internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-03-26 21:33:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
911ed33c2e898e6b56e640fa4f71afa599db3fcb
community.crypto/plugins/modules/crypto_info.py
Felix Fontein 911ed33c2e Fix EC detection. (#981)
2026-02-11 21:44:24 +01:00

429 lines
14 KiB
Python
Raw Blame History

#!/usr/bin/python
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import annotations
DOCUMENTATION = r"""
module: crypto_info
author: "Felix Fontein (@felixfontein)"
short_description: Retrieve cryptographic capabilities
version_added: 2.1.0
description:
- Retrieve information on cryptographic capabilities.
- The current version retrieves information on the L(Python cryptography library, https://cryptography.io/) available to
Ansible modules, and on the OpenSSL binary C(openssl) found in the path.
extends_documentation_fragment:
- community.crypto._attributes
- community.crypto._attributes.info_module
- community.crypto._attributes.idempotent_not_modify_state
options: {}
"""
EXAMPLES = r"""
---
- name: Retrieve information
community.crypto.crypto_info:
account_key_src: /etc/pki/cert/private/account.key
register: crypto_information
- name: Show retrieved information
ansible.builtin.debug:
var: crypto_information
"""
RETURN = r"""
python_cryptography_installed:
description: Whether the L(Python cryptography library, https://cryptography.io/) is installed.
returned: always
type: bool
sample: true
python_cryptography_import_error:
description: Import error when trying to import the L(Python cryptography library, https://cryptography.io/).
returned: when RV(python_cryptography_installed=false)
type: str
python_cryptography_capabilities:
description: Information on the installed L(Python cryptography library, https://cryptography.io/).
returned: when RV(python_cryptography_installed=true)
type: dict
contains:
version:
description: The library version.
type: str
curves:
description:
- List of all supported elliptic curves.
- Theoretically this should be non-empty for version 0.5 and higher, depending on the libssl version used.
type: list
elements: str
has_ec:
description:
- Whether elliptic curves are supported.
- Theoretically this should be the case for version 0.5 and higher, depending on the libssl version used.
type: bool
has_ec_sign:
description:
- Whether signing with elliptic curves is supported.
- Theoretically this should be the case for version 1.5 and higher, depending on the libssl version used.
type: bool
has_ed25519:
description:
- Whether Ed25519 keys are supported.
- Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used.
type: bool
has_ed25519_sign:
description:
- Whether signing with Ed25519 keys is supported.
- Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used.
type: bool
has_ed448:
description:
- Whether Ed448 keys are supported.
- Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used.
type: bool
has_ed448_sign:
description:
- Whether signing with Ed448 keys is supported.
- Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used.
type: bool
has_dsa:
description:
- Whether DSA keys are supported.
- Theoretically this should be the case for version 0.5 and higher.
type: bool
has_dsa_sign:
description:
- Whether signing with DSA keys is supported.
- Theoretically this should be the case for version 1.5 and higher.
type: bool
has_rsa:
description:
- Whether RSA keys are supported.
- Theoretically this should be the case for version 0.5 and higher.
type: bool
has_rsa_sign:
description:
- Whether signing with RSA keys is supported.
- Theoretically this should be the case for version 1.4 and higher.
type: bool
has_x25519:
description:
- Whether X25519 keys are supported.
- Theoretically this should be the case for version 2.0 and higher, depending on the libssl version used.
type: bool
has_x25519_serialization:
description:
- Whether serialization of X25519 keys is supported.
- Theoretically this should be the case for version 2.5 and higher, depending on the libssl version used.
type: bool
has_x448:
description:
- Whether X448 keys are supported.
- Theoretically this should be the case for version 2.5 and higher, depending on the libssl version used.
type: bool
openssl_present:
description: Whether the OpenSSL binary C(openssl) is installed and can be found in the PATH.
returned: always
type: bool
sample: true
openssl:
description: Information on the installed OpenSSL binary.
returned: when RV(openssl_present=true)
type: dict
contains:
path:
description: Path of the OpenSSL binary.
type: str
sample: /usr/bin/openssl
version:
description: The OpenSSL version.
type: str
sample: 1.1.1m
version_output:
description: The complete output of C(openssl version).
type: str
sample: 'OpenSSL 1.1.1m 14 Dec 2021\n'
"""
import traceback
import typing as t
from ansible.module_utils.basic import AnsibleModule
CRYPTOGRAPHY_VERSION: str | None
CRYPTOGRAPHY_IMP_ERR: str | None
try:
import cryptography
import cryptography.hazmat.primitives.asymmetric
from cryptography.exceptions import UnsupportedAlgorithm
try:
# While UnsupportedAlgorithm got added in cryptography 0.1, InternalError
# only got added in 0.2, so let's guard the import
from cryptography.exceptions import InternalError as CryptographyInternalError
except ImportError:
CryptographyInternalError = Exception # type: ignore
except ImportError:
UnsupportedAlgorithm = Exception # type: ignore
CryptographyInternalError = Exception # type: ignore
HAS_CRYPTOGRAPHY = False
CRYPTOGRAPHY_VERSION = None # pylint: disable=invalid-name
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc() # pylint: disable=invalid-name
else:
HAS_CRYPTOGRAPHY = True
CRYPTOGRAPHY_VERSION = cryptography.__version__ # pylint: disable=invalid-name
CRYPTOGRAPHY_IMP_ERR = None # pylint: disable=invalid-name
CURVES = (
("secp224r1", "SECP224R1"),
("secp256k1", "SECP256K1"),
("secp256r1", "SECP256R1"),
("secp384r1", "SECP384R1"),
("secp521r1", "SECP521R1"),
("secp192r1", "SECP192R1"),
("sect163k1", "SECT163K1"),
("sect163r2", "SECT163R2"),
("sect233k1", "SECT233K1"),
("sect233r1", "SECT233R1"),
("sect283k1", "SECT283K1"),
("sect283r1", "SECT283R1"),
("sect409k1", "SECT409K1"),
("sect409r1", "SECT409R1"),
("sect571k1", "SECT571K1"),
("sect571r1", "SECT571R1"),
("brainpoolP256r1", "BrainpoolP256R1"),
("brainpoolP384r1", "BrainpoolP384R1"),
("brainpoolP512r1", "BrainpoolP512R1"),
)
def add_crypto_information(module: AnsibleModule) -> dict[str, t.Any]:
result: dict[str, t.Any] = {}
result["python_cryptography_installed"] = HAS_CRYPTOGRAPHY
if not HAS_CRYPTOGRAPHY:
result["python_cryptography_import_error"] = CRYPTOGRAPHY_IMP_ERR
return result
# Test for DSA
has_dsa = False
has_dsa_sign = False
try:
# added in 0.5 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/
from cryptography.hazmat.primitives.asymmetric import dsa
has_dsa = True
try:
# added later in 1.5
dsa.DSAPrivateKey.sign # noqa: B018 # pylint: disable=pointless-statement
has_dsa_sign = True
except AttributeError:
pass
except ImportError:
pass
# Test for RSA
has_rsa = False
has_rsa_sign = False
try:
# added in 0.5 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
from cryptography.hazmat.primitives.asymmetric import rsa
has_rsa = True
try:
# added later in 1.4
rsa.RSAPrivateKey.sign # noqa: B018 # pylint: disable=pointless-statement
has_rsa_sign = True
except AttributeError:
pass
except ImportError:
pass
# Test for Ed25519
has_ed25519 = False
has_ed25519_sign = False
try:
# added in 2.6 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed25519/
from cryptography.hazmat.primitives.asymmetric import ed25519
try:
ed25519.Ed25519PrivateKey.from_private_bytes(b"")
except ValueError:
pass
has_ed25519 = True
try:
# added with the primitive in 2.6
ed25519.Ed25519PrivateKey.sign # noqa: B018 # pylint: disable=pointless-statement
has_ed25519_sign = True
except AttributeError:
pass
except (ImportError, UnsupportedAlgorithm):
pass
# Test for Ed448
has_ed448 = False
has_ed448_sign = False
try:
# added in 2.6 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/
from cryptography.hazmat.primitives.asymmetric import ed448
try:
ed448.Ed448PrivateKey.from_private_bytes(b"")
except ValueError:
pass
has_ed448 = True
try:
# added with the primitive in 2.6
ed448.Ed448PrivateKey.sign # noqa: B018 # pylint: disable=pointless-statement
has_ed448_sign = True
except AttributeError:
pass
except (ImportError, UnsupportedAlgorithm):
pass
# Test for X25519
has_x25519 = False
has_x25519_full = False
try:
# added in 2.0 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/
from cryptography.hazmat.primitives.asymmetric import x25519
try:
# added later in 2.5
x25519.X25519PrivateKey.private_bytes # noqa: B018 # pylint: disable=pointless-statement
full = True
except AttributeError:
full = False
try:
if full:
x25519.X25519PrivateKey.from_private_bytes(b"")
else:
# Some versions do not support serialization and deserialization - use generate() instead
x25519.X25519PrivateKey.generate()
except ValueError:
pass
has_x25519 = True
has_x25519_full = full
except (ImportError, UnsupportedAlgorithm):
pass
# Test for X448
has_x448 = False
try:
# added in 2.5 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x448/
from cryptography.hazmat.primitives.asymmetric import x448
try:
x448.X448PrivateKey.from_private_bytes(b"")
except ValueError:
pass
has_x448 = True
except (ImportError, UnsupportedAlgorithm):
pass
# Test for ECC
has_ec = False
has_ec_sign = False
curves = []
try:
# added in 0.5 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/
from cryptography.hazmat.primitives.asymmetric import ec
has_ec = True
try:
# added later in 1.5
ec.EllipticCurvePrivateKey.sign # noqa: B018 # pylint: disable=pointless-statement
has_ec_sign = True
except AttributeError:
pass
except ImportError:
pass
else:
for curve_name, constructor_name in CURVES:
ecclass = getattr(ec, constructor_name, None)
if ecclass is not None:
try:
ec.generate_private_key(curve=ecclass())
curves.append(curve_name)
except UnsupportedAlgorithm:
pass
except ( # pylint: disable=duplicate-except,bad-except-order
CryptographyInternalError
):
# On Fedora 41, some curves result in InternalError. This is probably because
# Fedora's cryptography is linked against the system libssl, which has the
# curves removed.
pass
# Compose result
info = {
"version": CRYPTOGRAPHY_VERSION,
"curves": curves,
"has_ec": has_ec,
"has_ec_sign": has_ec_sign,
"has_ed25519": has_ed25519,
"has_ed25519_sign": has_ed25519_sign,
"has_ed448": has_ed448,
"has_ed448_sign": has_ed448_sign,
"has_dsa": has_dsa,
"has_dsa_sign": has_dsa_sign,
"has_rsa": has_rsa,
"has_rsa_sign": has_rsa_sign,
"has_x25519": has_x25519,
"has_x25519_serialization": has_x25519 and has_x25519_full,
"has_x448": has_x448,
}
result["python_cryptography_capabilities"] = info
return result
def add_openssl_information(module: AnsibleModule) -> dict[str, t.Any]:
openssl_binary = module.get_bin_path("openssl")
result: dict[str, t.Any] = {
"openssl_present": openssl_binary is not None,
}
if openssl_binary is None:
return result
openssl_result = {
"path": openssl_binary,
}
result["openssl"] = openssl_result
rc, out, _err = module.run_command([openssl_binary, "version"])
if rc == 0:
openssl_result["version_output"] = out
parts = out.split(None, 2)
if len(parts) > 1:
openssl_result["version"] = parts[1]
return result
INFO_FUNCTIONS = (
add_crypto_information,
add_openssl_information,
)
def main() -> t.NoReturn:
module = AnsibleModule(argument_spec={}, supports_check_mode=True)
result: dict[str, t.Any] = {}
for fn in INFO_FUNCTIONS:
result.update(fn(module))
module.exit_json(**result)
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink