[stable-1] Disable consistency checking of RSA keys for cryptography 42.0.0 which no longer gives access to the required function (#703)

* Disable consistency checking of RSA keys for cryptography 42.0.0 which no longer gives access to the required function. (#702)

(cherry picked from commit 87af1f2761)

* Adjust tests to ignore key_is_consistent.
pull/704/head
Felix Fontein 2024-01-26 19:27:40 +01:00 committed by GitHub
parent 940a1aabd9
commit 642d6872d1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 12 additions and 3 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_privatekey_info - ``check_consistency=true`` no longer works for RSA keys with cryptography 42.0.0+ (https://github.com/ansible-collections/community.crypto/pull/701)."
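Review bot: the changelog fragment links to pull/701 while the commit title and message cite #703 and #702; please check that the link points at the PR that actually carries this change. "no longer works" is accurate as far as the diff shows, but users would benefit from knowing what they get instead, e.g. that ``key_is_consistent`` is reported as ``none`` rather than the module failing (that is what the documentation hunk in this commit describes).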


@ -119,7 +119,10 @@ def _check_dsa_consistency(key_public_data, key_private_data):
def _is_cryptography_key_consistent(key, key_public_data, key_private_data): def _is_cryptography_key_consistent(key, key_public_data, key_private_data):
if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey): if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
return bool(key._backend._lib.RSA_check_key(key._rsa_cdata)) # key._backend was removed in cryptography 42.0.0
backend = getattr(key, '_backend', None)
if backend is not None:
return bool(backend._lib.RSA_check_key(key._rsa_cdata))
if isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey): if isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey):
result = _check_dsa_consistency(key_public_data, key_private_data) result = _check_dsa_consistency(key_public_data, key_private_data)
if result is not None: if result is not None:
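Review bot: when `_backend` is missing, the RSA branch silently falls through into the DSA `isinstance` check instead of returning; add an explicit `return None` after the `if backend is not None:` block so the "could not be checked" outcome is stated in the code rather than relying on none of the later branches matching an RSA key. The fix also still depends on the private attributes `_backend`, `_lib` and `_rsa_cdata`, which can disappear in any cryptography release; since the function already receives `key_public_data` and `key_private_data` and uses them for DSA via `_check_dsa_consistency`, an arithmetic RSA check over those numbers (if they carry n, e, d, p and q: `p * q == n` and `(e * d) % lcm(p - 1, q - 1) == 1`) would work on every cryptography version without touching private API.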


@ -102,6 +102,9 @@ key_is_consistent:
- Whether the key is consistent. Can also return C(none) next to C(yes) and - Whether the key is consistent. Can also return C(none) next to C(yes) and
C(no), to indicate that consistency could not be checked. C(no), to indicate that consistency could not be checked.
- In case the check returns C(no), the module will fail. - In case the check returns C(no), the module will fail.
- Note that consistency checks only work for certain key types, and might depend on the
version of the cryptography library. For example, with cryptography 42.0.0 and newer
consistency of RSA keys can no longer be checked.
returned: always returned: always
type: bool type: bool
public_key: public_key:
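Review bot: the added note should say what the module reports in that situation; the two bullets above already explain that C(none) means the check could not be run, so a closing phrase such as "in that case C(none) is returned" ties the two together. Minor: "with cryptography 42.0.0 and newer consistency of RSA keys" reads better with a comma after "newer".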


@ -71,7 +71,8 @@
- name: Compare results - name: Compare results
assert: assert:
that: that:
- ' (pyopenssl_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict) - >-
== (cryptography_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | list | items2dict)' (pyopenssl_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | rejectattr("key", "equalto", "key_is_consistent") | list | items2dict)
== (cryptography_info_results[item] | dict2items | rejectattr("key", "equalto", "deprecations") | rejectattr("key", "equalto", "key_is_consistent") | list | items2dict)
loop: "{{ pyopenssl_info_results.keys() | intersect(cryptography_info_results.keys()) | list }}" loop: "{{ pyopenssl_info_results.keys() | intersect(cryptography_info_results.keys()) | list }}"
when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.2.3', '>=') when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.2.3', '>=')
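Review bot: the new `rejectattr("key", "equalto", "key_is_consistent")` filters drop `key_is_consistent` from the comparison for every key type and every cryptography version, so the test no longer verifies anywhere that the pyOpenSSL and cryptography backends agree on consistency. Consider restricting the exclusion to the case that actually differs, for example by keeping the original comparison and adding a separate assert on `key_is_consistent` guarded with `when: cryptography_version.stdout is version('42.0.0', '<')` (the variable is already used in the existing `when:`).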