certificate,
+    get_fingerprint_of_bytes,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_decode_name,
+    cryptography_get_extensions_from_cert,
+    cryptography_oid_to_name,
+    cryptography_serial_number_of_cert,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
+    get_publickey_info,
+)
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.6'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    from cryptography import x509
+    from cryptography.hazmat.primitives import serialization
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+
+TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ"
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CertificateInfoRetrieval(object):
+    def __init__(self, module, backend, content):
+        # content must be a bytes string
+        self.module = module
+        self.backend = backend
+        self.content = content
+
+    @abc.abstractmethod
+    def _get_der_bytes(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_signature_algorithm(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_subject_ordered(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_issuer_ordered(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_version(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_key_usage(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_extended_key_usage(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_basic_constraints(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_ocsp_must_staple(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_subject_alt_name(self):
+        pass
+
+    @abc.abstractmethod
+    def get_not_before(self):
+        pass
+
+    @abc.abstractmethod
+    def get_not_after(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_public_key_pem(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_public_key_object(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_subject_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_authority_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_serial_number(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_all_extensions(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_ocsp_uri(self):
+        pass
+
+    def get_info(self, prefer_one_fingerprint=False):
+        result = dict()
+        self.cert = load_certificate(None, content=self.content, backend=self.backend)
+
+        result['signature_algorithm'] = self._get_signature_algorithm()
+        subject = self._get_subject_ordered()
+        issuer = self._get_issuer_ordered()
+        result['subject'] = dict()
+        for k, v in subject:
+            result['subject'][k] = v
+        result['subject_ordered'] = subject
+        result['issuer'] = dict()
+        for k, v in issuer:
+            result['issuer'][k] = v
+        result['issuer_ordered'] = issuer
+        result['version'] = self._get_version()
+        result['key_usage'], result['key_usage_critical'] = self._get_key_usage()
+        result['extended_key_usage'], result['extended_key_usage_critical'] = self._get_extended_key_usage()
+        result['basic_constraints'], result['basic_constraints_critical'] = self._get_basic_constraints()
+        result['ocsp_must_staple'], result['ocsp_must_staple_critical'] = self._get_ocsp_must_staple()
+        result['subject_alt_name'], result['subject_alt_name_critical'] = self._get_subject_alt_name()
+
+        not_before = self.get_not_before()
+        not_after = self.get_not_after()
+        result['not_before'] = not_before.strftime(TIMESTAMP_FORMAT)
+        result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT)
+        result['expired'] = not_after < datetime.datetime.utcnow()
+
+        result['public_key'] = self._get_public_key_pem()
+
+        public_key_info = get_publickey_info(
+            self.module,
+            self.backend,
+            key=self._get_public_key_object(),
+            prefer_one_fingerprint=prefer_one_fingerprint)
+        result.update({
+            'public_key_type': public_key_info['type'],
+            'public_key_data': public_key_info['public_data'],
+            'public_key_fingerprints': public_key_info['fingerprints'],
+        })
+
+        result['fingerprints'] = get_fingerprint_of_bytes(
+            self._get_der_bytes(), prefer_one=prefer_one_fingerprint)
+
+        ski = self._get_subject_key_identifier()
+        if ski is not None:
+            ski = to_native(binascii.hexlify(ski))
+            ski = ':'.join([ski[i:i + 2] for i in range(0, len(ski), 2)])
+        result['subject_key_identifier'] = ski
+
+        aki, aci, acsn = self._get_authority_key_identifier()
+        if aki is not None:
+            aki = to_native(binascii.hexlify(aki))
+            aki = ':'.join([aki[i:i + 2] for i in range(0, len(aki), 2)])
+        result['authority_key_identifier'] = aki
+        result['authority_cert_issuer'] = aci
+        result['authority_cert_serial_number'] = acsn
+
+        result['serial_number'] = self._get_serial_number()
+        result['extensions_by_oid'] = self._get_all_extensions()
+        result['ocsp_uri'] = self._get_ocsp_uri()
+
+        return result
+
+
+class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
+    """Validate the supplied cert, using the cryptography backend"""
+    def __init__(self, module, content):
+        super(CertificateInfoRetrievalCryptography, self).__init__(module, 'cryptography', content)
+        self.name_encoding = module.params.get('name_encoding', 'ignore')
+
+    def _get_der_bytes(self):
+        return self.cert.public_bytes(serialization.Encoding.DER)
+
+    def _get_signature_algorithm(self):
+        return cryptography_oid_to_name(self.cert.signature_algorithm_oid)
+
+    def _get_subject_ordered(self):
+        result = []
+        for attribute in self.cert.subject:
+            result.append([cryptography_oid_to_name(attribute.oid), attribute.value])
+        return result
+
+    def _get_issuer_ordered(self):
+        result = []
+        for attribute in self.cert.issuer:
+            result.append([cryptography_oid_to_name(attribute.oid), attribute.value])
+        return result
+
+    def _get_version(self):
+        if self.cert.version == x509.Version.v1:
+            return 1
+        if self.cert.version == x509.Version.v3:
+            return 3
+        return "unknown"
+
+    def _get_key_usage(self):
+        try:
+            current_key_ext = self.cert.extensions.get_extension_for_class(x509.KeyUsage)
+            current_key_usage = current_key_ext.value
+            key_usage = dict(
+                digital_signature=current_key_usage.digital_signature,
+                content_commitment=current_key_usage.content_commitment,
+                key_encipherment=current_key_usage.key_encipherment,
+                data_encipherment=current_key_usage.data_encipherment,
+                key_agreement=current_key_usage.key_agreement,
+                key_cert_sign=current_key_usage.key_cert_sign,
+                crl_sign=current_key_usage.crl_sign,
+                encipher_only=False,
+                decipher_only=False,
+            )
+            if key_usage['key_agreement']:
+                key_usage.update(dict(
+                    encipher_only=current_key_usage.encipher_only,
+                    decipher_only=current_key_usage.decipher_only
+                ))
+
+            key_usage_names = dict(
+                digital_signature='Digital Signature',
+                content_commitment='Non Repudiation',
+                key_encipherment='Key Encipherment',
+                data_encipherment='Data Encipherment',
+                key_agreement='Key Agreement',
+                key_cert_sign='Certificate Sign',
+                crl_sign='CRL Sign',
+                encipher_only='Encipher Only',
+                decipher_only='Decipher Only',
+            )
+            return sorted([
+                key_usage_names[name] for name, value in key_usage.items() if value
+            ]), current_key_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_extended_key_usage(self):
+        try:
+            ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
+            return sorted([
+                cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
+            ]), ext_keyusage_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_basic_constraints(self):
+        try:
+            ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.BasicConstraints)
+            result = []
+            result.append('CA:{0}'.format('TRUE' if ext_keyusage_ext.value.ca else 'FALSE'))
+            if ext_keyusage_ext.value.path_length is not None:
+                result.append('pathlen:{0}'.format(ext_keyusage_ext.value.path_length))
+            return sorted(result), ext_keyusage_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_ocsp_must_staple(self):
+        try:
+            try:
+                # This only works with cryptography >= 2.1
+                tlsfeature_ext = self.cert.extensions.get_extension_for_class(x509.TLSFeature)
+                value = cryptography.x509.TLSFeatureType.status_request in tlsfeature_ext.value
+            except AttributeError:
+                # Fallback for cryptography < 2.1
+                oid = x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.24")
+                tlsfeature_ext = self.cert.extensions.get_extension_for_oid(oid)
+                value = tlsfeature_ext.value.value == b"\x30\x03\x02\x01\x05"
+            return value, tlsfeature_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_subject_alt_name(self):
+        try:
+            san_ext = self.cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
+            result = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in san_ext.value]
+            return result, san_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def get_not_before(self):
+        return self.cert.not_valid_before
+
+    def get_not_after(self):
+        return self.cert.not_valid_after
+
+    def _get_public_key_pem(self):
+        return self.cert.public_key().public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+
+    def _get_public_key_object(self):
+        return self.cert.public_key()
+
+    def _get_subject_key_identifier(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+            return ext.value.digest
+        except cryptography.x509.ExtensionNotFound:
+            return None
+
+    def _get_authority_key_identifier(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+            issuer = None
+            if ext.value.authority_cert_issuer is not None:
+                issuer = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in ext.value.authority_cert_issuer]
+            return ext.value.key_identifier, issuer, ext.value.authority_cert_serial_number
+        except cryptography.x509.ExtensionNotFound:
+            return None, None, None
+
+    def _get_serial_number(self):
+        return cryptography_serial_number_of_cert(self.cert)
+
+    def _get_all_extensions(self):
+        return cryptography_get_extensions_from_cert(self.cert)
+
+    def _get_ocsp_uri(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
+            for desc in ext.value:
+                if desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP:
+                    if isinstance(desc.access_location, x509.UniformResourceIdentifier):
+                        return desc.access_location.value
+        except x509.ExtensionNotFound as dummy:
+            pass
+        return None
+
+
+def get_certificate_info(module, backend, content, prefer_one_fingerprint=False):
+    if backend == 'cryptography':
+        info = CertificateInfoRetrievalCryptography(module, content)
+    return info.get_info(prefer_one_fingerprint=prefer_one_fingerprint)
+
+
+def select_backend(module, backend, content):
+    if backend == 'auto':
+        # Detection what is possible
+        can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
+
+        # Try cryptography
+        if can_use_cryptography:
+            backend = 'cryptography'
+
+        # Success?
+        if backend == 'auto':
+            module.fail_json(msg=("Cannot detect any of the required Python libraries "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
+
+    if backend == 'cryptography':
+        if not CRYPTOGRAPHY_FOUND:
+            module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                             exception=CRYPTOGRAPHY_IMP_ERR)
+        return backend, CertificateInfoRetrievalCryptography(module, content)
+    else:
+        raise ValueError('Unsupported value for backend: {0}'.format(backend))

plugins/module_utils/crypto/module_backends/certificate_ownca.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -10,10 +11,9 @@ __metaclass__ = type
 
 import os
 
-from distutils.version import LooseVersion
 from random import randrange
 
-from ansible.module_utils._text import to_bytes
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     OpenSSLBadPassphraseError,
@@ -27,8 +27,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_compare_public_keys,
     cryptography_key_needs_digest_for_signing,
     cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -38,11 +40,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
     CertificateProvider,
 )
 
-try:
-    from OpenSSL import crypto
-except ImportError:
-    pass
-
 try:
     import cryptography
     from cryptography import x509
@@ -106,6 +103,9 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
         except OpenSSLBadPassphraseError as exc:
             module.fail_json(msg=str(exc))
 
+        if not cryptography_compare_public_keys(self.ca_cert.public_key(), self.ca_private_key.public_key()):
+            raise CertificateError('The CA private key does not belong to the CA certificate')
+
         if cryptography_key_needs_digest_for_signing(self.ca_private_key):
             if self.digest is None:
                 raise CertificateError(
@@ -169,7 +169,17 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
         return self.cert.public_bytes(Encoding.PEM)
 
     def needs_regeneration(self):
-        if super(OwnCACertificateBackendCryptography, self).needs_regeneration():
+        if super(OwnCACertificateBackendCryptography, self).needs_regeneration(not_before=self.notBefore, not_after=self.notAfter):
+            return True
+
+        self._ensure_existing_certificate_loaded()
+
+        # Check whether certificate is signed by CA certificate
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.ca_cert.public_key()):
+            return True
+
+        # Check subject
+        if self.ca_cert.subject != self.existing_certificate.issuer:
             return True
 
         # Check AuthorityKeyIdentifier
@@ -184,7 +194,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
             except cryptography.x509.ExtensionNotFound:
                 expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())
 
-            self._ensure_existing_certificate_loaded()
             try:
                 ext = self.existing_certificate.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
                 if ext.value != expected_ext:
@@ -227,100 +236,6 @@ def generate_serial_number():
             return result
 
 
-class OwnCACertificateBackendPyOpenSSL(CertificateBackend):
-    def __init__(self, module):
-        super(OwnCACertificateBackendPyOpenSSL, self).__init__(module, 'pyopenssl')
-
-        self.notBefore = get_relative_time_option(self.module.params['ownca_not_before'], 'ownca_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(self.module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend)
-        self.digest = self.module.params['ownca_digest']
-        self.version = self.module.params['ownca_version']
-        self.serial_number = generate_serial_number()
-        if self.module.params['ownca_create_subject_key_identifier'] != 'create_if_not_provided':
-            self.module.fail_json(msg='ownca_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
-        if self.module.params['ownca_create_authority_key_identifier']:
-            self.module.warn('ownca_create_authority_key_identifier is ignored by the pyOpenSSL backend!')
-        self.ca_cert_path = self.module.params['ownca_path']
-        self.ca_cert_content = self.module.params['ownca_content']
-        if self.ca_cert_content is not None:
-            self.ca_cert_content = self.ca_cert_content.encode('utf-8')
-        self.ca_privatekey_path = self.module.params['ownca_privatekey_path']
-        self.ca_privatekey_content = self.module.params['ownca_privatekey_content']
-        if self.ca_privatekey_content is not None:
-            self.ca_privatekey_content = self.ca_privatekey_content.encode('utf-8')
-        self.ca_privatekey_passphrase = self.module.params['ownca_privatekey_passphrase']
-
-        if self.csr_content is None and not os.path.exists(self.csr_path):
-            raise CertificateError(
-                'The certificate signing request file {0} does not exist'.format(self.csr_path)
-            )
-        if self.ca_cert_content is None and not os.path.exists(self.ca_cert_path):
-            raise CertificateError(
-                'The CA certificate file {0} does not exist'.format(self.ca_cert_path)
-            )
-        if self.ca_privatekey_content is None and not os.path.exists(self.ca_privatekey_path):
-            raise CertificateError(
-                'The CA private key file {0} does not exist'.format(self.ca_privatekey_path)
-            )
-
-        self._ensure_csr_loaded()
-        self.ca_cert = load_certificate(
-            path=self.ca_cert_path,
-            content=self.ca_cert_content,
-        )
-        try:
-            self.ca_privatekey = load_privatekey(
-                path=self.ca_privatekey_path,
-                content=self.ca_privatekey_content,
-                passphrase=self.ca_privatekey_passphrase
-            )
-        except OpenSSLBadPassphraseError as exc:
-            self.module.fail_json(msg=str(exc))
-
-    def generate_certificate(self):
-        """(Re-)Generate certificate."""
-        cert = crypto.X509()
-        cert.set_serial_number(self.serial_number)
-        cert.set_notBefore(to_bytes(self.notBefore))
-        cert.set_notAfter(to_bytes(self.notAfter))
-        cert.set_subject(self.csr.get_subject())
-        cert.set_issuer(self.ca_cert.get_subject())
-        cert.set_version(self.version - 1)
-        cert.set_pubkey(self.csr.get_pubkey())
-        cert.add_extensions(self.csr.get_extensions())
-
-        cert.sign(self.ca_privatekey, self.digest)
-        self.cert = cert
-
-    def get_certificate_data(self):
-        """Return bytes for self.cert."""
-        return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)
-
-    def dump(self, include_certificate):
-        result = super(OwnCACertificateBackendPyOpenSSL, self).dump(include_certificate)
-        result.update({
-            'ca_cert': self.ca_cert_path,
-            'ca_privatekey': self.ca_privatekey_path,
-        })
-
-        if self.module.check_mode:
-            result.update({
-                'notBefore': self.notBefore,
-                'notAfter': self.notAfter,
-                'serial_number': self.serial_number,
-            })
-        else:
-            if self.cert is None:
-                self.cert = self.existing_certificate
-            result.update({
-                'notBefore': self.cert.get_notBefore(),
-                'notAfter': self.cert.get_notAfter(),
-                'serial_number': self.cert.get_serial_number(),
-            })
-
-        return result
-
-
 class OwnCACertificateProvider(CertificateProvider):
     def validate_module_args(self, module):
         if module.params['ownca_path'] is None and module.params['ownca_content'] is None:
@@ -334,8 +249,6 @@ class OwnCACertificateProvider(CertificateProvider):
     def create_backend(self, module, backend):
         if backend == 'cryptography':
             return OwnCACertificateBackendCryptography(module)
-        if backend == 'pyopenssl':
-            return OwnCACertificateBackendPyOpenSSL(module)
 
 
 def add_ownca_provider_to_argument_spec(argument_spec):

plugins/module_utils/crypto/module_backends/certificate_selfsigned.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,8 +13,6 @@ import os
 
 from random import randrange
 
-from ansible.module_utils._text import to_bytes
-
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     get_relative_time_option,
     select_message_digest,
@@ -22,6 +21,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
     cryptography_key_needs_digest_for_signing,
     cryptography_serial_number_of_cert,
+    cryptography_verify_certificate_signature,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
@@ -30,11 +30,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
     CertificateProvider,
 )
 
-try:
-    from OpenSSL import crypto
-except ImportError:
-    pass
-
 try:
     import cryptography
     from cryptography import x509
@@ -134,6 +129,18 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
         """Return bytes for self.cert."""
         return self.cert.public_bytes(Encoding.PEM)
 
+    def needs_regeneration(self):
+        if super(SelfSignedCertificateBackendCryptography, self).needs_regeneration(not_before=self.notBefore, not_after=self.notAfter):
+            return True
+
+        self._ensure_existing_certificate_loaded()
+
+        # Check whether certificate is signed by private key
+        if not cryptography_verify_certificate_signature(self.existing_certificate, self.privatekey.public_key()):
+            return True
+
+        return False
+
     def dump(self, include_certificate):
         result = super(SelfSignedCertificateBackendCryptography, self).dump(include_certificate)
 
@@ -163,76 +170,6 @@ def generate_serial_number():
             return result
 
 
-class SelfSignedCertificateBackendPyOpenSSL(CertificateBackend):
-    def __init__(self, module):
-        super(SelfSignedCertificateBackendPyOpenSSL, self).__init__(module, 'pyopenssl')
-
-        if module.params['selfsigned_create_subject_key_identifier'] != 'create_if_not_provided':
-            module.fail_json(msg='selfsigned_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
-        self.notBefore = get_relative_time_option(module.params['selfsigned_not_before'], 'selfsigned_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend)
-        self.digest = module.params['selfsigned_digest']
-        self.version = module.params['selfsigned_version']
-        self.serial_number = generate_serial_number()
-
-        if self.csr_path is not None and not os.path.exists(self.csr_path):
-            raise CertificateError(
-                'The certificate signing request file {0} does not exist'.format(self.csr_path)
-            )
-        if self.privatekey_content is None and not os.path.exists(self.privatekey_path):
-            raise CertificateError(
-                'The private key file {0} does not exist'.format(self.privatekey_path)
-            )
-
-        self._ensure_private_key_loaded()
-
-        self._ensure_csr_loaded()
-        if self.csr is None:
-            # Create empty CSR on the fly
-            self.csr = crypto.X509Req()
-            self.csr.set_pubkey(self.privatekey)
-            self.csr.sign(self.privatekey, self.digest)
-
-    def generate_certificate(self):
-        """(Re-)Generate certificate."""
-        cert = crypto.X509()
-        cert.set_serial_number(self.serial_number)
-        cert.set_notBefore(to_bytes(self.notBefore))
-        cert.set_notAfter(to_bytes(self.notAfter))
-        cert.set_subject(self.csr.get_subject())
-        cert.set_issuer(self.csr.get_subject())
-        cert.set_version(self.version - 1)
-        cert.set_pubkey(self.csr.get_pubkey())
-        cert.add_extensions(self.csr.get_extensions())
-
-        cert.sign(self.privatekey, self.digest)
-        self.cert = cert
-
-    def get_certificate_data(self):
-        """Return bytes for self.cert."""
-        return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)
-
-    def dump(self, include_certificate):
-        result = super(SelfSignedCertificateBackendPyOpenSSL, self).dump(include_certificate)
-
-        if self.module.check_mode:
-            result.update({
-                'notBefore': self.notBefore,
-                'notAfter': self.notAfter,
-                'serial_number': self.serial_number,
-            })
-        else:
-            if self.cert is None:
-                self.cert = self.existing_certificate
-            result.update({
-                'notBefore': self.cert.get_notBefore(),
-                'notAfter': self.cert.get_notAfter(),
-                'serial_number': self.cert.get_serial_number(),
-            })
-
-        return result
-
-
 class SelfSignedCertificateProvider(CertificateProvider):
     def validate_module_args(self, module):
         if module.params['privatekey_path'] is None and module.params['privatekey_content'] is None:
@@ -244,8 +181,6 @@ class SelfSignedCertificateProvider(CertificateProvider):
     def create_backend(self, module, backend):
         if backend == 'cryptography':
             return SelfSignedCertificateBackendCryptography(module)
-        if backend == 'pyopenssl':
-            return SelfSignedCertificateBackendPyOpenSSL(module)
 
 
 def add_selfsigned_provider_to_argument_spec(argument_spec):

plugins/module_utils/crypto/module_backends/common.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/crypto/module_backends/crl_info.py

@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import traceback
+
+from ansible.module_utils.basic import missing_required_lib
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_oid_to_name,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_crl import (
+    TIMESTAMP_FORMAT,
+    cryptography_decode_revoked_certificate,
+    cryptography_dump_revoked,
+    cryptography_get_signature_algorithm_oid_from_crl,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
+    identify_pem_format,
+)
+
+# crypto_utils
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.2'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    from cryptography import x509
+    from cryptography.hazmat.backends import default_backend
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+
+class CRLInfoRetrieval(object):
+    def __init__(self, module, content, list_revoked_certificates=True):
+        # content must be a bytes string
+        self.module = module
+        self.content = content
+        self.list_revoked_certificates = list_revoked_certificates
+        self.name_encoding = module.params.get('name_encoding', 'ignore')
+
+    def get_info(self):
+        self.crl_pem = identify_pem_format(self.content)
+        try:
+            if self.crl_pem:
+                self.crl = x509.load_pem_x509_crl(self.content, default_backend())
+            else:
+                self.crl = x509.load_der_x509_crl(self.content, default_backend())
+        except ValueError as e:
+            self.module.fail_json(msg='Error while decoding CRL: {0}'.format(e))
+
+        result = {
+            'changed': False,
+            'format': 'pem' if self.crl_pem else 'der',
+            'last_update': None,
+            'next_update': None,
+            'digest': None,
+            'issuer_ordered': None,
+            'issuer': None,
+        }
+
+        result['last_update'] = self.crl.last_update.strftime(TIMESTAMP_FORMAT)
+        result['next_update'] = self.crl.next_update.strftime(TIMESTAMP_FORMAT)
+        result['digest'] = cryptography_oid_to_name(cryptography_get_signature_algorithm_oid_from_crl(self.crl))
+        issuer = []
+        for attribute in self.crl.issuer:
+            issuer.append([cryptography_oid_to_name(attribute.oid), attribute.value])
+        result['issuer_ordered'] = issuer
+        result['issuer'] = {}
+        for k, v in issuer:
+            result['issuer'][k] = v
+        if self.list_revoked_certificates:
+            result['revoked_certificates'] = []
+            for cert in self.crl:
+                entry = cryptography_decode_revoked_certificate(cert)
+                result['revoked_certificates'].append(cryptography_dump_revoked(entry, idn_rewrite=self.name_encoding))
+
+        return result
+
+
+def get_crl_info(module, content, list_revoked_certificates=True):
+    if not CRYPTOGRAPHY_FOUND:
+        module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                         exception=CRYPTOGRAPHY_IMP_ERR)
+
+    info = CRLInfoRetrieval(module, content, list_revoked_certificates=list_revoked_certificates)
+    return info.get_info()

plugins/module_utils/crypto/module_backends/csr.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,11 +13,11 @@ import abc
 import binascii
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils._text import to_bytes, to_text
+from ansible.module_utils.common.text.converters import to_native, to_text
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     OpenSSLObjectError,
@@ -27,6 +28,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     load_privatekey,
     load_certificate_request,
     parse_name_field,
+    parse_ordered_name_field,
     select_message_digest,
 )
 
@@ -43,36 +45,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     REVOCATION_REASON_MAP,
 )
 
-from ansible_collections.community.crypto.plugins.module_utils.crypto.pyopenssl_support import (
-    pyopenssl_normalize_name_attribute,
-    pyopenssl_parse_name_constraints,
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.csr_info import (
+    get_csr_info,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
 
 
-MINIMAL_PYOPENSSL_VERSION = '0.15'
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.3'
 
-PYOPENSSL_IMP_ERR = None
-try:
-    import OpenSSL
-    from OpenSSL import crypto
-    PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
-    PYOPENSSL_IMP_ERR = traceback.format_exc()
-    PYOPENSSL_FOUND = False
-else:
-    PYOPENSSL_FOUND = True
-    if OpenSSL.SSL.OPENSSL_VERSION_NUMBER >= 0x10100000:
-        # OpenSSL 1.1.0 or newer
-        OPENSSL_MUST_STAPLE_NAME = b"tlsfeature"
-        OPENSSL_MUST_STAPLE_VALUE = b"status_request"
-    else:
-        # OpenSSL 1.0.x or older
-        OPENSSL_MUST_STAPLE_NAME = b"1.3.6.1.5.5.7.1.24"
-        OPENSSL_MUST_STAPLE_VALUE = b"DER:30:03:02:01:05"
-
 CRYPTOGRAPHY_IMP_ERR = None
 try:
     import cryptography
@@ -140,6 +121,7 @@ class CertificateSigningRequestBackend(object):
         if self.create_subject_key_identifier and self.subject_key_identifier is not None:
             module.fail_json(msg='subject_key_identifier cannot be specified if create_subject_key_identifier is true')
 
+        self.ordered_subject = False
         self.subject = [
             ('C', module.params['country_name']),
             ('ST', module.params['state_or_province_name']),
@@ -149,11 +131,19 @@ class CertificateSigningRequestBackend(object):
             ('CN', module.params['common_name']),
             ('emailAddress', module.params['email_address']),
         ]
-
-        if module.params['subject']:
-            self.subject = self.subject + parse_name_field(module.params['subject'])
         self.subject = [(entry[0], entry[1]) for entry in self.subject if entry[1]]
 
+        try:
+            if module.params['subject']:
+                self.subject = self.subject + parse_name_field(module.params['subject'], 'subject')
+            if module.params['subject_ordered']:
+                if self.subject:
+                    raise CertificateSigningRequestError('subject_ordered cannot be combined with any other subject field')
+                self.subject = parse_ordered_name_field(module.params['subject_ordered'], 'subject_ordered')
+                self.ordered_subject = True
+        except ValueError as exc:
+            raise CertificateSigningRequestError(to_native(exc))
+
         self.using_common_name_for_san = False
         if not self.subjectAltName and module.params['use_common_name_for_san']:
             for sub in self.subject:
@@ -177,6 +167,20 @@ class CertificateSigningRequestBackend(object):
         self.existing_csr = None
         self.existing_csr_bytes = None
 
+        self.diff_before = self._get_info(None)
+        self.diff_after = self._get_info(None)
+
+    def _get_info(self, data):
+        if data is None:
+            return dict()
+        try:
+            result = get_csr_info(
+                self.module, self.backend, data, validate_signature=False, prefer_one_fingerprint=True)
+            result['can_parse_csr'] = True
+            return result
+        except Exception as exc:
+            return dict(can_parse_csr=False)
+
     @abc.abstractmethod
     def generate_csr(self):
         """(Re-)Generate CSR."""
@@ -190,6 +194,7 @@ class CertificateSigningRequestBackend(object):
     def set_existing(self, csr_bytes):
         """Set existing CSR bytes. None indicates that the CSR does not exist."""
         self.existing_csr_bytes = csr_bytes
+        self.diff_after = self.diff_before = self._get_info(self.existing_csr_bytes)
 
     def has_existing(self):
         """Query whether an existing CSR is/has been there."""
@@ -238,184 +243,22 @@ class CertificateSigningRequestBackend(object):
             'name_constraints_permitted': self.name_constraints_permitted,
             'name_constraints_excluded': self.name_constraints_excluded,
         }
+        # Get hold of CSR bytes
+        csr_bytes = self.existing_csr_bytes
+        if self.csr is not None:
+            csr_bytes = self.get_csr_data()
+        self.diff_after = self._get_info(csr_bytes)
         if include_csr:
-            # Get hold of CSR bytes
-            csr_bytes = self.existing_csr_bytes
-            if self.csr is not None:
-                csr_bytes = self.get_csr_data()
             # Store result
             result['csr'] = csr_bytes.decode('utf-8') if csr_bytes else None
+
+        result['diff'] = dict(
+            before=self.diff_before,
+            after=self.diff_after,
+        )
         return result
 
 
-# Implementation with using pyOpenSSL
-class CertificateSigningRequestPyOpenSSLBackend(CertificateSigningRequestBackend):
-    def __init__(self, module):
-        for o in ('create_subject_key_identifier', ):
-            if module.params[o]:
-                module.fail_json(msg='You cannot use {0} with the pyOpenSSL backend!'.format(o))
-        for o in ('subject_key_identifier', 'authority_key_identifier', 'authority_cert_issuer', 'authority_cert_serial_number', 'crl_distribution_points'):
-            if module.params[o] is not None:
-                module.fail_json(msg='You cannot use {0} with the pyOpenSSL backend!'.format(o))
-        super(CertificateSigningRequestPyOpenSSLBackend, self).__init__(module, 'pyopenssl')
-
-    def generate_csr(self):
-        """(Re-)Generate CSR."""
-        self._ensure_private_key_loaded()
-
-        req = crypto.X509Req()
-        req.set_version(self.version - 1)
-        subject = req.get_subject()
-        for entry in self.subject:
-            if entry[1] is not None:
-                # Workaround for https://github.com/pyca/pyopenssl/issues/165
-                nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
-                if nid == 0:
-                    raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0]))
-                res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
-                if res == 0:
-                    raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1]))
-
-        extensions = []
-        if self.subjectAltName:
-            altnames = ', '.join(self.subjectAltName)
-            try:
-                extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
-            except OpenSSL.crypto.Error as e:
-                raise CertificateSigningRequestError(
-                    'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
-                        ', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
-                    )
-                )
-
-        if self.keyUsage:
-            usages = ', '.join(self.keyUsage)
-            extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii')))
-
-        if self.extendedKeyUsage:
-            usages = ', '.join(self.extendedKeyUsage)
-            extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
-
-        if self.basicConstraints:
-            usages = ', '.join(self.basicConstraints)
-            extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
-
-        if self.name_constraints_permitted or self.name_constraints_excluded:
-            usages = ', '.join(
-                ['permitted;{0}'.format(name) for name in self.name_constraints_permitted] +
-                ['excluded;{0}'.format(name) for name in self.name_constraints_excluded]
-            )
-            extensions.append(crypto.X509Extension(b"nameConstraints", self.name_constraints_critical, usages.encode('ascii')))
-
-        if self.ocspMustStaple:
-            extensions.append(crypto.X509Extension(OPENSSL_MUST_STAPLE_NAME, self.ocspMustStaple_critical, OPENSSL_MUST_STAPLE_VALUE))
-
-        if extensions:
-            req.add_extensions(extensions)
-
-        req.set_pubkey(self.privatekey)
-        req.sign(self.privatekey, self.digest)
-        self.csr = req
-
-    def get_csr_data(self):
-        """Return bytes for self.csr."""
-        return crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.csr)
-
-    def _check_csr(self):
-        def _check_subject(csr):
-            subject = [(OpenSSL._util.lib.OBJ_txt2nid(to_bytes(sub[0])), to_bytes(sub[1])) for sub in self.subject]
-            current_subject = [(OpenSSL._util.lib.OBJ_txt2nid(to_bytes(sub[0])), to_bytes(sub[1])) for sub in csr.get_subject().get_components()]
-            if not set(subject) == set(current_subject):
-                return False
-
-            return True
-
-        def _check_subjectAltName(extensions):
-            altnames_ext = next((ext for ext in extensions if ext.get_short_name() == b'subjectAltName'), '')
-            altnames = [pyopenssl_normalize_name_attribute(altname.strip()) for altname in
-                        to_text(altnames_ext, errors='surrogate_or_strict').split(',') if altname.strip()]
-            if self.subjectAltName:
-                if (set(altnames) != set([pyopenssl_normalize_name_attribute(to_text(name)) for name in self.subjectAltName]) or
-                        altnames_ext.get_critical() != self.subjectAltName_critical):
-                    return False
-            else:
-                if altnames:
-                    return False
-
-            return True
-
-        def _check_keyUsage_(extensions, extName, expected, critical):
-            usages_ext = [ext for ext in extensions if ext.get_short_name() == extName]
-            if (not usages_ext and expected) or (usages_ext and not expected):
-                return False
-            elif not usages_ext and not expected:
-                return True
-            else:
-                current = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage.strip())) for usage in str(usages_ext[0]).split(',')]
-                expected = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage)) for usage in expected]
-                return set(current) == set(expected) and usages_ext[0].get_critical() == critical
-
-        def _check_keyUsage(extensions):
-            usages_ext = [ext for ext in extensions if ext.get_short_name() == b'keyUsage']
-            if (not usages_ext and self.keyUsage) or (usages_ext and not self.keyUsage):
-                return False
-            elif not usages_ext and not self.keyUsage:
-                return True
-            else:
-                # OpenSSL._util.lib.OBJ_txt2nid() always returns 0 for all keyUsage values
-                # (since keyUsage has a fixed bitfield for these values and is not extensible).
-                # Therefore, we create an extension for the wanted values, and compare the
-                # data of the extensions (which is the serialized bitfield).
-                expected_ext = crypto.X509Extension(b"keyUsage", False, ', '.join(self.keyUsage).encode('ascii'))
-                return usages_ext[0].get_data() == expected_ext.get_data() and usages_ext[0].get_critical() == self.keyUsage_critical
-
-        def _check_extenededKeyUsage(extensions):
-            return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
-
-        def _check_basicConstraints(extensions):
-            return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
-
-        def _check_nameConstraints(extensions):
-            nc_ext = next((ext for ext in extensions if ext.get_short_name() == b'nameConstraints'), '')
-            permitted, excluded = pyopenssl_parse_name_constraints(nc_ext)
-            if self.name_constraints_permitted or self.name_constraints_excluded:
-                if set(permitted) != set([pyopenssl_normalize_name_attribute(to_text(name)) for name in self.name_constraints_permitted]):
-                    return False
-                if set(excluded) != set([pyopenssl_normalize_name_attribute(to_text(name)) for name in self.name_constraints_excluded]):
-                    return False
-                if nc_ext.get_critical() != self.name_constraints_critical:
-                    return False
-            else:
-                if permitted or excluded:
-                    return False
-
-            return True
-
-        def _check_ocspMustStaple(extensions):
-            oms_ext = [ext for ext in extensions if to_bytes(ext.get_short_name()) == OPENSSL_MUST_STAPLE_NAME and to_bytes(ext) == OPENSSL_MUST_STAPLE_VALUE]
-            if OpenSSL.SSL.OPENSSL_VERSION_NUMBER < 0x10100000:
-                # Older versions of libssl don't know about OCSP Must Staple
-                oms_ext.extend([ext for ext in extensions if ext.get_short_name() == b'UNDEF' and ext.get_data() == b'\x30\x03\x02\x01\x05'])
-            if self.ocspMustStaple:
-                return len(oms_ext) > 0 and oms_ext[0].get_critical() == self.ocspMustStaple_critical
-            else:
-                return len(oms_ext) == 0
-
-        def _check_extensions(csr):
-            extensions = csr.get_extensions()
-            return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and
-                    _check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions) and
-                    _check_ocspMustStaple(extensions) and _check_nameConstraints(extensions))
-
-        def _check_signature(csr):
-            try:
-                return csr.verify(self.privatekey)
-            except crypto.Error:
-                return False
-
-        return _check_subject(self.existing_csr) and _check_extensions(self.existing_csr) and _check_signature(self.existing_csr)
-
-
 def parse_crl_distribution_points(module, crl_distribution_points):
     result = []
     for index, parse_crl_distribution_point in enumerate(crl_distribution_points):
@@ -503,8 +346,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
         if self.name_constraints_permitted or self.name_constraints_excluded:
             try:
                 csr = csr.add_extension(cryptography.x509.NameConstraints(
-                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted],
-                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded],
+                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted] or None,
+                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded] or None,
                 ), critical=self.name_constraints_critical)
             except TypeError as e:
                 raise OpenSSLObjectError('Error while parsing name constraint: {0}'.format(e))
@@ -567,9 +410,12 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
     def _check_csr(self):
         """Check whether provided parameters, assuming self.existing_csr and self.privatekey have been populated."""
         def _check_subject(csr):
-            subject = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject]
+            subject = [(cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject]
             current_subject = [(sub.oid, sub.value) for sub in csr.subject]
-            return set(subject) == set(current_subject)
+            if self.ordered_subject:
+                return subject == current_subject
+            else:
+                return set(subject) == set(current_subject)
 
         def _find_extension(extensions, exttype):
             return next(
@@ -579,8 +425,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
         def _check_subjectAltName(extensions):
             current_altnames_ext = _find_extension(extensions, cryptography.x509.SubjectAlternativeName)
-            current_altnames = [str(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
-            altnames = [str(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
+            current_altnames = [to_text(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
+            altnames = [to_text(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
             if set(altnames) != set(current_altnames):
                 return False
             if altnames:
@@ -653,10 +499,10 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
         def _check_nameConstraints(extensions):
             current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
-            current_nc_perm = [str(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
-            current_nc_excl = [str(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
-            nc_perm = [str(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
-            nc_excl = [str(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
+            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees or []] if current_nc_ext else []
+            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees or []] if current_nc_ext else []
+            nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
+            nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
             if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):
                 return False
             if nc_perm or nc_excl:
@@ -685,9 +531,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
                 aci = None
                 csr_aci = None
                 if self.authority_cert_issuer is not None:
-                    aci = [str(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer]
+                    aci = [to_text(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer]
                 if ext.value.authority_cert_issuer is not None:
-                    csr_aci = [str(n) for n in ext.value.authority_cert_issuer]
+                    csr_aci = [to_text(n) for n in ext.value.authority_cert_issuer]
                 return (ext.value.key_identifier == self.authority_key_identifier
                         and csr_aci == aci
                         and ext.value.authority_cert_serial_number == self.authority_cert_serial_number)
@@ -729,42 +575,20 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
 
 def select_backend(module, backend):
-    if module.params['version'] != 1:
-        module.deprecate('The version option will only support allowed values from community.crypto 2.0.0 on. '
-                         'Currently, only the value 1 is allowed by RFC 2986',
-                         version='2.0.0', collection_name='community.crypto')
-
     if backend == 'auto':
         # Detection what is possible
         can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
 
-        # First try cryptography, then pyOpenSSL
+        # Try cryptography
         if can_use_cryptography:
             backend = 'cryptography'
-        elif can_use_pyopenssl:
-            backend = 'pyopenssl'
 
         # Success?
         if backend == 'auto':
-            module.fail_json(msg=("Can't detect any of the required Python libraries "
-                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
-                                      MINIMAL_CRYPTOGRAPHY_VERSION,
-                                      MINIMAL_PYOPENSSL_VERSION))
+            module.fail_json(msg=("Cannot detect any of the required Python libraries "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
 
-    if backend == 'pyopenssl':
-        if not PYOPENSSL_FOUND:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
-                             exception=PYOPENSSL_IMP_ERR)
-        try:
-            getattr(crypto.X509Req, 'get_extensions')
-        except AttributeError:
-            module.fail_json(msg='You need to have PyOpenSSL>=0.15 to generate CSRs')
-
-        module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
-                         version='2.0.0', collection_name='community.crypto')
-        return backend, CertificateSigningRequestPyOpenSSLBackend(module)
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         if not CRYPTOGRAPHY_FOUND:
             module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
                              exception=CRYPTOGRAPHY_IMP_ERR)
@@ -780,8 +604,9 @@ def get_csr_argument_spec():
             privatekey_path=dict(type='path'),
             privatekey_content=dict(type='str', no_log=True),
             privatekey_passphrase=dict(type='str', no_log=True),
-            version=dict(type='int', default=1),
+            version=dict(type='int', default=1, choices=[1]),
             subject=dict(type='dict'),
+            subject_ordered=dict(type='list', elements='dict'),
             country_name=dict(type='str', aliases=['C', 'countryName']),
             state_or_province_name=dict(type='str', aliases=['ST', 'stateOrProvinceName']),
             locality_name=dict(type='str', aliases=['L', 'localityName']),
@@ -828,13 +653,14 @@ def get_csr_argument_spec():
                 ),
                 mutually_exclusive=[('full_name', 'relative_name')]
             ),
-            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
+            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography']),
         ),
         required_together=[
             ['authority_cert_issuer', 'authority_cert_serial_number'],
         ],
         mutually_exclusive=[
             ['privatekey_path', 'privatekey_content'],
+            ['subject', 'subject_ordered'],
         ],
         required_one_of=[
             ['privatekey_path', 'privatekey_content'],

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -0,0 +1,334 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import abc
+import binascii
+import traceback
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_native
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
+    load_certificate_request,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_decode_name,
+    cryptography_get_extensions_from_csr,
+    cryptography_oid_to_name,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
+    get_publickey_info,
+)
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.3'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    from cryptography import x509
+    from cryptography.hazmat.primitives import serialization
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+
+TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ"
+
+
+@six.add_metaclass(abc.ABCMeta)
+class CSRInfoRetrieval(object):
+    def __init__(self, module, backend, content, validate_signature):
+        # content must be a bytes string
+        self.module = module
+        self.backend = backend
+        self.content = content
+        self.validate_signature = validate_signature
+
+    @abc.abstractmethod
+    def _get_subject_ordered(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_key_usage(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_extended_key_usage(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_basic_constraints(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_ocsp_must_staple(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_subject_alt_name(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_name_constraints(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_public_key_pem(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_public_key_object(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_subject_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_authority_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_all_extensions(self):
+        pass
+
+    @abc.abstractmethod
+    def _is_signature_valid(self):
+        pass
+
+    def get_info(self, prefer_one_fingerprint=False):
+        result = dict()
+        self.csr = load_certificate_request(None, content=self.content, backend=self.backend)
+
+        subject = self._get_subject_ordered()
+        result['subject'] = dict()
+        for k, v in subject:
+            result['subject'][k] = v
+        result['subject_ordered'] = subject
+        result['key_usage'], result['key_usage_critical'] = self._get_key_usage()
+        result['extended_key_usage'], result['extended_key_usage_critical'] = self._get_extended_key_usage()
+        result['basic_constraints'], result['basic_constraints_critical'] = self._get_basic_constraints()
+        result['ocsp_must_staple'], result['ocsp_must_staple_critical'] = self._get_ocsp_must_staple()
+        result['subject_alt_name'], result['subject_alt_name_critical'] = self._get_subject_alt_name()
+        (
+            result['name_constraints_permitted'],
+            result['name_constraints_excluded'],
+            result['name_constraints_critical'],
+        ) = self._get_name_constraints()
+
+        result['public_key'] = self._get_public_key_pem()
+
+        public_key_info = get_publickey_info(
+            self.module,
+            self.backend,
+            key=self._get_public_key_object(),
+            prefer_one_fingerprint=prefer_one_fingerprint)
+        result.update({
+            'public_key_type': public_key_info['type'],
+            'public_key_data': public_key_info['public_data'],
+            'public_key_fingerprints': public_key_info['fingerprints'],
+        })
+
+        ski = self._get_subject_key_identifier()
+        if ski is not None:
+            ski = to_native(binascii.hexlify(ski))
+            ski = ':'.join([ski[i:i + 2] for i in range(0, len(ski), 2)])
+        result['subject_key_identifier'] = ski
+
+        aki, aci, acsn = self._get_authority_key_identifier()
+        if aki is not None:
+            aki = to_native(binascii.hexlify(aki))
+            aki = ':'.join([aki[i:i + 2] for i in range(0, len(aki), 2)])
+        result['authority_key_identifier'] = aki
+        result['authority_cert_issuer'] = aci
+        result['authority_cert_serial_number'] = acsn
+
+        result['extensions_by_oid'] = self._get_all_extensions()
+
+        result['signature_valid'] = self._is_signature_valid()
+        if self.validate_signature and not result['signature_valid']:
+            self.module.fail_json(
+                msg='CSR signature is invalid!',
+                **result
+            )
+        return result
+
+
+class CSRInfoRetrievalCryptography(CSRInfoRetrieval):
+    """Validate the supplied CSR, using the cryptography backend"""
+    def __init__(self, module, content, validate_signature):
+        super(CSRInfoRetrievalCryptography, self).__init__(module, 'cryptography', content, validate_signature)
+        self.name_encoding = module.params.get('name_encoding', 'ignore')
+
+    def _get_subject_ordered(self):
+        result = []
+        for attribute in self.csr.subject:
+            result.append([cryptography_oid_to_name(attribute.oid), attribute.value])
+        return result
+
+    def _get_key_usage(self):
+        try:
+            current_key_ext = self.csr.extensions.get_extension_for_class(x509.KeyUsage)
+            current_key_usage = current_key_ext.value
+            key_usage = dict(
+                digital_signature=current_key_usage.digital_signature,
+                content_commitment=current_key_usage.content_commitment,
+                key_encipherment=current_key_usage.key_encipherment,
+                data_encipherment=current_key_usage.data_encipherment,
+                key_agreement=current_key_usage.key_agreement,
+                key_cert_sign=current_key_usage.key_cert_sign,
+                crl_sign=current_key_usage.crl_sign,
+                encipher_only=False,
+                decipher_only=False,
+            )
+            if key_usage['key_agreement']:
+                key_usage.update(dict(
+                    encipher_only=current_key_usage.encipher_only,
+                    decipher_only=current_key_usage.decipher_only
+                ))
+
+            key_usage_names = dict(
+                digital_signature='Digital Signature',
+                content_commitment='Non Repudiation',
+                key_encipherment='Key Encipherment',
+                data_encipherment='Data Encipherment',
+                key_agreement='Key Agreement',
+                key_cert_sign='Certificate Sign',
+                crl_sign='CRL Sign',
+                encipher_only='Encipher Only',
+                decipher_only='Decipher Only',
+            )
+            return sorted([
+                key_usage_names[name] for name, value in key_usage.items() if value
+            ]), current_key_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_extended_key_usage(self):
+        try:
+            ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
+            return sorted([
+                cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
+            ]), ext_keyusage_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_basic_constraints(self):
+        try:
+            ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.BasicConstraints)
+            result = ['CA:{0}'.format('TRUE' if ext_keyusage_ext.value.ca else 'FALSE')]
+            if ext_keyusage_ext.value.path_length is not None:
+                result.append('pathlen:{0}'.format(ext_keyusage_ext.value.path_length))
+            return sorted(result), ext_keyusage_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_ocsp_must_staple(self):
+        try:
+            try:
+                # This only works with cryptography >= 2.1
+                tlsfeature_ext = self.csr.extensions.get_extension_for_class(x509.TLSFeature)
+                value = cryptography.x509.TLSFeatureType.status_request in tlsfeature_ext.value
+            except AttributeError:
+                # Fallback for cryptography < 2.1
+                oid = x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.24")
+                tlsfeature_ext = self.csr.extensions.get_extension_for_oid(oid)
+                value = tlsfeature_ext.value.value == b"\x30\x03\x02\x01\x05"
+            return value, tlsfeature_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_subject_alt_name(self):
+        try:
+            san_ext = self.csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
+            result = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in san_ext.value]
+            return result, san_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, False
+
+    def _get_name_constraints(self):
+        try:
+            nc_ext = self.csr.extensions.get_extension_for_class(x509.NameConstraints)
+            permitted = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in nc_ext.value.permitted_subtrees or []]
+            excluded = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in nc_ext.value.excluded_subtrees or []]
+            return permitted, excluded, nc_ext.critical
+        except cryptography.x509.ExtensionNotFound:
+            return None, None, False
+
+    def _get_public_key_pem(self):
+        return self.csr.public_key().public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+
+    def _get_public_key_object(self):
+        return self.csr.public_key()
+
+    def _get_subject_key_identifier(self):
+        try:
+            ext = self.csr.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+            return ext.value.digest
+        except cryptography.x509.ExtensionNotFound:
+            return None
+
+    def _get_authority_key_identifier(self):
+        try:
+            ext = self.csr.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+            issuer = None
+            if ext.value.authority_cert_issuer is not None:
+                issuer = [cryptography_decode_name(san, idn_rewrite=self.name_encoding) for san in ext.value.authority_cert_issuer]
+            return ext.value.key_identifier, issuer, ext.value.authority_cert_serial_number
+        except cryptography.x509.ExtensionNotFound:
+            return None, None, None
+
+    def _get_all_extensions(self):
+        return cryptography_get_extensions_from_csr(self.csr)
+
+    def _is_signature_valid(self):
+        return self.csr.is_signature_valid
+
+
+def get_csr_info(module, backend, content, validate_signature=True, prefer_one_fingerprint=False):
+    if backend == 'cryptography':
+        info = CSRInfoRetrievalCryptography(module, content, validate_signature=validate_signature)
+    return info.get_info(prefer_one_fingerprint=prefer_one_fingerprint)
+
+
+def select_backend(module, backend, content, validate_signature=True):
+    if backend == 'auto':
+        # Detection what is possible
+        can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
+
+        # Try cryptography
+        if can_use_cryptography:
+            backend = 'cryptography'
+
+        # Success?
+        if backend == 'auto':
+            module.fail_json(msg=("Cannot detect the required Python library "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
+
+    if backend == 'cryptography':
+        if not CRYPTOGRAPHY_FOUND:
+            module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                             exception=CRYPTOGRAPHY_IMP_ERR)
+        return backend, CSRInfoRetrievalCryptography(module, content, validate_signature=validate_signature)
+    else:
+        raise ValueError('Unsupported value for backend: {0}'.format(backend))

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -12,11 +13,11 @@ import abc
 import base64
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils._text import to_bytes
+from ansible.module_utils.common.text.converters import to_bytes
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     CRYPTOGRAPHY_HAS_X25519,
@@ -25,11 +26,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo
     CRYPTOGRAPHY_HAS_ED25519,
     CRYPTOGRAPHY_HAS_ED448,
     OpenSSLObjectError,
-    OpenSSLBadPassphraseError,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
-    load_privatekey,
     get_fingerprint_of_privatekey,
 )
 
@@ -37,23 +36,17 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
     identify_private_key_format,
 )
 
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.privatekey_info import (
+    PrivateKeyConsistencyError,
+    PrivateKeyParseError,
+    get_privatekey_info,
+)
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
 
 
-MINIMAL_PYOPENSSL_VERSION = '0.6'
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
 
-PYOPENSSL_IMP_ERR = None
-try:
-    import OpenSSL
-    from OpenSSL import crypto
-    PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
-    PYOPENSSL_IMP_ERR = traceback.format_exc()
-    PYOPENSSL_FOUND = False
-else:
-    PYOPENSSL_FOUND = True
-
 CRYPTOGRAPHY_IMP_ERR = None
 try:
     import cryptography
@@ -102,6 +95,25 @@ class PrivateKeyBackend:
         self.existing_private_key = None
         self.existing_private_key_bytes = None
 
+        self.diff_before = self._get_info(None)
+        self.diff_after = self._get_info(None)
+
+    def _get_info(self, data):
+        if data is None:
+            return dict()
+        result = dict(can_parse_key=False)
+        try:
+            result.update(get_privatekey_info(
+                self.module, self.backend, data, passphrase=self.passphrase,
+                return_private_key_data=False, prefer_one_fingerprint=True))
+        except PrivateKeyConsistencyError as exc:
+            result.update(exc.result)
+        except PrivateKeyParseError as exc:
+            result.update(exc.result)
+        except Exception as exc:
+            pass
+        return result
+
     @abc.abstractmethod
     def generate_private_key(self):
         """(Re-)Generate private key."""
@@ -125,6 +137,7 @@ class PrivateKeyBackend:
     def set_existing(self, privatekey_bytes):
         """Set existing private key bytes. None indicates that the key does not exist."""
         self.existing_private_key_bytes = privatekey_bytes
+        self.diff_after = self.diff_before = self._get_info(self.existing_private_key_bytes)
 
     def has_existing(self):
         """Query whether an existing private key is/has been there."""
@@ -162,7 +175,7 @@ class PrivateKeyBackend:
                 return True
             self.module.fail_json(msg='Unable to read the key. The key is protected with a another passphrase / no passphrase or broken.'
                                   ' Will not proceed. To force regeneration, call the module with `generate`'
-                                  ' set to `full_idempotence` or `always`, or with `force=yes`.')
+                                  ' set to `full_idempotence` or `always`, or with `force=true`.')
         self._ensure_existing_private_key_loaded()
         if self.regenerate != 'never':
             if not self._check_size_and_type():
@@ -170,7 +183,7 @@ class PrivateKeyBackend:
                     return True
                 self.module.fail_json(msg='Key has wrong type and/or size.'
                                       ' Will not proceed. To force regeneration, call the module with `generate`'
-                                      ' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=yes`.')
+                                      ' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`.')
         # During generation step, regenerate if format does not match and format_mismatch == 'regenerate'
         if self.format_mismatch == 'regenerate' and self.regenerate != 'never':
             if not self._check_format():
@@ -178,7 +191,7 @@ class PrivateKeyBackend:
                     return True
                 self.module.fail_json(msg='Key has wrong format.'
                                       ' Will not proceed. To force regeneration, call the module with `generate`'
-                                      ' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=yes`.'
+                                      ' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`.'
                                       ' To convert the key, set `format_mismatch` to `convert`.')
         return False
 
@@ -215,11 +228,12 @@ class PrivateKeyBackend:
         }
         if self.type == 'ECC':
             result['curve'] = self.curve
+        # Get hold of private key bytes
+        pk_bytes = self.existing_private_key_bytes
+        if self.private_key is not None:
+            pk_bytes = self.get_private_key_data()
+        self.diff_after = self._get_info(pk_bytes)
         if include_key:
-            # Get hold of private key bytes
-            pk_bytes = self.existing_private_key_bytes
-            if self.private_key is not None:
-                pk_bytes = self.get_private_key_data()
             # Store result
             if pk_bytes:
                 if identify_private_key_format(pk_bytes) == 'raw':
@@ -229,64 +243,13 @@ class PrivateKeyBackend:
             else:
                 result['privatekey'] = None
 
+        result['diff'] = dict(
+            before=self.diff_before,
+            after=self.diff_after,
+        )
         return result
 
 
-# Implementation with using pyOpenSSL
-class PrivateKeyPyOpenSSLBackend(PrivateKeyBackend):
-
-    def __init__(self, module):
-        super(PrivateKeyPyOpenSSLBackend, self).__init__(module=module, backend='pyopenssl')
-
-        if self.type == 'RSA':
-            self.openssl_type = crypto.TYPE_RSA
-        elif self.type == 'DSA':
-            self.openssl_type = crypto.TYPE_DSA
-        else:
-            self.module.fail_json(msg="PyOpenSSL backend only supports RSA and DSA keys.")
-
-        if self.format != 'auto_ignore':
-            self.module.fail_json(msg="PyOpenSSL backend only supports auto_ignore format.")
-
-    def generate_private_key(self):
-        """(Re-)Generate private key."""
-        self.private_key = crypto.PKey()
-        try:
-            self.private_key.generate_key(self.openssl_type, self.size)
-        except (TypeError, ValueError) as exc:
-            raise PrivateKeyError(exc)
-
-    def _ensure_existing_private_key_loaded(self):
-        if self.existing_private_key is None and self.has_existing():
-            try:
-                self.existing_private_key = load_privatekey(
-                    None, self.passphrase, content=self.existing_private_key_bytes, backend=self.backend)
-            except OpenSSLBadPassphraseError as exc:
-                raise PrivateKeyError(exc)
-
-    def get_private_key_data(self):
-        """Return bytes for self.private_key"""
-        if self.cipher and self.passphrase:
-            return crypto.dump_privatekey(crypto.FILETYPE_PEM, self.private_key,
-                                          self.cipher, to_bytes(self.passphrase))
-        else:
-            return crypto.dump_privatekey(crypto.FILETYPE_PEM, self.private_key)
-
-    def _check_passphrase(self):
-        try:
-            load_privatekey(None, self.passphrase, content=self.existing_private_key_bytes, backend=self.backend)
-            return True
-        except Exception as dummy:
-            return False
-
-    def _check_size_and_type(self):
-        return self.size == self.existing_private_key.bits() and self.openssl_type == self.existing_private_key.type()
-
-    def _check_format(self):
-        # Not supported by this backend
-        return True
-
-
 # Implementation with using cryptography
 class PrivateKeyCryptographyBackend(PrivateKeyBackend):
 
@@ -519,36 +482,16 @@ def select_backend(module, backend):
     if backend == 'auto':
         # Detection what is possible
         can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
 
         # Decision
-        if module.params['cipher'] and module.params['passphrase'] and module.params['cipher'] != 'auto':
-            # First try pyOpenSSL, then cryptography
-            if can_use_pyopenssl:
-                backend = 'pyopenssl'
-            elif can_use_cryptography:
-                backend = 'cryptography'
-        else:
-            # First try cryptography, then pyOpenSSL
-            if can_use_cryptography:
-                backend = 'cryptography'
-            elif can_use_pyopenssl:
-                backend = 'pyopenssl'
+        if can_use_cryptography:
+            backend = 'cryptography'
 
         # Success?
         if backend == 'auto':
-            module.fail_json(msg=("Can't detect any of the required Python libraries "
-                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
-                                      MINIMAL_CRYPTOGRAPHY_VERSION,
-                                      MINIMAL_PYOPENSSL_VERSION))
-    if backend == 'pyopenssl':
-        if not PYOPENSSL_FOUND:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
-                             exception=PYOPENSSL_IMP_ERR)
-        module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
-                         version='2.0.0', collection_name='community.crypto')
-        return backend, PrivateKeyPyOpenSSLBackend(module)
-    elif backend == 'cryptography':
+            module.fail_json(msg=("Cannot detect the required Python library "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
+    if backend == 'cryptography':
         if not CRYPTOGRAPHY_FOUND:
             module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
                              exception=CRYPTOGRAPHY_IMP_ERR)
@@ -574,7 +517,7 @@ def get_privatekey_argument_spec():
             cipher=dict(type='str'),
             format=dict(type='str', default='auto_ignore', choices=['pkcs1', 'pkcs8', 'raw', 'auto', 'auto_ignore']),
             format_mismatch=dict(type='str', default='regenerate', choices=['regenerate', 'convert']),
-            select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
+            select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
             regenerate=dict(
                 type='str',
                 default='full_idempotence',

plugins/module_utils/crypto/module_backends/privatekey_convert.py

@@ -0,0 +1,236 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import abc
+import traceback
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_bytes
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.io import (
+    load_file,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
+    CRYPTOGRAPHY_HAS_X25519,
+    CRYPTOGRAPHY_HAS_X448,
+    CRYPTOGRAPHY_HAS_ED25519,
+    CRYPTOGRAPHY_HAS_ED448,
+    OpenSSLObjectError,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    cryptography_compare_private_keys,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
+    identify_private_key_format,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
+
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    import cryptography.exceptions
+    import cryptography.hazmat.backends
+    import cryptography.hazmat.primitives.serialization
+    import cryptography.hazmat.primitives.asymmetric.rsa
+    import cryptography.hazmat.primitives.asymmetric.dsa
+    import cryptography.hazmat.primitives.asymmetric.ec
+    import cryptography.hazmat.primitives.asymmetric.utils
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+
+class PrivateKeyError(OpenSSLObjectError):
+    pass
+
+
+# From the object called `module`, only the following properties are used:
+#
+#  - module.params[]
+#  - module.warn(msg: str)
+#  - module.fail_json(msg: str, **kwargs)
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PrivateKeyConvertBackend:
+    def __init__(self, module, backend):
+        self.module = module
+        self.src_path = module.params['src_path']
+        self.src_content = module.params['src_content']
+        self.src_passphrase = module.params['src_passphrase']
+        self.format = module.params['format']
+        self.dest_passphrase = module.params['dest_passphrase']
+        self.backend = backend
+
+        self.src_private_key = None
+        if self.src_path is not None:
+            self.src_private_key_bytes = load_file(self.src_path, module)
+        else:
+            self.src_private_key_bytes = self.src_content.encode('utf-8')
+
+        self.dest_private_key = None
+        self.dest_private_key_bytes = None
+
+    @abc.abstractmethod
+    def get_private_key_data(self):
+        """Return bytes for self.src_private_key in output format."""
+        pass
+
+    def set_existing_destination(self, privatekey_bytes):
+        """Set existing private key bytes. None indicates that the key does not exist."""
+        self.dest_private_key_bytes = privatekey_bytes
+
+    def has_existing_destination(self):
+        """Query whether an existing private key is/has been there."""
+        return self.dest_private_key_bytes is not None
+
+    @abc.abstractmethod
+    def _load_private_key(self, data, passphrase, current_hint=None):
+        """Check whether data cna be loaded as a private key with the provided passphrase. Return tuple (type, private_key)."""
+        pass
+
+    def needs_conversion(self):
+        """Check whether a conversion is necessary. Must only be called if needs_regeneration() returned False."""
+        dummy, self.src_private_key = self._load_private_key(self.src_private_key_bytes, self.src_passphrase)
+
+        if not self.has_existing_destination():
+            return True
+
+        try:
+            format, self.dest_private_key = self._load_private_key(self.dest_private_key_bytes, self.dest_passphrase, current_hint=self.src_private_key)
+        except Exception:
+            return True
+
+        return format != self.format or not cryptography_compare_private_keys(self.dest_private_key, self.src_private_key)
+
+    def dump(self):
+        """Serialize the object into a dictionary."""
+        return {}
+
+
+# Implementation with using cryptography
+class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
+    def __init__(self, module):
+        super(PrivateKeyConvertCryptographyBackend, self).__init__(module=module, backend='cryptography')
+
+        self.cryptography_backend = cryptography.hazmat.backends.default_backend()
+
+    def get_private_key_data(self):
+        """Return bytes for self.src_private_key in output format"""
+        # Select export format and encoding
+        try:
+            export_encoding = cryptography.hazmat.primitives.serialization.Encoding.PEM
+            if self.format == 'pkcs1':
+                # "TraditionalOpenSSL" format is PKCS1
+                export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.TraditionalOpenSSL
+            elif self.format == 'pkcs8':
+                export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8
+            elif self.format == 'raw':
+                export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.Raw
+                export_encoding = cryptography.hazmat.primitives.serialization.Encoding.Raw
+        except AttributeError:
+            self.module.fail_json(msg='Cryptography backend does not support the selected output format "{0}"'.format(self.format))
+
+        # Select key encryption
+        encryption_algorithm = cryptography.hazmat.primitives.serialization.NoEncryption()
+        if self.dest_passphrase:
+            encryption_algorithm = cryptography.hazmat.primitives.serialization.BestAvailableEncryption(to_bytes(self.dest_passphrase))
+
+        # Serialize key
+        try:
+            return self.src_private_key.private_bytes(
+                encoding=export_encoding,
+                format=export_format,
+                encryption_algorithm=encryption_algorithm
+            )
+        except ValueError as dummy:
+            self.module.fail_json(
+                msg='Cryptography backend cannot serialize the private key in the required format "{0}"'.format(self.format)
+            )
+        except Exception as dummy:
+            self.module.fail_json(
+                msg='Error while serializing the private key in the required format "{0}"'.format(self.format),
+                exception=traceback.format_exc()
+            )
+
+    def _load_private_key(self, data, passphrase, current_hint=None):
+        try:
+            # Interpret bytes depending on format.
+            format = identify_private_key_format(data)
+            if format == 'raw':
+                if passphrase is not None:
+                    raise PrivateKeyError('Cannot load raw key with passphrase')
+                if len(data) == 56 and CRYPTOGRAPHY_HAS_X448:
+                    return format, cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.from_private_bytes(data)
+                if len(data) == 57 and CRYPTOGRAPHY_HAS_ED448:
+                    return format, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey.from_private_bytes(data)
+                if len(data) == 32:
+                    if CRYPTOGRAPHY_HAS_X25519 and not CRYPTOGRAPHY_HAS_ED25519:
+                        return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
+                    if CRYPTOGRAPHY_HAS_ED25519 and not CRYPTOGRAPHY_HAS_X25519:
+                        return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
+                    if CRYPTOGRAPHY_HAS_X25519 and CRYPTOGRAPHY_HAS_ED25519:
+                        if isinstance(current_hint, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey):
+                            try:
+                                return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
+                            except Exception:
+                                return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
+                        else:
+                            try:
+                                return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
+                            except Exception:
+                                return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
+                raise PrivateKeyError('Cannot load raw key')
+            else:
+                return format, cryptography.hazmat.primitives.serialization.load_pem_private_key(
+                    data,
+                    None if passphrase is None else to_bytes(passphrase),
+                    backend=self.cryptography_backend
+                )
+        except Exception as e:
+            raise PrivateKeyError(e)
+
+
+def select_backend(module):
+    if not CRYPTOGRAPHY_FOUND:
+        module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                         exception=CRYPTOGRAPHY_IMP_ERR)
+    return PrivateKeyConvertCryptographyBackend(module)
+
+
+def get_privatekey_argument_spec():
+    return ArgumentSpec(
+        argument_spec=dict(
+            src_path=dict(type='path'),
+            src_content=dict(type='str'),
+            src_passphrase=dict(type='str', no_log=True),
+            dest_passphrase=dict(type='str', no_log=True),
+            format=dict(type='str', required=True, choices=['pkcs1', 'pkcs8', 'raw']),
+        ),
+        mutually_exclusive=[
+            ['src_path', 'src_content'],
+        ],
+        required_one_of=[
+            ['src_path', 'src_content'],
+        ],
+    )

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -0,0 +1,287 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
+# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import abc
+import traceback
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_native, to_bytes
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
+    CRYPTOGRAPHY_HAS_ED25519,
+    CRYPTOGRAPHY_HAS_ED448,
+    OpenSSLObjectError,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
+    load_privatekey,
+    get_fingerprint_of_bytes,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.math import (
+    binary_exp_mod,
+    quick_is_not_prime,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
+    _get_cryptography_public_key_info,
+)
+
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    from cryptography.hazmat.primitives import serialization
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+SIGNATURE_TEST_DATA = b'1234'
+
+
+def _get_cryptography_private_key_info(key, need_private_key_data=False):
+    key_type, key_public_data = _get_cryptography_public_key_info(key.public_key())
+    key_private_data = dict()
+    if need_private_key_data:
+        if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
+            private_numbers = key.private_numbers()
+            key_private_data['p'] = private_numbers.p
+            key_private_data['q'] = private_numbers.q
+            key_private_data['exponent'] = private_numbers.d
+        elif isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey):
+            private_numbers = key.private_numbers()
+            key_private_data['x'] = private_numbers.x
+        elif isinstance(key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey):
+            private_numbers = key.private_numbers()
+            key_private_data['multiplier'] = private_numbers.private_value
+    return key_type, key_public_data, key_private_data
+
+
+def _check_dsa_consistency(key_public_data, key_private_data):
+    # Get parameters
+    p = key_public_data.get('p')
+    q = key_public_data.get('q')
+    g = key_public_data.get('g')
+    y = key_public_data.get('y')
+    x = key_private_data.get('x')
+    for v in (p, q, g, y, x):
+        if v is None:
+            return None
+    # Make sure that g is not 0, 1 or -1 in Z/pZ
+    if g < 2 or g >= p - 1:
+        return False
+    # Make sure that x is in range
+    if x < 1 or x >= q:
+        return False
+    # Check whether q divides p-1
+    if (p - 1) % q != 0:
+        return False
+    # Check that g**q mod p == 1
+    if binary_exp_mod(g, q, p) != 1:
+        return False
+    # Check whether g**x mod p == y
+    if binary_exp_mod(g, x, p) != y:
+        return False
+    # Check (quickly) whether p or q are not primes
+    if quick_is_not_prime(q) or quick_is_not_prime(p):
+        return False
+    return True
+
+
+def _is_cryptography_key_consistent(key, key_public_data, key_private_data):
+    if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
+        return bool(key._backend._lib.RSA_check_key(key._rsa_cdata))
+    if isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey):
+        result = _check_dsa_consistency(key_public_data, key_private_data)
+        if result is not None:
+            return result
+        try:
+            signature = key.sign(SIGNATURE_TEST_DATA, cryptography.hazmat.primitives.hashes.SHA256())
+        except AttributeError:
+            # sign() was added in cryptography 1.5, but we support older versions
+            return None
+        try:
+            key.public_key().verify(
+                signature,
+                SIGNATURE_TEST_DATA,
+                cryptography.hazmat.primitives.hashes.SHA256()
+            )
+            return True
+        except cryptography.exceptions.InvalidSignature:
+            return False
+    if isinstance(key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey):
+        try:
+            signature = key.sign(
+                SIGNATURE_TEST_DATA,
+                cryptography.hazmat.primitives.asymmetric.ec.ECDSA(cryptography.hazmat.primitives.hashes.SHA256())
+            )
+        except AttributeError:
+            # sign() was added in cryptography 1.5, but we support older versions
+            return None
+        try:
+            key.public_key().verify(
+                signature,
+                SIGNATURE_TEST_DATA,
+                cryptography.hazmat.primitives.asymmetric.ec.ECDSA(cryptography.hazmat.primitives.hashes.SHA256())
+            )
+            return True
+        except cryptography.exceptions.InvalidSignature:
+            return False
+    has_simple_sign_function = False
+    if CRYPTOGRAPHY_HAS_ED25519 and isinstance(key, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey):
+        has_simple_sign_function = True
+    if CRYPTOGRAPHY_HAS_ED448 and isinstance(key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey):
+        has_simple_sign_function = True
+    if has_simple_sign_function:
+        signature = key.sign(SIGNATURE_TEST_DATA)
+        try:
+            key.public_key().verify(signature, SIGNATURE_TEST_DATA)
+            return True
+        except cryptography.exceptions.InvalidSignature:
+            return False
+    # For X25519 and X448, there's no test yet.
+    return None
+
+
+class PrivateKeyConsistencyError(OpenSSLObjectError):
+    def __init__(self, msg, result):
+        super(PrivateKeyConsistencyError, self).__init__(msg)
+        self.error_message = msg
+        self.result = result
+
+
+class PrivateKeyParseError(OpenSSLObjectError):
+    def __init__(self, msg, result):
+        super(PrivateKeyParseError, self).__init__(msg)
+        self.error_message = msg
+        self.result = result
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PrivateKeyInfoRetrieval(object):
+    def __init__(self, module, backend, content, passphrase=None, return_private_key_data=False, check_consistency=False):
+        # content must be a bytes string
+        self.module = module
+        self.backend = backend
+        self.content = content
+        self.passphrase = passphrase
+        self.return_private_key_data = return_private_key_data
+        self.check_consistency = check_consistency
+
+    @abc.abstractmethod
+    def _get_public_key(self, binary):
+        pass
+
+    @abc.abstractmethod
+    def _get_key_info(self, need_private_key_data=False):
+        pass
+
+    @abc.abstractmethod
+    def _is_key_consistent(self, key_public_data, key_private_data):
+        pass
+
+    def get_info(self, prefer_one_fingerprint=False):
+        result = dict(
+            can_parse_key=False,
+            key_is_consistent=None,
+        )
+        priv_key_detail = self.content
+        try:
+            self.key = load_privatekey(
+                path=None,
+                content=priv_key_detail,
+                passphrase=to_bytes(self.passphrase) if self.passphrase is not None else self.passphrase,
+                backend=self.backend
+            )
+            result['can_parse_key'] = True
+        except OpenSSLObjectError as exc:
+            raise PrivateKeyParseError(to_native(exc), result)
+
+        result['public_key'] = self._get_public_key(binary=False)
+        pk = self._get_public_key(binary=True)
+        result['public_key_fingerprints'] = get_fingerprint_of_bytes(
+            pk, prefer_one=prefer_one_fingerprint) if pk is not None else dict()
+
+        key_type, key_public_data, key_private_data = self._get_key_info(
+            need_private_key_data=self.return_private_key_data or self.check_consistency)
+        result['type'] = key_type
+        result['public_data'] = key_public_data
+        if self.return_private_key_data:
+            result['private_data'] = key_private_data
+
+        if self.check_consistency:
+            result['key_is_consistent'] = self._is_key_consistent(key_public_data, key_private_data)
+            if result['key_is_consistent'] is False:
+                # Only fail when it is False, to avoid to fail on None (which means "we do not know")
+                msg = (
+                    "Private key is not consistent! (See "
+                    "https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html)"
+                )
+                raise PrivateKeyConsistencyError(msg, result)
+        return result
+
+
+class PrivateKeyInfoRetrievalCryptography(PrivateKeyInfoRetrieval):
+    """Validate the supplied private key, using the cryptography backend"""
+    def __init__(self, module, content, **kwargs):
+        super(PrivateKeyInfoRetrievalCryptography, self).__init__(module, 'cryptography', content, **kwargs)
+
+    def _get_public_key(self, binary):
+        return self.key.public_key().public_bytes(
+            serialization.Encoding.DER if binary else serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+    def _get_key_info(self, need_private_key_data=False):
+        return _get_cryptography_private_key_info(self.key, need_private_key_data=need_private_key_data)
+
+    def _is_key_consistent(self, key_public_data, key_private_data):
+        return _is_cryptography_key_consistent(self.key, key_public_data, key_private_data)
+
+
+def get_privatekey_info(module, backend, content, passphrase=None, return_private_key_data=False, prefer_one_fingerprint=False):
+    if backend == 'cryptography':
+        info = PrivateKeyInfoRetrievalCryptography(
+            module, content, passphrase=passphrase, return_private_key_data=return_private_key_data)
+    return info.get_info(prefer_one_fingerprint=prefer_one_fingerprint)
+
+
+def select_backend(module, backend, content, passphrase=None, return_private_key_data=False, check_consistency=False):
+    if backend == 'auto':
+        # Detection what is possible
+        can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
+
+        # Try cryptography
+        if can_use_cryptography:
+            backend = 'cryptography'
+
+        # Success?
+        if backend == 'auto':
+            module.fail_json(msg=("Cannot detect the required Python library "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
+
+    if backend == 'cryptography':
+        if not CRYPTOGRAPHY_FOUND:
+            module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                             exception=CRYPTOGRAPHY_IMP_ERR)
+        return backend, PrivateKeyInfoRetrievalCryptography(
+            module, content, passphrase=passphrase, return_private_key_data=return_private_key_data, check_consistency=check_consistency)
+    else:
+        raise ValueError('Unsupported value for backend: {0}'.format(backend))

plugins/module_utils/crypto/module_backends/publickey_info.py

@@ -0,0 +1,168 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2020-2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import abc
+import traceback
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_native
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
+    CRYPTOGRAPHY_HAS_X25519,
+    CRYPTOGRAPHY_HAS_X448,
+    CRYPTOGRAPHY_HAS_ED25519,
+    CRYPTOGRAPHY_HAS_ED448,
+    OpenSSLObjectError,
+)
+
+from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
+    get_fingerprint_of_bytes,
+    load_publickey,
+)
+
+
+MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
+
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    import cryptography
+    from cryptography.hazmat.primitives import serialization
+    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    CRYPTOGRAPHY_FOUND = False
+else:
+    CRYPTOGRAPHY_FOUND = True
+
+
+def _get_cryptography_public_key_info(key):
+    key_public_data = dict()
+    if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey):
+        key_type = 'RSA'
+        public_numbers = key.public_numbers()
+        key_public_data['size'] = key.key_size
+        key_public_data['modulus'] = public_numbers.n
+        key_public_data['exponent'] = public_numbers.e
+    elif isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey):
+        key_type = 'DSA'
+        parameter_numbers = key.parameters().parameter_numbers()
+        public_numbers = key.public_numbers()
+        key_public_data['size'] = key.key_size
+        key_public_data['p'] = parameter_numbers.p
+        key_public_data['q'] = parameter_numbers.q
+        key_public_data['g'] = parameter_numbers.g
+        key_public_data['y'] = public_numbers.y
+    elif CRYPTOGRAPHY_HAS_X25519 and isinstance(key, cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey):
+        key_type = 'X25519'
+    elif CRYPTOGRAPHY_HAS_X448 and isinstance(key, cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey):
+        key_type = 'X448'
+    elif CRYPTOGRAPHY_HAS_ED25519 and isinstance(key, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey):
+        key_type = 'Ed25519'
+    elif CRYPTOGRAPHY_HAS_ED448 and isinstance(key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey):
+        key_type = 'Ed448'
+    elif isinstance(key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey):
+        key_type = 'ECC'
+        public_numbers = key.public_numbers()
+        key_public_data['curve'] = key.curve.name
+        key_public_data['x'] = public_numbers.x
+        key_public_data['y'] = public_numbers.y
+        key_public_data['exponent_size'] = key.curve.key_size
+    else:
+        key_type = 'unknown ({0})'.format(type(key))
+    return key_type, key_public_data
+
+
+class PublicKeyParseError(OpenSSLObjectError):
+    def __init__(self, msg, result):
+        super(PublicKeyParseError, self).__init__(msg)
+        self.error_message = msg
+        self.result = result
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PublicKeyInfoRetrieval(object):
+    def __init__(self, module, backend, content=None, key=None):
+        # content must be a bytes string
+        self.module = module
+        self.backend = backend
+        self.content = content
+        self.key = key
+
+    @abc.abstractmethod
+    def _get_public_key(self, binary):
+        pass
+
+    @abc.abstractmethod
+    def _get_key_info(self):
+        pass
+
+    def get_info(self, prefer_one_fingerprint=False):
+        result = dict()
+        if self.key is None:
+            try:
+                self.key = load_publickey(content=self.content, backend=self.backend)
+            except OpenSSLObjectError as e:
+                raise PublicKeyParseError(to_native(e))
+
+        pk = self._get_public_key(binary=True)
+        result['fingerprints'] = get_fingerprint_of_bytes(
+            pk, prefer_one=prefer_one_fingerprint) if pk is not None else dict()
+
+        key_type, key_public_data = self._get_key_info()
+        result['type'] = key_type
+        result['public_data'] = key_public_data
+        return result
+
+
+class PublicKeyInfoRetrievalCryptography(PublicKeyInfoRetrieval):
+    """Validate the supplied public key, using the cryptography backend"""
+    def __init__(self, module, content=None, key=None):
+        super(PublicKeyInfoRetrievalCryptography, self).__init__(module, 'cryptography', content=content, key=key)
+
+    def _get_public_key(self, binary):
+        return self.key.public_bytes(
+            serialization.Encoding.DER if binary else serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+    def _get_key_info(self):
+        return _get_cryptography_public_key_info(self.key)
+
+
+def get_publickey_info(module, backend, content=None, key=None, prefer_one_fingerprint=False):
+    if backend == 'cryptography':
+        info = PublicKeyInfoRetrievalCryptography(module, content=content, key=key)
+    return info.get_info(prefer_one_fingerprint=prefer_one_fingerprint)
+
+
+def select_backend(module, backend, content=None, key=None):
+    if backend == 'auto':
+        # Detection what is possible
+        can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
+
+        # Try cryptography
+        if can_use_cryptography:
+            backend = 'cryptography'
+
+        # Success?
+        if backend == 'auto':
+            module.fail_json(msg=("Cannot detect any of the required Python libraries "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
+
+    if backend == 'cryptography':
+        if not CRYPTOGRAPHY_FOUND:
+            module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                             exception=CRYPTOGRAPHY_IMP_ERR)
+        return backend, PublicKeyInfoRetrievalCryptography(module, content=content, key=key)
+    else:
+        raise ValueError('Unsupported value for backend: {0}'.format(backend))

plugins/module_utils/crypto/openssh.py

@@ -1,36 +1,13 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
-
-import re
-
-
-def parse_openssh_version(version_string):
-    """Parse the version output of ssh -V and return version numbers that can be compared"""
-
-    parsed_result = re.match(
-        r"^.*openssh_(?P<version>[0-9.]+)(p?[0-9]+)[^0-9]*.*$", version_string.lower()
-    )
-    if parsed_result is not None:
-        version = parsed_result.group("version").strip()
-    else:
-        version = None
-
-    return version
+# This import is only to maintain backwards compatibility
+from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
+    parse_openssh_version
+)

plugins/module_utils/crypto/pem.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -72,3 +61,13 @@ def split_pem_list(text, keep_inbetween=False):
                     result.append(''.join(current))
                     current = [] if keep_inbetween else None
     return result
+
+
+def extract_first_pem(text):
+    '''
+    Given one PEM or multiple concatenated PEM objects, return only the first one, or None if there is none.
+    '''
+    all_pems = split_pem_list(text)
+    if not all_pems:
+        return None
+    return all_pems[0]

plugins/module_utils/crypto/pyopenssl_support.py

@@ -1,154 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# (c) 2019, Felix Fontein <felix@fontein.de>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-import base64
-
-from ansible.module_utils._text import to_bytes, to_text
-
-from ansible_collections.community.crypto.plugins.module_utils.compat import ipaddress as compat_ipaddress
-
-try:
-    import OpenSSL
-except ImportError:
-    # Error handled in the calling module.
-    pass
-
-from ._objects import (
-    NORMALIZE_NAMES_SHORT,
-    NORMALIZE_NAMES,
-)
-
-from ._obj2txt import obj2txt
-
-from .basic import (
-    OpenSSLObjectError,
-)
-
-
-def pyopenssl_normalize_name(name, short=False):
-    nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(name))
-    if nid != 0:
-        b_name = OpenSSL._util.lib.OBJ_nid2ln(nid)
-        name = to_text(OpenSSL._util.ffi.string(b_name))
-    if short:
-        return NORMALIZE_NAMES_SHORT.get(name, name)
-    else:
-        return NORMALIZE_NAMES.get(name, name)
-
-
-def pyopenssl_normalize_name_attribute(san):
-    # apparently openssl returns 'IP address' not 'IP' as specifier when converting the subjectAltName to string
-    # although it won't accept this specifier when generating the CSR. (https://github.com/openssl/openssl/issues/4004)
-    if san.startswith('IP Address:'):
-        san = 'IP:' + san[len('IP Address:'):]
-    if san.startswith('IP:'):
-        address = san[3:]
-        if '/' in address:
-            ip = compat_ipaddress.ip_network(address)
-            san = 'IP:{0}/{1}'.format(ip.network_address.compressed, ip.prefixlen)
-        else:
-            ip = compat_ipaddress.ip_address(address)
-            san = 'IP:{0}'.format(ip.compressed)
-    if san.startswith('Registered ID:'):
-        san = 'RID:' + san[len('Registered ID:'):]
-    # Some versions of OpenSSL apparently forgot the colon. Happens in CI with Ubuntu 16.04 and FreeBSD 11.1
-    if san.startswith('Registered ID'):
-        san = 'RID:' + san[len('Registered ID'):]
-    return san
-
-
-def pyopenssl_get_extensions_from_cert(cert):
-    # While pyOpenSSL allows us to get an extension's DER value, it won't
-    # give us the dotted string for an OID. So we have to do some magic to
-    # get hold of it.
-    result = dict()
-    ext_count = cert.get_extension_count()
-    for i in range(0, ext_count):
-        ext = cert.get_extension(i)
-        entry = dict(
-            critical=bool(ext.get_critical()),
-            value=base64.b64encode(ext.get_data()),
-        )
-        oid = obj2txt(
-            OpenSSL._util.lib,
-            OpenSSL._util.ffi,
-            OpenSSL._util.lib.X509_EXTENSION_get_object(ext._extension)
-        )
-        # This could also be done a bit simpler:
-        #
-        #   oid = obj2txt(OpenSSL._util.lib, OpenSSL._util.ffi, OpenSSL._util.lib.OBJ_nid2obj(ext._nid))
-        #
-        # Unfortunately this gives the wrong result in case the linked OpenSSL
-        # doesn't know the OID. That's why we have to get the OID dotted string
-        # similarly to how cryptography does it.
-        result[oid] = entry
-    return result
-
-
-def pyopenssl_get_extensions_from_csr(csr):
-    # While pyOpenSSL allows us to get an extension's DER value, it won't
-    # give us the dotted string for an OID. So we have to do some magic to
-    # get hold of it.
-    result = dict()
-    for ext in csr.get_extensions():
-        entry = dict(
-            critical=bool(ext.get_critical()),
-            value=base64.b64encode(ext.get_data()),
-        )
-        oid = obj2txt(
-            OpenSSL._util.lib,
-            OpenSSL._util.ffi,
-            OpenSSL._util.lib.X509_EXTENSION_get_object(ext._extension)
-        )
-        # This could also be done a bit simpler:
-        #
-        #   oid = obj2txt(OpenSSL._util.lib, OpenSSL._util.ffi, OpenSSL._util.lib.OBJ_nid2obj(ext._nid))
-        #
-        # Unfortunately this gives the wrong result in case the linked OpenSSL
-        # doesn't know the OID. That's why we have to get the OID dotted string
-        # similarly to how cryptography does it.
-        result[oid] = entry
-    return result
-
-
-def pyopenssl_parse_name_constraints(name_constraints_extension):
-    lines = to_text(name_constraints_extension, errors='surrogate_or_strict').splitlines()
-    exclude = None
-    excluded = []
-    permitted = []
-    for line in lines:
-        if line.startswith(' ') or line.startswith('\t'):
-            name = pyopenssl_normalize_name_attribute(line.strip())
-            if exclude is True:
-                excluded.append(name)
-            elif exclude is False:
-                permitted.append(name)
-            else:
-                raise OpenSSLObjectError('Unexpected nameConstraint line: "{0}"'.format(line))
-        else:
-            line_lc = line.lower()
-            if line_lc.startswith('exclud'):
-                exclude = True
-            elif line_lc.startswith('includ') or line_lc.startswith('permitt'):
-                exclude = False
-            else:
-                raise OpenSSLObjectError('Cannot parse nameConstraint line: "{0}"'.format(line))
-    return permitted, excluded

plugins/module_utils/crypto/support.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -27,12 +16,12 @@ import os
 import re
 
 from ansible.module_utils import six
-from ansible.module_utils._text import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_bytes
 
 try:
     from OpenSSL import crypto
     HAS_PYOPENSSL = True
-except ImportError:
+except (ImportError, AttributeError):
     # Error handled in the calling module.
     HAS_PYOPENSSL = False
 
@@ -52,7 +41,14 @@ from .basic import (
 )
 
 
-def get_fingerprint_of_bytes(source):
+# This list of preferred fingerprints is used when prefer_one=True is supplied to the
+# fingerprinting methods.
+PREFERRED_FINGERPRINTS = (
+    'sha256', 'sha3_256', 'sha512', 'sha3_512', 'sha384', 'sha3_384', 'sha1', 'md5'
+)
+
+
+def get_fingerprint_of_bytes(source, prefer_one=False):
     """Generate the fingerprint of the given bytes."""
 
     fingerprint = {}
@@ -65,6 +61,12 @@ def get_fingerprint_of_bytes(source):
         except AttributeError:
             return None
 
+    if prefer_one:
+        # Sort algorithms to have the ones in PREFERRED_FINGERPRINTS at the beginning
+        prefered_algorithms = [algorithm for algorithm in PREFERRED_FINGERPRINTS if algorithm in algorithms]
+        prefered_algorithms += sorted([algorithm for algorithm in algorithms if algorithm not in PREFERRED_FINGERPRINTS])
+        algorithms = prefered_algorithms
+
     for algo in algorithms:
         f = getattr(hashlib, algo)
         try:
@@ -79,46 +81,33 @@ def get_fingerprint_of_bytes(source):
         except TypeError:
             pubkey_digest = h.hexdigest(32)
         fingerprint[algo] = ':'.join(pubkey_digest[i:i + 2] for i in range(0, len(pubkey_digest), 2))
+        if prefer_one:
+            break
 
     return fingerprint
 
 
-def get_fingerprint_of_privatekey(privatekey, backend='pyopenssl'):
+def get_fingerprint_of_privatekey(privatekey, backend='cryptography', prefer_one=False):
     """Generate the fingerprint of the public key. """
 
-    if backend == 'pyopenssl':
-        try:
-            publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, privatekey)
-        except AttributeError:
-            # If PyOpenSSL < 16.0 crypto.dump_publickey() will fail.
-            try:
-                bio = crypto._new_mem_buf()
-                rc = crypto._lib.i2d_PUBKEY_bio(bio, privatekey._pkey)
-                if rc != 1:
-                    crypto._raise_current_error()
-                publickey = crypto._bio_to_string(bio)
-            except AttributeError:
-                # By doing this we prevent the code from raising an error
-                # yet we return no value in the fingerprint hash.
-                return None
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         publickey = privatekey.public_key().public_bytes(
             serialization.Encoding.DER,
             serialization.PublicFormat.SubjectPublicKeyInfo
         )
 
-    return get_fingerprint_of_bytes(publickey)
+    return get_fingerprint_of_bytes(publickey, prefer_one=prefer_one)
 
 
-def get_fingerprint(path, passphrase=None, content=None, backend='pyopenssl'):
+def get_fingerprint(path, passphrase=None, content=None, backend='cryptography', prefer_one=False):
     """Generate the fingerprint of the public key. """
 
     privatekey = load_privatekey(path, passphrase=passphrase, content=content, check_passphrase=False, backend=backend)
 
-    return get_fingerprint_of_privatekey(privatekey, backend=backend)
+    return get_fingerprint_of_privatekey(privatekey, backend=backend, prefer_one=prefer_one)
 
 
-def load_privatekey(path, passphrase=None, check_passphrase=True, content=None, backend='pyopenssl'):
+def load_privatekey(path, passphrase=None, check_passphrase=True, content=None, backend='cryptography'):
     """Load the specified OpenSSL private key.
 
     The content can also be specified via content; in that case,
@@ -162,13 +151,13 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
                                        to_bytes('y' if passphrase == 'x' else 'x'))
                 if passphrase is not None:
                     # Since we can load the key without an exception, the
-                    # key isn't password-protected
+                    # key is not password-protected
                     raise OpenSSLBadPassphraseError('Passphrase provided, but private key is not password-protected!')
             except crypto.Error as e:
                 if passphrase is None and len(e.args) > 0 and len(e.args[0]) > 0:
                     if e.args[0][0][2] in ('bad decrypt', 'bad password read'):
                         # The key is obviously protected by the empty string.
-                        # Don't do this at home (if it's possible at all)...
+                        # Do not do this at home (if it's possible at all)...
                         raise OpenSSLBadPassphraseError('No passphrase provided, but private key is password-protected!')
     elif backend == 'cryptography':
         try:
@@ -183,7 +172,24 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
     return result
 
 
-def load_certificate(path, content=None, backend='pyopenssl'):
+def load_publickey(path=None, content=None, backend=None):
+    if content is None:
+        if path is None:
+            raise OpenSSLObjectError('Must provide either path or content')
+        try:
+            with open(path, 'rb') as b_priv_key_fh:
+                content = b_priv_key_fh.read()
+        except (IOError, OSError) as exc:
+            raise OpenSSLObjectError(exc)
+
+    if backend == 'cryptography':
+        try:
+            return serialization.load_pem_public_key(content, backend=cryptography_backend())
+        except Exception as e:
+            raise OpenSSLObjectError('Error while deserializing key: {0}'.format(e))
+
+
+def load_certificate(path, content=None, backend='cryptography'):
     """Load the specified certificate."""
 
     try:
@@ -203,7 +209,7 @@ def load_certificate(path, content=None, backend='pyopenssl'):
             raise OpenSSLObjectError(exc)
 
 
-def load_certificate_request(path, content=None, backend='pyopenssl'):
+def load_certificate_request(path, content=None, backend='cryptography'):
     """Load the specified certificate signing request."""
     try:
         if content is None:
@@ -213,25 +219,50 @@ def load_certificate_request(path, content=None, backend='pyopenssl'):
             csr_content = content
     except (IOError, OSError) as exc:
         raise OpenSSLObjectError(exc)
-    if backend == 'pyopenssl':
-        return crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         try:
             return x509.load_pem_x509_csr(csr_content, cryptography_backend())
         except ValueError as exc:
             raise OpenSSLObjectError(exc)
 
 
-def parse_name_field(input_dict):
+def parse_name_field(input_dict, name_field_name=None):
+    """Take a dict with key: value or key: list_of_values mappings and return a list of tuples"""
+    error_str = '{key}' if name_field_name is None else '{key} in {name}'
+
+    result = []
+    for key, value in input_dict.items():
+        if isinstance(value, list):
+            for entry in value:
+                if not isinstance(entry, six.string_types):
+                    raise TypeError(('Values %s must be strings' % error_str).format(key=key, name=name_field_name))
+                if not entry:
+                    raise ValueError(('Values for %s must not be empty strings' % error_str).format(key=key))
+                result.append((key, entry))
+        elif isinstance(value, six.string_types):
+            if not value:
+                raise ValueError(('Value for %s must not be an empty string' % error_str).format(key=key))
+            result.append((key, value))
+        else:
+            raise TypeError(('Value for %s must be either a string or a list of strings' % error_str).format(key=key))
+    return result
+
+
+def parse_ordered_name_field(input_list, name_field_name):
     """Take a dict with key: value or key: list_of_values mappings and return a list of tuples"""
 
     result = []
-    for key in input_dict:
-        if isinstance(input_dict[key], list):
-            for entry in input_dict[key]:
-                result.append((key, entry))
-        else:
-            result.append((key, input_dict[key]))
+    for index, entry in enumerate(input_list):
+        if len(entry) != 1:
+            raise ValueError(
+                'Entry #{index} in {name} must be a dictionary with exactly one key-value pair'.format(
+                    name=name_field_name, index=index + 1))
+        try:
+            result.extend(parse_name_field(entry, name_field_name=name_field_name))
+        except (TypeError, ValueError) as exc:
+            raise ValueError(
+                'Error while processing entry #{index} in {name}: {error}'.format(
+                    name=name_field_name, index=index + 1, error=exc))
     return result
 
 
@@ -285,9 +316,7 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'):
         elif backend == 'cryptography':
             return result_datetime
     # Absolute time
-    if backend == 'pyopenssl':
-        return input_string
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         for date_fmt in ['%Y%m%d%H%M%SZ', '%Y%m%d%H%MZ', '%Y%m%d%H%M%S%z', '%Y%m%d%H%M%z']:
             try:
                 return datetime.datetime.strptime(result, date_fmt)
@@ -334,6 +363,8 @@ class OpenSSLObject(object):
 
         def _check_perms(module):
             file_args = module.load_file_common_arguments(module.params)
+            if module.check_file_absent_if_check_mode(file_args['path']):
+                return False
             return not module.set_fs_attributes_if_different(file_args, False)
 
         if not perms_required:

plugins/module_utils/ecs/api.py

@@ -7,25 +7,8 @@
 # their own license to the complete work.
 #
 # Copyright (c), Entrust Datacard Corporation, 2019
-# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
-
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#    1. Redistributions of source code must retain the above copyright notice,
-#       this list of conditions and the following disclaimer.
-#    2. Redistributions in binary form must reproduce the above copyright notice,
-#       this list of conditions and the following disclaimer in the documentation
-#       and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
+# SPDX-License-Identifier: BSD-2-Clause
 
 from __future__ import absolute_import, division, print_function
 
@@ -34,10 +17,9 @@ __metaclass__ = type
 import json
 import os
 import re
-import time
 import traceback
 
-from ansible.module_utils._text import to_text, to_native
+from ansible.module_utils.common.text.converters import to_text, to_native
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.six.moves.urllib.parse import urlencode
 from ansible.module_utils.six.moves.urllib.error import HTTPError
@@ -105,7 +87,7 @@ def bind(instance, method, operation_spec):
     def binding_scope_fn(*args, **kwargs):
         return method(instance, *args, **kwargs)
 
-    # Make sure we don't confuse users; add the proper name and documentation to the function.
+    # Make sure we do not confuse users; add the proper name and documentation to the function.
     # Users can use !help(<function>) to get help on the function from interactive python or pdb
     operation_name = operation_spec.get("operationId").split("Using")[0]
     binding_scope_fn.__name__ = str(operation_name)

plugins/module_utils/io.py

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -24,6 +13,19 @@ import os
 import tempfile
 
 
+def load_file(path, module=None):
+    '''
+    Load the file as a bytes string.
+    '''
+    try:
+        with open(path, 'rb') as f:
+            return f.read()
+    except Exception as exc:
+        if module is None:
+            raise
+        module.fail_json('Error while loading {0} - {1}'.format(path, str(exc)))
+
+
 def load_file_if_exists(path, module=None, ignore_errors=False):
     '''
     Load the file as a bytes string. If the file does not exist, ``None`` is returned.
@@ -92,7 +94,8 @@ def write_file(module, content, default_mode=None, path=None):
         # Move tempfile to final destination
         module.atomic_move(tmp_name, file_args['path'])
         # Try to update permissions again
-        module.set_fs_attributes_if_different(file_args, False)
+        if not module.check_file_absent_if_check_mode(file_args['path']):
+            module.set_fs_attributes_if_different(file_args, False)
     except Exception as e:
         try:
             os.remove(tmp_name)

plugins/module_utils/openssh/backends/common.py

@@ -0,0 +1,346 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import abc
+import os
+import stat
+import traceback
+
+from ansible.module_utils import six
+
+from ansible.module_utils.common.text.converters import to_native
+from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
+    parse_openssh_version,
+)
+
+
+def restore_on_failure(f):
+    def backup_and_restore(module, path, *args, **kwargs):
+        backup_file = module.backup_local(path) if os.path.exists(path) else None
+
+        try:
+            f(module, path, *args, **kwargs)
+        except Exception:
+            if backup_file is not None:
+                module.atomic_move(backup_file, path)
+            raise
+        else:
+            module.add_cleanup_file(backup_file)
+
+    return backup_and_restore
+
+
+@restore_on_failure
+def safe_atomic_move(module, path, destination):
+    module.atomic_move(path, destination)
+
+
+def _restore_all_on_failure(f):
+    def backup_and_restore(self, sources_and_destinations, *args, **kwargs):
+        backups = [(d, self.module.backup_local(d)) for s, d in sources_and_destinations if os.path.exists(d)]
+
+        try:
+            f(self, sources_and_destinations, *args, **kwargs)
+        except Exception:
+            for destination, backup in backups:
+                self.module.atomic_move(backup, destination)
+            raise
+        else:
+            for destination, backup in backups:
+                self.module.add_cleanup_file(backup)
+    return backup_and_restore
+
+
+@six.add_metaclass(abc.ABCMeta)
+class OpensshModule(object):
+    def __init__(self, module):
+        self.module = module
+
+        self.changed = False
+        self.check_mode = self.module.check_mode
+
+    def execute(self):
+        try:
+            self._execute()
+        except Exception as e:
+            self.module.fail_json(
+                msg="unexpected error occurred: %s" % to_native(e),
+                exception=traceback.format_exc(),
+            )
+
+        self.module.exit_json(**self.result)
+
+    @abc.abstractmethod
+    def _execute(self):
+        pass
+
+    @property
+    def result(self):
+        result = self._result
+
+        result['changed'] = self.changed
+
+        if self.module._diff:
+            result['diff'] = self.diff
+
+        return result
+
+    @property
+    @abc.abstractmethod
+    def _result(self):
+        pass
+
+    @property
+    @abc.abstractmethod
+    def diff(self):
+        pass
+
+    @staticmethod
+    def skip_if_check_mode(f):
+        def wrapper(self, *args, **kwargs):
+            if not self.check_mode:
+                f(self, *args, **kwargs)
+        return wrapper
+
+    @staticmethod
+    def trigger_change(f):
+        def wrapper(self, *args, **kwargs):
+            f(self, *args, **kwargs)
+            self.changed = True
+        return wrapper
+
+    def _check_if_base_dir(self, path):
+        base_dir = os.path.dirname(path) or '.'
+        if not os.path.isdir(base_dir):
+            self.module.fail_json(
+                name=base_dir,
+                msg='The directory %s does not exist or the file is not a directory' % base_dir
+            )
+
+    def _get_ssh_version(self):
+        ssh_bin = self.module.get_bin_path('ssh')
+        if not ssh_bin:
+            return ""
+        return parse_openssh_version(self.module.run_command([ssh_bin, '-V', '-q'])[2].strip())
+
+    @_restore_all_on_failure
+    def _safe_secure_move(self, sources_and_destinations):
+        """Moves a list of files from 'source' to 'destination' and restores 'destination' from backup upon failure.
+           If 'destination' does not already exist, then 'source' permissions are preserved to prevent
+           exposing protected data ('atomic_move' uses the 'destination' base directory mask for
+           permissions if 'destination' does not already exists).
+        """
+        for source, destination in sources_and_destinations:
+            if os.path.exists(destination):
+                self.module.atomic_move(source, destination)
+            else:
+                self.module.preserved_copy(source, destination)
+
+    def _update_permissions(self, path):
+        file_args = self.module.load_file_common_arguments(self.module.params)
+        file_args['path'] = path
+
+        if not self.module.check_file_absent_if_check_mode(path):
+            self.changed = self.module.set_fs_attributes_if_different(file_args, self.changed)
+        else:
+            self.changed = True
+
+
+class KeygenCommand(object):
+    def __init__(self, module):
+        self._bin_path = module.get_bin_path('ssh-keygen', True)
+        self._run_command = module.run_command
+
+    def generate_certificate(self, certificate_path, identifier, options, pkcs11_provider, principals,
+                             serial_number, signature_algorithm, signing_key_path, type,
+                             time_parameters, use_agent, **kwargs):
+        args = [self._bin_path, '-s', signing_key_path, '-P', '', '-I', identifier]
+
+        if options:
+            for option in options:
+                args.extend(['-O', option])
+        if pkcs11_provider:
+            args.extend(['-D', pkcs11_provider])
+        if principals:
+            args.extend(['-n', ','.join(principals)])
+        if serial_number is not None:
+            args.extend(['-z', str(serial_number)])
+        if type == 'host':
+            args.extend(['-h'])
+        if use_agent:
+            args.extend(['-U'])
+        if time_parameters.validity_string:
+            args.extend(['-V', time_parameters.validity_string])
+        if signature_algorithm:
+            args.extend(['-t', signature_algorithm])
+        args.append(certificate_path)
+
+        return self._run_command(args, **kwargs)
+
+    def generate_keypair(self, private_key_path, size, type, comment, **kwargs):
+        args = [
+            self._bin_path,
+            '-q',
+            '-N', '',
+            '-b', str(size),
+            '-t', type,
+            '-f', private_key_path,
+            '-C', comment or ''
+        ]
+
+        # "y" must be entered in response to the "overwrite" prompt
+        data = 'y' if os.path.exists(private_key_path) else None
+
+        return self._run_command(args, data=data, **kwargs)
+
+    def get_certificate_info(self, certificate_path, **kwargs):
+        return self._run_command([self._bin_path, '-L', '-f', certificate_path], **kwargs)
+
+    def get_matching_public_key(self, private_key_path, **kwargs):
+        return self._run_command([self._bin_path, '-P', '', '-y', '-f', private_key_path], **kwargs)
+
+    def get_private_key(self, private_key_path, **kwargs):
+        return self._run_command([self._bin_path, '-l', '-f', private_key_path], **kwargs)
+
+    def update_comment(self, private_key_path, comment, **kwargs):
+        if os.path.exists(private_key_path) and not os.access(private_key_path, os.W_OK):
+            try:
+                os.chmod(private_key_path, stat.S_IWUSR + stat.S_IRUSR)
+            except (IOError, OSError) as e:
+                raise e("The private key at %s is not writeable preventing a comment update" % private_key_path)
+
+        return self._run_command([self._bin_path, '-q', '-o', '-c', '-C', comment, '-f', private_key_path], **kwargs)
+
+
+class PrivateKey(object):
+    def __init__(self, size, key_type, fingerprint, format=''):
+        self._size = size
+        self._type = key_type
+        self._fingerprint = fingerprint
+        self._format = format
+
+    @property
+    def size(self):
+        return self._size
+
+    @property
+    def type(self):
+        return self._type
+
+    @property
+    def fingerprint(self):
+        return self._fingerprint
+
+    @property
+    def format(self):
+        return self._format
+
+    @classmethod
+    def from_string(cls, string):
+        properties = string.split()
+
+        return cls(
+            size=int(properties[0]),
+            key_type=properties[-1][1:-1].lower(),
+            fingerprint=properties[1],
+        )
+
+    def to_dict(self):
+        return {
+            'size': self._size,
+            'type': self._type,
+            'fingerprint': self._fingerprint,
+            'format': self._format,
+        }
+
+
+class PublicKey(object):
+    def __init__(self, type_string, data, comment):
+        self._type_string = type_string
+        self._data = data
+        self._comment = comment
+
+    def __eq__(self, other):
+        if not isinstance(other, type(self)):
+            return NotImplemented
+
+        return all([
+            self._type_string == other._type_string,
+            self._data == other._data,
+            (self._comment == other._comment) if self._comment is not None and other._comment is not None else True
+        ])
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __str__(self):
+        return "%s %s" % (self._type_string, self._data)
+
+    @property
+    def comment(self):
+        return self._comment
+
+    @comment.setter
+    def comment(self, value):
+        self._comment = value
+
+    @property
+    def data(self):
+        return self._data
+
+    @property
+    def type_string(self):
+        return self._type_string
+
+    @classmethod
+    def from_string(cls, string):
+        properties = string.strip('\n').split(' ', 2)
+
+        return cls(
+            type_string=properties[0],
+            data=properties[1],
+            comment=properties[2] if len(properties) > 2 else ""
+        )
+
+    @classmethod
+    def load(cls, path):
+        try:
+            with open(path, 'r') as f:
+                properties = f.read().strip(' \n').split(' ', 2)
+        except (IOError, OSError):
+            raise
+
+        if len(properties) < 2:
+            return None
+
+        return cls(
+            type_string=properties[0],
+            data=properties[1],
+            comment='' if len(properties) <= 2 else properties[2],
+        )
+
+    def to_dict(self):
+        return {
+            'comment': self._comment,
+            'public_key': self._data,
+        }
+
+
+def parse_private_key_format(path):
+    with open(path, 'r') as file:
+        header = file.readline().strip()
+
+    if header == '-----BEGIN OPENSSH PRIVATE KEY-----':
+        return 'SSH'
+    elif header == '-----BEGIN PRIVATE KEY-----':
+        return 'PKCS8'
+    elif header == '-----BEGIN RSA PRIVATE KEY-----':
+        return 'PKCS1'
+
+    return ''

plugins/module_utils/openssh/backends/keypair_backend.py

@@ -0,0 +1,480 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2018, David Kainz <dkainz@mgit.at> <dave.jokain@gmx.at>
+# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import abc
+import os
+
+from ansible.module_utils import six
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
+    HAS_OPENSSH_SUPPORT,
+    HAS_OPENSSH_PRIVATE_FORMAT,
+    InvalidCommentError,
+    InvalidPassphraseError,
+    InvalidPrivateKeyFileError,
+    OpenSSHError,
+    OpensshKeypair,
+)
+from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import (
+    KeygenCommand,
+    OpensshModule,
+    PrivateKey,
+    PublicKey,
+    parse_private_key_format,
+)
+from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
+    any_in,
+    file_mode,
+    secure_write,
+)
+
+
+@six.add_metaclass(abc.ABCMeta)
+class KeypairBackend(OpensshModule):
+
+    def __init__(self, module):
+        super(KeypairBackend, self).__init__(module)
+
+        self.comment = self.module.params['comment']
+        self.private_key_path = self.module.params['path']
+        self.public_key_path = self.private_key_path + '.pub'
+        self.regenerate = self.module.params['regenerate'] if not self.module.params['force'] else 'always'
+        self.state = self.module.params['state']
+        self.type = self.module.params['type']
+
+        self.size = self._get_size(self.module.params['size'])
+        self._validate_path()
+
+        self.original_private_key = None
+        self.original_public_key = None
+        self.private_key = None
+        self.public_key = None
+
+    def _get_size(self, size):
+        if self.type in ('rsa', 'rsa1'):
+            result = 4096 if size is None else size
+            if result < 1024:
+                return self.module.fail_json(
+                    msg="For RSA keys, the minimum size is 1024 bits and the default is 4096 bits. " +
+                        "Attempting to use bit lengths under 1024 will cause the module to fail."
+                )
+        elif self.type == 'dsa':
+            result = 1024 if size is None else size
+            if result != 1024:
+                return self.module.fail_json(msg="DSA keys must be exactly 1024 bits as specified by FIPS 186-2.")
+        elif self.type == 'ecdsa':
+            result = 256 if size is None else size
+            if result not in (256, 384, 521):
+                return self.module.fail_json(
+                    msg="For ECDSA keys, size determines the key length by selecting from one of " +
+                        "three elliptic curve sizes: 256, 384 or 521 bits. " +
+                        "Attempting to use bit lengths other than these three values for ECDSA keys will " +
+                        "cause this module to fail."
+                )
+        elif self.type == 'ed25519':
+            # User input is ignored for `key size` when `key type` is ed25519
+            result = 256
+        else:
+            return self.module.fail_json(msg="%s is not a valid value for key type" % self.type)
+
+        return result
+
+    def _validate_path(self):
+        self._check_if_base_dir(self.private_key_path)
+
+        if os.path.isdir(self.private_key_path):
+            self.module.fail_json(msg='%s is a directory. Please specify a path to a file.' % self.private_key_path)
+
+    def _execute(self):
+        self.original_private_key = self._load_private_key()
+        self.original_public_key = self._load_public_key()
+
+        if self.state == 'present':
+            self._validate_key_load()
+
+            if self._should_generate():
+                self._generate()
+            elif not self._public_key_valid():
+                self._restore_public_key()
+
+            self.private_key = self._load_private_key()
+            self.public_key = self._load_public_key()
+
+            for path in (self.private_key_path, self.public_key_path):
+                self._update_permissions(path)
+        else:
+            if self._should_remove():
+                self._remove()
+
+    def _load_private_key(self):
+        result = None
+        if self._private_key_exists():
+            try:
+                result = self._get_private_key()
+            except Exception:
+                pass
+
+        return result
+
+    def _private_key_exists(self):
+        return os.path.exists(self.private_key_path)
+
+    @abc.abstractmethod
+    def _get_private_key(self):
+        pass
+
+    def _load_public_key(self):
+        result = None
+        if self._public_key_exists():
+            try:
+                result = PublicKey.load(self.public_key_path)
+            except (IOError, OSError):
+                pass
+        return result
+
+    def _public_key_exists(self):
+        return os.path.exists(self.public_key_path)
+
+    def _validate_key_load(self):
+        if (self._private_key_exists()
+                and self.regenerate in ('never', 'fail', 'partial_idempotence')
+                and (self.original_private_key is None or not self._private_key_readable())):
+            self.module.fail_json(
+                msg="Unable to read the key. The key is protected with a passphrase or broken. " +
+                    "Will not proceed. To force regeneration, call the module with `generate` " +
+                    "set to `full_idempotence` or `always`, or with `force=true`."
+            )
+
+    @abc.abstractmethod
+    def _private_key_readable(self):
+        pass
+
+    def _should_generate(self):
+        if self.regenerate == 'never':
+            return self.original_private_key is None
+        elif self.regenerate == 'fail':
+            if not self._private_key_valid():
+                self.module.fail_json(
+                    msg="Key has wrong type and/or size. Will not proceed. " +
+                        "To force regeneration, call the module with `generate` set to " +
+                        "`partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
+                )
+            return self.original_private_key is None
+        elif self.regenerate in ('partial_idempotence', 'full_idempotence'):
+            return not self._private_key_valid()
+        else:
+            return True
+
+    def _private_key_valid(self):
+        if self.original_private_key is None:
+            return False
+
+        return all([
+            self.size == self.original_private_key.size,
+            self.type == self.original_private_key.type,
+            self._private_key_valid_backend(),
+        ])
+
+    @abc.abstractmethod
+    def _private_key_valid_backend(self):
+        pass
+
+    @OpensshModule.trigger_change
+    @OpensshModule.skip_if_check_mode
+    def _generate(self):
+        temp_private_key, temp_public_key = self._generate_temp_keypair()
+
+        try:
+            self._safe_secure_move([(temp_private_key, self.private_key_path), (temp_public_key, self.public_key_path)])
+        except OSError as e:
+            self.module.fail_json(msg=to_native(e))
+
+    def _generate_temp_keypair(self):
+        temp_private_key = os.path.join(self.module.tmpdir, os.path.basename(self.private_key_path))
+        temp_public_key = temp_private_key + '.pub'
+
+        try:
+            self._generate_keypair(temp_private_key)
+        except (IOError, OSError) as e:
+            self.module.fail_json(msg=to_native(e))
+
+        for f in (temp_private_key, temp_public_key):
+            self.module.add_cleanup_file(f)
+
+        return temp_private_key, temp_public_key
+
+    @abc.abstractmethod
+    def _generate_keypair(self, private_key_path):
+        pass
+
+    def _public_key_valid(self):
+        if self.original_public_key is None:
+            return False
+
+        valid_public_key = self._get_public_key()
+        valid_public_key.comment = self.comment
+
+        return self.original_public_key == valid_public_key
+
+    @abc.abstractmethod
+    def _get_public_key(self):
+        pass
+
+    @OpensshModule.trigger_change
+    @OpensshModule.skip_if_check_mode
+    def _restore_public_key(self):
+        try:
+            temp_public_key = self._create_temp_public_key(str(self._get_public_key()) + '\n')
+            self._safe_secure_move([
+                (temp_public_key, self.public_key_path)
+            ])
+        except (IOError, OSError):
+            self.module.fail_json(
+                msg="The public key is missing or does not match the private key. " +
+                    "Unable to regenerate the public key."
+            )
+
+        if self.comment:
+            self._update_comment()
+
+    def _create_temp_public_key(self, content):
+        temp_public_key = os.path.join(self.module.tmpdir, os.path.basename(self.public_key_path))
+
+        default_permissions = 0o644
+        existing_permissions = file_mode(self.public_key_path)
+
+        try:
+            secure_write(temp_public_key, existing_permissions or default_permissions, to_bytes(content))
+        except (IOError, OSError) as e:
+            self.module.fail_json(msg=to_native(e))
+        self.module.add_cleanup_file(temp_public_key)
+
+        return temp_public_key
+
+    @abc.abstractmethod
+    def _update_comment(self):
+        pass
+
+    def _should_remove(self):
+        return self._private_key_exists() or self._public_key_exists()
+
+    @OpensshModule.trigger_change
+    @OpensshModule.skip_if_check_mode
+    def _remove(self):
+        try:
+            if self._private_key_exists():
+                os.remove(self.private_key_path)
+            if self._public_key_exists():
+                os.remove(self.public_key_path)
+        except (IOError, OSError) as e:
+            self.module.fail_json(msg=to_native(e))
+
+    @property
+    def _result(self):
+        private_key = self.private_key or self.original_private_key
+        public_key = self.public_key or self.original_public_key
+
+        return {
+            'size': self.size,
+            'type': self.type,
+            'filename': self.private_key_path,
+            'fingerprint': private_key.fingerprint if private_key else '',
+            'public_key': str(public_key) if public_key else '',
+            'comment': public_key.comment if public_key else '',
+        }
+
+    @property
+    def diff(self):
+        before = self.original_private_key.to_dict() if self.original_private_key else {}
+        before.update(self.original_public_key.to_dict() if self.original_public_key else {})
+
+        after = self.private_key.to_dict() if self.private_key else {}
+        after.update(self.public_key.to_dict() if self.public_key else {})
+
+        return {
+            'before': before,
+            'after': after,
+        }
+
+
+class KeypairBackendOpensshBin(KeypairBackend):
+    def __init__(self, module):
+        super(KeypairBackendOpensshBin, self).__init__(module)
+
+        if self.module.params['private_key_format'] != 'auto':
+            self.module.fail_json(
+                msg="'auto' is the only valid option for " +
+                    "'private_key_format' when 'backend' is not 'cryptography'"
+            )
+
+        self.ssh_keygen = KeygenCommand(self.module)
+
+    def _generate_keypair(self, private_key_path):
+        self.ssh_keygen.generate_keypair(private_key_path, self.size, self.type, self.comment)
+
+    def _get_private_key(self):
+        private_key_content = self.ssh_keygen.get_private_key(self.private_key_path)[1]
+        return PrivateKey.from_string(private_key_content)
+
+    def _get_public_key(self):
+        public_key_content = self.ssh_keygen.get_matching_public_key(self.private_key_path)[1]
+        return PublicKey.from_string(public_key_content)
+
+    def _private_key_readable(self):
+        rc, stdout, stderr = self.ssh_keygen.get_matching_public_key(self.private_key_path)
+        return not (rc == 255 or any_in(stderr, 'is not a public key file', 'incorrect passphrase', 'load failed'))
+
+    def _update_comment(self):
+        try:
+            self.ssh_keygen.update_comment(self.private_key_path, self.comment)
+        except (IOError, OSError) as e:
+            self.module.fail_json(msg=to_native(e))
+
+    def _private_key_valid_backend(self):
+        return True
+
+
+class KeypairBackendCryptography(KeypairBackend):
+    def __init__(self, module):
+        super(KeypairBackendCryptography, self).__init__(module)
+
+        if self.type == 'rsa1':
+            self.module.fail_json(msg="RSA1 keys are not supported by the cryptography backend")
+
+        self.passphrase = to_bytes(module.params['passphrase']) if module.params['passphrase'] else None
+        self.private_key_format = self._get_key_format(module.params['private_key_format'])
+
+    def _get_key_format(self, key_format):
+        result = 'SSH'
+
+        if key_format == 'auto':
+            # Default to OpenSSH 7.8 compatibility when OpenSSH is not installed
+            ssh_version = self._get_ssh_version() or "7.8"
+
+            if LooseVersion(ssh_version) < LooseVersion("7.8") and self.type != 'ed25519':
+                # OpenSSH made SSH formatted private keys available in version 6.5,
+                # but still defaulted to PKCS1 format with the exception of ed25519 keys
+                result = 'PKCS1'
+
+            if result == 'SSH' and not HAS_OPENSSH_PRIVATE_FORMAT:
+                self.module.fail_json(
+                    msg=missing_required_lib(
+                        'cryptography >= 3.0',
+                        reason="to load/dump private keys in the default OpenSSH format for OpenSSH >= 7.8 " +
+                               "or for ed25519 keys"
+                    )
+                )
+        else:
+            result = key_format.upper()
+
+        return result
+
+    def _generate_keypair(self, private_key_path):
+        keypair = OpensshKeypair.generate(
+            keytype=self.type,
+            size=self.size,
+            passphrase=self.passphrase,
+            comment=self.comment or '',
+        )
+
+        encoded_private_key = OpensshKeypair.encode_openssh_privatekey(
+            keypair.asymmetric_keypair, self.private_key_format
+        )
+        secure_write(private_key_path, 0o600, encoded_private_key)
+
+        public_key_path = private_key_path + '.pub'
+        secure_write(public_key_path, 0o644, keypair.public_key)
+
+    def _get_private_key(self):
+        keypair = OpensshKeypair.load(path=self.private_key_path, passphrase=self.passphrase, no_public_key=True)
+
+        return PrivateKey(
+            size=keypair.size,
+            key_type=keypair.key_type,
+            fingerprint=keypair.fingerprint,
+            format=parse_private_key_format(self.private_key_path)
+        )
+
+    def _get_public_key(self):
+        try:
+            keypair = OpensshKeypair.load(path=self.private_key_path, passphrase=self.passphrase, no_public_key=True)
+        except OpenSSHError:
+            # Simulates the null output of ssh-keygen
+            return ""
+
+        return PublicKey.from_string(to_text(keypair.public_key))
+
+    def _private_key_readable(self):
+        try:
+            OpensshKeypair.load(path=self.private_key_path, passphrase=self.passphrase, no_public_key=True)
+        except (InvalidPrivateKeyFileError, InvalidPassphraseError):
+            return False
+
+        # Cryptography >= 3.0 uses a SSH key loader which does not raise an exception when a passphrase is provided
+        # when loading an unencrypted key
+        if self.passphrase:
+            try:
+                OpensshKeypair.load(path=self.private_key_path, passphrase=None, no_public_key=True)
+            except (InvalidPrivateKeyFileError, InvalidPassphraseError):
+                return True
+            else:
+                return False
+
+        return True
+
+    def _update_comment(self):
+        keypair = OpensshKeypair.load(path=self.private_key_path, passphrase=self.passphrase, no_public_key=True)
+        try:
+            keypair.comment = self.comment
+        except InvalidCommentError as e:
+            self.module.fail_json(msg=to_native(e))
+
+        try:
+            temp_public_key = self._create_temp_public_key(keypair.public_key + b'\n')
+            self._safe_secure_move([(temp_public_key, self.public_key_path)])
+        except (IOError, OSError) as e:
+            self.module.fail_json(msg=to_native(e))
+
+    def _private_key_valid_backend(self):
+        # avoids breaking behavior and prevents
+        # automatic conversions with OpenSSH upgrades
+        if self.module.params['private_key_format'] == 'auto':
+            return True
+
+        return self.private_key_format == self.original_private_key.format
+
+
+def select_backend(module, backend):
+    can_use_cryptography = HAS_OPENSSH_SUPPORT
+    can_use_opensshbin = bool(module.get_bin_path('ssh-keygen'))
+
+    if backend == 'auto':
+        if can_use_opensshbin and not module.params['passphrase']:
+            backend = 'opensshbin'
+        elif can_use_cryptography:
+            backend = 'cryptography'
+        else:
+            module.fail_json(msg="Cannot find either the OpenSSH binary in the PATH " +
+                                 "or cryptography >= 2.6 installed on this system")
+
+    if backend == 'opensshbin':
+        if not can_use_opensshbin:
+            module.fail_json(msg="Cannot find the OpenSSH binary in the PATH")
+        return backend, KeypairBackendOpensshBin(module)
+    elif backend == 'cryptography':
+        if not can_use_cryptography:
+            module.fail_json(msg=missing_required_lib("cryptography >= 2.6"))
+        return backend, KeypairBackendCryptography(module)
+    else:
+        raise ValueError('Unsupported value for backend: {0}'.format(backend))

plugins/module_utils/openssh/certificate.py

@@ -0,0 +1,666 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+# Protocol References
+# -------------------
+# https://datatracker.ietf.org/doc/html/rfc4251
+# https://datatracker.ietf.org/doc/html/rfc4253
+# https://datatracker.ietf.org/doc/html/rfc5656
+# https://datatracker.ietf.org/doc/html/rfc8032
+# https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
+#
+# Inspired by:
+# ------------
+# https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/serialization/ssh.py
+# https://github.com/paramiko/paramiko/blob/master/paramiko/message.py
+
+import abc
+import binascii
+import os
+from base64 import b64encode
+from datetime import datetime
+from hashlib import sha256
+
+from ansible.module_utils import six
+from ansible.module_utils.common.text.converters import to_text
+from ansible_collections.community.crypto.plugins.module_utils.crypto.support import convert_relative_to_datetime
+from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
+    OpensshParser,
+    _OpensshWriter,
+)
+
+# See https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
+_USER_TYPE = 1
+_HOST_TYPE = 2
+
+_SSH_TYPE_STRINGS = {
+    'rsa': b"ssh-rsa",
+    'dsa': b"ssh-dss",
+    'ecdsa-nistp256': b"ecdsa-sha2-nistp256",
+    'ecdsa-nistp384': b"ecdsa-sha2-nistp384",
+    'ecdsa-nistp521': b"ecdsa-sha2-nistp521",
+    'ed25519': b"ssh-ed25519",
+}
+_CERT_SUFFIX_V01 = b"-cert-v01@openssh.com"
+
+# See https://datatracker.ietf.org/doc/html/rfc5656#section-6.1
+_ECDSA_CURVE_IDENTIFIERS = {
+    'ecdsa-nistp256': b'nistp256',
+    'ecdsa-nistp384': b'nistp384',
+    'ecdsa-nistp521': b'nistp521',
+}
+_ECDSA_CURVE_IDENTIFIERS_LOOKUP = {
+    b'nistp256': 'ecdsa-nistp256',
+    b'nistp384': 'ecdsa-nistp384',
+    b'nistp521': 'ecdsa-nistp521',
+}
+
+_ALWAYS = datetime(1970, 1, 1)
+_FOREVER = datetime.max
+
+_CRITICAL_OPTIONS = (
+    'force-command',
+    'source-address',
+    'verify-required',
+)
+
+_DIRECTIVES = (
+    'clear',
+    'no-x11-forwarding',
+    'no-agent-forwarding',
+    'no-port-forwarding',
+    'no-pty',
+    'no-user-rc',
+)
+
+_EXTENSIONS = (
+    'permit-x11-forwarding',
+    'permit-agent-forwarding',
+    'permit-port-forwarding',
+    'permit-pty',
+    'permit-user-rc'
+)
+
+if six.PY3:
+    long = int
+
+
+class OpensshCertificateTimeParameters(object):
+    def __init__(self, valid_from, valid_to):
+        self._valid_from = self.to_datetime(valid_from)
+        self._valid_to = self.to_datetime(valid_to)
+
+        if self._valid_from > self._valid_to:
+            raise ValueError("Valid from: %s must not be greater than Valid to: %s" % (valid_from, valid_to))
+
+    def __eq__(self, other):
+        if not isinstance(other, type(self)):
+            return NotImplemented
+        else:
+            return self._valid_from == other._valid_from and self._valid_to == other._valid_to
+
+    def __ne__(self, other):
+        return not self == other
+
+    @property
+    def validity_string(self):
+        if not (self._valid_from == _ALWAYS and self._valid_to == _FOREVER):
+            return "%s:%s" % (
+                self.valid_from(date_format='openssh'), self.valid_to(date_format='openssh')
+            )
+        return ""
+
+    def valid_from(self, date_format):
+        return self.format_datetime(self._valid_from, date_format)
+
+    def valid_to(self, date_format):
+        return self.format_datetime(self._valid_to, date_format)
+
+    def within_range(self, valid_at):
+        if valid_at is not None:
+            valid_at_datetime = self.to_datetime(valid_at)
+            return self._valid_from <= valid_at_datetime <= self._valid_to
+        return True
+
+    @staticmethod
+    def format_datetime(dt, date_format):
+        if date_format in ('human_readable', 'openssh'):
+            if dt == _ALWAYS:
+                result = 'always'
+            elif dt == _FOREVER:
+                result = 'forever'
+            else:
+                result = dt.isoformat() if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S")
+        elif date_format == 'timestamp':
+            td = dt - _ALWAYS
+            result = int((td.microseconds + (td.seconds + td.days * 24 * 3600) * 10 ** 6) / 10 ** 6)
+        else:
+            raise ValueError("%s is not a valid format" % date_format)
+        return result
+
+    @staticmethod
+    def to_datetime(time_string_or_timestamp):
+        try:
+            if isinstance(time_string_or_timestamp, six.string_types):
+                result = OpensshCertificateTimeParameters._time_string_to_datetime(time_string_or_timestamp.strip())
+            elif isinstance(time_string_or_timestamp, (long, int)):
+                result = OpensshCertificateTimeParameters._timestamp_to_datetime(time_string_or_timestamp)
+            else:
+                raise ValueError(
+                    "Value must be of type (str, unicode, int, long) not %s" % type(time_string_or_timestamp)
+                )
+        except ValueError:
+            raise
+        return result
+
+    @staticmethod
+    def _timestamp_to_datetime(timestamp):
+        if timestamp == 0x0:
+            result = _ALWAYS
+        elif timestamp == 0xFFFFFFFFFFFFFFFF:
+            result = _FOREVER
+        else:
+            try:
+                result = datetime.utcfromtimestamp(timestamp)
+            except OverflowError as e:
+                raise ValueError
+        return result
+
+    @staticmethod
+    def _time_string_to_datetime(time_string):
+        result = None
+        if time_string == 'always':
+            result = _ALWAYS
+        elif time_string == 'forever':
+            result = _FOREVER
+        elif is_relative_time_string(time_string):
+            result = convert_relative_to_datetime(time_string)
+        else:
+            for time_format in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
+                try:
+                    result = datetime.strptime(time_string, time_format)
+                except ValueError:
+                    pass
+            if result is None:
+                raise ValueError
+        return result
+
+
+class OpensshCertificateOption(object):
+    def __init__(self, option_type, name, data):
+        if option_type not in ('critical', 'extension'):
+            raise ValueError("type must be either 'critical' or 'extension'")
+
+        if not isinstance(name, six.string_types):
+            raise TypeError("name must be a string not %s" % type(name))
+
+        if not isinstance(data, six.string_types):
+            raise TypeError("data must be a string not %s" % type(data))
+
+        self._option_type = option_type
+        self._name = name.lower()
+        self._data = data
+
+    def __eq__(self, other):
+        if not isinstance(other, type(self)):
+            return NotImplemented
+
+        return all([
+            self._option_type == other._option_type,
+            self._name == other._name,
+            self._data == other._data,
+        ])
+
+    def __hash__(self):
+        return hash((self._option_type, self._name, self._data))
+
+    def __ne__(self, other):
+        return not self == other
+
+    def __str__(self):
+        if self._data:
+            return "%s=%s" % (self._name, self._data)
+        return self._name
+
+    @property
+    def data(self):
+        return self._data
+
+    @property
+    def name(self):
+        return self._name
+
+    @property
+    def type(self):
+        return self._option_type
+
+    @classmethod
+    def from_string(cls, option_string):
+        if not isinstance(option_string, six.string_types):
+            raise ValueError("option_string must be a string not %s" % type(option_string))
+        option_type = None
+
+        if ':' in option_string:
+            option_type, value = option_string.strip().split(':', 1)
+            if '=' in value:
+                name, data = value.split('=', 1)
+            else:
+                name, data = value, ''
+        elif '=' in option_string:
+            name, data = option_string.strip().split('=', 1)
+        else:
+            name, data = option_string.strip(), ''
+
+        return cls(
+            option_type=option_type or get_option_type(name.lower()),
+            name=name,
+            data=data
+        )
+
+
+@six.add_metaclass(abc.ABCMeta)
+class OpensshCertificateInfo:
+    """Encapsulates all certificate information which is signed by a CA key"""
+    def __init__(self,
+                 nonce=None,
+                 serial=None,
+                 cert_type=None,
+                 key_id=None,
+                 principals=None,
+                 valid_after=None,
+                 valid_before=None,
+                 critical_options=None,
+                 extensions=None,
+                 reserved=None,
+                 signing_key=None):
+        self.nonce = nonce
+        self.serial = serial
+        self._cert_type = cert_type
+        self.key_id = key_id
+        self.principals = principals
+        self.valid_after = valid_after
+        self.valid_before = valid_before
+        self.critical_options = critical_options
+        self.extensions = extensions
+        self.reserved = reserved
+        self.signing_key = signing_key
+
+        self.type_string = None
+
+    @property
+    def cert_type(self):
+        if self._cert_type == _USER_TYPE:
+            return 'user'
+        elif self._cert_type == _HOST_TYPE:
+            return 'host'
+        else:
+            return ''
+
+    @cert_type.setter
+    def cert_type(self, cert_type):
+        if cert_type == 'user' or cert_type == _USER_TYPE:
+            self._cert_type = _USER_TYPE
+        elif cert_type == 'host' or cert_type == _HOST_TYPE:
+            self._cert_type = _HOST_TYPE
+        else:
+            raise ValueError("%s is not a valid certificate type" % cert_type)
+
+    def signing_key_fingerprint(self):
+        return fingerprint(self.signing_key)
+
+    @abc.abstractmethod
+    def public_key_fingerprint(self):
+        pass
+
+    @abc.abstractmethod
+    def parse_public_numbers(self, parser):
+        pass
+
+
+class OpensshRSACertificateInfo(OpensshCertificateInfo):
+    def __init__(self, e=None, n=None, **kwargs):
+        super(OpensshRSACertificateInfo, self).__init__(**kwargs)
+        self.type_string = _SSH_TYPE_STRINGS['rsa'] + _CERT_SUFFIX_V01
+        self.e = e
+        self.n = n
+
+    # See https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+    def public_key_fingerprint(self):
+        if any([self.e is None, self.n is None]):
+            return b''
+
+        writer = _OpensshWriter()
+        writer.string(_SSH_TYPE_STRINGS['rsa'])
+        writer.mpint(self.e)
+        writer.mpint(self.n)
+
+        return fingerprint(writer.bytes())
+
+    def parse_public_numbers(self, parser):
+        self.e = parser.mpint()
+        self.n = parser.mpint()
+
+
+class OpensshDSACertificateInfo(OpensshCertificateInfo):
+    def __init__(self, p=None, q=None, g=None, y=None, **kwargs):
+        super(OpensshDSACertificateInfo, self).__init__(**kwargs)
+        self.type_string = _SSH_TYPE_STRINGS['dsa'] + _CERT_SUFFIX_V01
+        self.p = p
+        self.q = q
+        self.g = g
+        self.y = y
+
+    # See https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+    def public_key_fingerprint(self):
+        if any([self.p is None, self.q is None, self.g is None, self.y is None]):
+            return b''
+
+        writer = _OpensshWriter()
+        writer.string(_SSH_TYPE_STRINGS['dsa'])
+        writer.mpint(self.p)
+        writer.mpint(self.q)
+        writer.mpint(self.g)
+        writer.mpint(self.y)
+
+        return fingerprint(writer.bytes())
+
+    def parse_public_numbers(self, parser):
+        self.p = parser.mpint()
+        self.q = parser.mpint()
+        self.g = parser.mpint()
+        self.y = parser.mpint()
+
+
+class OpensshECDSACertificateInfo(OpensshCertificateInfo):
+    def __init__(self, curve=None, public_key=None, **kwargs):
+        super(OpensshECDSACertificateInfo, self).__init__(**kwargs)
+        self._curve = None
+        if curve is not None:
+            self.curve = curve
+
+        self.public_key = public_key
+
+    @property
+    def curve(self):
+        return self._curve
+
+    @curve.setter
+    def curve(self, curve):
+        if curve in _ECDSA_CURVE_IDENTIFIERS.values():
+            self._curve = curve
+            self.type_string = _SSH_TYPE_STRINGS[_ECDSA_CURVE_IDENTIFIERS_LOOKUP[curve]] + _CERT_SUFFIX_V01
+        else:
+            raise ValueError(
+                "Curve must be one of %s" % (b','.join(list(_ECDSA_CURVE_IDENTIFIERS.values()))).decode('UTF-8')
+            )
+
+    # See https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+    def public_key_fingerprint(self):
+        if any([self.curve is None, self.public_key is None]):
+            return b''
+
+        writer = _OpensshWriter()
+        writer.string(_SSH_TYPE_STRINGS[_ECDSA_CURVE_IDENTIFIERS_LOOKUP[self.curve]])
+        writer.string(self.curve)
+        writer.string(self.public_key)
+
+        return fingerprint(writer.bytes())
+
+    def parse_public_numbers(self, parser):
+        self.curve = parser.string()
+        self.public_key = parser.string()
+
+
+class OpensshED25519CertificateInfo(OpensshCertificateInfo):
+    def __init__(self, pk=None, **kwargs):
+        super(OpensshED25519CertificateInfo, self).__init__(**kwargs)
+        self.type_string = _SSH_TYPE_STRINGS['ed25519'] + _CERT_SUFFIX_V01
+        self.pk = pk
+
+    def public_key_fingerprint(self):
+        if self.pk is None:
+            return b''
+
+        writer = _OpensshWriter()
+        writer.string(_SSH_TYPE_STRINGS['ed25519'])
+        writer.string(self.pk)
+
+        return fingerprint(writer.bytes())
+
+    def parse_public_numbers(self, parser):
+        self.pk = parser.string()
+
+
+# See https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
+class OpensshCertificate(object):
+    """Encapsulates a formatted OpenSSH certificate including signature and signing key"""
+    def __init__(self, cert_info, signature):
+
+        self._cert_info = cert_info
+        self.signature = signature
+
+    @classmethod
+    def load(cls, path):
+        if not os.path.exists(path):
+            raise ValueError("%s is not a valid path." % path)
+
+        try:
+            with open(path, 'rb') as cert_file:
+                data = cert_file.read()
+        except (IOError, OSError) as e:
+            raise ValueError("%s cannot be opened for reading: %s" % (path, e))
+
+        try:
+            format_identifier, b64_cert = data.split(b' ')[:2]
+            cert = binascii.a2b_base64(b64_cert)
+        except (binascii.Error, ValueError):
+            raise ValueError("Certificate not in OpenSSH format")
+
+        for key_type, string in _SSH_TYPE_STRINGS.items():
+            if format_identifier == string + _CERT_SUFFIX_V01:
+                pub_key_type = key_type
+                break
+        else:
+            raise ValueError("Invalid certificate format identifier: %s" % format_identifier)
+
+        parser = OpensshParser(cert)
+
+        if format_identifier != parser.string():
+            raise ValueError("Certificate formats do not match")
+
+        try:
+            cert_info = cls._parse_cert_info(pub_key_type, parser)
+            signature = parser.string()
+        except (TypeError, ValueError) as e:
+            raise ValueError("Invalid certificate data: %s" % e)
+
+        if parser.remaining_bytes():
+            raise ValueError(
+                "%s bytes of additional data was not parsed while loading %s" % (parser.remaining_bytes(), path)
+            )
+
+        return cls(
+            cert_info=cert_info,
+            signature=signature,
+        )
+
+    @property
+    def type_string(self):
+        return to_text(self._cert_info.type_string)
+
+    @property
+    def nonce(self):
+        return self._cert_info.nonce
+
+    @property
+    def public_key(self):
+        return to_text(self._cert_info.public_key_fingerprint())
+
+    @property
+    def serial(self):
+        return self._cert_info.serial
+
+    @property
+    def type(self):
+        return self._cert_info.cert_type
+
+    @property
+    def key_id(self):
+        return to_text(self._cert_info.key_id)
+
+    @property
+    def principals(self):
+        return [to_text(p) for p in self._cert_info.principals]
+
+    @property
+    def valid_after(self):
+        return self._cert_info.valid_after
+
+    @property
+    def valid_before(self):
+        return self._cert_info.valid_before
+
+    @property
+    def critical_options(self):
+        return [
+            OpensshCertificateOption('critical', to_text(n), to_text(d)) for n, d in self._cert_info.critical_options
+        ]
+
+    @property
+    def extensions(self):
+        return [OpensshCertificateOption('extension', to_text(n), to_text(d)) for n, d in self._cert_info.extensions]
+
+    @property
+    def reserved(self):
+        return self._cert_info.reserved
+
+    @property
+    def signing_key(self):
+        return to_text(self._cert_info.signing_key_fingerprint())
+
+    @property
+    def signature_type(self):
+        signature_data = OpensshParser.signature_data(self.signature)
+        return to_text(signature_data['signature_type'])
+
+    @staticmethod
+    def _parse_cert_info(pub_key_type, parser):
+        cert_info = get_cert_info_object(pub_key_type)
+        cert_info.nonce = parser.string()
+        cert_info.parse_public_numbers(parser)
+        cert_info.serial = parser.uint64()
+        cert_info.cert_type = parser.uint32()
+        cert_info.key_id = parser.string()
+        cert_info.principals = parser.string_list()
+        cert_info.valid_after = parser.uint64()
+        cert_info.valid_before = parser.uint64()
+        cert_info.critical_options = parser.option_list()
+        cert_info.extensions = parser.option_list()
+        cert_info.reserved = parser.string()
+        cert_info.signing_key = parser.string()
+
+        return cert_info
+
+    def to_dict(self):
+        time_parameters = OpensshCertificateTimeParameters(
+            valid_from=self.valid_after,
+            valid_to=self.valid_before
+        )
+        return {
+            'type_string': self.type_string,
+            'nonce': self.nonce,
+            'serial': self.serial,
+            'cert_type': self.type,
+            'identifier': self.key_id,
+            'principals': self.principals,
+            'valid_after': time_parameters.valid_from(date_format='human_readable'),
+            'valid_before': time_parameters.valid_to(date_format='human_readable'),
+            'critical_options': [str(critical_option) for critical_option in self.critical_options],
+            'extensions': [str(extension) for extension in self.extensions],
+            'reserved': self.reserved,
+            'public_key': self.public_key,
+            'signing_key': self.signing_key,
+        }
+
+
+def apply_directives(directives):
+    if any(d not in _DIRECTIVES for d in directives):
+        raise ValueError("directives must be one of %s" % ", ".join(_DIRECTIVES))
+
+    directive_to_option = {
+        'no-x11-forwarding': OpensshCertificateOption('extension', 'permit-x11-forwarding', ''),
+        'no-agent-forwarding': OpensshCertificateOption('extension', 'permit-agent-forwarding', ''),
+        'no-port-forwarding': OpensshCertificateOption('extension', 'permit-port-forwarding', ''),
+        'no-pty': OpensshCertificateOption('extension', 'permit-pty', ''),
+        'no-user-rc': OpensshCertificateOption('extension', 'permit-user-rc', ''),
+    }
+
+    if 'clear' in directives:
+        return []
+    else:
+        return list(set(default_options()) - set(directive_to_option[d] for d in directives))
+
+
+def default_options():
+    return [OpensshCertificateOption('extension', name, '') for name in _EXTENSIONS]
+
+
+def fingerprint(public_key):
+    """Generates a SHA256 hash and formats output to resemble ``ssh-keygen``"""
+    h = sha256()
+    h.update(public_key)
+    return b'SHA256:' + b64encode(h.digest()).rstrip(b'=')
+
+
+def get_cert_info_object(key_type):
+    if key_type == 'rsa':
+        cert_info = OpensshRSACertificateInfo()
+    elif key_type == 'dsa':
+        cert_info = OpensshDSACertificateInfo()
+    elif key_type in ('ecdsa-nistp256', 'ecdsa-nistp384', 'ecdsa-nistp521'):
+        cert_info = OpensshECDSACertificateInfo()
+    elif key_type == 'ed25519':
+        cert_info = OpensshED25519CertificateInfo()
+    else:
+        raise ValueError("%s is not a valid key type" % key_type)
+
+    return cert_info
+
+
+def get_option_type(name):
+    if name in _CRITICAL_OPTIONS:
+        result = 'critical'
+    elif name in _EXTENSIONS:
+        result = 'extension'
+    else:
+        raise ValueError("%s is not a valid option. " % name +
+                         "Custom options must start with 'critical:' or 'extension:' to indicate type")
+    return result
+
+
+def is_relative_time_string(time_string):
+    return time_string.startswith("+") or time_string.startswith("-")
+
+
+def parse_option_list(option_list):
+    critical_options = []
+    directives = []
+    extensions = []
+
+    for option in option_list:
+        if option.lower() in _DIRECTIVES:
+            directives.append(option.lower())
+        else:
+            option_object = OpensshCertificateOption.from_string(option)
+            if option_object.type == 'critical':
+                critical_options.append(option_object)
+            else:
+                extensions.append(option_object)
+
+    return critical_options, list(set(extensions + apply_directives(directives)))

plugins/module_utils/openssh/cryptography.py

@@ -0,0 +1,685 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import os
+from base64 import b64encode, b64decode
+from getpass import getuser
+from socket import gethostname
+
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
+try:
+    from cryptography import __version__ as CRYPTOGRAPHY_VERSION
+    from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
+    from cryptography.hazmat.backends.openssl import backend
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa, padding
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
+
+    if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.0"):
+        HAS_OPENSSH_PRIVATE_FORMAT = True
+    else:
+        HAS_OPENSSH_PRIVATE_FORMAT = False
+
+    HAS_OPENSSH_SUPPORT = True
+
+    _ALGORITHM_PARAMETERS = {
+        'rsa': {
+            'default_size': 2048,
+            'valid_sizes': range(1024, 16384),
+            'signer_params': {
+                'padding': padding.PSS(
+                    mgf=padding.MGF1(hashes.SHA256()),
+                    salt_length=padding.PSS.MAX_LENGTH,
+                ),
+                'algorithm': hashes.SHA256(),
+            },
+        },
+        'dsa': {
+            'default_size': 1024,
+            'valid_sizes': [1024],
+            'signer_params': {
+                'algorithm': hashes.SHA256(),
+            },
+        },
+        'ed25519': {
+            'default_size': 256,
+            'valid_sizes': [256],
+            'signer_params': {},
+        },
+        'ecdsa': {
+            'default_size': 256,
+            'valid_sizes': [256, 384, 521],
+            'signer_params': {
+                'signature_algorithm': ec.ECDSA(hashes.SHA256()),
+            },
+            'curves': {
+                256: ec.SECP256R1(),
+                384: ec.SECP384R1(),
+                521: ec.SECP521R1(),
+            }
+        }
+    }
+except ImportError:
+    HAS_OPENSSH_PRIVATE_FORMAT = False
+    HAS_OPENSSH_SUPPORT = False
+    CRYPTOGRAPHY_VERSION = "0.0"
+    _ALGORITHM_PARAMETERS = {}
+
+_TEXT_ENCODING = 'UTF-8'
+
+
+class OpenSSHError(Exception):
+    pass
+
+
+class InvalidAlgorithmError(OpenSSHError):
+    pass
+
+
+class InvalidCommentError(OpenSSHError):
+    pass
+
+
+class InvalidDataError(OpenSSHError):
+    pass
+
+
+class InvalidPrivateKeyFileError(OpenSSHError):
+    pass
+
+
+class InvalidPublicKeyFileError(OpenSSHError):
+    pass
+
+
+class InvalidKeyFormatError(OpenSSHError):
+    pass
+
+
+class InvalidKeySizeError(OpenSSHError):
+    pass
+
+
+class InvalidKeyTypeError(OpenSSHError):
+    pass
+
+
+class InvalidPassphraseError(OpenSSHError):
+    pass
+
+
+class InvalidSignatureError(OpenSSHError):
+    pass
+
+
+class AsymmetricKeypair(object):
+    """Container for newly generated asymmetric key pairs or those loaded from existing files"""
+
+    @classmethod
+    def generate(cls, keytype='rsa', size=None, passphrase=None):
+        """Returns an Asymmetric_Keypair object generated with the supplied parameters
+           or defaults to an unencrypted RSA-2048 key
+
+           :keytype: One of rsa, dsa, ecdsa, ed25519
+           :size: The key length for newly generated keys
+           :passphrase: Secret of type Bytes used to encrypt the private key being generated
+        """
+
+        if keytype not in _ALGORITHM_PARAMETERS.keys():
+            raise InvalidKeyTypeError(
+                "%s is not a valid keytype. Valid keytypes are %s" % (
+                    keytype, ", ".join(_ALGORITHM_PARAMETERS.keys())
+                )
+            )
+
+        if not size:
+            size = _ALGORITHM_PARAMETERS[keytype]['default_size']
+        else:
+            if size not in _ALGORITHM_PARAMETERS[keytype]['valid_sizes']:
+                raise InvalidKeySizeError(
+                    "%s is not a valid key size for %s keys" % (size, keytype)
+                )
+
+        if passphrase:
+            encryption_algorithm = get_encryption_algorithm(passphrase)
+        else:
+            encryption_algorithm = serialization.NoEncryption()
+
+        if keytype == 'rsa':
+            privatekey = rsa.generate_private_key(
+                # Public exponent should always be 65537 to prevent issues
+                # if improper padding is used during signing
+                public_exponent=65537,
+                key_size=size,
+                backend=backend,
+            )
+        elif keytype == 'dsa':
+            privatekey = dsa.generate_private_key(
+                key_size=size,
+                backend=backend,
+            )
+        elif keytype == 'ed25519':
+            privatekey = Ed25519PrivateKey.generate()
+        elif keytype == 'ecdsa':
+            privatekey = ec.generate_private_key(
+                _ALGORITHM_PARAMETERS['ecdsa']['curves'][size],
+                backend=backend,
+            )
+
+        publickey = privatekey.public_key()
+
+        return cls(
+            keytype=keytype,
+            size=size,
+            privatekey=privatekey,
+            publickey=publickey,
+            encryption_algorithm=encryption_algorithm
+        )
+
+    @classmethod
+    def load(cls, path, passphrase=None, private_key_format='PEM', public_key_format='PEM', no_public_key=False):
+        """Returns an Asymmetric_Keypair object loaded from the supplied file path
+
+           :path: A path to an existing private key to be loaded
+           :passphrase: Secret of type bytes used to decrypt the private key being loaded
+           :private_key_format: Format of private key to be loaded
+           :public_key_format: Format of public key to be loaded
+           :no_public_key: Set 'True' to only load a private key and automatically populate the matching public key
+        """
+
+        if passphrase:
+            encryption_algorithm = get_encryption_algorithm(passphrase)
+        else:
+            encryption_algorithm = serialization.NoEncryption()
+
+        privatekey = load_privatekey(path, passphrase, private_key_format)
+        if no_public_key:
+            publickey = privatekey.public_key()
+        else:
+            publickey = load_publickey(path + '.pub', public_key_format)
+
+        # Ed25519 keys are always of size 256 and do not have a key_size attribute
+        if isinstance(privatekey, Ed25519PrivateKey):
+            size = _ALGORITHM_PARAMETERS['ed25519']['default_size']
+        else:
+            size = privatekey.key_size
+
+        if isinstance(privatekey, rsa.RSAPrivateKey):
+            keytype = 'rsa'
+        elif isinstance(privatekey, dsa.DSAPrivateKey):
+            keytype = 'dsa'
+        elif isinstance(privatekey, ec.EllipticCurvePrivateKey):
+            keytype = 'ecdsa'
+        elif isinstance(privatekey, Ed25519PrivateKey):
+            keytype = 'ed25519'
+        else:
+            raise InvalidKeyTypeError("Key type '%s' is not supported" % type(privatekey))
+
+        return cls(
+            keytype=keytype,
+            size=size,
+            privatekey=privatekey,
+            publickey=publickey,
+            encryption_algorithm=encryption_algorithm
+        )
+
+    def __init__(self, keytype, size, privatekey, publickey, encryption_algorithm):
+        """
+           :keytype: One of rsa, dsa, ecdsa, ed25519
+           :size: The key length for the private key of this key pair
+           :privatekey: Private key object of this key pair
+           :publickey: Public key object of this key pair
+           :encryption_algorithm: Hashed secret used to encrypt the private key of this key pair
+        """
+
+        self.__size = size
+        self.__keytype = keytype
+        self.__privatekey = privatekey
+        self.__publickey = publickey
+        self.__encryption_algorithm = encryption_algorithm
+
+        try:
+            self.verify(self.sign(b'message'), b'message')
+        except InvalidSignatureError:
+            raise InvalidPublicKeyFileError(
+                "The private key and public key of this keypair do not match"
+            )
+
+    def __eq__(self, other):
+        if not isinstance(other, AsymmetricKeypair):
+            return NotImplemented
+
+        return (compare_publickeys(self.public_key, other.public_key) and
+                compare_encryption_algorithms(self.encryption_algorithm, other.encryption_algorithm))
+
+    def __ne__(self, other):
+        return not self == other
+
+    @property
+    def private_key(self):
+        """Returns the private key of this key pair"""
+
+        return self.__privatekey
+
+    @property
+    def public_key(self):
+        """Returns the public key of this key pair"""
+
+        return self.__publickey
+
+    @property
+    def size(self):
+        """Returns the size of the private key of this key pair"""
+
+        return self.__size
+
+    @property
+    def key_type(self):
+        """Returns the key type of this key pair"""
+
+        return self.__keytype
+
+    @property
+    def encryption_algorithm(self):
+        """Returns the key encryption algorithm of this key pair"""
+
+        return self.__encryption_algorithm
+
+    def sign(self, data):
+        """Returns signature of data signed with the private key of this key pair
+
+           :data: byteslike data to sign
+        """
+
+        try:
+            signature = self.__privatekey.sign(
+                data,
+                **_ALGORITHM_PARAMETERS[self.__keytype]['signer_params']
+            )
+        except TypeError as e:
+            raise InvalidDataError(e)
+
+        return signature
+
+    def verify(self, signature, data):
+        """Verifies that the signature associated with the provided data was signed
+           by the private key of this key pair.
+
+           :signature: signature to verify
+           :data: byteslike data signed by the provided signature
+        """
+        try:
+            return self.__publickey.verify(
+                signature,
+                data,
+                **_ALGORITHM_PARAMETERS[self.__keytype]['signer_params']
+            )
+        except InvalidSignature:
+            raise InvalidSignatureError
+
+    def update_passphrase(self, passphrase=None):
+        """Updates the encryption algorithm of this key pair
+
+           :passphrase: Byte secret used to encrypt this key pair
+        """
+
+        if passphrase:
+            self.__encryption_algorithm = get_encryption_algorithm(passphrase)
+        else:
+            self.__encryption_algorithm = serialization.NoEncryption()
+
+
+class OpensshKeypair(object):
+    """Container for OpenSSH encoded asymmetric key pairs"""
+
+    @classmethod
+    def generate(cls, keytype='rsa', size=None, passphrase=None, comment=None):
+        """Returns an Openssh_Keypair object generated using the supplied parameters or defaults to a RSA-2048 key
+
+           :keytype: One of rsa, dsa, ecdsa, ed25519
+           :size: The key length for newly generated keys
+           :passphrase: Secret of type Bytes used to encrypt the newly generated private key
+           :comment: Comment for a newly generated OpenSSH public key
+        """
+
+        if comment is None:
+            comment = "%s@%s" % (getuser(), gethostname())
+
+        asym_keypair = AsymmetricKeypair.generate(keytype, size, passphrase)
+        openssh_privatekey = cls.encode_openssh_privatekey(asym_keypair, 'SSH')
+        openssh_publickey = cls.encode_openssh_publickey(asym_keypair, comment)
+        fingerprint = calculate_fingerprint(openssh_publickey)
+
+        return cls(
+            asym_keypair=asym_keypair,
+            openssh_privatekey=openssh_privatekey,
+            openssh_publickey=openssh_publickey,
+            fingerprint=fingerprint,
+            comment=comment,
+        )
+
+    @classmethod
+    def load(cls, path, passphrase=None, no_public_key=False):
+        """Returns an Openssh_Keypair object loaded from the supplied file path
+
+           :path: A path to an existing private key to be loaded
+           :passphrase: Secret used to decrypt the private key being loaded
+           :no_public_key: Set 'True' to only load a private key and automatically populate the matching public key
+        """
+
+        if no_public_key:
+            comment = ""
+        else:
+            comment = extract_comment(path + '.pub')
+
+        asym_keypair = AsymmetricKeypair.load(path, passphrase, 'SSH', 'SSH', no_public_key)
+        openssh_privatekey = cls.encode_openssh_privatekey(asym_keypair, 'SSH')
+        openssh_publickey = cls.encode_openssh_publickey(asym_keypair, comment)
+        fingerprint = calculate_fingerprint(openssh_publickey)
+
+        return cls(
+            asym_keypair=asym_keypair,
+            openssh_privatekey=openssh_privatekey,
+            openssh_publickey=openssh_publickey,
+            fingerprint=fingerprint,
+            comment=comment,
+        )
+
+    @staticmethod
+    def encode_openssh_privatekey(asym_keypair, key_format):
+        """Returns an OpenSSH encoded private key for a given keypair
+
+           :asym_keypair: Asymmetric_Keypair from the private key is extracted
+           :key_format: Format of the encoded private key.
+        """
+
+        if key_format == 'SSH':
+            # Default to PEM format if SSH not available
+            if not HAS_OPENSSH_PRIVATE_FORMAT:
+                privatekey_format = serialization.PrivateFormat.PKCS8
+            else:
+                privatekey_format = serialization.PrivateFormat.OpenSSH
+        elif key_format == 'PKCS8':
+            privatekey_format = serialization.PrivateFormat.PKCS8
+        elif key_format == 'PKCS1':
+            if asym_keypair.key_type == 'ed25519':
+                raise InvalidKeyFormatError("ed25519 keys cannot be represented in PKCS1 format")
+            privatekey_format = serialization.PrivateFormat.TraditionalOpenSSL
+        else:
+            raise InvalidKeyFormatError("The accepted private key formats are SSH, PKCS8, and PKCS1")
+
+        encoded_privatekey = asym_keypair.private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=privatekey_format,
+            encryption_algorithm=asym_keypair.encryption_algorithm
+        )
+
+        return encoded_privatekey
+
+    @staticmethod
+    def encode_openssh_publickey(asym_keypair, comment):
+        """Returns an OpenSSH encoded public key for a given keypair
+
+           :asym_keypair: Asymmetric_Keypair from the public key is extracted
+           :comment: Comment to apply to the end of the returned OpenSSH encoded public key
+        """
+        encoded_publickey = asym_keypair.public_key.public_bytes(
+            encoding=serialization.Encoding.OpenSSH,
+            format=serialization.PublicFormat.OpenSSH,
+        )
+
+        validate_comment(comment)
+
+        encoded_publickey += (" %s" % comment).encode(encoding=_TEXT_ENCODING) if comment else b''
+
+        return encoded_publickey
+
+    def __init__(self, asym_keypair, openssh_privatekey, openssh_publickey, fingerprint, comment):
+        """
+           :asym_keypair: An Asymmetric_Keypair object from which the OpenSSH encoded keypair is derived
+           :openssh_privatekey: An OpenSSH encoded private key
+           :openssh_privatekey: An OpenSSH encoded public key
+           :fingerprint: The fingerprint of the OpenSSH encoded public key of this keypair
+           :comment: Comment applied to the OpenSSH public key of this keypair
+        """
+
+        self.__asym_keypair = asym_keypair
+        self.__openssh_privatekey = openssh_privatekey
+        self.__openssh_publickey = openssh_publickey
+        self.__fingerprint = fingerprint
+        self.__comment = comment
+
+    def __eq__(self, other):
+        if not isinstance(other, OpensshKeypair):
+            return NotImplemented
+
+        return self.asymmetric_keypair == other.asymmetric_keypair and self.comment == other.comment
+
+    @property
+    def asymmetric_keypair(self):
+        """Returns the underlying asymmetric key pair of this OpenSSH encoded key pair"""
+
+        return self.__asym_keypair
+
+    @property
+    def private_key(self):
+        """Returns the OpenSSH formatted private key of this key pair"""
+
+        return self.__openssh_privatekey
+
+    @property
+    def public_key(self):
+        """Returns the OpenSSH formatted public key of this key pair"""
+
+        return self.__openssh_publickey
+
+    @property
+    def size(self):
+        """Returns the size of the private key of this key pair"""
+
+        return self.__asym_keypair.size
+
+    @property
+    def key_type(self):
+        """Returns the key type of this key pair"""
+
+        return self.__asym_keypair.key_type
+
+    @property
+    def fingerprint(self):
+        """Returns the fingerprint (SHA256 Hash) of the public key of this key pair"""
+
+        return self.__fingerprint
+
+    @property
+    def comment(self):
+        """Returns the comment applied to the OpenSSH formatted public key of this key pair"""
+
+        return self.__comment
+
+    @comment.setter
+    def comment(self, comment):
+        """Updates the comment applied to the OpenSSH formatted public key of this key pair
+
+           :comment: Text to update the OpenSSH public key comment
+        """
+
+        validate_comment(comment)
+
+        self.__comment = comment
+        encoded_comment = (" %s" % self.__comment).encode(encoding=_TEXT_ENCODING) if self.__comment else b''
+        self.__openssh_publickey = b' '.join(self.__openssh_publickey.split(b' ', 2)[:2]) + encoded_comment
+        return self.__openssh_publickey
+
+    def update_passphrase(self, passphrase):
+        """Updates the passphrase used to encrypt the private key of this keypair
+
+           :passphrase: Text secret used for encryption
+        """
+
+        self.__asym_keypair.update_passphrase(passphrase)
+        self.__openssh_privatekey = OpensshKeypair.encode_openssh_privatekey(self.__asym_keypair, 'SSH')
+
+
+def load_privatekey(path, passphrase, key_format):
+    privatekey_loaders = {
+        'PEM': serialization.load_pem_private_key,
+        'DER': serialization.load_der_private_key,
+    }
+
+    # OpenSSH formatted private keys are not available in Cryptography <3.0
+    if hasattr(serialization, 'load_ssh_private_key'):
+        privatekey_loaders['SSH'] = serialization.load_ssh_private_key
+    else:
+        privatekey_loaders['SSH'] = serialization.load_pem_private_key
+
+    try:
+        privatekey_loader = privatekey_loaders[key_format]
+    except KeyError:
+        raise InvalidKeyFormatError(
+            "%s is not a valid key format (%s)" % (
+                key_format,
+                ','.join(privatekey_loaders.keys())
+            )
+        )
+
+    if not os.path.exists(path):
+        raise InvalidPrivateKeyFileError("No file was found at %s" % path)
+
+    try:
+        with open(path, 'rb') as f:
+            content = f.read()
+
+            privatekey = privatekey_loader(
+                data=content,
+                password=passphrase,
+                backend=backend,
+            )
+
+    except ValueError as e:
+        # Revert to PEM if key could not be loaded in SSH format
+        if key_format == 'SSH':
+            try:
+                privatekey = privatekey_loaders['PEM'](
+                    data=content,
+                    password=passphrase,
+                    backend=backend,
+                )
+            except ValueError as e:
+                raise InvalidPrivateKeyFileError(e)
+            except TypeError as e:
+                raise InvalidPassphraseError(e)
+            except UnsupportedAlgorithm as e:
+                raise InvalidAlgorithmError(e)
+        else:
+            raise InvalidPrivateKeyFileError(e)
+    except TypeError as e:
+        raise InvalidPassphraseError(e)
+    except UnsupportedAlgorithm as e:
+        raise InvalidAlgorithmError(e)
+
+    return privatekey
+
+
+def load_publickey(path, key_format):
+    publickey_loaders = {
+        'PEM': serialization.load_pem_public_key,
+        'DER': serialization.load_der_public_key,
+        'SSH': serialization.load_ssh_public_key,
+    }
+
+    try:
+        publickey_loader = publickey_loaders[key_format]
+    except KeyError:
+        raise InvalidKeyFormatError(
+            "%s is not a valid key format (%s)" % (
+                key_format,
+                ','.join(publickey_loaders.keys())
+            )
+        )
+
+    if not os.path.exists(path):
+        raise InvalidPublicKeyFileError("No file was found at %s" % path)
+
+    try:
+        with open(path, 'rb') as f:
+            content = f.read()
+
+            publickey = publickey_loader(
+                data=content,
+                backend=backend,
+            )
+    except ValueError as e:
+        raise InvalidPublicKeyFileError(e)
+    except UnsupportedAlgorithm as e:
+        raise InvalidAlgorithmError(e)
+
+    return publickey
+
+
+def compare_publickeys(pk1, pk2):
+    a = isinstance(pk1, Ed25519PublicKey)
+    b = isinstance(pk2, Ed25519PublicKey)
+    if a or b:
+        if not a or not b:
+            return False
+        a = pk1.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
+        b = pk2.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
+        return a == b
+    else:
+        return pk1.public_numbers() == pk2.public_numbers()
+
+
+def compare_encryption_algorithms(ea1, ea2):
+    if isinstance(ea1, serialization.NoEncryption) and isinstance(ea2, serialization.NoEncryption):
+        return True
+    elif (isinstance(ea1, serialization.BestAvailableEncryption) and
+          isinstance(ea2, serialization.BestAvailableEncryption)):
+        return ea1.password == ea2.password
+    else:
+        return False
+
+
+def get_encryption_algorithm(passphrase):
+    try:
+        return serialization.BestAvailableEncryption(passphrase)
+    except ValueError as e:
+        raise InvalidPassphraseError(e)
+
+
+def validate_comment(comment):
+    if not hasattr(comment, 'encode'):
+        raise InvalidCommentError("%s cannot be encoded to text" % comment)
+
+
+def extract_comment(path):
+
+    if not os.path.exists(path):
+        raise InvalidPublicKeyFileError("No file was found at %s" % path)
+
+    try:
+        with open(path, 'rb') as f:
+            fields = f.read().split(b' ', 2)
+            if len(fields) == 3:
+                comment = fields[2].decode(_TEXT_ENCODING)
+            else:
+                comment = ""
+    except (IOError, OSError) as e:
+        raise InvalidPublicKeyFileError(e)
+
+    return comment
+
+
+def calculate_fingerprint(openssh_publickey):
+    digest = hashes.Hash(hashes.SHA256(), backend=backend)
+    decoded_pubkey = b64decode(openssh_publickey.split(b' ')[1])
+    digest.update(decoded_pubkey)
+
+    return 'SHA256:%s' % b64encode(digest.finalize()).decode(encoding=_TEXT_ENCODING).rstrip('=')

plugins/module_utils/openssh/utils.py

@@ -0,0 +1,392 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
+# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import os
+import re
+from contextlib import contextmanager
+from struct import Struct
+
+from ansible.module_utils.six import PY3
+
+# Protocol References
+# -------------------
+# https://datatracker.ietf.org/doc/html/rfc4251
+# https://datatracker.ietf.org/doc/html/rfc4253
+# https://datatracker.ietf.org/doc/html/rfc5656
+# https://datatracker.ietf.org/doc/html/rfc8032
+#
+# Inspired by:
+# ------------
+# https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/serialization/ssh.py
+# https://github.com/paramiko/paramiko/blob/master/paramiko/message.py
+
+if PY3:
+    long = int
+
+# 0 (False) or 1 (True) encoded as a single byte
+_BOOLEAN = Struct(b'?')
+# Unsigned 8-bit integer in network-byte-order
+_UBYTE = Struct(b'!B')
+_UBYTE_MAX = 0xFF
+# Unsigned 32-bit integer in network-byte-order
+_UINT32 = Struct(b'!I')
+# Unsigned 32-bit little endian integer
+_UINT32_LE = Struct(b'<I')
+_UINT32_MAX = 0xFFFFFFFF
+# Unsigned 64-bit integer in network-byte-order
+_UINT64 = Struct(b'!Q')
+_UINT64_MAX = 0xFFFFFFFFFFFFFFFF
+
+
+def any_in(sequence, *elements):
+    return any(e in sequence for e in elements)
+
+
+def file_mode(path):
+    if not os.path.exists(path):
+        return 0o000
+    return os.stat(path).st_mode & 0o777
+
+
+def parse_openssh_version(version_string):
+    """Parse the version output of ssh -V and return version numbers that can be compared"""
+
+    parsed_result = re.match(
+        r"^.*openssh_(?P<version>[0-9.]+)(p?[0-9]+)[^0-9]*.*$", version_string.lower()
+    )
+    if parsed_result is not None:
+        version = parsed_result.group("version").strip()
+    else:
+        version = None
+
+    return version
+
+
+@contextmanager
+def secure_open(path, mode):
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
+    try:
+        yield fd
+    finally:
+        os.close(fd)
+
+
+def secure_write(path, mode, content):
+    with secure_open(path, mode) as fd:
+        os.write(fd, content)
+
+
+# See https://datatracker.ietf.org/doc/html/rfc4251#section-5 for SSH data types
+class OpensshParser(object):
+    """Parser for OpenSSH encoded objects"""
+    BOOLEAN_OFFSET = 1
+    UINT32_OFFSET = 4
+    UINT64_OFFSET = 8
+
+    def __init__(self, data):
+        if not isinstance(data, (bytes, bytearray)):
+            raise TypeError("Data must be bytes-like not %s" % type(data))
+
+        self._data = memoryview(data) if PY3 else data
+        self._pos = 0
+
+    def boolean(self):
+        next_pos = self._check_position(self.BOOLEAN_OFFSET)
+
+        value = _BOOLEAN.unpack(self._data[self._pos:next_pos])[0]
+        self._pos = next_pos
+        return value
+
+    def uint32(self):
+        next_pos = self._check_position(self.UINT32_OFFSET)
+
+        value = _UINT32.unpack(self._data[self._pos:next_pos])[0]
+        self._pos = next_pos
+        return value
+
+    def uint64(self):
+        next_pos = self._check_position(self.UINT64_OFFSET)
+
+        value = _UINT64.unpack(self._data[self._pos:next_pos])[0]
+        self._pos = next_pos
+        return value
+
+    def string(self):
+        length = self.uint32()
+
+        next_pos = self._check_position(length)
+
+        value = self._data[self._pos:next_pos]
+        self._pos = next_pos
+        # Cast to bytes is required as a memoryview slice is itself a memoryview
+        return value if not PY3 else bytes(value)
+
+    def mpint(self):
+        return self._big_int(self.string(), "big", signed=True)
+
+    def name_list(self):
+        raw_string = self.string()
+        return raw_string.decode('ASCII').split(',')
+
+    # Convenience function, but not an official data type from SSH
+    def string_list(self):
+        result = []
+        raw_string = self.string()
+
+        if raw_string:
+            parser = OpensshParser(raw_string)
+            while parser.remaining_bytes():
+                result.append(parser.string())
+
+        return result
+
+    # Convenience function, but not an official data type from SSH
+    def option_list(self):
+        result = []
+        raw_string = self.string()
+
+        if raw_string:
+            parser = OpensshParser(raw_string)
+
+            while parser.remaining_bytes():
+                name = parser.string()
+                data = parser.string()
+                if data:
+                    # data is doubly-encoded
+                    data = OpensshParser(data).string()
+                result.append((name, data))
+
+        return result
+
+    def seek(self, offset):
+        self._pos = self._check_position(offset)
+
+        return self._pos
+
+    def remaining_bytes(self):
+        return len(self._data) - self._pos
+
+    def _check_position(self, offset):
+        if self._pos + offset > len(self._data):
+            raise ValueError("Insufficient data remaining at position: %s" % self._pos)
+        elif self._pos + offset < 0:
+            raise ValueError("Position cannot be less than zero.")
+        else:
+            return self._pos + offset
+
+    @classmethod
+    def signature_data(cls, signature_string):
+        signature_data = {}
+
+        parser = cls(signature_string)
+        signature_type = parser.string()
+        signature_blob = parser.string()
+
+        blob_parser = cls(signature_blob)
+        if signature_type in (b'ssh-rsa', b'rsa-sha2-256', b'rsa-sha2-512'):
+            # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+            # https://datatracker.ietf.org/doc/html/rfc8332#section-3
+            signature_data['s'] = cls._big_int(signature_blob, "big")
+        elif signature_type == b'ssh-dss':
+            # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+            signature_data['r'] = cls._big_int(signature_blob[:20], "big")
+            signature_data['s'] = cls._big_int(signature_blob[20:], "big")
+        elif signature_type in (b'ecdsa-sha2-nistp256', b'ecdsa-sha2-nistp384', b'ecdsa-sha2-nistp521'):
+            # https://datatracker.ietf.org/doc/html/rfc5656#section-3.1.2
+            signature_data['r'] = blob_parser.mpint()
+            signature_data['s'] = blob_parser.mpint()
+        elif signature_type == b'ssh-ed25519':
+            # https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.2
+            signature_data['R'] = cls._big_int(signature_blob[:32], "little")
+            signature_data['S'] = cls._big_int(signature_blob[32:], "little")
+        else:
+            raise ValueError("%s is not a valid signature type" % signature_type)
+
+        signature_data['signature_type'] = signature_type
+
+        return signature_data
+
+    @classmethod
+    def _big_int(cls, raw_string, byte_order, signed=False):
+        if byte_order not in ("big", "little"):
+            raise ValueError("Byte_order must be one of (big, little) not %s" % byte_order)
+
+        if PY3:
+            return int.from_bytes(raw_string, byte_order, signed=signed)
+
+        result = 0
+        byte_length = len(raw_string)
+
+        if byte_length > 0:
+            # Check sign-bit
+            msb = raw_string[0] if byte_order == "big" else raw_string[-1]
+            negative = bool(ord(msb) & 0x80)
+            # Match pad value for two's complement
+            pad = b'\xFF' if signed and negative else b'\x00'
+            # The definition of ``mpint`` enforces that unnecessary bytes are not encoded so they are added back
+            pad_length = (4 - byte_length % 4)
+            if pad_length < 4:
+                raw_string = pad * pad_length + raw_string if byte_order == "big" else raw_string + pad * pad_length
+                byte_length += pad_length
+            # Accumulate arbitrary precision integer bytes in the appropriate order
+            if byte_order == "big":
+                for i in range(0, byte_length, cls.UINT32_OFFSET):
+                    left_shift = result << cls.UINT32_OFFSET * 8
+                    result = left_shift + _UINT32.unpack(raw_string[i:i + cls.UINT32_OFFSET])[0]
+            else:
+                for i in range(byte_length, 0, -cls.UINT32_OFFSET):
+                    left_shift = result << cls.UINT32_OFFSET * 8
+                    result = left_shift + _UINT32_LE.unpack(raw_string[i - cls.UINT32_OFFSET:i])[0]
+            # Adjust for two's complement
+            if signed and negative:
+                result -= 1 << (8 * byte_length)
+
+        return result
+
+
+class _OpensshWriter(object):
+    """Writes SSH encoded values to a bytes-like buffer
+
+    .. warning::
+        This class is a private API and must not be exported outside of the openssh module_utils.
+        It is not to be used to construct Openssh objects, but rather as a utility to assist
+        in validating parsed material.
+    """
+    def __init__(self, buffer=None):
+        if buffer is not None:
+            if not isinstance(buffer, (bytes, bytearray)):
+                raise TypeError("Buffer must be a bytes-like object not %s" % type(buffer))
+        else:
+            buffer = bytearray()
+
+        self._buff = buffer
+
+    def boolean(self, value):
+        if not isinstance(value, bool):
+            raise TypeError("Value must be of type bool not %s" % type(value))
+
+        self._buff.extend(_BOOLEAN.pack(value))
+
+        return self
+
+    def uint32(self, value):
+        if not isinstance(value, int):
+            raise TypeError("Value must be of type int not %s" % type(value))
+        if value < 0 or value > _UINT32_MAX:
+            raise ValueError("Value must be a positive integer less than %s" % _UINT32_MAX)
+
+        self._buff.extend(_UINT32.pack(value))
+
+        return self
+
+    def uint64(self, value):
+        if not isinstance(value, (long, int)):
+            raise TypeError("Value must be of type (long, int) not %s" % type(value))
+        if value < 0 or value > _UINT64_MAX:
+            raise ValueError("Value must be a positive integer less than %s" % _UINT64_MAX)
+
+        self._buff.extend(_UINT64.pack(value))
+
+        return self
+
+    def string(self, value):
+        if not isinstance(value, (bytes, bytearray)):
+            raise TypeError("Value must be bytes-like not %s" % type(value))
+        self.uint32(len(value))
+        self._buff.extend(value)
+
+        return self
+
+    def mpint(self, value):
+        if not isinstance(value, (int, long)):
+            raise TypeError("Value must be of type (long, int) not %s" % type(value))
+
+        self.string(self._int_to_mpint(value))
+
+        return self
+
+    def name_list(self, value):
+        if not isinstance(value, list):
+            raise TypeError("Value must be a list of byte strings not %s" % type(value))
+
+        try:
+            self.string(','.join(value).encode('ASCII'))
+        except UnicodeEncodeError as e:
+            raise ValueError("Name-list's must consist of US-ASCII characters: %s" % e)
+
+        return self
+
+    def string_list(self, value):
+        if not isinstance(value, list):
+            raise TypeError("Value must be a list of byte string not %s" % type(value))
+
+        writer = _OpensshWriter()
+        for s in value:
+            writer.string(s)
+
+        self.string(writer.bytes())
+
+        return self
+
+    def option_list(self, value):
+        if not isinstance(value, list) or (value and not isinstance(value[0], tuple)):
+            raise TypeError("Value must be a list of tuples")
+
+        writer = _OpensshWriter()
+        for name, data in value:
+            writer.string(name)
+            # SSH option data is encoded twice though this behavior is not documented
+            writer.string(_OpensshWriter().string(data).bytes() if data else bytes())
+
+        self.string(writer.bytes())
+
+        return self
+
+    @staticmethod
+    def _int_to_mpint(num):
+        if PY3:
+            byte_length = (num.bit_length() + 7) // 8
+            try:
+                result = num.to_bytes(byte_length, "big", signed=True)
+            # Handles values which require \x00 or \xFF to pad sign-bit
+            except OverflowError:
+                result = num.to_bytes(byte_length + 1, "big", signed=True)
+        else:
+            result = bytes()
+            # 0 and -1 are treated as special cases since they are used as sentinels for all other values
+            if num == 0:
+                result += b'\x00'
+            elif num == -1:
+                result += b'\xFF'
+            elif num > 0:
+                while num >> 32:
+                    result = _UINT32.pack(num & _UINT32_MAX) + result
+                    num = num >> 32
+                # Pack last 4 bytes individually to discard insignificant bytes
+                while num:
+                    result = _UBYTE.pack(num & _UBYTE_MAX) + result
+                    num = num >> 8
+                # Zero pad final byte if most-significant bit is 1 as per mpint definition
+                if ord(result[0]) & 0x80:
+                    result = b'\x00' + result
+            else:
+                while (num >> 32) < -1:
+                    result = _UINT32.pack(num & _UINT32_MAX) + result
+                    num = num >> 32
+                while num < -1:
+                    result = _UBYTE.pack(num & _UBYTE_MAX) + result
+                    num = num >> 8
+                if not ord(result[0]) & 0x80:
+                    result = b'\xFF' + result
+
+        return result
+
+    def bytes(self):
+        return bytes(self._buff)

plugins/module_utils/version.py

@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""Provide version object to compare version numbers."""
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+# Once we drop support for Ansible 2.9, ansible-base 2.10, and ansible-core 2.11, we can
+# remove the _version.py file, and replace the following import by
+#
+#     from ansible.module_utils.compat.version import LooseVersion
+
+from ._version import LooseVersion

plugins/modules/acme_account.py

@@ -1,8 +1,9 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 
-# (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
@@ -56,7 +57,7 @@ options:
     description:
       - "Whether account creation is allowed (when state is C(present))."
     type: bool
-    default: yes
+    default: true
   contact:
     description:
       - "A list of contact URLs."
@@ -73,7 +74,7 @@ options:
       - "Boolean indicating whether you agree to the terms of service document."
       - "ACME servers can require this to be true."
     type: bool
-    default: no
+    default: false
   new_account_key_src:
     description:
       - "Path to a file containing the ACME account RSA or Elliptic Curve key to change to."
@@ -128,16 +129,16 @@ EXAMPLES = '''
   community.crypto.acme_account:
     account_key_src: /etc/pki/cert/private/account.key
     state: present
-    terms_agreed: yes
+    terms_agreed: true
     contact:
     - mailto:me@example.com
     - mailto:myself@example.org
 
-- name: Make sure account has given email address. Don't create account if it doesn't exist
+- name: Make sure account has given email address. Do not create account if it does not exist
   community.crypto.acme_account:
     account_key_src: /etc/pki/cert/private/account.key
     state: present
-    allow_creation: no
+    allow_creation: false
     contact:
     - mailto:me@example.com
 

plugins/modules/acme_account_facts.py

@@ -1 +0,0 @@
-acme_account_info.py