Release 1.9.19.

* Only access C.STRING_CONVERSION_ACTION for old ansible-base / Ansible versions.

* Always use self.__xxx instead of xxx directly.

(cherry picked from commit b3f589df62)

Co-authored-by: Felix Fontein <felix@fontein.de>

.azure-pipelines/azure-pipelines.yml

@@ -41,25 +41,25 @@ variables:
 resources:
   containers:
     - container: default
-      image: quay.io/ansible/azure-pipelines-test-container:1.9.0
+      image: quay.io/ansible/azure-pipelines-test-container:3.0.0
 
 pool: Standard
 
 stages:
 ### Sanity & units
-  - stage: Ansible_devel
-    displayName: Sanity & Units devel
+  - stage: Ansible_2_13
+    displayName: Sanity & Units 2.13
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
         parameters:
           targets:
             - name: Sanity
-              test: 'devel/sanity/1'
+              test: '2.13/sanity/1'
             - name: Sanity Extra # Only on devel
-              test: 'devel/sanity/extra'
+              test: '2.13/sanity/extra'
             - name: Units
-              test: 'devel/units/1'
+              test: '2.13/units/1'
   - stage: Ansible_2_12
     displayName: Sanity & Units 2.12
     dependsOn: []
@@ -105,13 +105,13 @@ stages:
             - name: Units
               test: '2.9/units/1'
 ### Docker
-  - stage: Docker_devel
-    displayName: Docker devel
+  - stage: Docker_2_13
+    displayName: Docker 2.13
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
         parameters:
-          testFormat: devel/linux/{0}/1
+          testFormat: 2.13/linux/{0}/1
           targets:
             - name: CentOS 7
               test: centos7
@@ -193,13 +193,13 @@ stages:
               test: ubuntu1804
 
 ### Remote
-  - stage: Remote_devel
-    displayName: Remote devel
+  - stage: Remote_2_13
+    displayName: Remote 2.13
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
         parameters:
-          testFormat: devel/{0}/1
+          testFormat: 2.13/{0}/1
           targets:
             - name: macOS 12.0
               test: macos/12.0
@@ -219,8 +219,8 @@ stages:
         parameters:
           testFormat: 2.12/{0}/1
           targets:
-            - name: macOS 11.1
-              test: macos/11.1
+            # - name: macOS 11.1
+            #   test: macos/11.1
             - name: RHEL 8.4
               test: rhel/8.4
             - name: FreeBSD 13.0
@@ -249,10 +249,8 @@ stages:
           targets:
             - name: OS X 10.11
               test: osx/10.11
-            - name: macOS 10.15
-              test: macos/10.15
-            - name: FreeBSD 12.1
-              test: freebsd/12.1
+            # - name: macOS 10.15
+            #   test: macos/10.15
   - stage: Remote_2_9
     displayName: Remote 2.9
     dependsOn: []
@@ -264,20 +262,20 @@ stages:
             - name: 'RHEL 7.8'
               test: 'rhel/7.8'
 ### cloud
-  - stage: Cloud_devel
-    displayName: Cloud devel
+  - stage: Cloud_2_13
+    displayName: Cloud 2.13
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
         parameters:
           nameFormat: Python {0}
-          testFormat: devel/cloud/{0}/1
+          testFormat: 2.13/cloud/{0}/1
           targets:
             - test: 2.7
             - test: 3.5
             - test: 3.6
             - test: 3.7
-            - test: 3.8
+            # - test: 3.8
             - test: 3.9
             - test: "3.10"
   - stage: Cloud_2_12
@@ -320,29 +318,29 @@ stages:
           nameFormat: Python {0}
           testFormat: 2.9/cloud/{0}/1
           targets:
-            - test: 3.5
+            - test: 2.7
 
   ## Finally
 
   - stage: Summary
     condition: succeededOrFailed()
     dependsOn:
-      - Ansible_devel
+      - Ansible_2_13
       - Ansible_2_12
       - Ansible_2_11
       - Ansible_2_10
       - Ansible_2_9
-      - Remote_devel
+      - Remote_2_13
       - Remote_2_12
       - Remote_2_11
       - Remote_2_10
       - Remote_2_9
-      - Docker_devel
+      - Docker_2_13
       - Docker_2_12
       - Docker_2_11
       - Docker_2_10
       - Docker_2_9
-      - Cloud_devel
+      - Cloud_2_13
       - Cloud_2_12
       - Cloud_2_11
       - Cloud_2_10

.azure-pipelines/scripts/aggregate-coverage.sh

@@ -9,6 +9,10 @@ PATH="${PWD}/bin:${PATH}"
 
 mkdir "${agent_temp_directory}/coverage/"
 
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
 options=(--venv --venv-system-site-packages --color -v)
 
 ansible-test coverage combine --group-by command --export "${agent_temp_directory}/coverage/" "${options[@]}"

.azure-pipelines/scripts/report-coverage.sh

@@ -5,6 +5,10 @@ set -o pipefail -eu
 
 PATH="${PWD}/bin:${PATH}"
 
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
 if ! ansible-test --help >/dev/null 2>&1; then
     # Install the devel version of ansible-test for generating code coverage reports.
     # This is only used by Ansible Collections, which are typically tested against multiple Ansible versions (in separate jobs).

Apache-2.0.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

CHANGELOG.rst

@@ -5,6 +5,89 @@ Community Crypto Release Notes
 .. contents:: Topics
 
 
+v1.9.19
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.crypto/pull/515).
+
+v1.9.18
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, https://github.com/ansible-collections/community.crypto/pull/487).
+
+v1.9.17
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py`` and ``plugins/module_utils/crypto/_objects_data.py``.
+- openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees must be a non-empty list or None' if only one of ``name_constraints_permitted`` and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
+- x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, https://github.com/ansible-collections/community.crypto/pull/474).
+
+v1.9.16
+=======
+
+Release Summary
+---------------
+
+Maintenance and bugfix release.
+
+Bugfixes
+--------
+
+- Include ``simplified_bsd.txt`` license file for the ECS module utils.
+- certificate_complete_chain - do not stop execution if an unsupported signature algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457).
+
+v1.9.15
+=======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+
+v1.9.14
+=======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https://github.com/ansible-collections/community.crypto/pull/446).
+- openssh_* modules - fix exception handling to report traceback to users for enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
+- x509_crl - fix crash when ``issuer`` for a revoked certificate is specified (https://github.com/ansible-collections/community.crypto/pull/441).
+
 v1.9.13
 =======
 

PSF-license.txt

@@ -0,0 +1,48 @@
+PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
+--------------------------------------------
+
+1. This LICENSE AGREEMENT is between the Python Software Foundation
+("PSF"), and the Individual or Organization ("Licensee") accessing and
+otherwise using this software ("Python") in source or binary form and
+its associated documentation.
+
+2. Subject to the terms and conditions of this License Agreement, PSF hereby
+grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce,
+analyze, test, perform and/or display publicly, prepare derivative works,
+distribute, and otherwise use Python alone or in any derivative version,
+provided, however, that PSF's License Agreement and PSF's notice of copyright,
+i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;
+All Rights Reserved" are retained in Python alone or in any derivative version
+prepared by Licensee.
+
+3. In the event Licensee prepares a derivative work that is based on
+or incorporates Python or any part thereof, and wants to make
+the derivative work available to others as provided herein, then
+Licensee hereby agrees to include in any such work a brief summary of
+the changes made to Python.
+
+4. PSF is making Python available to Licensee on an "AS IS"
+basis.  PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
+IMPLIED.  BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
+DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
+FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
+INFRINGE ANY THIRD PARTY RIGHTS.
+
+5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
+A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
+OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+
+6. This License Agreement will automatically terminate upon a material
+breach of its terms and conditions.
+
+7. Nothing in this License Agreement shall be deemed to create any
+relationship of agency, partnership, or joint venture between PSF and
+Licensee.  This License Agreement does not grant permission to use PSF
+trademarks or trade name in a trademark sense to endorse or promote
+products or services of Licensee, or any third party.
+
+8. By copying, installing or otherwise using Python, Licensee
+agrees to be bound by the terms and conditions of this License
+Agreement.

README.md

@@ -11,7 +11,7 @@ Please note that this collection does **not** support Windows targets.
 
 ## Tested with Ansible
 
-Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11 and ansible-core 2.12 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
+Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12 and ansible-core 2.13 releases. Ansible versions before 2.9.10 are not supported.
 
 ## External requirements
 

changelogs/changelog.yaml

@@ -595,6 +595,81 @@ releases:
     - 1.9.13.yml
     - 410-luks_device-lsblk-parsing.yml
     release_date: '2022-03-04'
+  1.9.14:
+    changes:
+      bugfixes:
+      - Make collection more robust when PyOpenSSL is used with an incompatible cryptography
+        version (https://github.com/ansible-collections/community.crypto/pull/446).
+      - openssh_* modules - fix exception handling to report traceback to users for
+        enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
+      - x509_crl - fix crash when ``issuer`` for a revoked certificate is specified
+        (https://github.com/ansible-collections/community.crypto/pull/441).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.14.yml
+    - 417-openssh_modules-fix-exception-reporting.yml
+    - 441-x509-crl-cert-issuer.yml
+    - 446-fix.yml
+    release_date: '2022-05-09'
+  1.9.15:
+    changes:
+      bugfixes:
+      - Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+      release_summary: Maintenance release.
+    fragments:
+    - 1.9.15.yml
+    - psf-license.yml
+    release_date: '2022-05-16'
+  1.9.16:
+    changes:
+      bugfixes:
+      - Include ``simplified_bsd.txt`` license file for the ECS module utils.
+      - certificate_complete_chain - do not stop execution if an unsupported signature
+        algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457).
+      release_summary: Maintenance and bugfix release.
+    fragments:
+    - 1.9.16.yml
+    - 457-certificate_complete_chain-unsupported-algorithm.yml
+    - simplified-bsd-license.yml
+    release_date: '2022-06-02'
+  1.9.17:
+    changes:
+      bugfixes:
+      - Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py``
+        and ``plugins/module_utils/crypto/_objects_data.py``.
+      - openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees
+        must be a non-empty list or None' if only one of ``name_constraints_permitted``
+        and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
+      - x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473,
+        https://github.com/ansible-collections/community.crypto/pull/474).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.9.17.yml
+    - 474-x509_crl-ed25519-ed448.yml
+    - 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
+    - apache-license.yml
+    release_date: '2022-06-17'
+  1.9.18:
+    changes:
+      bugfixes:
+      - openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying
+        to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486,
+        https://github.com/ansible-collections/community.crypto/pull/487).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.9.18.yml
+    - 487-openssl_pkcs12-other-certs-crash.yml
+    release_date: '2022-07-09'
+  1.9.19:
+    changes:
+      bugfixes:
+      - openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core
+        (https://github.com/ansible-collections/community.crypto/pull/515).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.9.19.yml
+    - 515-action-module-compat.yml
+    release_date: '2022-11-01'
   1.9.2:
     changes:
       release_summary: Bugfix release to fix the changelog. No other change compared

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: community
 name: crypto
-version: 1.9.13
+version: 1.9.19
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/module_utils/_version.py

@@ -3,7 +3,7 @@
 # Implements multiple version numbering conventions for the
 # Python Module Distribution Utilities.
 #
-# PSF License (see licenses/PSF-license.txt or https://opensource.org/licenses/Python-2.0)
+# PSF License (see PSF-license.txt or https://opensource.org/licenses/Python-2.0)
 #
 
 """Provides classes to represent module version numbers (one class for

plugins/module_utils/crypto/_obj2txt.py

@@ -2,6 +2,8 @@
 # 2.0, and the BSD License. See the LICENSE file at
 # https://github.com/pyca/cryptography/blob/master/LICENSE for complete details.
 #
+# The Apache 2.0 license has been included as Apache-2.0.txt in this collection.
+#
 # Adapted from cryptography's hazmat/backends/openssl/decode_asn1.py
 #
 # Copyright (c) 2015, 2016 Paul Kehrer (@reaperhulk)

plugins/module_utils/crypto/_objects_data.py

@@ -5,7 +5,7 @@
 # In case the following data structure has any copyrightable content, note that it is licensed as follows:
 # Copyright (c) the OpenSSL contributors
 # Licensed under the Apache License 2.0
-# https://github.com/openssl/openssl/blob/master/LICENSE
+# https://github.com/openssl/openssl/blob/master/LICENSE.txt or Apache-2.0.txt
 
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

plugins/module_utils/crypto/basic.py

@@ -26,7 +26,7 @@ try:
     import OpenSSL  # noqa
     from OpenSSL import crypto  # noqa
     HAS_PYOPENSSL = True
-except ImportError:
+except (ImportError, AttributeError):
     # Error handled in the calling module.
     HAS_PYOPENSSL = False
 

plugins/module_utils/crypto/module_backends/certificate.py

@@ -45,7 +45,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/module_backends/certificate_assertonly.py

@@ -37,7 +37,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
 try:
     import OpenSSL
     from OpenSSL import crypto
-except ImportError:
+except (ImportError, AttributeError):
     pass
 
 try:

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -59,7 +59,7 @@ try:
         # OpenSSL 1.0.x or older
         OPENSSL_MUST_STAPLE_NAME = b"1.3.6.1.5.5.7.1.24"
         OPENSSL_MUST_STAPLE_VALUE = b"DER:30:03:02:01:05"
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/module_backends/certificate_ownca.py

@@ -43,7 +43,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
 
 try:
     from OpenSSL import crypto
-except ImportError:
+except (ImportError, AttributeError):
     pass
 
 try:

plugins/module_utils/crypto/module_backends/certificate_selfsigned.py

@@ -33,7 +33,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
 
 try:
     from OpenSSL import crypto
-except ImportError:
+except (ImportError, AttributeError):
     pass
 
 try:

plugins/module_utils/crypto/module_backends/csr.py

@@ -63,7 +63,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:
@@ -528,8 +528,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
         if self.name_constraints_permitted or self.name_constraints_excluded:
             try:
                 csr = csr.add_extension(cryptography.x509.NameConstraints(
-                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted],
-                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded],
+                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted] or None,
+                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded] or None,
                 ), critical=self.name_constraints_critical)
             except TypeError as e:
                 raise OpenSSLObjectError('Error while parsing name constraint: {0}'.format(e))
@@ -678,8 +678,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
         def _check_nameConstraints(extensions):
             current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
-            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
-            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
+            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees or []] if current_nc_ext else []
+            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees or []] if current_nc_ext else []
             nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
             nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
             if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -57,7 +57,7 @@ try:
         # OpenSSL 1.0.x or older
         OPENSSL_MUST_STAPLE_NAME = b"1.3.6.1.5.5.7.1.24"
         OPENSSL_MUST_STAPLE_VALUE = b"DER:30:03:02:01:05"
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -54,7 +54,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -49,7 +49,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/module_backends/publickey_info.py

@@ -38,7 +38,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/module_utils/crypto/pyopenssl_support.py

@@ -29,7 +29,7 @@ from ._objects import OID_LOOKUP
 
 try:
     import OpenSSL
-except ImportError:
+except (ImportError, AttributeError):
     # Error handled in the calling module.
     pass
 

plugins/module_utils/crypto/support.py

@@ -32,7 +32,7 @@ from ansible.module_utils.common.text.converters import to_native, to_bytes
 try:
     from OpenSSL import crypto
     HAS_PYOPENSSL = True
-except ImportError:
+except (ImportError, AttributeError):
     # Error handled in the calling module.
     HAS_PYOPENSSL = False
 

plugins/module_utils/ecs/api.py

@@ -7,7 +7,7 @@
 # their own license to the complete work.
 #
 # Copyright (c), Entrust Datacard Corporation, 2019
-# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
+# Simplified BSD License (see simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
 
 # Redistribution and use in source and binary forms, with or without modification,
 # are permitted provided that the following conditions are met:

plugins/module_utils/openssh/backends/common.py

@@ -21,9 +21,11 @@ __metaclass__ = type
 import abc
 import os
 import stat
+import traceback
 
 from ansible.module_utils import six
 
+from ansible.module_utils.common.text.converters import to_native
 from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
     parse_openssh_version,
 )
@@ -75,7 +77,14 @@ class OpensshModule(object):
         self.check_mode = self.module.check_mode
 
     def execute(self):
-        self._execute()
+        try:
+            self._execute()
+        except Exception as e:
+            self.module.fail_json(
+                msg="unexpected error occurred: %s" % to_native(e),
+                exception=traceback.format_exc(),
+            )
+
         self.module.exit_json(**self.result)
 
     @abc.abstractmethod

plugins/modules/acme_account_info.py

@@ -101,7 +101,7 @@ account:
       returned: always
       type: list
       elements: str
-      sample: "['mailto:me@example.com', 'tel:00123456789']"
+      sample: ['mailto:me@example.com', 'tel:00123456789']
     status:
       description: the account's status
       returned: always

plugins/modules/acme_certificate.py

@@ -467,7 +467,20 @@ authorizations:
     - Maps an identifier to ACME authorization objects. See U(https://tools.ietf.org/html/rfc8555#section-7.1.4).
   returned: changed
   type: dict
-  sample: '{"example.com":{...}}'
+  sample:
+    example.com:
+      identifier:
+        type: dns
+        value: example.com
+      status: valid
+      expires: '2022-08-04T01:02:03.45Z'
+      challenges:
+        - url: https://example.org/acme/challenge/12345
+          type: http-01
+          status: valid
+          token: A5b1C3d2E9f8G7h6
+          validated: '2022-08-01T01:01:02.34Z'
+      wildcard: false
 order_uri:
   description: ACME order URI.
   returned: changed

plugins/modules/acme_inspect.py

@@ -183,7 +183,7 @@ directory:
   description: The ACME directory's content
   returned: always
   type: dict
-  sample: |
+  sample:
     {
       "a85k3x9f91A4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
       "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
@@ -203,7 +203,7 @@ headers:
   description: The request's HTTP headers (with lowercase keys)
   returned: always
   type: dict
-  sample: |
+  sample:
     {
       "boulder-requester": "12345",
       "cache-control": "max-age=0, no-cache, no-store",
@@ -214,7 +214,7 @@ headers:
       "cookies_string": "",
       "date": "Wed, 07 Nov 2018 12:34:56 GMT",
       "expires": "Wed, 07 Nov 2018 12:44:56 GMT",
-      "link": "<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\"",
+      "link": '<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"',
       "msg": "OK (904 bytes)",
       "pragma": "no-cache",
       "replay-nonce": "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH",

plugins/modules/certificate_complete_chain.py

@@ -133,6 +133,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
 CRYPTOGRAPHY_IMP_ERR = None
 try:
     import cryptography
+    import cryptography.exceptions
     import cryptography.hazmat.backends
     import cryptography.hazmat.primitives.serialization
     import cryptography.hazmat.primitives.asymmetric.rsa
@@ -190,6 +191,9 @@ def is_parent(module, cert, potential_parent):
         return True
     except cryptography.exceptions.InvalidSignature as dummy:
         return False
+    except cryptography.exceptions.UnsupportedAlgorithm as dummy:
+        module.warn('Unsupported algorithm "{0}"'.format(cert.cert.signature_hash_algorithm))
+        return False
     except Exception as e:
         module.fail_json(msg='Unknown error on signature validation: {0}'.format(e))
 

plugins/modules/get_certificate.py

@@ -198,7 +198,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/modules/openssl_csr.py

@@ -177,7 +177,7 @@ subject:
     returned: changed or success
     type: list
     elements: list
-    sample: "[('CN', 'www.ansible.com'), ('O', 'Ansible')]"
+    sample: [['CN', 'www.ansible.com'], ['O', 'Ansible']]
 subjectAltName:
     description: The alternative names this CSR is valid for
     returned: changed or success

plugins/modules/openssl_csr_info.py

@@ -85,7 +85,7 @@ basic_constraints:
     returned: success
     type: list
     elements: str
-    sample: "[CA:TRUE, pathlen:1]"
+    sample: ['CA:TRUE', 'pathlen:1']
 basic_constraints_critical:
     description: Whether the C(basic_constraints) extension is critical.
     returned: success
@@ -95,7 +95,7 @@ extended_key_usage:
     returned: success
     type: list
     elements: str
-    sample: "[Biometric Info, DVCS, Time Stamping]"
+    sample: [Biometric Info, DVCS, Time Stamping]
 extended_key_usage_critical:
     description: Whether the C(extended_key_usage) extension is critical.
     returned: success
@@ -114,12 +114,12 @@ extensions_by_oid:
             returned: success
             type: str
             sample: "MAMCAQU="
-    sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}'
+    sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
 key_usage:
     description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
     returned: success
     type: str
-    sample: "[Key Agreement, Data Encipherment]"
+    sample: [Key Agreement, Data Encipherment]
 key_usage_critical:
     description: Whether the C(key_usage) extension is critical.
     returned: success
@@ -129,7 +129,7 @@ subject_alt_name:
     returned: success
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 subject_alt_name_critical:
     description: Whether the C(subject_alt_name) extension is critical.
     returned: success
@@ -171,13 +171,13 @@ subject:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+    sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
 subject_ordered:
     description: The CSR's subject as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
 public_key:
     description: CSR's public key in PEM format
     returned: success
@@ -285,14 +285,14 @@ authority_cert_issuer:
     returned: success and if the pyOpenSSL backend is I(not) used
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 authority_cert_serial_number:
     description:
         - The CSR's authority cert serial number.
         - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
     returned: success and if the pyOpenSSL backend is I(not) used
     type: int
-    sample: '12345'
+    sample: 12345
 '''
 
 

plugins/modules/openssl_csr_pipe.py

@@ -66,7 +66,7 @@ subject:
     returned: changed or success
     type: list
     elements: list
-    sample: "[('CN', 'www.ansible.com'), ('O', 'Ansible')]"
+    sample: [['CN', 'www.ansible.com'], ['O', 'Ansible']]
 subjectAltName:
     description: The alternative names this CSR is valid for
     returned: changed or success

plugins/modules/openssl_pkcs12.py

@@ -276,7 +276,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:
@@ -542,6 +542,8 @@ class PkcsPyOpenSSL(Pkcs):
         return crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if cert else None
 
     def _dump_other_certificates(self, pkcs12):
+        if pkcs12.get_ca_certificates() is None:
+            return []
         return [
             crypto.dump_certificate(crypto.FILETYPE_PEM, other_cert)
             for other_cert in pkcs12.get_ca_certificates()

plugins/modules/openssl_publickey.py

@@ -217,7 +217,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/modules/openssl_signature.py

@@ -108,7 +108,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/modules/openssl_signature_info.py

@@ -108,7 +108,7 @@ try:
     import OpenSSL
     from OpenSSL import crypto
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     PYOPENSSL_FOUND = False
 else:

plugins/modules/x509_certificate_info.py

@@ -129,7 +129,7 @@ basic_constraints:
     returned: success
     type: list
     elements: str
-    sample: "[CA:TRUE, pathlen:1]"
+    sample: ["CA:TRUE", "pathlen:1"]
 basic_constraints_critical:
     description: Whether the C(basic_constraints) extension is critical.
     returned: success
@@ -139,7 +139,7 @@ extended_key_usage:
     returned: success
     type: list
     elements: str
-    sample: "[Biometric Info, DVCS, Time Stamping]"
+    sample: [Biometric Info, DVCS, Time Stamping]
 extended_key_usage_critical:
     description: Whether the C(extended_key_usage) extension is critical.
     returned: success
@@ -158,12 +158,12 @@ extensions_by_oid:
             returned: success
             type: str
             sample: "MAMCAQU="
-    sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}'
+    sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
 key_usage:
     description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
     returned: success
     type: str
-    sample: "[Key Agreement, Data Encipherment]"
+    sample: [Key Agreement, Data Encipherment]
 key_usage_critical:
     description: Whether the C(key_usage) extension is critical.
     returned: success
@@ -173,7 +173,7 @@ subject_alt_name:
     returned: success
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 subject_alt_name_critical:
     description: Whether the C(subject_alt_name) extension is critical.
     returned: success
@@ -192,36 +192,36 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The certificate's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 subject:
     description:
         - The certificate's subject as a dictionary.
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+    sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
 subject_ordered:
     description: The certificate's subject as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
 not_after:
     description: C(notAfter) date as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 not_before:
     description: C(notBefore) date as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190331202428Z
+    sample: '20190331202428Z'
 public_key:
     description: Certificate's public key in PEM format.
     returned: success
@@ -359,14 +359,14 @@ authority_cert_issuer:
     returned: success and if the pyOpenSSL backend is I(not) used
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 authority_cert_serial_number:
     description:
         - The certificate's authority cert serial number.
         - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
     returned: success and if the pyOpenSSL backend is I(not) used
     type: int
-    sample: '12345'
+    sample: 12345
 ocsp_uri:
     description: The OCSP responder URI, if included in the certificate. Will be
                  C(none) if no OCSP responder URI is included.

plugins/modules/x509_crl.py

@@ -286,13 +286,13 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The CRL's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 last_update:
     description: The point in time from which this CRL can be trusted as ASN.1 TIME.
     returned: success
@@ -326,7 +326,7 @@ revoked_certificates:
             description: The certificate's issuer.
             type: list
             elements: str
-            sample: '["DNS:ca.example.org"]'
+            sample: ["DNS:ca.example.org"]
         issuer_critical:
             description: Whether the certificate issuer extension is critical.
             type: bool
@@ -392,6 +392,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
     cryptography_get_name,
+    cryptography_key_needs_digest_for_signing,
     cryptography_name_to_oid,
     cryptography_oid_to_name,
     cryptography_serial_number_of_cert,
@@ -612,8 +613,12 @@ class CRL(OpenSSLObject):
             return False
         if self.next_update != self.crl.next_update and not self.ignore_timestamps:
             return False
-        if self.digest.name != self.crl.signature_hash_algorithm.name:
-            return False
+        if cryptography_key_needs_digest_for_signing(self.privatekey):
+            if self.crl.signature_hash_algorithm is None or self.digest.name != self.crl.signature_hash_algorithm.name:
+                return False
+        else:
+            if self.crl.signature_hash_algorithm is not None:
+                return False
 
         want_issuer = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.issuer]
         if want_issuer != [(sub.oid, sub.value) for sub in self.crl.issuer]:
@@ -664,9 +669,7 @@ class CRL(OpenSSLObject):
             revoked_cert = revoked_cert.revocation_date(entry['revocation_date'])
             if entry['issuer'] is not None:
                 revoked_cert = revoked_cert.add_extension(
-                    x509.CertificateIssuer([
-                        cryptography_get_name(name, 'issuer') for name in entry['issuer']
-                    ]),
+                    x509.CertificateIssuer(entry['issuer']),
                     entry['issuer_critical']
                 )
             if entry['reason'] is not None:
@@ -681,7 +684,10 @@ class CRL(OpenSSLObject):
                 )
             crl = crl.add_revoked_certificate(revoked_cert.build(backend))
 
-        self.crl = crl.sign(self.privatekey, self.digest, backend=backend)
+        digest = None
+        if cryptography_key_needs_digest_for_signing(self.privatekey):
+            digest = self.digest
+        self.crl = crl.sign(self.privatekey, digest, backend=backend)
         if self.format == 'pem':
             return self.crl.public_bytes(Encoding.PEM)
         else:

plugins/modules/x509_crl_info.py

@@ -78,23 +78,23 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The CRL's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 last_update:
     description: The point in time from which this CRL can be trusted as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 next_update:
     description: The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 digest:
     description: The signature algorithm used to sign the CRL.
     returned: success
@@ -113,12 +113,12 @@ revoked_certificates:
         revocation_date:
             description: The point in time the certificate was revoked as ASN.1 TIME.
             type: str
-            sample: 20190413202428Z
+            sample: '20190413202428Z'
         issuer:
             description: The certificate's issuer.
             type: list
             elements: str
-            sample: '["DNS:ca.example.org"]'
+            sample: ["DNS:ca.example.org"]
         issuer_critical:
             description: Whether the certificate issuer extension is critical.
             type: bool
@@ -140,7 +140,7 @@ revoked_certificates:
                 The point in time it was known/suspected that the private key was compromised
                 or that the certificate otherwise became invalid as ASN.1 TIME.
             type: str
-            sample: 20190413202428Z
+            sample: '20190413202428Z'
         invalidity_date_critical:
             description: Whether the invalidity date extension is critical.
             type: bool

plugins/plugin_utils/action_module.py

@@ -115,13 +115,12 @@ class AnsibleActionModule(object):
         self.required_by = required_by
         self._diff = self.__action_plugin._play_context.diff
         self._verbosity = self.__action_plugin._display.verbosity
-        self._string_conversion_action = C.STRING_CONVERSION_ACTION
 
         self.aliases = {}
         self._legal_inputs = []
         self._options_context = list()
 
-        self.params = copy.deepcopy(action_plugin._task.args)
+        self.params = copy.deepcopy(self.__action_plugin._task.args)
         self.no_log_values = set()
         if HAS_ARGSPEC_VALIDATOR:
             self._validator = ArgumentSpecValidator(
@@ -444,7 +443,7 @@ class AnsibleActionModule(object):
         }
 
         # Ignore, warn, or error when converting to a string.
-        allow_conversion = opts.get(self._string_conversion_action, True)
+        allow_conversion = opts.get(C.STRING_CONVERSION_ACTION, True)
         try:
             return check_type_str(value, allow_conversion)
         except TypeError:
@@ -459,10 +458,10 @@ class AnsibleActionModule(object):
                 from_msg = '{0}: {1!r}'.format(param, value)
                 to_msg = '{0}: {1!r}'.format(param, to_text(value))
 
-            if self._string_conversion_action == 'error':
+            if C.STRING_CONVERSION_ACTION == 'error':
                 msg = common_msg.capitalize()
                 raise TypeError(to_native(msg))
-            elif self._string_conversion_action == 'warn':
+            elif C.STRING_CONVERSION_ACTION == 'warn':
                 msg = ('The value "{0}" (type {1.__class__.__name__}) was converted to "{2}" (type string). '
                        'If this does not look like what you expect, {3}').format(from_msg, value, to_msg, common_msg)
                 self.warn(to_native(msg))

simplified_bsd.txt

@@ -0,0 +1,8 @@
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

tests/integration/targets/openssl_pkcs12/tasks/impl.yml

@@ -45,6 +45,18 @@
       return_content: true
     register: p12_standard_idempotency
 
+  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (empty other_certificates)"
+    openssl_pkcs12:
+      select_crypto_backend: '{{ select_crypto_backend }}'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
+      friendly_name: abracadabra
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
+      state: present
+      return_content: true
+      other_certificates: []
+    register: p12_standard_idempotency_no_certs
+
   - name: "({{ select_crypto_backend }}) Read ansible.p12"
     slurp:
       src: '{{ remote_tmp_dir }}/ansible.p12'

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -25,6 +25,7 @@
       - p12_dumped is changed
       - p12_standard_idempotency is not changed
       - p12_standard_idempotency_check is not changed
+      - p12_standard_idempotency_no_certs is not changed
       - p12_multiple_certs_idempotency is not changed
       - p12_dumped_idempotency is not changed
       - p12_dumped_check_mode is not changed
@@ -83,4 +84,4 @@
       - p12_empty is changed
       - p12_empty_idem is not changed
       - p12_empty_concat_idem is not changed
-      - empty_contents == (empty_expected_pyopenssl if select_crypto_backend == 'pyopenssl' else empty_expected_cryptography)
+      - (empty_contents == empty_expected_cryptography) or (empty_contents == empty_expected_pyopenssl and select_crypto_backend == 'pyopenssl')

tests/integration/targets/setup_python_info/vars/main.yml

@@ -59,3 +59,6 @@ cannot_upgrade_cryptography:
       - '3.8'  # on the VMs in CI, system packages are used for this version as well
     '13.0':
       - '3.8'  # on the VMs in CI, system packages are used for this version as well
+  Ubuntu:
+    '18':
+      - '3.9'  # this is the default container for ansible-core 2.12; upgrading cryptography wrecks pyOpenSSL

tests/integration/targets/setup_ssh_agent/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_ssh_keygen
+  - prepare_jinja2_compat

tests/integration/targets/setup_ssh_agent/tasks/main.yml

@@ -5,13 +5,22 @@
 ####################################################################
 
 - name: Start an ssh agent to use for tests
-  shell: eval $(ssh-agent)>/dev/null&&echo "${SSH_AGENT_PID};${SSH_AUTH_SOCK}"
-  register: openssh_agent_env_vars
+  shell: ssh-agent -c | grep "^setenv"
+  register: openssh_agent_stdout
+
+- name: Convert output to dictionary
+  set_fact:
+    openssh_agent_env: >-
+      {{
+        openssh_agent_stdout.stdout_lines | map('regex_replace', '^setenv ([^ ]+) ([^ ]+);', '\1')
+          | zip(openssh_agent_stdout.stdout_lines | map('regex_replace', '^setenv ([^ ]+) ([^ ]+);', '\2'))
+          | list | items2dict(key_name=0, value_name=1)
+      }}
 
 - name: Register ssh agent facts
   set_fact:
-    openssh_agent_pid: "{{ openssh_agent_env_vars.stdout.split(';')[0] }}"
-    openssh_agent_sock: "{{ openssh_agent_env_vars.stdout.split(';')[1] }}"
+    openssh_agent_pid: "{{ openssh_agent_env.SSH_AGENT_PID }}"
+    openssh_agent_sock: "{{ openssh_agent_env.SSH_AUTH_SOCK }}"
 
 - name: stat agent socket
   stat:

tests/integration/targets/x509_crl/tasks/impl.yml

@@ -456,3 +456,90 @@
     path: '{{ remote_tmp_dir }}/ca-crl2.crl'
     list_revoked_certificates: false
   register: crl_2_info_1
+
+- name: Create CRL 3
+  x509_crl:
+    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+    issuer:
+      CN: Ansible
+    last_update: +0d
+    next_update: +0d
+    revoked_certificates:
+      - serial_number: 1234
+        revocation_date: 20191001000000Z
+        issuer:
+          - "DNS:ca.example.org"
+        issuer_critical: true
+  register: crl_3
+
+- name: Retrieve CRL 3 infos
+  x509_crl_info:
+    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+    list_revoked_certificates: true
+  register: crl_3_info
+
+- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
+  block:
+    - name: Generate private keys
+      openssl_privatekey:
+        path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+        type: '{{ item }}'
+      loop:
+        - Ed25519
+        - Ed448
+      register: ed25519_ed448_privatekey
+      ignore_errors: yes
+
+    - when: ed25519_ed448_privatekey is not failed
+      block:
+
+        - name: Create CRL
+          x509_crl:
+            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+            issuer:
+              CN: Ansible
+            last_update: 20191013000000Z
+            next_update: 20191113000000Z
+            revoked_certificates:
+              - path: '{{ remote_tmp_dir }}/cert-1.pem'
+                revocation_date: 20191013000000Z
+              - path: '{{ remote_tmp_dir }}/cert-2.pem'
+                revocation_date: 20191013000000Z
+                reason: key_compromise
+                reason_critical: yes
+                invalidity_date: 20191012000000Z
+              - serial_number: 1234
+                revocation_date: 20191001000000Z
+          register: ed25519_ed448_crl
+          loop:
+            - Ed25519
+            - Ed448
+          ignore_errors: yes
+
+        - name: Create CRL (idempotence)
+          x509_crl:
+            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+            issuer:
+              CN: Ansible
+            last_update: 20191013000000Z
+            next_update: 20191113000000Z
+            revoked_certificates:
+              - path: '{{ remote_tmp_dir }}/cert-1.pem'
+                revocation_date: 20191013000000Z
+              - path: '{{ remote_tmp_dir }}/cert-2.pem'
+                revocation_date: 20191013000000Z
+                reason: key_compromise
+                reason_critical: yes
+                invalidity_date: 20191012000000Z
+              - serial_number: 1234
+                revocation_date: 20191001000000Z
+          register: ed25519_ed448_crl_idempotence
+          loop:
+            - Ed25519
+            - Ed448
+          ignore_errors: yes
+
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')

tests/integration/targets/x509_crl/tests/validate.yml

@@ -90,3 +90,31 @@
   assert:
     that:
       - "'revoked_certificates' not in crl_2_info_1"
+
+- name: Validate CRL 3 info
+  assert:
+    that:
+      - crl_3.revoked_certificates == crl_3_info.revoked_certificates
+      - crl_3.revoked_certificates[0].issuer == [
+          "DNS:ca.example.org",
+        ]
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
+  assert:
+    that:
+      - ed25519_ed448_crl.results[0] is failed
+      - ed25519_ed448_crl.results[1] is failed
+      - ed25519_ed448_crl_idempotence.results[0] is failed
+      - ed25519_ed448_crl_idempotence.results[1] is failed
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ed25519_ed448_privatekey is not failed
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+  assert:
+    that:
+      - ed25519_ed448_crl is succeeded
+      - ed25519_ed448_crl.results[0] is changed
+      - ed25519_ed448_crl.results[1] is changed
+      - ed25519_ed448_crl_idempotence is succeeded
+      - ed25519_ed448_crl_idempotence.results[0] is not changed
+      - ed25519_ed448_crl_idempotence.results[1] is not changed
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ed25519_ed448_privatekey is not failed

tests/sanity/extra/extra-docs.json

@@ -5,6 +5,6 @@
     ],
     "output": "path-line-column-message",
     "requirements": [
-        "antsibull"
+        "antsibull-docs"
     ]
 }

tests/sanity/extra/extra-docs.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # Copyright (c) Ansible Project
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-"""Check extra collection docs with antsibull-lint."""
+"""Check extra collection docs with antsibull-docs."""
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
@@ -14,7 +14,7 @@ def main():
     """Main entry point."""
     if not os.path.isdir(os.path.join('docs', 'docsite')):
         return
-    p = subprocess.run(['antsibull-lint', 'collection-docs', '.'], check=False)
+    p = subprocess.run(['antsibull-docs', 'lint-collection-docs', '.'], check=False)
     if p.returncode not in (0, 3):
         print('{0}:0:0: unexpected return code {1}'.format(sys.argv[0], p.returncode))
 

tests/utils/constraints.txt

@@ -1,7 +1,8 @@
 coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible
 coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible
 cryptography < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6
-cryptography >= 3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.4 ; python_version < '3.5' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.3 ; python_version == '3.5' # cryptography 3.3 drops support for python 3.5
 urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later
 idna < 2.6, >= 2.5 # linode requires idna < 2.9, >= 2.5, requests requires idna < 2.6, but cryptography will cause the latest version to be installed instead
 requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6