a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for PKCS#11 tokens to openssh_cert. (#95) 

This adds the parameter pkcs11_provider, which can be set to the name of
or path to a PKCS#11 library (e.g. libpkcs11.so). ssh-keygen will then
use this library to have the token make any required signatures.
If this is used, signing_key needs to be set to a file containing the
public key that matches the private key on the token.
pull/97/head
s-hamann 2020-08-04 15:59:24 +00:00 committed by GitHub
parent 1847b3ead7
commit a72f9f53a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changelogs/fragments/openssh_cert-pkcs11.yml Normal file
View File

@ -0,0 +1,2 @@
minor_changes:
- "openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95)."

23
plugins/modules/openssh_cert.py
View File

@ -43,8 +43,16 @@ options:
signing_key: signing_key:
description: description:
- The path to the private openssh key that is used for signing the public key in order to generate the certificate. - The path to the private openssh key that is used for signing the public key in order to generate the certificate.
- If the private key is on a PKCS#11 token (I(pkcs11_provider)), set this to the path to the public key instead.
- Required if I(state) is C(present). - Required if I(state) is C(present).
type: path type: path
pkcs11_provider:
description:
- To use a signing key that resides on a PKCS#11 token, set this to the name (or full path) of the shared library to use with the token.
Usually C(libpkcs11.so).
- If this is set, I(signing_key) needs to point to a file containing the public key of the CA.
type: str
version_added: 1.1.0
public_key: public_key:
description: description:
- The path to the public key that will be signed with the signing key in order to generate the certificate. - The path to the public key that will be signed with the signing key in order to generate the certificate.
@ -170,6 +178,16 @@ EXAMPLES = '''
- "clear" - "clear"
- "force-command=/tmp/bla/foo" - "force-command=/tmp/bla/foo"
- name: Generate an OpenSSH user certificate using a PKCS#11 token
community.crypto.openssh_cert:
type: user
signing_key: /path/to/ca_public_key.pub
pkcs11_provider: libpkcs11.so
public_key: /path/to/public_key.pub
path: /path/to/certificate
valid_from: always
valid_to: forever
''' '''
RETURN = ''' RETURN = '''
@ -217,6 +235,7 @@ class Certificate(object):
self.force = module.params['force'] self.force = module.params['force']
self.type = module.params['type'] self.type = module.params['type']
self.signing_key = module.params['signing_key'] self.signing_key = module.params['signing_key']
self.pkcs11_provider = module.params['pkcs11_provider']
self.public_key = module.params['public_key'] self.public_key = module.params['public_key']
self.path = module.params['path'] self.path = module.params['path']
self.identifier = module.params['identifier'] self.identifier = module.params['identifier']
@ -251,6 +270,9 @@ class Certificate(object):
'-s', self.signing_key '-s', self.signing_key
] ]
if self.pkcs11_provider:
args.extend(['-D', self.pkcs11_provider])
validity = "" validity = ""
if not (self.valid_from == "always" and self.valid_to == "forever"): if not (self.valid_from == "always" and self.valid_to == "forever"):
@ -525,6 +547,7 @@ def main():
force=dict(type='bool', default=False), force=dict(type='bool', default=False),
type=dict(type='str', choices=['host', 'user']), type=dict(type='str', choices=['host', 'user']),
signing_key=dict(type='path'), signing_key=dict(type='path'),
pkcs11_provider=dict(type='str'),
public_key=dict(type='path'), public_key=dict(type='path'),
path=dict(type='path', required=True), path=dict(type='path', required=True),
identifier=dict(type='str'), identifier=dict(type='str'),