mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-05-06 13:22:58 +00:00
Compare commits
9 Commits
| SHA1 |
|---|
| 35ef2edb3f |
| ebcf866891 |
| 60c6d87b05 |
| 2aa38fe247 |
| d19faa1627 |
| e910f299b9 |
| 2ebf26854e |
| 7ff067937a |
| 2727b74cc7 |
@@ -5,6 +5,43 @@ Community Crypto Release Notes
.. contents:: Topics


v1.9.12
=======

Release Summary
---------------

Regular bugfix release.

Bugfixes
--------

- certificate_complete_chain - allow multiple potential intermediate certificates to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399, https://github.com/ansible-collections/community.crypto/pull/403).
- x509_certificate - for the ``ownca`` provider, check whether the CA private key actually belongs to the CA certificate. This fix only covers the ``cryptography`` backend, not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's public key changes for ``provider=ownca``. This fix only covers the ``cryptography`` backend, not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's subject changes for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400, https://github.com/ansible-collections/community.crypto/pull/402).
- x509_certificate - regenerate certificate when the private key changes for ``provider=selfsigned``. This fix only covers the ``cryptography`` backend, not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).

Known Issues
------------

- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl`` backend, changing the CA's public key does not cause regeneration of the certificate (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl`` backend, it is possible to specify a CA private key which is not related to the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``selfsigned`` provider with the ``pyopenssl`` backend, changing the private key does not cause regeneration of the certificate (https://github.com/ansible-collections/community.crypto/pull/407).

v1.9.11
=======

Release Summary
---------------

Bugfix release.

Bugfixes
--------

- openssh_cert - fixed false ``changed`` status for ``host`` certificates when using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395, https://github.com/ansible-collections/community.crypto/pull/396).

v1.9.10
=======

@@ -539,6 +539,52 @@ releases:
- 1.9.10.yml
- 388-luks_device-i18n.yml
release_date: '2022-02-01'
1.9.11:
changes:
bugfixes:
- openssh_cert - fixed false ``changed`` status for ``host`` certificates when
using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395,
https://github.com/ansible-collections/community.crypto/pull/396).
release_summary: Bugfix release.
fragments:
- 1.9.11.yml
- 396-openssh_cert-host-cert-idempotence-fix.yml
release_date: '2022-02-05'
1.9.12:
changes:
bugfixes:
- certificate_complete_chain - allow multiple potential intermediate certificates
to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399,
https://github.com/ansible-collections/community.crypto/pull/403).
- x509_certificate - for the ``ownca`` provider, check whether the CA private
key actually belongs to the CA certificate. This fix only covers the ``cryptography``
backend, not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's public key changes
for ``provider=ownca``. This fix only covers the ``cryptography`` backend,
not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's subject changes for
``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400,
https://github.com/ansible-collections/community.crypto/pull/402).
- x509_certificate - regenerate certificate when the private key changes for
``provider=selfsigned``. This fix only covers the ``cryptography`` backend,
not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
known_issues:
- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl``
backend, changing the CA's public key does not cause regeneration of the certificate
(https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl``
backend, it is possible to specify a CA private key which is not related to
the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``selfsigned`` provider with the ``pyopenssl``
backend, changing the private key does not cause regeneration of the certificate
(https://github.com/ansible-collections/community.crypto/pull/407).
release_summary: Regular bugfix release.
fragments:
- 1.9.12.yml
- 402-x509_certificate-ownca-subject.yml
- 403-certificate_complete_chain-same-subject.yml
- 407-x509_certificate-signature.yml
release_date: '2022-02-21'
1.9.2:
changes:
release_summary: Bugfix release to fix the changelog. No other change compared

@@ -1,6 +1,6 @@
namespace: community
name: crypto
version: 1.9.10
version: 1.9.12
readme: README.md
authors:
- Ansible (github.com/ansible)

@@ -31,13 +31,36 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo
try:
import cryptography
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
import ipaddress
except ImportError:
# Error handled in the calling module.
pass

try:
import cryptography.hazmat.primitives.asymmetric.rsa
except ImportError:
pass
try:
import cryptography.hazmat.primitives.asymmetric.ec
except ImportError:
pass
try:
import cryptography.hazmat.primitives.asymmetric.dsa
except ImportError:
pass
try:
import cryptography.hazmat.primitives.asymmetric.ed25519
except ImportError:
pass
try:
import cryptography.hazmat.primitives.asymmetric.ed448
except ImportError:
pass

try:
# This is a separate try/except since this is only present in cryptography 2.5 or newer
from cryptography.hazmat.primitives.serialization.pkcs12 import (

@@ -57,8 +80,13 @@ except ImportError:
_load_pkcs12 = None

from .basic import (
CRYPTOGRAPHY_HAS_DSA_SIGN,
CRYPTOGRAPHY_HAS_EC_SIGN,
CRYPTOGRAPHY_HAS_ED25519,
CRYPTOGRAPHY_HAS_ED25519_SIGN,
CRYPTOGRAPHY_HAS_ED448,
CRYPTOGRAPHY_HAS_ED448_SIGN,
CRYPTOGRAPHY_HAS_RSA_SIGN,
OpenSSLObjectError,
)

@@ -579,3 +607,40 @@ def _parse_pkcs12_legacy(pkcs12_bytes, passphrase=None):
if maybe_name != backend._ffi.NULL:
friendly_name = backend._ffi.string(maybe_name)
return private_key, certificate, additional_certificates, friendly_name


def cryptography_verify_signature(signature, data, hash_algorithm, signer_public_key):
'''
Check whether the given signature of the given data was signed by the given public key object.
'''
try:
if CRYPTOGRAPHY_HAS_RSA_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey):
signer_public_key.verify(signature, data, padding.PKCS1v15(), hash_algorithm)
return True
if CRYPTOGRAPHY_HAS_EC_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey):
signer_public_key.verify(signature, data, cryptography.hazmat.primitives.asymmetric.ec.ECDSA(hash_algorithm))
return True
if CRYPTOGRAPHY_HAS_DSA_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey):
signer_public_key.verify(signature, data, hash_algorithm)
return True
if CRYPTOGRAPHY_HAS_ED25519_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey):
signer_public_key.verify(signature, data)
return True
if CRYPTOGRAPHY_HAS_ED448_SIGN and isinstance(signer_public_key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey):
signer_public_key.verify(signature, data)
return True
raise OpenSSLObjectError(u'Unsupported public key type {0}'.format(type(signer_public_key)))
except InvalidSignature:
return False


def cryptography_verify_certificate_signature(certificate, signer_public_key):
'''
Check whether the given X509 certificate object was signed by the given public key object.
'''
return cryptography_verify_signature(
certificate.signature,
certificate.tbs_certificate_bytes,
certificate.signature_hash_algorithm,
signer_public_key
)

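Review bot: `cryptography_verify_signature` hard-codes `padding.PKCS1v15()` for RSA keys, so an existing certificate signed with RSASSA-PSS will never verify and the callers' `needs_regeneration` will report a change and re-issue it on every run. `cryptography_verify_certificate_signature` passes `certificate.signature_hash_algorithm` but nothing about the padding scheme; either derive the padding from the certificate's signature algorithm identifier, or state in the docstring that only PKCS#1 v1.5 RSA signatures are supported so the idempotence limitation is documented. The Ed25519/Ed448 branches correctly ignore `hash_algorithm`, which is `None` for those certificates, and the `raise OpenSSLObjectError(...)` inside the `try` is fine since only `InvalidSignature` is caught.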
@@ -28,8 +28,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
cryptography_compare_public_keys,
cryptography_key_needs_digest_for_signing,
cryptography_serial_number_of_cert,
cryptography_verify_certificate_signature,
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (

@@ -107,6 +109,9 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
except OpenSSLBadPassphraseError as exc:
module.fail_json(msg=str(exc))

if not cryptography_compare_public_keys(self.ca_cert.public_key(), self.ca_private_key.public_key()):
raise CertificateError('The CA private key does not belong to the CA certificate')

if cryptography_key_needs_digest_for_signing(self.ca_private_key):
if self.digest is None:
raise CertificateError(

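Review bot: the new `CertificateError('The CA private key does not belong to the CA certificate')` does not say which inputs were compared; including the `ownca_path` and `ownca_privatekey_path` values (or naming those options) in the message would make the failure actionable for an operator juggling several CA files. The placement is right: the check runs in the backend constructor before any signing, so a mismatched key can no longer produce a certificate that does not chain to the CA it claims.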
@@ -173,6 +178,16 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
if super(OwnCACertificateBackendCryptography, self).needs_regeneration():
return True

self._ensure_existing_certificate_loaded()

# Check whether certificate is signed by CA certificate
if not cryptography_verify_certificate_signature(self.existing_certificate, self.ca_cert.public_key()):
return True

# Check subject
if self.ca_cert.subject != self.existing_certificate.issuer:
return True

# Check AuthorityKeyIdentifier
if self.create_authority_key_identifier:
try:

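Review bot: the comment `# Check subject` undersells the comparison below it: `self.ca_cert.subject != self.existing_certificate.issuer` verifies that the existing certificate's issuer still equals the current CA subject, which the signature check just above cannot catch (a CA re-issued under a new subject with the same key still verifies). Suggest `# Check that the issuer matches the CA's subject (not covered by the signature check)` so the next reader does not drop one of the two checks as redundant.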
@@ -185,7 +200,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
except cryptography.x509.ExtensionNotFound:
expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())

self._ensure_existing_certificate_loaded()
try:
ext = self.existing_certificate.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
if ext.value != expected_ext:

@@ -297,6 +311,18 @@ class OwnCACertificateBackendPyOpenSSL(CertificateBackend):
"""Return bytes for self.cert."""
return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)

def needs_regeneration(self):
if super(OwnCACertificateBackendPyOpenSSL, self).needs_regeneration():
return True

self._ensure_existing_certificate_loaded()

# Check subject
if self.ca_cert.get_subject() != self.existing_certificate.get_issuer():
return True

return False

def dump(self, include_certificate):
result = super(OwnCACertificateBackendPyOpenSSL, self).dump(include_certificate)
result.update({

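Review bot: the pyOpenSSL `needs_regeneration` only compares `self.ca_cert.get_subject()` with `self.existing_certificate.get_issuer()` and has no counterpart to the signature check and the CA-key ownership check added to the cryptography backend, so a CA key rollover that keeps the subject is not detected here. That matches the changelog's Known Issues entries, but a comment inside the method pointing at that limitation (and at the cryptography backend as the complete implementation) would stop readers from assuming the two backends behave the same.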
@@ -22,6 +22,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
cryptography_key_needs_digest_for_signing,
cryptography_serial_number_of_cert,
cryptography_verify_certificate_signature,
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (

@@ -134,6 +135,18 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
"""Return bytes for self.cert."""
return self.cert.public_bytes(Encoding.PEM)

def needs_regeneration(self):
if super(SelfSignedCertificateBackendCryptography, self).needs_regeneration():
return True

self._ensure_existing_certificate_loaded()

# Check whether certificate is signed by private key
if not cryptography_verify_certificate_signature(self.existing_certificate, self.privatekey.public_key()):
return True

return False

def dump(self, include_certificate):
result = super(SelfSignedCertificateBackendCryptography, self).dump(include_certificate)

@@ -237,14 +237,16 @@ class CertificateSet(object):
def __init__(self, module):
self.module = module
self.certificates = set()
self.certificate_by_issuer = dict()
self.certificates_by_issuer = dict()
self.certificate_by_cert = dict()

def _load_file(self, path):
certs = load_PEM_list(self.module, path, fail_on_error=False)
for cert in certs:
self.certificates.add(cert)
self.certificate_by_issuer[cert.cert.subject] = cert
if cert.cert.subject not in self.certificates_by_issuer:
self.certificates_by_issuer[cert.cert.subject] = []
self.certificates_by_issuer[cert.cert.subject].append(cert)
self.certificate_by_cert[cert.cert] = cert

def load(self, path):

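Review bot: the three-line insert `if cert.cert.subject not in self.certificates_by_issuer:` / `... = []` / `.append(cert)` is the stdlib idiom `self.certificates_by_issuer.setdefault(cert.cert.subject, []).append(cert)`. Naming is the other point: the dict is keyed by each certificate's subject and only queried with a child's issuer, so `certificates_by_subject` describes the structure rather than one use of it; the old `certificate_by_issuer` had the same mismatch, and since it is being replaced anyway this is the moment to fix the name.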
@@ -263,8 +265,8 @@ class CertificateSet(object):
'''
Search for the parent (issuer) of a certificate. Return ``None`` if none was found.
'''
potential_parent = self.certificate_by_issuer.get(cert.cert.issuer)
if potential_parent is not None:
potential_parents = self.certificates_by_issuer.get(cert.cert.issuer, [])
for potential_parent in potential_parents:
if is_parent(self.module, cert, potential_parent):
return potential_parent
return None

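Review bot: the loop returns the first candidate for which `is_parent(self.module, cert, potential_parent)` holds, so when two certificates share a subject and both pass (the same CA key re-issued under a new certificate, for instance), the winner is decided by the load order of `intermediate_certificates`/`root_certificates`. That is acceptable behaviour, but the docstring still only says that ``None`` is returned when nothing matches; add a sentence that with several same-subject candidates the first one in load order that validates is returned.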
@@ -379,7 +379,7 @@ class Certificate(OpensshModule):

def _is_fully_valid(self):
return self._is_partially_valid() and all([
self._compare_options(),
self._compare_options() if self.original_data.type == 'user' else True,
self.original_data.key_id == self.identifier,
self.original_data.public_key == self._get_key_fingerprint(self.public_key),
self.original_data.signing_key == self._get_key_fingerprint(self.signing_key),

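Review bot: `self._compare_options() if self.original_data.type == 'user' else True` fixes the false `changed` for host certificates but leaves the reason implicit; a short comment that certificate options only apply to user certificates, so `_compare_options()` always reports a difference for a host certificate, would make this read as a rule rather than a special case. Consider also whether `_compare_options()` itself should return `True` for non-user types, so every caller gets the corrected behaviour instead of only `_is_fully_valid`.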
@@ -1,3 +1,4 @@
dependencies:
- prepare_jinja2_compat
- setup_openssl
- setup_remote_tmp_dir

@@ -0,0 +1,20 @@
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- name: Generate CSR for {{ certificate.name }}
openssl_csr:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
subject: '{{ certificate.subject }}'
useCommonNameForSAN: false

- name: Generate certificate for {{ certificate.name }}
x509_certificate:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
provider: '{{ "selfsigned" if certificate.parent is not defined else "ownca" }}'
ownca_path: '{{ (remote_tmp_dir ~ "/" ~ certificate.parent ~ ".pem") if certificate.parent is defined else omit }}'
ownca_privatekey_path: '{{ (remote_tmp_dir ~ "/" ~ certificate.parent ~ ".key") if certificate.parent is defined else omit }}'

@@ -0,0 +1,49 @@
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- block:
- name: Create private keys
openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
size: '{{ default_rsa_key_size_certifiates }}'
loop: '{{ certificates }}'

- name: Generate certificates
include_tasks: create-single-certificate.yml
loop: '{{ certificates }}'
loop_control:
loop_var: certificate

- name: Read certificates
slurp:
src: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
loop: '{{ certificates }}'
register: certificates_read

- name: Store read certificates
set_fact:
read_certificates: >-
{{ certificates_read.results | map(attribute='content') | map('b64decode')
| zip(certificates | map(attribute='name'))
| list
| items2dict(key_name=1, value_name=0) }}

vars:
certificates:
- name: a-root
subject:
commonName: root common name
- name: b-intermediate
subject:
commonName: intermediate common name
parent: a-root
- name: c-intermediate
subject:
commonName: intermediate common name
parent: a-root
- name: d-leaf
subject:
commonName: leaf certificate
parent: b-intermediate

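Review bot: the key size variable is spelled `default_rsa_key_size_certifiates`; if that is the name the `setup_openssl` dependency actually defines, fine, otherwise the `Create private keys` task fails with an undefined variable, so please confirm before merging. Separately, `read_certificates` is built by zipping `certificates_read.results` with `certificates | map(attribute='name')`, which is only correct because `loop` preserves the order of `certificates`; a one-line comment saying so would protect the next person who reorders the list or switches to a dict.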
@@ -0,0 +1,44 @@
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- name: Case A => works
certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'
root_certificates:
- '{{ remote_tmp_dir }}/a-root.pem'

- name: Case B => doesn't work, but this is expected
failed_when: no
register: caseb
certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
root_certificates:
- '{{ remote_tmp_dir }}/a-root.pem'

- name: Assert that case B failed
assert:
that: "'Cannot complete chain' in caseb.msg"

- name: Case C => works
certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
- '{{ remote_tmp_dir }}/b-intermediate.pem'
root_certificates:
- '{{ remote_tmp_dir }}/a-root.pem'

- name: Case D => works as well after PR 403
certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'
- '{{ remote_tmp_dir }}/c-intermediate.pem'
root_certificates:
- '{{ remote_tmp_dir }}/a-root.pem'

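Review bot: cases A, C and D only check that `certificate_complete_chain` does not fail; since the bug fixed by PR 403 is selecting among same-subject intermediates, each should also `register` its result and assert that the returned chain actually contains `b-intermediate` and has the expected length, otherwise a future regression that completes a chain through the wrong candidate would pass. For case B, `failed_when: no` suppresses the failure but nothing asserts that the module failed; `ignore_errors: true` plus `caseb is failed` (the pattern used in existing.yml) in the `Assert that case B failed` task would check both the failure and the `'Cannot complete chain'` message.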
@@ -0,0 +1,144 @@
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- block:
- name: Find root for cert 1 using directory
certificate_complete_chain:
input_chain: '{{ fullchain | trim }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert1_root
- name: Verify root for cert 1
assert:
that:
- cert1_root.complete_chain | join('') == (fullchain ~ root)
- cert1_root.root == root
vars:
fullchain: "{{ lookup('file', 'cert1-fullchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"

- block:
- name: Find rootchain for cert 1 using intermediate and root PEM
certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert1_rootchain
- name: Verify rootchain for cert 1
assert:
that:
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert1_rootchain.chain[:-1] | join('') == chain
- cert1_rootchain.root == root
vars:
cert: "{{ lookup('file', 'cert1.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert1-chain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"

- block:
- name: Find root for cert 2 using directory
certificate_complete_chain:
input_chain: "{{ fullchain | trim }}"
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert2_root
- name: Verify root for cert 2
assert:
that:
- cert2_root.complete_chain | join('') == (fullchain ~ root)
- cert2_root.root == root
vars:
fullchain: "{{ lookup('file', 'cert2-fullchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"

- block:
- name: Find rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-chain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain
- name: Verify rootchain for cert 2
assert:
that:
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain.chain[:-1] | join('') == chain
- cert2_rootchain.root == root
vars:
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-chain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"

- block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt
- name: Verify rootchain for cert 2
assert:
that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain
- cert2_rootchain_alt.root == root
vars:
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"

- block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain
- name: Verify rootchain for cert 2
assert:
that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == []
- cert2_complete_chain.root == root
vars:
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"

- name: Check failure when no intermediate certificate can be found
certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=True) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_no_intermediate
ignore_errors: true
- name: Verify failure
assert:
that:
- cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"

- name: Check failure when infinite loop is found
certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2-fullchain.pem", rstrip=True) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
register: cert2_infinite_loop
ignore_errors: true
- name: Verify failure
assert:
that:
- cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"

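Review bot: three different blocks in this file use the task name `Verify rootchain for cert 2` (the chain, alt-chain and complete-chain cases), and both failure checks are named `Verify failure`; since these tasks were moved verbatim this is pre-existing, but while the file is being created, distinct names (for example `Verify alternate rootchain for cert 2`) make a failing assert in CI output attributable without reading line numbers.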
@@ -15,144 +15,13 @@
|
||||
src: '{{ role_path }}/files/'
|
||||
dest: '{{ remote_tmp_dir }}/files/'
|
||||
|
||||
- block:
|
||||
- name: Find root for cert 1 using directory
|
||||
certificate_complete_chain:
|
||||
input_chain: '{{ fullchain | trim }}'
|
||||
root_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/roots/'
|
||||
register: cert1_root
|
||||
- name: Verify root for cert 1
|
||||
assert:
|
||||
that:
|
||||
- cert1_root.complete_chain | join('') == (fullchain ~ root)
|
||||
- cert1_root.root == root
|
||||
vars:
|
||||
fullchain: "{{ lookup('file', 'cert1-fullchain.pem', rstrip=False) }}"
|
||||
root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"
|
||||
- name: Run tests with copied certificates
|
||||
import_tasks: existing.yml
|
||||
|
||||
- block:
|
||||
- name: Find rootchain for cert 1 using intermediate and root PEM
|
||||
certificate_complete_chain:
|
||||
input_chain: '{{ cert }}'
|
||||
intermediate_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
|
||||
root_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/roots.pem'
|
||||
register: cert1_rootchain
|
||||
- name: Verify rootchain for cert 1
|
||||
assert:
|
||||
that:
|
||||
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
|
||||
- cert1_rootchain.chain[:-1] | join('') == chain
|
||||
- cert1_rootchain.root == root
|
||||
vars:
|
||||
cert: "{{ lookup('file', 'cert1.pem', rstrip=False) }}"
|
||||
chain: "{{ lookup('file', 'cert1-chain.pem', rstrip=False) }}"
|
||||
root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"
|
||||
- name: Create more certificates
|
||||
import_tasks: create.yml
|
||||
|
||||
- block:
|
||||
- name: Find root for cert 2 using directory
|
||||
certificate_complete_chain:
|
||||
input_chain: "{{ fullchain | trim }}"
|
||||
root_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/roots/'
|
||||
register: cert2_root
|
||||
- name: Verify root for cert 2
|
||||
assert:
|
||||
that:
|
||||
- cert2_root.complete_chain | join('') == (fullchain ~ root)
|
||||
- cert2_root.root == root
|
||||
vars:
|
||||
fullchain: "{{ lookup('file', 'cert2-fullchain.pem', rstrip=False) }}"
|
||||
root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"
|
||||
|
||||
- block:
|
||||
- name: Find rootchain for cert 2 using intermediate and root PEM
|
||||
certificate_complete_chain:
|
||||
input_chain: '{{ cert }}'
|
||||
intermediate_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/cert2-chain.pem'
|
||||
root_certificates:
|
||||
- '{{ remote_tmp_dir }}/files/roots.pem'
|
||||
register: cert2_rootchain
|
||||
- name: Verify rootchain for cert 2
|
||||
assert:
|
||||
that:
|
||||
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
|
||||
- cert2_rootchain.chain[:-1] | join('') == chain
|
||||
- cert2_rootchain.root == root
|
||||
vars:
|
||||
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-chain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"

- block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt
- name: Verify rootchain for cert 2
assert:
that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain
- cert2_rootchain_alt.root == root
vars:
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"

- block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain
- name: Verify rootchain for cert 2
assert:
that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == []
- cert2_complete_chain.root == root
vars:
cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"

- name: Check failure when no intermediate certificate can be found
certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=True) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_no_intermediate
ignore_errors: true
- name: Verify failure
assert:
that:
- cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"

- name: Check failure when infinite loop is found
certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2-fullchain.pem", rstrip=True) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
root_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
register: cert2_infinite_loop
ignore_errors: true
- name: Verify failure
assert:
that:
- cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"
- name: Run tests with created certificates
import_tasks: created.yml

when: cryptography_version.stdout is version('1.5', '>=')

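Review bot: the `Check failure when infinite loop is found` task gives no hint why feeding `cert2-fullchain.pem` with `roots.pem` as `intermediate_certificates` and `cert1-chain.pem` as `root_certificates` produces a cycle; a one-line comment on the task would save the next maintainer from reverse-engineering the fixture. The follow-up assertion also pins the exact message `'Found cycle while building certificate chain'`, so any rewording in the module breaks this test; the `startswith('Cannot complete chain. Stuck at certificate ')` form used two tasks up is the more robust pattern.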
@@ -86,6 +86,27 @@
regenerate: full_idempotence
register: default_options

- name: Generate host cert full_idempotence
openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
signing_key: "{{ signing_key }}"
valid_from: always
valid_to: forever
regenerate: full_idempotence

- name: Generate host cert full_idempotence again
openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
signing_key: "{{ signing_key }}"
valid_from: always
valid_to: forever
regenerate: full_idempotence
register: host_cert_full_idempotence

- name: Assert options results
assert:
that:
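Review bot: `Generate host cert full_idempotence` is not registered, so nothing asserts that the first run actually wrote a host certificate to `{{ certificate_path }}`; the only check on this pair is `host_cert_full_idempotence is not changed` in the assert block below. If the certificate already at that path happened to satisfy the host-cert parameters, the first task would be a no-op and the `not changed` check would pass without proving anything about `type: host` under `full_idempotence`. Suggest `register: host_cert_full_idempotence_first` on the first task and adding `- host_cert_full_idempotence_first is changed` beside the existing assertion.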
@@ -95,6 +116,7 @@
- explicit_extension_after is not changed
- explicit_extension_and_directive is changed
- default_options is not changed
- host_cert_full_idempotence is not changed

- name: Remove certificate
openssh_cert:

@@ -14,14 +14,20 @@

- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
openssl_csr:
path: '{{ remote_tmp_dir }}/ca_csr.csr'
path: '{{ item.path }}'
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
subject:
commonName: Example CA
subject: '{{ item.subject }}'
useCommonNameForSAN: no
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
loop:
- path: '{{ remote_tmp_dir }}/ca_csr.csr'
subject:
commonName: Example CA
- path: '{{ remote_tmp_dir }}/ca_csr2.csr'
subject:
commonName: Example CA 2

- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
openssl_csr:
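Review bot: both loop items reuse `privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'`, so `ca_csr2.csr` differs from `ca_csr.csr` only in `commonName: Example CA 2`. That is exactly what a subject-only change needs, but it is not stated anywhere; a short comment on the `loop:` saying the shared key is deliberate (the CA-key-change case further down uses the passphrase-protected key instead) would stop someone "fixing" it later.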
@@ -62,6 +68,15 @@
- result_check_mode is changed
- result is changed

- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate with different commonName
x509_certificate:
path: '{{ remote_tmp_dir }}/ca_cert2.pem'
csr_path: '{{ remote_tmp_dir }}/ca_csr2.csr'
privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'

- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
x509_certificate:
path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
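Review bot: `Generate selfsigned CA certificate with different commonName` has no `register:` and no matching assertion, unlike the first CA certificate whose result is checked through `result_check_mode is changed` and `result is changed` just above; a failure here would only surface indirectly when `ca_cert2.pem` is consumed by the regeneration test. Register it and assert `is changed` (and run it in `check_mode` first, as the original CA task does) so the fixture setup is verified on its own.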
@@ -110,6 +125,54 @@
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes

- name: (OwnCA, {{select_crypto_backend}}) Copy ownca certificate to new file to check regeneration
copy:
src: '{{ remote_tmp_dir }}/ownca_cert.pem'
dest: '{{ item }}'
remote_src: true
loop:
- '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
- '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'

- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA subject
x509_certificate:
path: '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_path: '{{ remote_tmp_dir }}/ca_cert2.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes
register: ownca_certificate_ca_subject_changed

- name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA key
x509_certificate:
path: '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
ownca_privatekey_passphrase: hunter2
provider: ownca
ownca_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes
register: ownca_certificate_ca_key_changed

- name: (OwnCA, {{select_crypto_backend}}) Get certificate information
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result

- name: (OwnCA, {{select_crypto_backend}}) Get private key information
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_privatekey

- name: (OwnCA, {{select_crypto_backend}}) Check ownca certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/ownca_cert.pem'
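Review bot: the two regeneration tasks write `ownca_cert_ca_cn.pem` and `ownca_cert_ca_key.pem` with `return_content: yes`, but nothing reads the regenerated certificates back; the `x509_certificate_info` task that follows inspects the untouched `ownca_cert.pem`. Whether each task reports `changed` is asserted elsewhere, but a regeneration that re-issued the certificate under the old issuer or the old CA key would still pass. Running `x509_certificate_info` on both new files and asserting that `issuer` matches `ca_cert2.pem` and `ca_cert_pw.pem` respectively would close that gap.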
@@ -285,7 +348,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
backup: yes
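Review bot: this hunk and the twelve that follow all correct the same slip: `ownca_privatekey_path` pointed at `privatekey.pem`, the end-entity key, while `ownca_path` named `ca_cert.pem` as issuer, so these tasks were signing with a key that does not belong to the CA certificate. Fixing the fixtures is right, but the mismatch itself is worth keeping as a negative test: one task that deliberately passes `privatekey.pem` together with `ca_cert.pem`, runs with `ignore_errors: true`, and asserts that the module fails would lock in the behaviour these fixtures used to escape.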
@@ -296,7 +359,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
backup: yes
@@ -307,7 +370,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
backup: yes
@@ -335,7 +398,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
@@ -348,7 +411,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
@@ -361,7 +424,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_subject_key_identifier: never_create
@@ -374,7 +437,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_subject_key_identifier: never_create
@@ -387,7 +450,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_subject_key_identifier: always_create
@@ -400,7 +463,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_authority_key_identifier: yes
@@ -413,7 +476,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_authority_key_identifier: yes
@@ -426,7 +489,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_authority_key_identifier: no
@@ -439,7 +502,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_authority_key_identifier: no
@@ -452,7 +515,7 @@
path: '{{ remote_tmp_dir }}/ownca_cert_aki.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
ownca_create_authority_key_identifier: yes

@@ -31,6 +31,14 @@
- ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore
- ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate regeneration
assert:
that:
- ownca_certificate_ca_subject_changed is changed
# ownca_certificate_ca_key_changed is not changed for the pyopenssl backend,
# see https://github.com/ansible-collections/community.crypto/pull/406
- ownca_certificate_ca_key_changed is changed or select_crypto_backend == 'pyopenssl'

- name: (OwnCA validation, {{select_crypto_backend}}) Read certificate
slurp:
src: '{{ remote_tmp_dir }}/ownca_cert.pem'

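Review bot: `ownca_certificate_ca_key_changed is changed or select_crypto_backend == 'pyopenssl'` accepts both outcomes on the pyopenssl backend, so the test neither documents the current behaviour there nor notices when it changes. The comment above it says the result is `not changed` for pyopenssl, so assert exactly that: `- (ownca_certificate_ca_key_changed is changed) == (select_crypto_backend != 'pyopenssl')`. When the backend gap referenced in the comment is closed, the test then flips instead of staying silent.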