2022-01-10 20:01:52 +00:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
#
|
2022-07-21 05:27:26 +00:00
|
|
|
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
|
|
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2022-01-10 20:01:52 +00:00
|
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import abc
|
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
|
|
from ansible.module_utils import six
|
|
|
|
|
from ansible.module_utils.basic import missing_required_lib
|
|
|
|
|
from ansible.module_utils.common.text.converters import to_bytes
|
|
|
|
|
|
Revert all non-bugfixes merged since the last release.
Revert "Fix documentation. (#751)"
Revert "ACME modules: simplify code, refactor argspec handling code, move csr/csr_content to own docs fragment (#750)"
Revert "Refactor and extend argument spec helper, use for ACME modules (#749)"
Revert "Avoid exception if certificate has no AKI in acme_certificate. (#748)"
Revert "ACME: improve acme_certificate docs, include cert_id in acme_certificate_renewal_info return value (#747)"
Revert "Add acme_certificate_renewal_info module (#746)"
Revert "Refactor time code, add tests, fix bug when parsing absolute timestamps that omit seconds (#745)"
Revert "Add tests for acme_certificate_deactivate_authz module. (#744)"
Revert "Create acme_certificate_deactivate_authz module (#741)"
Revert "acme_certificate: allow to request renewal of a certificate according to ARI (#739)"
Revert "Implement basic acme_ari_info module. (#732)"
Revert "Add function for retrieval of ARI information. (#738)"
Revert "acme module utils: add functions for parsing Retry-After header values and computation of ARI certificate IDs (#737)"
Revert "Implement certificate information retrieval code in the ACME backends. (#736)"
Revert "Split up the default acme docs fragment to allow modules ot not need account data. (#735)"
This reverts commits 5e59c5261e7664c9f823ff2633c67d4d5de931b5, aa82575a786ec0ab79fe549db6bdd77b325767c2,
f3c9cb7a8ac37a7b2565934ff5c4fc63f087407a, f82b33591614fa8013259762865b69b6e7e537ac, 553ab45f46cf5af6bed5867e447e4c9878cf8e68,
59606d48ad26e0a72c64c10eccaca04bf67db548, 0a15be101758333bafce41f11189852d210f4194, 9501a28a934653d61329c8c271879b09cf6b7c27,
d906914737c40b60b23928f3929ff34d25d25c35, 33d278ad8fafedd01591351bbd584f458bb6f1c0, 6d4fc589aee55b81bb0717eed6dd12401785f20c,
9614b09f7a5b744ebb59e9a1b82cb301dc3859cd, af5f4b57f8afa61082e9a24b6218cbc970939e80, c6fbe58382b4a67fb8d86aaec11f89f7445f15ea,
and afe7f7522c34a0b08199dac39501aa041ce5fc57.
2024-05-11 14:06:52 +00:00
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
|
2022-01-10 20:01:52 +00:00
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.io import (
|
|
|
|
|
load_file,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
|
|
|
|
|
CRYPTOGRAPHY_HAS_X25519,
|
|
|
|
|
CRYPTOGRAPHY_HAS_X448,
|
|
|
|
|
CRYPTOGRAPHY_HAS_ED25519,
|
|
|
|
|
CRYPTOGRAPHY_HAS_ED448,
|
|
|
|
|
OpenSSLObjectError,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
|
|
|
|
|
cryptography_compare_private_keys,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
|
|
|
|
|
identify_private_key_format,
|
|
|
|
|
)
|
|
|
|
|
|
Revert all non-bugfixes merged since the last release.
Revert "Fix documentation. (#751)"
Revert "ACME modules: simplify code, refactor argspec handling code, move csr/csr_content to own docs fragment (#750)"
Revert "Refactor and extend argument spec helper, use for ACME modules (#749)"
Revert "Avoid exception if certificate has no AKI in acme_certificate. (#748)"
Revert "ACME: improve acme_certificate docs, include cert_id in acme_certificate_renewal_info return value (#747)"
Revert "Add acme_certificate_renewal_info module (#746)"
Revert "Refactor time code, add tests, fix bug when parsing absolute timestamps that omit seconds (#745)"
Revert "Add tests for acme_certificate_deactivate_authz module. (#744)"
Revert "Create acme_certificate_deactivate_authz module (#741)"
Revert "acme_certificate: allow to request renewal of a certificate according to ARI (#739)"
Revert "Implement basic acme_ari_info module. (#732)"
Revert "Add function for retrieval of ARI information. (#738)"
Revert "acme module utils: add functions for parsing Retry-After header values and computation of ARI certificate IDs (#737)"
Revert "Implement certificate information retrieval code in the ACME backends. (#736)"
Revert "Split up the default acme docs fragment to allow modules ot not need account data. (#735)"
This reverts commits 5e59c5261e7664c9f823ff2633c67d4d5de931b5, aa82575a786ec0ab79fe549db6bdd77b325767c2,
f3c9cb7a8ac37a7b2565934ff5c4fc63f087407a, f82b33591614fa8013259762865b69b6e7e537ac, 553ab45f46cf5af6bed5867e447e4c9878cf8e68,
59606d48ad26e0a72c64c10eccaca04bf67db548, 0a15be101758333bafce41f11189852d210f4194, 9501a28a934653d61329c8c271879b09cf6b7c27,
d906914737c40b60b23928f3929ff34d25d25c35, 33d278ad8fafedd01591351bbd584f458bb6f1c0, 6d4fc589aee55b81bb0717eed6dd12401785f20c,
9614b09f7a5b744ebb59e9a1b82cb301dc3859cd, af5f4b57f8afa61082e9a24b6218cbc970939e80, c6fbe58382b4a67fb8d86aaec11f89f7445f15ea,
and afe7f7522c34a0b08199dac39501aa041ce5fc57.
2024-05-11 14:06:52 +00:00
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
|
|
|
|
|
|
2022-01-10 20:01:52 +00:00
|
|
|
|
|
|
|
|
MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
|
|
|
|
|
|
|
|
|
|
CRYPTOGRAPHY_IMP_ERR = None
|
|
|
|
|
try:
|
|
|
|
|
import cryptography
|
|
|
|
|
import cryptography.exceptions
|
|
|
|
|
import cryptography.hazmat.backends
|
|
|
|
|
import cryptography.hazmat.primitives.serialization
|
|
|
|
|
import cryptography.hazmat.primitives.asymmetric.rsa
|
|
|
|
|
import cryptography.hazmat.primitives.asymmetric.dsa
|
|
|
|
|
import cryptography.hazmat.primitives.asymmetric.ec
|
|
|
|
|
import cryptography.hazmat.primitives.asymmetric.utils
|
|
|
|
|
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
|
|
|
|
|
except ImportError:
|
|
|
|
|
CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
|
|
|
|
|
CRYPTOGRAPHY_FOUND = False
|
|
|
|
|
else:
|
|
|
|
|
CRYPTOGRAPHY_FOUND = True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class PrivateKeyError(OpenSSLObjectError):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# From the object called `module`, only the following properties are used:
|
|
|
|
|
#
|
|
|
|
|
# - module.params[]
|
|
|
|
|
# - module.warn(msg: str)
|
|
|
|
|
# - module.fail_json(msg: str, **kwargs)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@six.add_metaclass(abc.ABCMeta)
|
|
|
|
|
class PrivateKeyConvertBackend:
|
|
|
|
|
def __init__(self, module, backend):
|
|
|
|
|
self.module = module
|
|
|
|
|
self.src_path = module.params['src_path']
|
|
|
|
|
self.src_content = module.params['src_content']
|
|
|
|
|
self.src_passphrase = module.params['src_passphrase']
|
|
|
|
|
self.format = module.params['format']
|
|
|
|
|
self.dest_passphrase = module.params['dest_passphrase']
|
|
|
|
|
self.backend = backend
|
|
|
|
|
|
|
|
|
|
self.src_private_key = None
|
|
|
|
|
if self.src_path is not None:
|
|
|
|
|
self.src_private_key_bytes = load_file(self.src_path, module)
|
|
|
|
|
else:
|
|
|
|
|
self.src_private_key_bytes = self.src_content.encode('utf-8')
|
|
|
|
|
|
|
|
|
|
self.dest_private_key = None
|
|
|
|
|
self.dest_private_key_bytes = None
|
|
|
|
|
|
|
|
|
|
@abc.abstractmethod
|
|
|
|
|
def get_private_key_data(self):
|
|
|
|
|
"""Return bytes for self.src_private_key in output format."""
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
def set_existing_destination(self, privatekey_bytes):
|
|
|
|
|
"""Set existing private key bytes. None indicates that the key does not exist."""
|
|
|
|
|
self.dest_private_key_bytes = privatekey_bytes
|
|
|
|
|
|
|
|
|
|
def has_existing_destination(self):
|
|
|
|
|
"""Query whether an existing private key is/has been there."""
|
|
|
|
|
return self.dest_private_key_bytes is not None
|
|
|
|
|
|
|
|
|
|
@abc.abstractmethod
|
|
|
|
|
def _load_private_key(self, data, passphrase, current_hint=None):
|
2023-10-28 20:54:56 +00:00
|
|
|
"""Check whether data can be loaded as a private key with the provided passphrase. Return tuple (type, private_key)."""
|
2022-01-10 20:01:52 +00:00
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
def needs_conversion(self):
|
|
|
|
|
"""Check whether a conversion is necessary. Must only be called if needs_regeneration() returned False."""
|
|
|
|
|
dummy, self.src_private_key = self._load_private_key(self.src_private_key_bytes, self.src_passphrase)
|
|
|
|
|
|
|
|
|
|
if not self.has_existing_destination():
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
format, self.dest_private_key = self._load_private_key(self.dest_private_key_bytes, self.dest_passphrase, current_hint=self.src_private_key)
|
|
|
|
|
except Exception:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
return format != self.format or not cryptography_compare_private_keys(self.dest_private_key, self.src_private_key)
|
|
|
|
|
|
|
|
|
|
def dump(self):
|
|
|
|
|
"""Serialize the object into a dictionary."""
|
|
|
|
|
return {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Implementation with using cryptography
|
|
|
|
|
class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
|
|
|
|
|
def __init__(self, module):
|
|
|
|
|
super(PrivateKeyConvertCryptographyBackend, self).__init__(module=module, backend='cryptography')
|
|
|
|
|
|
|
|
|
|
self.cryptography_backend = cryptography.hazmat.backends.default_backend()
|
|
|
|
|
|
|
|
|
|
def get_private_key_data(self):
|
|
|
|
|
"""Return bytes for self.src_private_key in output format"""
|
|
|
|
|
# Select export format and encoding
|
|
|
|
|
try:
|
|
|
|
|
export_encoding = cryptography.hazmat.primitives.serialization.Encoding.PEM
|
|
|
|
|
if self.format == 'pkcs1':
|
|
|
|
|
# "TraditionalOpenSSL" format is PKCS1
|
|
|
|
|
export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.TraditionalOpenSSL
|
|
|
|
|
elif self.format == 'pkcs8':
|
|
|
|
|
export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8
|
|
|
|
|
elif self.format == 'raw':
|
|
|
|
|
export_format = cryptography.hazmat.primitives.serialization.PrivateFormat.Raw
|
|
|
|
|
export_encoding = cryptography.hazmat.primitives.serialization.Encoding.Raw
|
|
|
|
|
except AttributeError:
|
|
|
|
|
self.module.fail_json(msg='Cryptography backend does not support the selected output format "{0}"'.format(self.format))
|
|
|
|
|
|
|
|
|
|
# Select key encryption
|
|
|
|
|
encryption_algorithm = cryptography.hazmat.primitives.serialization.NoEncryption()
|
|
|
|
|
if self.dest_passphrase:
|
|
|
|
|
encryption_algorithm = cryptography.hazmat.primitives.serialization.BestAvailableEncryption(to_bytes(self.dest_passphrase))
|
|
|
|
|
|
|
|
|
|
# Serialize key
|
|
|
|
|
try:
|
|
|
|
|
return self.src_private_key.private_bytes(
|
|
|
|
|
encoding=export_encoding,
|
|
|
|
|
format=export_format,
|
|
|
|
|
encryption_algorithm=encryption_algorithm
|
|
|
|
|
)
|
|
|
|
|
except ValueError as dummy:
|
|
|
|
|
self.module.fail_json(
|
|
|
|
|
msg='Cryptography backend cannot serialize the private key in the required format "{0}"'.format(self.format)
|
|
|
|
|
)
|
|
|
|
|
except Exception as dummy:
|
|
|
|
|
self.module.fail_json(
|
|
|
|
|
msg='Error while serializing the private key in the required format "{0}"'.format(self.format),
|
|
|
|
|
exception=traceback.format_exc()
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def _load_private_key(self, data, passphrase, current_hint=None):
|
|
|
|
|
try:
|
|
|
|
|
# Interpret bytes depending on format.
|
|
|
|
|
format = identify_private_key_format(data)
|
|
|
|
|
if format == 'raw':
|
|
|
|
|
if passphrase is not None:
|
|
|
|
|
raise PrivateKeyError('Cannot load raw key with passphrase')
|
|
|
|
|
if len(data) == 56 and CRYPTOGRAPHY_HAS_X448:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.from_private_bytes(data)
|
|
|
|
|
if len(data) == 57 and CRYPTOGRAPHY_HAS_ED448:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey.from_private_bytes(data)
|
|
|
|
|
if len(data) == 32:
|
|
|
|
|
if CRYPTOGRAPHY_HAS_X25519 and not CRYPTOGRAPHY_HAS_ED25519:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
if CRYPTOGRAPHY_HAS_ED25519 and not CRYPTOGRAPHY_HAS_X25519:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
if CRYPTOGRAPHY_HAS_X25519 and CRYPTOGRAPHY_HAS_ED25519:
|
|
|
|
|
if isinstance(current_hint, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey):
|
|
|
|
|
try:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
except Exception:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
else:
|
|
|
|
|
try:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
except Exception:
|
|
|
|
|
return format, cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(data)
|
|
|
|
|
raise PrivateKeyError('Cannot load raw key')
|
|
|
|
|
else:
|
|
|
|
|
return format, cryptography.hazmat.primitives.serialization.load_pem_private_key(
|
|
|
|
|
data,
|
|
|
|
|
None if passphrase is None else to_bytes(passphrase),
|
|
|
|
|
backend=self.cryptography_backend
|
|
|
|
|
)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
raise PrivateKeyError(e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def select_backend(module):
|
|
|
|
|
if not CRYPTOGRAPHY_FOUND:
|
|
|
|
|
module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
|
|
|
|
|
exception=CRYPTOGRAPHY_IMP_ERR)
|
|
|
|
|
return PrivateKeyConvertCryptographyBackend(module)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_privatekey_argument_spec():
|
|
|
|
|
return ArgumentSpec(
|
|
|
|
|
argument_spec=dict(
|
|
|
|
|
src_path=dict(type='path'),
|
|
|
|
|
src_content=dict(type='str'),
|
|
|
|
|
src_passphrase=dict(type='str', no_log=True),
|
|
|
|
|
dest_passphrase=dict(type='str', no_log=True),
|
|
|
|
|
format=dict(type='str', required=True, choices=['pkcs1', 'pkcs8', 'raw']),
|
|
|
|
|
),
|
|
|
|
|
mutually_exclusive=[
|
|
|
|
|
['src_path', 'src_content'],
|
|
|
|
|
],
|
|
|
|
|
required_one_of=[
|
|
|
|
|
['src_path', 'src_content'],
|
|
|
|
|
],
|
|
|
|
|
)
|