x509_crl: do not crash when signing with Ed25519 or Ed448 (#475) (#480)

* Do not crash when signing with Ed25519 or Ed448.

* Forgot replace.

(cherry picked from commit 297b44f24b)

changelogs/fragments/474-x509_crl-ed25519-ed448.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, https://github.com/ansible-collections/community.crypto/pull/474)."

plugins/modules/x509_crl.py

@@ -392,6 +392,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
     cryptography_get_name,
+    cryptography_key_needs_digest_for_signing,
     cryptography_name_to_oid,
     cryptography_oid_to_name,
     cryptography_serial_number_of_cert,
@@ -612,8 +613,12 @@ class CRL(OpenSSLObject):
             return False
         if self.next_update != self.crl.next_update and not self.ignore_timestamps:
             return False
-        if self.digest.name != self.crl.signature_hash_algorithm.name:
-            return False
+        if cryptography_key_needs_digest_for_signing(self.privatekey):
+            if self.crl.signature_hash_algorithm is None or self.digest.name != self.crl.signature_hash_algorithm.name:
+                return False
+        else:
+            if self.crl.signature_hash_algorithm is not None:
+                return False
 
         want_issuer = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.issuer]
         if want_issuer != [(sub.oid, sub.value) for sub in self.crl.issuer]:
@@ -679,7 +684,10 @@ class CRL(OpenSSLObject):
                 )
             crl = crl.add_revoked_certificate(revoked_cert.build(backend))
 
-        self.crl = crl.sign(self.privatekey, self.digest, backend=backend)
+        digest = None
+        if cryptography_key_needs_digest_for_signing(self.privatekey):
+            digest = self.digest
+        self.crl = crl.sign(self.privatekey, digest, backend=backend)
         if self.format == 'pem':
             return self.crl.public_bytes(Encoding.PEM)
         else:

tests/integration/targets/x509_crl/tasks/impl.yml

@@ -478,3 +478,68 @@
     path: '{{ remote_tmp_dir }}/ca-crl3.crl'
     list_revoked_certificates: true
   register: crl_3_info
+
+- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
+  block:
+    - name: Generate private keys
+      openssl_privatekey:
+        path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+        type: '{{ item }}'
+      loop:
+        - Ed25519
+        - Ed448
+      register: ed25519_ed448_privatekey
+      ignore_errors: yes
+
+    - when: ed25519_ed448_privatekey is not failed
+      block:
+
+        - name: Create CRL
+          x509_crl:
+            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+            issuer:
+              CN: Ansible
+            last_update: 20191013000000Z
+            next_update: 20191113000000Z
+            revoked_certificates:
+              - path: '{{ remote_tmp_dir }}/cert-1.pem'
+                revocation_date: 20191013000000Z
+              - path: '{{ remote_tmp_dir }}/cert-2.pem'
+                revocation_date: 20191013000000Z
+                reason: key_compromise
+                reason_critical: yes
+                invalidity_date: 20191012000000Z
+              - serial_number: 1234
+                revocation_date: 20191001000000Z
+          register: ed25519_ed448_crl
+          loop:
+            - Ed25519
+            - Ed448
+          ignore_errors: yes
+
+        - name: Create CRL (idempotence)
+          x509_crl:
+            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
+            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
+            issuer:
+              CN: Ansible
+            last_update: 20191013000000Z
+            next_update: 20191113000000Z
+            revoked_certificates:
+              - path: '{{ remote_tmp_dir }}/cert-1.pem'
+                revocation_date: 20191013000000Z
+              - path: '{{ remote_tmp_dir }}/cert-2.pem'
+                revocation_date: 20191013000000Z
+                reason: key_compromise
+                reason_critical: yes
+                invalidity_date: 20191012000000Z
+              - serial_number: 1234
+                revocation_date: 20191001000000Z
+          register: ed25519_ed448_crl_idempotence
+          loop:
+            - Ed25519
+            - Ed448
+          ignore_errors: yes
+
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')

tests/integration/targets/x509_crl/tests/validate.yml

@@ -98,3 +98,23 @@
       - crl_3.revoked_certificates[0].issuer == [
           "DNS:ca.example.org",
         ]
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
+  assert:
+    that:
+      - ed25519_ed448_crl.results[0] is failed
+      - ed25519_ed448_crl.results[1] is failed
+      - ed25519_ed448_crl_idempotence.results[0] is failed
+      - ed25519_ed448_crl_idempotence.results[1] is failed
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ed25519_ed448_privatekey is not failed
+
+- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+  assert:
+    that:
+      - ed25519_ed448_crl is succeeded
+      - ed25519_ed448_crl.results[0] is changed
+      - ed25519_ed448_crl.results[1] is changed
+      - ed25519_ed448_crl_idempotence is succeeded
+      - ed25519_ed448_crl_idempotence.results[0] is not changed
+      - ed25519_ed448_crl_idempotence.results[1] is not changed
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ed25519_ed448_privatekey is not failed