ECC curve list order (#132)

* Deprecate secp192r1.

* Specify explicit list of OK curves.

* Order curves.

changelogs/fragments/132-openssl_privatekey-ecc-order.yml

@@ -0,0 +1,2 @@
+minor_changes:
+- "openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see `here <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec.html#elliptic-curves>`_ (https://github.com/ansible-collections/community.crypto/pull/132)."

plugins/doc_fragments/module_privatekey.py

@@ -51,27 +51,29 @@ options:
             - For maximal interoperability, C(secp384r1) or C(secp256r1) should be used.
             - We use the curve names as defined in the
               L(IANA registry for TLS,https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8).
+            - Please note that all curves except C(secp224r1), C(secp256k1), C(secp256r1), C(secp384r1) and C(secp521r1)
+              are discouraged for new private keys.
         type: str
         choices:
+            - secp224r1
+            - secp256k1
+            - secp256r1
             - secp384r1
             - secp521r1
-            - secp224r1
             - secp192r1
-            - secp256r1
-            - secp256k1
             - brainpoolP256r1
             - brainpoolP384r1
             - brainpoolP512r1
-            - sect571k1
-            - sect409k1
-            - sect283k1
-            - sect233k1
             - sect163k1
-            - sect571r1
-            - sect409r1
-            - sect283r1
-            - sect233r1
             - sect163r2
+            - sect233k1
+            - sect233r1
+            - sect283k1
+            - sect283r1
+            - sect409k1
+            - sect409r1
+            - sect571k1
+            - sect571r1
     passphrase:
         description:
             - The passphrase for the private key.

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -315,25 +315,25 @@ class PrivateKeyCryptographyBackend(PrivateKeyBackend):
         super(PrivateKeyCryptographyBackend, self).__init__(module=module, backend='cryptography')
 
         self.curves = dict()
+        self._add_curve('secp224r1', 'SECP224R1')
+        self._add_curve('secp256k1', 'SECP256K1')
+        self._add_curve('secp256r1', 'SECP256R1')
         self._add_curve('secp384r1', 'SECP384R1')
         self._add_curve('secp521r1', 'SECP521R1')
-        self._add_curve('secp224r1', 'SECP224R1')
+        self._add_curve('secp192r1', 'SECP192R1', deprecated=True)
-        self._add_curve('secp192r1', 'SECP192R1')
+        self._add_curve('sect163k1', 'SECT163K1', deprecated=True)
-        self._add_curve('secp256r1', 'SECP256R1')
+        self._add_curve('sect163r2', 'SECT163R2', deprecated=True)
-        self._add_curve('secp256k1', 'SECP256K1')
+        self._add_curve('sect233k1', 'SECT233K1', deprecated=True)
+        self._add_curve('sect233r1', 'SECT233R1', deprecated=True)
+        self._add_curve('sect283k1', 'SECT283K1', deprecated=True)
+        self._add_curve('sect283r1', 'SECT283R1', deprecated=True)
+        self._add_curve('sect409k1', 'SECT409K1', deprecated=True)
+        self._add_curve('sect409r1', 'SECT409R1', deprecated=True)
+        self._add_curve('sect571k1', 'SECT571K1', deprecated=True)
+        self._add_curve('sect571r1', 'SECT571R1', deprecated=True)
         self._add_curve('brainpoolP256r1', 'BrainpoolP256R1', deprecated=True)
         self._add_curve('brainpoolP384r1', 'BrainpoolP384R1', deprecated=True)
         self._add_curve('brainpoolP512r1', 'BrainpoolP512R1', deprecated=True)
-        self._add_curve('sect571k1', 'SECT571K1', deprecated=True)
-        self._add_curve('sect409k1', 'SECT409K1', deprecated=True)
-        self._add_curve('sect283k1', 'SECT283K1', deprecated=True)
-        self._add_curve('sect233k1', 'SECT233K1', deprecated=True)
-        self._add_curve('sect163k1', 'SECT163K1', deprecated=True)
-        self._add_curve('sect571r1', 'SECT571R1', deprecated=True)
-        self._add_curve('sect409r1', 'SECT409R1', deprecated=True)
-        self._add_curve('sect283r1', 'SECT283R1', deprecated=True)
-        self._add_curve('sect233r1', 'SECT233R1', deprecated=True)
-        self._add_curve('sect163r2', 'SECT163R2', deprecated=True)
 
         self.cryptography_backend = cryptography.hazmat.backends.default_backend()
 
@@ -565,10 +565,10 @@ def get_privatekey_argument_spec():
                 'DSA', 'ECC', 'Ed25519', 'Ed448', 'RSA', 'X25519', 'X448'
             ]),
             curve=dict(type='str', choices=[
-                'secp384r1', 'secp521r1', 'secp224r1', 'secp192r1', 'secp256r1',
+                'secp224r1', 'secp256k1', 'secp256r1', 'secp384r1', 'secp521r1',
-                'secp256k1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1',
+                'secp192r1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1',
-                'sect571k1', 'sect409k1', 'sect283k1', 'sect233k1', 'sect163k1',
+                'sect163k1', 'sect163r2', 'sect233k1', 'sect233r1', 'sect283k1',
-                'sect571r1', 'sect409r1', 'sect283r1', 'sect233r1', 'sect163r2',
+                'sect283r1', 'sect409k1', 'sect409r1', 'sect571k1', 'sect571r1',
             ]),
             passphrase=dict(type='str', no_log=True),
             cipher=dict(type='str'),