From 92bc17463aedc3983ca2f4c1911f745370c1d9ac Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 29 Oct 2020 08:19:13 +0100 Subject: [PATCH] ECC curve list order (#132) * Deprecate secp192r1. * Specify explicit list of OK curves. * Order curves. --- .../132-openssl_privatekey-ecc-order.yml | 2 ++ plugins/doc_fragments/module_privatekey.py | 24 +++++++------ .../crypto/module_backends/privatekey.py | 36 +++++++++---------- 3 files changed, 33 insertions(+), 29 deletions(-) create mode 100644 changelogs/fragments/132-openssl_privatekey-ecc-order.yml diff --git a/changelogs/fragments/132-openssl_privatekey-ecc-order.yml b/changelogs/fragments/132-openssl_privatekey-ecc-order.yml new file mode 100644 index 00000000..634caedb --- /dev/null +++ b/changelogs/fragments/132-openssl_privatekey-ecc-order.yml @@ -0,0 +1,2 @@ +minor_changes: +- "openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see `here `_ (https://github.com/ansible-collections/community.crypto/pull/132)." diff --git a/plugins/doc_fragments/module_privatekey.py b/plugins/doc_fragments/module_privatekey.py index 4679653f..2ac03c27 100644 --- a/plugins/doc_fragments/module_privatekey.py +++ b/plugins/doc_fragments/module_privatekey.py @@ -51,27 +51,29 @@ options: - For maximal interoperability, C(secp384r1) or C(secp256r1) should be used. - We use the curve names as defined in the L(IANA registry for TLS,https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). + - Please note that all curves except C(secp224r1), C(secp256k1), C(secp256r1), C(secp384r1) and C(secp521r1) + are discouraged for new private keys. type: str choices: + - secp224r1 + - secp256k1 + - secp256r1 - secp384r1 - secp521r1 - - secp224r1 - secp192r1 - - secp256r1 - - secp256k1 - brainpoolP256r1 - brainpoolP384r1 - brainpoolP512r1 - - sect571k1 - - sect409k1 - - sect283k1 - - sect233k1 - sect163k1 - - sect571r1 - - sect409r1 - - sect283r1 - - sect233r1 - sect163r2 + - sect233k1 + - sect233r1 + - sect283k1 + - sect283r1 + - sect409k1 + - sect409r1 + - sect571k1 + - sect571r1 passphrase: description: - The passphrase for the private key. diff --git a/plugins/module_utils/crypto/module_backends/privatekey.py b/plugins/module_utils/crypto/module_backends/privatekey.py index 85d2697e..9be35d71 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey.py +++ b/plugins/module_utils/crypto/module_backends/privatekey.py @@ -315,25 +315,25 @@ class PrivateKeyCryptographyBackend(PrivateKeyBackend): super(PrivateKeyCryptographyBackend, self).__init__(module=module, backend='cryptography') self.curves = dict() + self._add_curve('secp224r1', 'SECP224R1') + self._add_curve('secp256k1', 'SECP256K1') + self._add_curve('secp256r1', 'SECP256R1') self._add_curve('secp384r1', 'SECP384R1') self._add_curve('secp521r1', 'SECP521R1') - self._add_curve('secp224r1', 'SECP224R1') - self._add_curve('secp192r1', 'SECP192R1') - self._add_curve('secp256r1', 'SECP256R1') - self._add_curve('secp256k1', 'SECP256K1') + self._add_curve('secp192r1', 'SECP192R1', deprecated=True) + self._add_curve('sect163k1', 'SECT163K1', deprecated=True) + self._add_curve('sect163r2', 'SECT163R2', deprecated=True) + self._add_curve('sect233k1', 'SECT233K1', deprecated=True) + self._add_curve('sect233r1', 'SECT233R1', deprecated=True) + self._add_curve('sect283k1', 'SECT283K1', deprecated=True) + self._add_curve('sect283r1', 'SECT283R1', deprecated=True) + self._add_curve('sect409k1', 'SECT409K1', deprecated=True) + self._add_curve('sect409r1', 'SECT409R1', deprecated=True) + self._add_curve('sect571k1', 'SECT571K1', deprecated=True) + self._add_curve('sect571r1', 'SECT571R1', deprecated=True) self._add_curve('brainpoolP256r1', 'BrainpoolP256R1', deprecated=True) self._add_curve('brainpoolP384r1', 'BrainpoolP384R1', deprecated=True) self._add_curve('brainpoolP512r1', 'BrainpoolP512R1', deprecated=True) - self._add_curve('sect571k1', 'SECT571K1', deprecated=True) - self._add_curve('sect409k1', 'SECT409K1', deprecated=True) - self._add_curve('sect283k1', 'SECT283K1', deprecated=True) - self._add_curve('sect233k1', 'SECT233K1', deprecated=True) - self._add_curve('sect163k1', 'SECT163K1', deprecated=True) - self._add_curve('sect571r1', 'SECT571R1', deprecated=True) - self._add_curve('sect409r1', 'SECT409R1', deprecated=True) - self._add_curve('sect283r1', 'SECT283R1', deprecated=True) - self._add_curve('sect233r1', 'SECT233R1', deprecated=True) - self._add_curve('sect163r2', 'SECT163R2', deprecated=True) self.cryptography_backend = cryptography.hazmat.backends.default_backend() @@ -565,10 +565,10 @@ def get_privatekey_argument_spec(): 'DSA', 'ECC', 'Ed25519', 'Ed448', 'RSA', 'X25519', 'X448' ]), curve=dict(type='str', choices=[ - 'secp384r1', 'secp521r1', 'secp224r1', 'secp192r1', 'secp256r1', - 'secp256k1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1', - 'sect571k1', 'sect409k1', 'sect283k1', 'sect233k1', 'sect163k1', - 'sect571r1', 'sect409r1', 'sect283r1', 'sect233r1', 'sect163r2', + 'secp224r1', 'secp256k1', 'secp256r1', 'secp384r1', 'secp521r1', + 'secp192r1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1', + 'sect163k1', 'sect163r2', 'sect233k1', 'sect233r1', 'sect283k1', + 'sect283r1', 'sect409k1', 'sect409r1', 'sect571k1', 'sect571r1', ]), passphrase=dict(type='str', no_log=True), cipher=dict(type='str'),