Add openssl_privatekey_info module (#54845)

* Add openssl_privatekey_info module. * Addressing review feedback. * Update docs. * Update tests. * Work around too broad sanity checks. * ... * Don't die when None is returned. * Use OpenSSL to extract RSA and DSA key data. * Extend tests. * Make OpenSSL code compatible to OpenSSL < 1.1. * Rewrite tests to use result dicts instead of result lists. * Skip ECC for too old PyOpenSSL. * Reformulate. * Improve return_private_key_data docs. * Rename path_content -> content. * Add sample. * Cleanup. * Add key consistency check. * Improve description. * Adjust minimal version. * Fallback code for some pyOpenSSL < 16.0 versions. * Also support Ed25519 and Ed448 keys (or not). * Add more consistency checks. * Verify DSA keys manually. * Improve DSA key validation. * Forgot one condition. * Make validation more robust. * Move generic arithmetic code to module_utils/crypto.py.
2026-05-06 05:12:45 +00:00 · 2019-04-08 10:07:56 +02:00
parent 4503426f32
commit 7a16703dff
10 changed files with 970 additions and 19 deletions
--- a/test/integration/targets/openssl_privatekey_info/aliases
+++ b/test/integration/targets/openssl_privatekey_info/aliases
@@ -0,0 +1,2 @@
+shippable/posix/group1
+destructive
--- a/test/integration/targets/openssl_privatekey_info/meta/main.yml
+++ b/test/integration/targets/openssl_privatekey_info/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - setup_openssl
--- a/test/integration/targets/openssl_privatekey_info/tasks/impl.yml
+++ b/test/integration/targets/openssl_privatekey_info/tasks/impl.yml
@@ -0,0 +1,167 @@
+---
+- debug:
+    msg: "Executing tests with backend {{ select_crypto_backend }}"
+
+- name: ({{select_crypto_backend}}) Get key 1 info
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_1.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- name: Check that RSA key info is ok
+  assert:
+    that:
+      - "'public_key' in result"
+      - "'public_key_fingerprints' in result"
+      - "'type' in result"
+      - "result.type == 'RSA'"
+      - "'public_data' in result"
+      - "2 ** (result.public_data.size - 1) < result.public_data.modulus < 2 ** result.public_data.size"
+      - "result.public_data.exponent > 5"
+      - "'private_data' not in result"
+
+- name: Update result list
+  set_fact:
+    info_results: "{{ info_results | combine({'key1': result}) }}"
+
+- name: ({{select_crypto_backend}}) Get key 2 info
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_2.pem'
+    return_private_key_data: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- name: Check that RSA key info is ok
+  assert:
+    that:
+      - "'public_key' in result"
+      - "'public_key_fingerprints' in result"
+      - "'type' in result"
+      - "result.type == 'RSA'"
+      - "'public_data' in result"
+      - "result.public_data.size == 2048"
+      - "2 ** (result.public_data.size - 1) < result.public_data.modulus < 2 ** result.public_data.size"
+      - "result.public_data.exponent > 5"
+      - "'private_data' in result"
+      - "result.public_data.modulus == result.private_data.p * result.private_data.q"
+      - "result.private_data.exponent > 5"
+
+- name: Update result list
+  set_fact:
+    info_results: "{{ info_results | combine({'key2': result}) }}"
+
+- name: ({{select_crypto_backend}}) Get key 3 info (without passphrase)
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_3.pem'
+    return_private_key_data: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  ignore_errors: yes
+  register: result
+
+- name: Check that loading passphrase protected key without passphrase failed
+  assert:
+    that:
+      - result is failed
+      # Check that return values are there
+      - result.can_load_key is defined
+      - result.can_parse_key is defined
+      # Check that return values are correct
+      - result.can_load_key
+      - not result.can_parse_key
+      # Check that additional data isn't there
+      - "'pulic_key' not in result"
+      - "'pulic_key_fingerprints' not in result"
+      - "'type' not in result"
+      - "'public_data' not in result"
+      - "'private_data' not in result"
+
+- name: ({{select_crypto_backend}}) Get key 3 info (with passphrase)
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_3.pem'
+    passphrase: hunter2
+    return_private_key_data: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- name: Check that RSA key info is ok
+  assert:
+    that:
+      - "'public_key' in result"
+      - "'public_key_fingerprints' in result"
+      - "'type' in result"
+      - "result.type == 'RSA'"
+      - "'public_data' in result"
+      - "2 ** (result.public_data.size - 1) < result.public_data.modulus < 2 ** result.public_data.size"
+      - "result.public_data.exponent > 5"
+      - "'private_data' in result"
+      - "result.public_data.modulus == result.private_data.p * result.private_data.q"
+      - "result.private_data.exponent > 5"
+
+- name: Update result list
+  set_fact:
+    info_results: "{{ info_results | combine({'key3': result}) }}"
+
+- name: ({{select_crypto_backend}}) Get key 4 info
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_4.pem'
+    return_private_key_data: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- block:
+  - name: Check that ECC key info is ok
+    assert:
+      that:
+        - "'public_key' in result"
+        - "'public_key_fingerprints' in result"
+        - "'type' in result"
+        - "result.type == 'ECC'"
+        - "'public_data' in result"
+        - "result.public_data.curve is string"
+        - "result.public_data.x != 0"
+        - "result.public_data.y != 0"
+        - "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
+        - "'private_data' in result"
+        - "result.private_data.multiplier > 1024"
+
+  - name: Update result list
+    set_fact:
+      info_results: "{{ info_results | combine({'key4': result}) }}"
+  when: select_crypto_backend != 'pyopenssl' or (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
+
+- name: Check that ECC key info is ok
+  assert:
+    that:
+      - "'public_key' in result"
+      - "'public_key_fingerprints' in result"
+      - "'type' in result"
+      - "result.type.startswith('unknown ')"
+      - "'public_data' in result"
+      - "'private_data' in result"
+  when: select_crypto_backend == 'pyopenssl' and not (pyopenssl_version.stdout is version('16.1.0', '>=') and cryptography_version.stdout is version('0.0', '>'))
+
+- name: ({{select_crypto_backend}}) Get key 5 info
+  openssl_privatekey_info:
+    path: '{{ output_dir }}/privatekey_5.pem'
+    return_private_key_data: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- name: Check that DSA key info is ok
+  assert:
+    that:
+      - "'public_key' in result"
+      - "'public_key_fingerprints' in result"
+      - "'type' in result"
+      - "result.type == 'DSA'"
+      - "'public_data' in result"
+      - "result.public_data.p > 2"
+      - "result.public_data.q > 2"
+      - "result.public_data.g >= 2"
+      - "result.public_data.y > 2"
+      - "'private_data' in result"
+      - "result.private_data.x > 2"
+
+- name: Update result list
+  set_fact:
+    info_results: "{{ info_results | combine({'key5': result}) }}"
--- a/test/integration/targets/openssl_privatekey_info/tasks/main.yml
+++ b/test/integration/targets/openssl_privatekey_info/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+- name: Generate privatekey 1
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_1.pem'
+
+- name: Generate privatekey 2 (less bits)
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_2.pem'
+    type: RSA
+    size: 2048
+
+- name: Generate privatekey 3 (with password)
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_3.pem'
+    passphrase: hunter2
+    cipher: auto
+    select_crypto_backend: cryptography
+
+- name: Generate privatekey 4 (ECC)
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_4.pem'
+    type: ECC
+    curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
+    # ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
+    select_crypto_backend: cryptography
+
+- name: Generate privatekey 5 (DSA)
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey_5.pem'
+    type: DSA
+    size: 1024
+
+- name: Prepare result list
+  set_fact:
+    info_results: {}
+
+- name: Running tests with pyOpenSSL backend
+  include_tasks: impl.yml
+  vars:
+    select_crypto_backend: pyopenssl
+  when: pyopenssl_version.stdout is version('0.15', '>=')
+
+- name: Prepare result list
+  set_fact:
+    pyopenssl_info_results: "{{ info_results }}"
+    info_results: {}
+
+- name: Running tests with cryptography backend
+  include_tasks: impl.yml
+  vars:
+    select_crypto_backend: cryptography
+  when: cryptography_version.stdout is version('1.2.3', '>=')
+
+- name: Prepare result list
+  set_fact:
+    cryptography_info_results: "{{ info_results }}"
+
+- block:
+  - name: Dump pyOpenSSL results
+    debug:
+      var: pyopenssl_info_results
+  - name: Dump cryptography results
+    debug:
+      var: cryptography_info_results
+  - name: Compare results
+    assert:
+      that:
+      - pyopenssl_info_results[item] == cryptography_info_results[item]
+    loop: "{{ pyopenssl_info_results.keys() | intersect(cryptography_info_results.keys()) | list }}"
+  when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.2.3', '>=')