[stable-1] x509_certificate: handle unexpected error, fix test (#704)

* Handle unexpected error. * Increase certificate key size on Darwin. * Add changelog fragment.
2024-01-26 21:58:12 +01:00 · 2024-01-26 21:58:12 +01:00 · 1d26ee66ea
parent 642d6872d1
commit 1d26ee66ea
3 changed files with 13 additions and 3 deletions
--- a/changelogs/fragments/704-x509_certificate-assertonly-privatekey.yml
+++ b/changelogs/fragments/704-x509_certificate-assertonly-privatekey.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - "x509_certificate - when using the PyOpenSSL backend with ``provider=assertonly``, better handle unexpected errors when validating private keys (https://github.com/ansible-collections/community.crypto/pull/704)."
--- a/plugins/module_utils/crypto/module_backends/certificate_assertonly.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_assertonly.py
@ -13,6 +13,10 @@ import datetime

 from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text

+from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
+    OpenSSLObjectError,
+)
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
    parse_name_field,
    get_relative_time_option,
@ -485,8 +489,11 @@ class AssertOnlyCertificateBackendPyOpenSSL(AssertOnlyCertificateBackend):

    def _validate_privatekey(self):
        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
-        ctx.use_privatekey(self.privatekey)
-        ctx.use_certificate(self.existing_certificate)
+        try:
+            ctx.use_privatekey(self.privatekey)
+            ctx.use_certificate(self.existing_certificate)
+        except OpenSSL.SSL.Error as exc:
+            raise OpenSSLObjectError('Unexpected error while trying to validate private key with certificate: %s' % exc)
        try:
            ctx.check_privatekey()
            return True
--- a/tests/integration/targets/setup_openssl/vars/main.yml
+++ b/tests/integration/targets/setup_openssl/vars/main.yml
@ -4,6 +4,7 @@ default_rsa_key_size_certifiates: >-
  {{
      2048 if
        (ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or
-        (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20)
+        (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20) or
+        (ansible_os_family == "Darwin" and ansible_facts.distribution_major_version | int >= 12)
      else 1024
  }}