Increase # of bits for random serial numbers of certificates with PyOpenSSL backend (#90)

* Increase # of bits for random serial numbers of certificates with PyOpenSSL backend.

* Adjust algorithm to return a random number between 1000 and 2^160-1.
pull/106/head
Felix Fontein 2020-08-18 16:34:01 +02:00 committed by GitHub
parent 346c2f55ff
commit 430c6d0c1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 3 deletions


@ -0,0 +1,2 @@
minor_changes:
- "openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76)."


@ -868,7 +868,7 @@ import tempfile
import traceback import traceback
from distutils.version import LooseVersion from distutils.version import LooseVersion
from random import randint from random import randrange
from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils._text import to_native, to_bytes, to_text from ansible.module_utils._text import to_native, to_bytes, to_text
@ -1264,6 +1264,14 @@ class SelfSignedCertificateCryptography(Certificate):
return result return result
def generate_serial_number():
"""Generate a serial number for a certificate"""
while True:
result = randrange(0, 1 << 160)
if result >= 1000:
return result
class SelfSignedCertificate(Certificate): class SelfSignedCertificate(Certificate):
"""Generate the self-signed certificate.""" """Generate the self-signed certificate."""
@ -1275,7 +1283,7 @@ class SelfSignedCertificate(Certificate):
self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend) self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend)
self.digest = module.params['selfsigned_digest'] self.digest = module.params['selfsigned_digest']
self.version = module.params['selfsigned_version'] self.version = module.params['selfsigned_version']
self.serial_number = randint(1000, 99999) self.serial_number = generate_serial_number()
if self.csr_content is None and not os.path.exists(self.csr_path): if self.csr_content is None and not os.path.exists(self.csr_path):
raise CertificateError( raise CertificateError(
@ -1570,7 +1578,7 @@ class OwnCACertificate(Certificate):
self.notAfter = get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend) self.notAfter = get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend)
self.digest = module.params['ownca_digest'] self.digest = module.params['ownca_digest']
self.version = module.params['ownca_version'] self.version = module.params['ownca_version']
self.serial_number = randint(1000, 99999) self.serial_number = generate_serial_number()
if module.params['ownca_create_subject_key_identifier'] != 'create_if_not_provided': if module.params['ownca_create_subject_key_identifier'] != 'create_if_not_provided':
module.fail_json(msg='ownca_create_subject_key_identifier cannot be used with the pyOpenSSL backend!') module.fail_json(msg='ownca_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
if module.params['ownca_create_authority_key_identifier']: if module.params['ownca_create_authority_key_identifier']:
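Review bot: `randrange(0, 1 << 160)` in the new generate_serial_number (hunk at 1264) draws from Python's default Mersenne Twister generator rather than the OS CSPRNG, and its upper bound admits values with bit 159 set, whose DER INTEGER encoding needs 21 octets — beyond the 20-octet limit RFC 5280 places on serialNumber (this is presumably why the cryptography library's own random_serial_number uses 159 bits). Both points are covered by drawing from `random.SystemRandom` (available on Python 2 and 3, so module compatibility is unchanged) and halving the range: `result = SystemRandom().randrange(0, 1 << 159)`, with the import in the hunk at 868 changed to `from random import SystemRandom`. The `>= 1000` rejection loop is then practically never taken for 159-bit draws but remains harmless. If this is adopted, the "160 bits" figure and the "not a high quality random number" caveat in the changelog fragment should be updated to match.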