[stable-1] x509_certificate: handle unexpected error, fix test (#704)

* Handle unexpected error.

* Increase certificate key size on Darwin.

* Add changelog fragment.
Felix Fontein 2024-01-26 21:58:12 +01:00 committed by GitHub
parent 642d6872d1
commit 1d26ee66ea
GPG Key ID: B5690EEEBB952194
3 changed files with 13 additions and 3 deletions


@ -0,0 +1,2 @@
bugfixes:
- "x509_certificate - when using the PyOpenSSL backend with ``provider=assertonly``, better handle unexpected errors when validating private keys (https://github.com/ansible-collections/community.crypto/pull/704)."


@ -13,6 +13,10 @@ import datetime
from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
parse_name_field, parse_name_field,
get_relative_time_option, get_relative_time_option,
@ -485,8 +489,11 @@ class AssertOnlyCertificateBackendPyOpenSSL(AssertOnlyCertificateBackend):
def _validate_privatekey(self): def _validate_privatekey(self):
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD) ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
try:
ctx.use_privatekey(self.privatekey) ctx.use_privatekey(self.privatekey)
ctx.use_certificate(self.existing_certificate) ctx.use_certificate(self.existing_certificate)
except OpenSSL.SSL.Error as exc:
raise OpenSSLObjectError('Unexpected error while trying to validate private key with certificate: %s' % exc)
try: try:
ctx.check_privatekey() ctx.check_privatekey()
return True return True
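Review bot: The new `except OpenSSL.SSL.Error` around `use_privatekey`/`use_certificate` builds its message with `'%s' % exc`, whereas this file already imports `to_native` (the line above the new `OpenSSLObjectError` import) for exactly this purpose; `'%s' % to_native(exc)` keeps the error text consistent across Python 2/3 and with the rest of the module. Because a single try block now covers both calls, the message cannot tell the caller whether the private key or the existing certificate was rejected, so either split the block or name the failing step in the text. The re-raise also discards the original traceback; if the collection no longer targets Python 2, `raise OpenSSLObjectError(...) from exc` preserves it. _validate_privatekey continues past the hunk — the handler for the `check_privatekey` try block is outside the visible lines.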


@ -4,6 +4,7 @@ default_rsa_key_size_certifiates: >-
{{ {{
2048 if 2048 if
(ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or (ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or
(ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20) (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20) or
(ansible_os_family == "Darwin" and ansible_facts.distribution_major_version | int >= 12)
else 1024 else 1024
}} }}
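Review bot: The new Darwin branch, like the RedHat and Ubuntu branches above it, gives no reason why those platforms need 2048-bit keys while everything else still gets 1024, so the next person touching this list has to rediscover it; a comment above the expression such as `# Platforms whose crypto stack no longer accepts 1024-bit RSA get 2048; 1024 is only a fallback for older test targets -- confirm per platform` would document the intent (the reason is not stated in the commit, so confirm it before writing it down). The condition pairs `ansible_os_family == "Darwin"` with `ansible_facts.distribution_major_version >= 12`; it is worth confirming that this fact carries the macOS product major version rather than the Darwin kernel version, since the two are numbered differently and the threshold only makes sense for one of them.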