Add support for PKCS#11 tokens to openssh_cert. (#95)

This adds the parameter pkcs11_provider, which can be set to the name of or path to a PKCS#11 library (e.g. libpkcs11.so). ssh-keygen will then use this library to have the token make any required signatures. If this is used, signing_key needs to be set to a file containing the public key that matches the private key on the token.
2020-08-04 15:59:24 +00:00 · 2020-08-04 15:59:24 +00:00 · a72f9f53a4
parent 1847b3ead7
commit a72f9f53a4
2 changed files with 25 additions and 0 deletions
--- a/changelogs/fragments/openssh_cert-pkcs11.yml
+++ b/changelogs/fragments/openssh_cert-pkcs11.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - "openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95)."
--- a/plugins/modules/openssh_cert.py
+++ b/plugins/modules/openssh_cert.py
@ -43,8 +43,16 @@ options:
    signing_key:
        description:
            - The path to the private openssh key that is used for signing the public key in order to generate the certificate.
+            - If the private key is on a PKCS#11 token (I(pkcs11_provider)), set this to the path to the public key instead.
            - Required if I(state) is C(present).
        type: path
+    pkcs11_provider:
+        description:
+            - To use a signing key that resides on a PKCS#11 token, set this to the name (or full path) of the shared library to use with the token.
+              Usually C(libpkcs11.so).
+            - If this is set, I(signing_key) needs to point to a file containing the public key of the CA.
+        type: str
+        version_added: 1.1.0
    public_key:
        description:
            - The path to the public key that will be signed with the signing key in order to generate the certificate.
@ -170,6 +178,16 @@ EXAMPLES = '''
        - "clear"
        - "force-command=/tmp/bla/foo"

+- name: Generate an OpenSSH user certificate using a PKCS#11 token
+  community.crypto.openssh_cert:
+    type: user
+    signing_key: /path/to/ca_public_key.pub
+    pkcs11_provider: libpkcs11.so
+    public_key: /path/to/public_key.pub
+    path: /path/to/certificate
+    valid_from: always
+    valid_to: forever
+
 '''

 RETURN = '''
@ -217,6 +235,7 @@ class Certificate(object):
        self.force = module.params['force']
        self.type = module.params['type']
        self.signing_key = module.params['signing_key']
+        self.pkcs11_provider = module.params['pkcs11_provider']
        self.public_key = module.params['public_key']
        self.path = module.params['path']
        self.identifier = module.params['identifier']
@ -251,6 +270,9 @@ class Certificate(object):
                '-s', self.signing_key
            ]

+            if self.pkcs11_provider:
+                args.extend(['-D', self.pkcs11_provider])
+
            validity = ""

            if not (self.valid_from == "always" and self.valid_to == "forever"):
@ -525,6 +547,7 @@ def main():
            force=dict(type='bool', default=False),
            type=dict(type='str', choices=['host', 'user']),
            signing_key=dict(type='path'),
+            pkcs11_provider=dict(type='str'),
            public_key=dict(type='path'),
            path=dict(type='path', required=True),
            identifier=dict(type='str'),