Regenerate certificate on CA's subject change. (#402)

2022-02-14 18:04:29 +01:00 · 2022-02-14 18:04:29 +01:00 · 3ebc132c03
parent 11a14543c8
commit 3ebc132c03
4 changed files with 68 additions and 4 deletions
--- a/changelogs/fragments/402-x509_certificate-ownca-subject.yml
+++ b/changelogs/fragments/402-x509_certificate-ownca-subject.yml
@ -0,0 +1,2 @@
 bugfixes:
  - "x509_certificate - regenerate certificate when the CA's subject changes for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400, https://github.com/ansible-collections/community.crypto/pull/402)."
--- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py
@ -173,6 +173,12 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
        if super(OwnCACertificateBackendCryptography, self).needs_regeneration(not_before=self.notBefore, not_after=self.notAfter):
            return True
        self._ensure_existing_certificate_loaded()
        # Check subject
        if self.ca_cert.subject != self.existing_certificate.issuer:
            return True
        # Check AuthorityKeyIdentifier
        if self.create_authority_key_identifier:
            try:
@ -185,7 +191,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
            except cryptography.x509.ExtensionNotFound:
                expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())
            self._ensure_existing_certificate_loaded()
            try:
                ext = self.existing_certificate.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
                if ext.value != expected_ext:
--- a/tests/integration/targets/x509_certificate/tasks/ownca.yml
+++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml
@ -14,14 +14,20 @@
 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
  openssl_csr:
-    path: '{{ remote_tmp_dir }}/ca_csr.csr'
+    path: '{{ item.path }}'
    privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
-    subject:
+    subject: '{{ item.subject }}'
      commonName: Example CA
    useCommonNameForSAN: no
    basic_constraints:
    - 'CA:TRUE'
    basic_constraints_critical: yes
  loop:
    - path: '{{ remote_tmp_dir }}/ca_csr.csr'
      subject:
        commonName: Example CA
    - path: '{{ remote_tmp_dir }}/ca_csr2.csr'
      subject:
        commonName: Example CA 2
 - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
  openssl_csr:
@ -62,6 +68,15 @@
      - result_check_mode is changed
      - result is changed
 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate with different commonName
  x509_certificate:
    path: '{{ remote_tmp_dir }}/ca_cert2.pem'
    csr_path: '{{ remote_tmp_dir }}/ca_csr2.csr'
    privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
    provider: selfsigned
    selfsigned_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'
 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
  x509_certificate:
    path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
@ -110,6 +125,42 @@
    select_crypto_backend: '{{ select_crypto_backend }}'
  check_mode: yes
 - name: (OwnCA, {{select_crypto_backend}}) Copy ownca certificate to new file to check regeneration
  copy:
    src: '{{ remote_tmp_dir }}/ownca_cert.pem'
    dest: '{{ item }}'
    remote_src: true
  loop:
    - '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
    - '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
 - name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA subject
  x509_certificate:
    path: '{{ remote_tmp_dir }}/ownca_cert_ca_cn.pem'
    csr_path: '{{ remote_tmp_dir }}/csr.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    ownca_path: '{{ remote_tmp_dir }}/ca_cert2.pem'
    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
    provider: ownca
    ownca_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'
    return_content: yes
  register: ownca_certificate_ca_subject_changed
 - name: (OwnCA, {{select_crypto_backend}}) Regenerate ownca certificate with different CA key
  x509_certificate:
    path: '{{ remote_tmp_dir }}/ownca_cert_ca_key.pem'
    csr_path: '{{ remote_tmp_dir }}/csr.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    ownca_path: '{{ remote_tmp_dir }}/ca_cert_pw.pem'
    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
    ownca_privatekey_passphrase: hunter2
    provider: ownca
    ownca_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'
    return_content: yes
  register: ownca_certificate_ca_key_changed
 - name: (OwnCA, {{select_crypto_backend}}) Get certificate information
  community.crypto.x509_certificate_info:
    path: '{{ remote_tmp_dir }}/ownca_cert.pem'
--- a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
+++ b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
@ -31,6 +31,12 @@
      - ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore
      - ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate regeneration
  assert:
    that:
      - ownca_certificate_ca_subject_changed is changed
      - ownca_certificate_ca_key_changed is changed
 - name: (OwnCA validation, {{select_crypto_backend}}) Read certificate
  slurp:
    src: '{{ remote_tmp_dir }}/ownca_cert.pem'
		`@ -0,0 +1,2 @@`
							`bugfixes:`
							- "x509_certificate - regenerate certificate when the CA's subject changes for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400, https://github.com/ansible-collections/community.crypto/pull/402)."