diff --git a/changelogs/fragments/474-x509_crl-ed25519-ed448.yml b/changelogs/fragments/474-x509_crl-ed25519-ed448.yml
new file mode 100644
index 00000000..9e28f4bc
--- /dev/null
+++ b/changelogs/fragments/474-x509_crl-ed25519-ed448.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - "x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, https://github.com/ansible-collections/community.crypto/pull/474)."
diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
index 9a85ae39..d0d7113f 100644
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -411,6 +411,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
 cryptography_decode_name,
 cryptography_get_name,
+ cryptography_key_needs_digest_for_signing,
 cryptography_name_to_oid,
 cryptography_oid_to_name,
 cryptography_serial_number_of_cert,
@@ -648,8 +649,12 @@ class CRL(OpenSSLObject):
 return False
 if self.next_update != self.crl.next_update and not self.ignore_timestamps:
 return False
- if self.digest.name != self.crl.signature_hash_algorithm.name:
- return False
+ if cryptography_key_needs_digest_for_signing(self.privatekey):
+ if self.crl.signature_hash_algorithm is None or self.digest.name != self.crl.signature_hash_algorithm.name:
+ return False
+ else:
+ if self.crl.signature_hash_algorithm is not None:
+ return False
 want_issuer = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.issuer]
 is_issuer = [(sub.oid, sub.value) for sub in self.crl.issuer]
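Review bot: The `digest` option is now silently ignored for keys that sign without a digest: the new `else` branch in this hunk never consults `self.digest`, and the @@ -719 hunk passes `None` to `sign()` for the same keys, yet nothing tells the user that `digest: sha512` with an Ed25519 key has no effect. I'd extend the `digest` option description (outside these hunks) with `Ignored for Ed25519 and Ed448 keys, which do not use a separate digest algorithm.` and, where the module object is at hand, emit a `module.warn()` when an explicit digest was supplied for such a key. The enclosing method (which looks like the idempotence check of `CRL`) starts and ends outside the hunk.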
@@ -719,7 +724,10 @@ class CRL(OpenSSLObject):
 )
 crl = crl.add_revoked_certificate(revoked_cert.build(backend))
- self.crl = crl.sign(self.privatekey, self.digest, backend=backend)
+ digest = None
+ if cryptography_key_needs_digest_for_signing(self.privatekey):
+ digest = self.digest
+ self.crl = crl.sign(self.privatekey, digest, backend=backend)
 if self.format == 'pem':
 return self.crl.public_bytes(Encoding.PEM)
 else:
diff --git a/tests/integration/targets/x509_crl/tasks/impl.yml b/tests/integration/targets/x509_crl/tasks/impl.yml
index 5284d5c5..853eb173 100644
--- a/tests/integration/targets/x509_crl/tasks/impl.yml
+++ b/tests/integration/targets/x509_crl/tasks/impl.yml
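Review bot: `crl.sign(self.privatekey, digest, backend=backend)` has no error handling for the `digest is None` path, and the new validate.yml assertions expect exactly this path to fail on cryptography 2.6 and 2.7, where the key types exist but — as far as I can tell — CRL signing does not accept them; whatever exception cryptography raises there surfaces as a traceback unless a caller I cannot see catches it. I'd wrap the call and re-raise as the module's own error type (`CRLError`) with a message naming the requirement, e.g. `raise CRLError('Signing a CRL with this key type requires cryptography >= 2.8: %s' % e)`. As a point of style the three-line assignment reads better as `digest = self.digest if cryptography_key_needs_digest_for_signing(self.privatekey) else None`. The enclosing method starts and ends outside the hunk.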
@@ -624,3 +624,68 @@
 name_encoding: unicode
 list_revoked_certificates: true
 register: crl_3_info_unicode
+
+- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
+ block:
+ - name: Generate private keys
+ openssl_privatekey:
+ path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+ type: '{{ item }}'
+ loop:
+ - Ed25519
+ - Ed448
+ register: ed25519_ed448_privatekey
+ ignore_errors: yes
+
+ - when: ed25519_ed448_privatekey is not failed
+ block:
+
+ - name: Create CRL
+ x509_crl:
+ path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+ privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+ issuer:
+ CN: Ansible
+ last_update: 20191013000000Z
+ next_update: 20191113000000Z
+ revoked_certificates:
+ - path: '{{ remote_tmp_dir }}/cert-1.pem'
+ revocation_date: 20191013000000Z
+ - path: '{{ remote_tmp_dir }}/cert-2.pem'
+ revocation_date: 20191013000000Z
+ reason: key_compromise
+ reason_critical: yes
+ invalidity_date: 20191012000000Z
+ - serial_number: 1234
+ revocation_date: 20191001000000Z
+ register: ed25519_ed448_crl
+ loop:
+ - Ed25519
+ - Ed448
+ ignore_errors: yes
+
+ - name: Create CRL (idempotence)
+ x509_crl:
+ path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+ privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+ issuer:
+ CN: Ansible
+ last_update: 20191013000000Z
+ next_update: 20191113000000Z
+ revoked_certificates:
+ - path: '{{ remote_tmp_dir }}/cert-1.pem'
+ revocation_date: 20191013000000Z
+ - path: '{{ remote_tmp_dir }}/cert-2.pem'
+ revocation_date: 20191013000000Z
+ reason: key_compromise
+ reason_critical: yes
+ invalidity_date: 20191012000000Z
+ - serial_number: 1234
+ revocation_date: 20191001000000Z
+ register: ed25519_ed448_crl_idempotence
+ loop:
+ - Ed25519
+ - Ed448
+ ignore_errors: yes
+
+ when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
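Review bot: The `Create CRL` and `Create CRL (idempotence)` tasks repeat the same multi-line `revoked_certificates` specification verbatim, so any later edit to one of them silently turns the idempotence run into a different test. A `vars:` entry on the inner block holding the list (e.g. `ed25519_ed448_revoked:`) referenced as `revoked_certificates: '{{ ed25519_ed448_revoked }}'` in both tasks keeps them in lock-step. I'd also add a short comment above the two `ignore_errors: yes` lines saying that failure is expected on cryptography 2.6 and 2.7 and is asserted in validate.yml, otherwise a reader may take it as masking a bug.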
diff --git a/tests/integration/targets/x509_crl/tests/validate.yml b/tests/integration/targets/x509_crl/tests/validate.yml
index da5083df..213544cb 100644
--- a/tests/integration/targets/x509_crl/tests/validate.yml
+++ b/tests/integration/targets/x509_crl/tests/validate.yml
@@ -177,3 +177,23 @@
 "URI:http://gefäß.org",
 "URI:http://a:b@ä:1",
 ])
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
+ assert:
+ that:
+ - ed25519_ed448_crl.results[0] is failed
+ - ed25519_ed448_crl.results[1] is failed
+ - ed25519_ed448_crl_idempotence.results[0] is failed
+ - ed25519_ed448_crl_idempotence.results[1] is failed
+ when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ed25519_ed448_privatekey is not failed
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+ assert:
+ that:
+ - ed25519_ed448_crl is succeeded
+ - ed25519_ed448_crl.results[0] is changed
+ - ed25519_ed448_crl.results[1] is changed
+ - ed25519_ed448_crl_idempotence is succeeded
+ - ed25519_ed448_crl_idempotence.results[0] is not changed
+ - ed25519_ed448_crl_idempotence.results[1] is not changed
+ when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ed25519_ed448_privatekey is not failed
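Review bot: The `< 2.8` assertions only check `is failed`, so an unhandled traceback from the module and a clean `fail_json` with an explanatory message are indistinguishable; the test passes even if the module crashes on those versions, which is the class of defect this PR is about. Add a check on the message for each result, e.g. `- "'EXPECTED_MESSAGE_FRAGMENT' in ed25519_ed448_crl.results[0].msg"` with the placeholder replaced by the text the module actually emits, and the same for `results[1]` and the two idempotence results. The `>= 2.8` block could likewise assert on `ed25519_ed448_crl.results[0].filename` (or a `stat` of the CRL path) so that `is changed` is backed by the file actually being written.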