mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-03-26 21:33:25 +00:00
04967efe26
* Create script to reproduce certs. * Recreate the certificates and update the tests. * Anonymize certificates. * Make mostly reproducable by storing the private keys. I've tried to hide the private keys so that 'security checkers' won't find them and won't complain. Let's see whether that works...
221 lines
10 KiB
YAML
221 lines
10 KiB
YAML
---
|
|
# Copyright (c) Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
- debug:
|
|
msg: "Executing tests with backend {{ select_crypto_backend }}"
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info (IDNA encoding)
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_1.pem'
|
|
name_encoding: idna
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result_idna
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info (Unicode encoding)
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_1.pem'
|
|
name_encoding: unicode
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result_unicode
|
|
|
|
- name: Check whether issuer and subject and extensions behave as expected
|
|
assert:
|
|
that:
|
|
- result.issuer.organizationalUnitName == 'ACME Department'
|
|
- "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
|
|
- "['organizationalUnitName', 'ACME Department'] in result.issuer_ordered"
|
|
- result.subject.organizationalUnitName == 'ACME Department'
|
|
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
|
|
- "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
|
|
- result.public_key_type == 'RSA'
|
|
- result.public_key_data.size == (default_rsa_key_size_certificates | int)
|
|
- "result.subject_alt_name == [
|
|
'DNS:www.ansible.com',
|
|
'DNS:' ~ ('öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--7ca3a') ~ '.com',
|
|
'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
|
|
'IP:1.2.3.4',
|
|
'IP:::1',
|
|
'email:test@example.org',
|
|
'URI:https://example.org/test/index.html'
|
|
]"
|
|
- "result_idna.subject_alt_name == [
|
|
'DNS:www.ansible.com',
|
|
'DNS:xn--7ca3a.com',
|
|
'DNS:' ~ ('www.xn--7ca3a' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
|
|
'IP:1.2.3.4',
|
|
'IP:::1',
|
|
'email:test@example.org',
|
|
'URI:https://example.org/test/index.html'
|
|
]"
|
|
- "result_unicode.subject_alt_name == [
|
|
'DNS:www.ansible.com',
|
|
'DNS:öç.com',
|
|
'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺') ~ '.com',
|
|
'IP:1.2.3.4',
|
|
'IP:::1',
|
|
'email:test@example.org',
|
|
'URI:https://example.org/test/index.html'
|
|
]"
|
|
# TLS Feature
|
|
- result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].critical == false
|
|
- result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].value == 'MAMCAQU='
|
|
# Key Usage
|
|
- result.extensions_by_oid['2.5.29.15'].critical == true
|
|
- result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
|
|
# Subject Alternative Names
|
|
- result.extensions_by_oid['2.5.29.17'].critical == false
|
|
- >
|
|
result.extensions_by_oid['2.5.29.17'].value == (
|
|
'MIGCgg93d3cuYW5zaWJsZS5jb22CDXhuLS03Y2EzYS5jb22CEXd3dy54bi0tN2NhM2EuY29thwQBAgMEhxAAAAAAAAAAAAAAAAAAAAABgRB0ZXN0QGV4YW1wbGUub3JnhiNodHRwczovL2V4YW1wbGUub3JnL3Rlc3QvaW5kZXguaHRtbA=='
|
|
if cryptography_version.stdout is version('2.1', '<') else
|
|
'MHyCD3d3dy5hbnNpYmxlLmNvbYINeG4tLTdjYTNhLmNvbYILeG4tLTc0aC5jb22HBAECAwSHEAAAAAAAAAAAAAAAAAAAAAGBEHRlc3RAZXhhbXBsZS5vcmeGI2h0dHBzOi8vZXhhbXBsZS5vcmcvdGVzdC9pbmRleC5odG1s'
|
|
)
|
|
# Basic Constraints
|
|
- result.extensions_by_oid['2.5.29.19'].critical == true
|
|
- result.extensions_by_oid['2.5.29.19'].value == 'MAYBAf8CARc='
|
|
# Extended Key Usage
|
|
- result.extensions_by_oid['2.5.29.37'].critical == false
|
|
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
|
|
|
|
- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
|
|
assert:
|
|
that:
|
|
- result.subject_key_identifier == "00:11:22:33"
|
|
- result.authority_key_identifier == "44:55:66:77"
|
|
- result.authority_cert_issuer == expected_authority_cert_issuer
|
|
- result.authority_cert_serial_number == 12345
|
|
# Subject Key Identifier
|
|
- result.extensions_by_oid['2.5.29.14'].critical == false
|
|
# Authority Key Identifier
|
|
- result.extensions_by_oid['2.5.29.35'].critical == false
|
|
vars:
|
|
expected_authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
when: cryptography_version.stdout is version('1.3', '>=')
|
|
|
|
- name: ({{select_crypto_backend}}) Read file
|
|
slurp:
|
|
src: '{{ remote_tmp_dir }}/cert_1.pem'
|
|
register: slurp
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info directly
|
|
x509_certificate_info:
|
|
content: '{{ slurp.content | b64decode }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result_direct
|
|
|
|
- name: ({{select_crypto_backend}}) Compare output of direct and loaded info
|
|
assert:
|
|
that:
|
|
- >-
|
|
(result | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
|
|
==
|
|
(result_direct | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_2.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
valid_at:
|
|
today: "+0d"
|
|
past: "20190101235901Z"
|
|
twentydays: "+20d"
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.valid_at.today
|
|
- not result.valid_at.past
|
|
- not result.valid_at.twentydays
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_3.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: Check AuthorityKeyIdentifier
|
|
assert:
|
|
that:
|
|
- result.authority_key_identifier is none
|
|
- result.authority_cert_issuer == expected_authority_cert_issuer
|
|
- result.authority_cert_serial_number == 12345
|
|
vars:
|
|
expected_authority_cert_issuer:
|
|
- "DNS:ca.example.org"
|
|
- "IP:1.2.3.4"
|
|
when: cryptography_version.stdout is version('1.3', '>=')
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/cert_4.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
|
|
- name: Check AuthorityKeyIdentifier
|
|
assert:
|
|
that:
|
|
- result.authority_key_identifier == "44:55:66:77"
|
|
- result.authority_cert_issuer is none
|
|
- result.authority_cert_serial_number is none
|
|
when: cryptography_version.stdout is version('1.3', '>=')
|
|
|
|
- name: Copy packed cert 1 to remote
|
|
copy:
|
|
src: cert1.pem
|
|
dest: '{{ remote_tmp_dir }}/packed-cert-1.pem'
|
|
|
|
- name: ({{select_crypto_backend}}) Get certificate info for packaged cert 1
|
|
x509_certificate_info:
|
|
path: '{{ remote_tmp_dir }}/packed-cert-1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: result
|
|
- name: Check extensions
|
|
assert:
|
|
that:
|
|
- "'ocsp_uri' in result"
|
|
- "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'"
|
|
- "'issuer_uri' in result"
|
|
- "result.issuer_uri == 'http://cert.foobarbaz.example.com/inter.pem'"
|
|
- result.extensions_by_oid | length == 9
|
|
# Precert Signed Certificate Timestamps
|
|
- result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].critical == false
|
|
- result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].value == 'BIHvAO0AdADd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZYL7QgtAAAEAwBFMEMCIAXku/W4fMbkoOkHguRt8RfxVy6dgwpi9A8IDTRkOn1XAh9g9RjiBvMJdM/+UQS+WNXaxOqA5JzUfvCFjbYLbEZ5AHUADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGWC+0H2AAABAMARjBEAiB26F5G8YPuZ11gAfEXqAFpVk01VcbOsS6w3dn2CJf6zgIgeEWCpg9tsQ8dB7/hU1zOmkZom62VDXvk8Cs+yscbQq4='
|
|
# Authority Information Access
|
|
- result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].critical == false
|
|
- result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].value == 'MGgwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmZvb2JhcmJhei5leGFtcGxlLmNvbTA3BggrBgEFBQcwAoYraHR0cDovL2NlcnQuZm9vYmFyYmF6LmV4YW1wbGUuY29tL2ludGVyLnBlbQ=='
|
|
# Subject Key Identifier
|
|
- result.extensions_by_oid['2.5.29.14'].critical == false
|
|
- result.extensions_by_oid['2.5.29.14'].value == 'BBSq0oNG47DU/2s2mDG6sXXx3vBVoA=='
|
|
# Key Usage
|
|
- result.extensions_by_oid['2.5.29.15'].critical == true
|
|
- result.extensions_by_oid['2.5.29.15'].value == 'AwIFoA=='
|
|
# Subject Alternative Names
|
|
- result.extensions_by_oid['2.5.29.17'].critical == false
|
|
- result.extensions_by_oid['2.5.29.17'].value == 'MHWCC2V4YW1wbGUubmV0gg93d3cuZXhhbXBsZS5uZXSCD2Zvby5leGFtcGxlLm5ldIIPYmFyLmV4YW1wbGUubmV0gg9iYXouZXhhbXBsZS5uZXSCD2JhbS5leGFtcGxlLm5ldIIRKi5iYW0uZXhhbXBsZS5uZXQ='
|
|
# Basic Constraints
|
|
- result.extensions_by_oid['2.5.29.19'].critical == true
|
|
- result.extensions_by_oid['2.5.29.19'].value == 'MAA='
|
|
# Certificate Policies
|
|
- result.extensions_by_oid['2.5.29.32'].critical == false
|
|
- result.extensions_by_oid['2.5.29.32'].value == 'MHMwCAYGZ4EMAQIBMGcGCysGAQQBgt8TAQEBMFgwNgYIKwYBBQUHAgEWKmh0dHA6Ly9jcHMuZm9vYmFyYmF6LmV4YW1wbGUuY29tL3NvbWV0aGluZzAeBggrBgEFBQcCAjASDBBCbGFibGEgd2hhdGV2ZXIu'
|
|
# Authority Key Identifier
|
|
- result.extensions_by_oid['2.5.29.35'].critical == false
|
|
- result.extensions_by_oid['2.5.29.35'].value == 'MBaAFGgVOaTes3MnP1bD3KkShc1RApS4'
|
|
# Extended Key Usage
|
|
- result.extensions_by_oid['2.5.29.37'].critical == false
|
|
- result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg=='
|
|
- name: Check fingerprints
|
|
assert:
|
|
that:
|
|
- (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true)
|
|
- (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true)
|