crypto modules: use module_utils.compat.ipaddress when possible (#55278)

* Use module_utils.compat.ipaddress where possible.

* Simplify reverse pointer computation.

* Use dummy for unused variables.

* Remove from ignore list.

* Adjust fix.

* Fix text handling for Python 2.

* Add changelog.

lib/ansible/modules/crypto/acme/acme_certificate.py

@@ -395,6 +395,7 @@ from datetime import datetime
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_bytes
+from ansible.module_utils.compat import ipaddress as compat_ipaddress
 
 
 def get_cert_days(module, cert_file):
@@ -550,26 +551,10 @@ class ACMEClient(object):
             elif challenge_type == 'tls-alpn-01':
                 # https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3
                 if identifier_type == 'ip':
-                    if ':' in identifier:
-                        # IPv6 address: use reverse IP6.ARPA mapping (RFC3596)
-                        i = identifier.find('::')
-                        if i >= 0:
-                            nibbles = [nibble for nibble in identifier[:i].split(':') if nibble]
-                            suffix = [nibble for nibble in identifier[i + 1:].split(':') if nibble]
-                            if len(nibbles) + len(suffix) < 8:
-                                nibbles.extend(['0'] * (8 - len(nibbles) - len(suffix)))
-                            nibbles.extend(suffix)
-                        else:
-                            nibbles = identifier.split(':')
-                        resource = []
-                        for nibble in reversed(nibbles):
-                            nibble = '0' * (4 - len(nibble)) + nibble.lower()
-                            for octet in reversed(nibble):
-                                resource.append(octet)
-                        resource = '.'.join(resource) + '.ip6.arpa.'
-                    else:
-                        # IPv4 address: use reverse IN-ADDR.ARPA mapping (RFC1034)
-                        resource = '.'.join(reversed(identifier.split('.'))) + '.in-addr.arpa.'
+                    # IPv4/IPv6 address: use reverse mapping (RFC1034, RFC3596)
+                    resource = compat_ipaddress.ip_address(identifier).reverse_pointer
+                    if not resource.endswith('.'):
+                        resource += '.'
                 else:
                     resource = identifier
                 value = base64.b64encode(hashlib.sha256(to_bytes(keyauthorization)).digest())

lib/ansible/modules/crypto/openssl_certificate_info.py

@@ -235,6 +235,7 @@ from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.six import string_types
 from ansible.module_utils._text import to_native, to_text, to_bytes
+from ansible.module_utils.compat import ipaddress as compat_ipaddress
 
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.6'
 MINIMAL_PYOPENSSL_VERSION = '0.15'
@@ -243,7 +244,6 @@ PYOPENSSL_IMP_ERR = None
 try:
     import OpenSSL
     from OpenSSL import crypto
-    import ipaddress
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
     if OpenSSL.SSL.OPENSSL_VERSION_NUMBER >= 0x10100000:
         # OpenSSL 1.1.0 or newer
@@ -609,7 +609,7 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
         if san.startswith('IP Address:'):
             san = 'IP:' + san[len('IP Address:'):]
         if san.startswith('IP:'):
-            ip = ipaddress.ip_address(san[3:])
+            ip = compat_ipaddress.ip_address(san[3:])
             san = 'IP:{0}'.format(ip.compressed)
         return san
 

lib/ansible/modules/crypto/openssl_csr.py

@@ -336,6 +336,7 @@ from distutils.version import LooseVersion
 from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils._text import to_native, to_bytes, to_text
+from ansible.module_utils.compat import ipaddress as compat_ipaddress
 
 MINIMAL_PYOPENSSL_VERSION = '0.15'
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.3'
@@ -368,7 +369,6 @@ try:
     import cryptography.hazmat.backends
     import cryptography.hazmat.primitives.serialization
     import cryptography.hazmat.primitives.hashes
-    import ipaddress
     CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
 except ImportError:
     CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
@@ -560,7 +560,7 @@ class CertificateSigningRequestPyOpenSSL(CertificateSigningRequestBase):
         if san.startswith('IP Address:'):
             san = 'IP:' + san[len('IP Address:'):]
         if san.startswith('IP:'):
-            ip = ipaddress.ip_address(san[3:])
+            ip = compat_ipaddress.ip_address(san[3:])
             san = 'IP:{0}'.format(ip.compressed)
         return san
 

lib/ansible/modules/crypto/openssl_csr_info.py

@@ -165,6 +165,7 @@ from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.six import string_types
 from ansible.module_utils._text import to_native, to_text, to_bytes
+from ansible.module_utils.compat import ipaddress as compat_ipaddress
 
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.3'
 MINIMAL_PYOPENSSL_VERSION = '0.15'
@@ -173,7 +174,6 @@ PYOPENSSL_IMP_ERR = None
 try:
     import OpenSSL
     from OpenSSL import crypto
-    import ipaddress
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
     if OpenSSL.SSL.OPENSSL_VERSION_NUMBER >= 0x10100000:
         # OpenSSL 1.1.0 or newer
@@ -444,7 +444,7 @@ class CertificateSigningRequestInfoPyOpenSSL(CertificateSigningRequestInfo):
         if san.startswith('IP Address:'):
             san = 'IP:' + san[len('IP Address:'):]
         if san.startswith('IP:'):
-            ip = ipaddress.ip_address(san[3:])
+            ip = compat_ipaddress.ip_address(san[3:])
             san = 'IP:{0}'.format(ip.compressed)
         return san