openssl_csr cryptography backend, try II (#50894)

* Revert "Revert "openssl_csr: Allow to use cryptography as backend (#50324)""

This reverts commit bbd2e31e9f.

* Remove more complicated selection copy'n'pasted from openssl_privatekey.

* Add tests for backend selection.

* Add openssl_csr test for arbitrary string commonName.

* Allow to disable commonName -> SAN copying (fixes #36690).

test/integration/targets/openssl_certificate/tasks/ownca.yml

@@ -9,6 +9,7 @@
     privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
     subject:
       commonName: Example CA
+    useCommonNameForSAN: no
     basic_constraints:
     - 'CA:TRUE'
     basic_constraints_critical: yes

test/integration/targets/openssl_csr/tasks/impl.yml

@@ -0,0 +1,157 @@
+---
+- name: Generate privatekey
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey.pem'
+
+- name: Generate CSR (check mode)
+  openssl_csr:
+    path: '{{ output_dir }}/csr.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  check_mode: yes
+  register: generate_csr_check
+
+- name: Generate CSR
+  openssl_csr:
+    path: '{{ output_dir }}/csr.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: generate_csr
+
+- name: Generate CSR (idempotent)
+  openssl_csr:
+    path: '{{ output_dir }}/csr.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: generate_csr_check_idempotent
+
+- name: Generate CSR (idempotent, check mode)
+  openssl_csr:
+    path: '{{ output_dir }}/csr.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  check_mode: yes
+  register: generate_csr_check_idempotent_check
+
+# keyUsage longname and shortname should be able to be used
+# interchangeably. Hence the long name is specified here
+# but the short name is used to test idempotency for ipsecuser
+# and vice-versa for biometricInfo
+- name: Generate CSR with KU and XKU
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      CN: www.ansible.com
+    keyUsage:
+      - digitalSignature
+      - keyAgreement
+    extendedKeyUsage:
+      - qcStatements
+      - DVCS
+      - IPSec User
+      - biometricInfo
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
+- name: Generate CSR with KU and XKU (test idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: 'www.ansible.com'
+    keyUsage:
+      - Key Agreement
+      - digitalSignature
+    extendedKeyUsage:
+      - ipsecUser
+      - qcStatements
+      - DVCS
+      - Biometric Info
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ku_xku
+
+- name: Generate CSR with KU and XKU (test XKU change)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: 'www.ansible.com'
+    keyUsage:
+      - digitalSignature
+      - keyAgreement
+    extendedKeyUsage:
+      - ipsecUser
+      - qcStatements
+      - Biometric Info
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ku_xku_change
+
+- name: Generate CSR with KU and XKU (test KU change)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: 'www.ansible.com'
+    keyUsage:
+      - digitalSignature
+    extendedKeyUsage:
+      - ipsecUser
+      - qcStatements
+      - Biometric Info
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ku_xku_change_2
+
+- name: Generate CSR with old API
+  openssl_csr:
+    path: '{{ output_dir }}/csr_oldapi.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
+- name: Generate CSR with OCSP Must Staple
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ocsp.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject_alt_name: "DNS:www.ansible.com"
+    ocsp_must_staple: true
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
+- name: Generate CSR with OCSP Must Staple (test idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ocsp.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject_alt_name: "DNS:www.ansible.com"
+    ocsp_must_staple: true
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ocsp_idempotency
+
+- name: Generate ECC privatekey
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey2.pem'
+    type: ECC
+    curve: secp384r1
+
+- name: Generate CSR with ECC privatekey
+  openssl_csr:
+    path: '{{ output_dir }}/csr2.csr'
+    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+
+- name: Generate CSR with text common name
+  openssl_csr:
+    path: '{{ output_dir }}/csr3.csr'
+    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    subject:
+      commonName: This is for Ansible
+    useCommonNameForSAN: no
+    select_crypto_backend: '{{ select_crypto_backend }}'

test/integration/targets/openssl_csr/tasks/main.yml

@@ -1,141 +1,40 @@
 ---
+- name: Prepare private key for backend autodetection test
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_backend_selection.pem'
+- name: Run module with backend autodetection
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backend_selection.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_backend_selection.pem'
+    subject:
+      commonName: www.ansible.com
+
 - block:
-    - name: Generate privatekey
-      openssl_privatekey:
-        path: '{{ output_dir }}/privatekey.pem'
+  - name: Running tests with pyOpenSSL backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: pyopenssl
 
-    - name: Generate CSR (check mode)
-      openssl_csr:
-        path: '{{ output_dir }}/csr.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: www.ansible.com
-      check_mode: yes
-      register: generate_csr_check
-
-    - name: Generate CSR
-      openssl_csr:
-        path: '{{ output_dir }}/csr.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: www.ansible.com
-      register: generate_csr
-
-    - name: Generate CSR (idempotent)
-      openssl_csr:
-        path: '{{ output_dir }}/csr.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: www.ansible.com
-      register: generate_csr_check_idempotent
-
-    - name: Generate CSR (idempotent, check mode)
-      openssl_csr:
-        path: '{{ output_dir }}/csr.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: www.ansible.com
-      check_mode: yes
-      register: generate_csr_check_idempotent_check
-
-    # keyUsage longname and shortname should be able to be used
-    # interchangeably. Hence the long name is specified here
-    # but the short name is used to test idempotency for ipsecuser
-    # and vice-versa for biometricInfo
-    - name: Generate CSR with KU and XKU
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ku_xku.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          CN: www.ansible.com
-        keyUsage:
-          - digitalSignature
-          - keyAgreement
-        extendedKeyUsage:
-          - qcStatements
-          - DVCS
-          - IPSec User
-          - biometricInfo
-
-    - name: Generate CSR with KU and XKU (test idempotency)
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ku_xku.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: 'www.ansible.com'
-        keyUsage:
-          - Key Agreement
-          - digitalSignature
-        extendedKeyUsage:
-          - ipsecUser
-          - qcStatements
-          - DVCS
-          - Biometric Info
-      register: csr_ku_xku
-
-    - name: Generate CSR with KU and XKU (test XKU change)
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ku_xku.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: 'www.ansible.com'
-        keyUsage:
-          - digitalSignature
-          - keyAgreement
-        extendedKeyUsage:
-          - ipsecUser
-          - qcStatements
-          - Biometric Info
-      register: csr_ku_xku_change
-
-    - name: Generate CSR with KU and XKU (test KU change)
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ku_xku.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject:
-          commonName: 'www.ansible.com'
-        keyUsage:
-          - digitalSignature
-        extendedKeyUsage:
-          - ipsecUser
-          - qcStatements
-          - Biometric Info
-      register: csr_ku_xku_change_2
-
-    - name: Generate CSR with old API
-      openssl_csr:
-        path: '{{ output_dir }}/csr_oldapi.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        commonName: www.ansible.com
-
-    - name: Generate CSR with OCSP Must Staple
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ocsp.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject_alt_name: "DNS:www.ansible.com"
-        ocsp_must_staple: true
-
-    - name: Generate CSR with OCSP Must Staple (test idempotency)
-      openssl_csr:
-        path: '{{ output_dir }}/csr_ocsp.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        subject_alt_name: "DNS:www.ansible.com"
-        ocsp_must_staple: true
-      register: csr_ocsp_idempotency
-
-    - name: Generate ECC privatekey
-      openssl_privatekey:
-        path: '{{ output_dir }}/privatekey2.pem'
-        type: ECC
-        curve: secp256k1
-
-    - name: Generate CSR with ECC privatekey
-      openssl_csr:
-        path: '{{ output_dir }}/csr2.csr'
-        privatekey_path: '{{ output_dir }}/privatekey2.pem'
-        subject:
-          commonName: www.ansible.com
-
-    - import_tasks: ../tests/validate.yml
+  - import_tasks: ../tests/validate.yml
 
   when: pyopenssl_version.stdout is version('0.15', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ output_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ output_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.3', '>=')

test/integration/targets/openssl_csr/tests/validate.yml

@@ -78,3 +78,12 @@
     that:
       - csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
       - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
+
+- name: Validate CSR (text common name - Common Name)
+  shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
+  register: csr3_cn
+
+- name: Validate CSR (assert)
+  assert:
+    that:
+      - csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'

test/integration/targets/openssl_privatekey/tasks/main.yml

@@ -26,6 +26,10 @@
 - name: List of elliptic curves supported by OpenSSL
   debug: var=openssl_ecc_list
 
+- name: Run module with backend autodetection
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_backend_selection.pem'
+
 - block:
   - name: Running tests with pyOpenSSL backend
     include_tasks: impl.yml