Run tests with macOS 10.15. (#112)
* Run tests with macOS 10.15.
* Update prepare_http_tests as in https://github.com/ansible/ansible/pull/71841/files.
* Also skip luks_device tests on macOS.
* Temporarily restrict to macOS/OSX nodes.
* Show full OpenSSL version.
* Show pyOpenSSL debug details.
* Make location of openssl binary configurable.
* Try to upgrade openssl on macOS when LibreSSL is found.
* Use other variable.
* Use found binary instead of default.
* Revert "Temporarily restrict to macOS/OSX nodes."
This reverts commit ea379382e5.
ci_complete
* Avoid crashing when OpenSSL.debug does not exist.
* Combine setup_openssl_cli with setup_openssl
* Split up setup_openssl in setup_openssl (openssl + cryptography) and setup_pyopenssl.
* Fix package name.
* Don't install cryptography on CentOS 6, print environment.
* Work around ansible-test limitation.
pull/134/head
Felix Fontein
GitHub
parent
7559e912f1
commit
ec55161cb1
|
|
@ -14,6 +14,7 @@ matrix:
|
|||
- env: T=devel/units/1
|
||||
|
||||
- env: T=devel/osx/10.11/1
|
||||
- env: T=devel/macos/10.15/1
|
||||
- env: T=devel/rhel/7.8/1
|
||||
- env: T=devel/rhel/8.2/1
|
||||
- env: T=devel/freebsd/11.1/1
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
- name: Generate account keys
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem"
|
||||
loop:
|
||||
- accountkey
|
||||
- accountkey2
|
||||
|
|
@ -8,7 +8,7 @@
|
|||
- accountkey5
|
||||
|
||||
- name: Parse account keys (to ease debugging some test failures)
|
||||
command: openssl ec -in {{ output_dir }}/{{ item }}.pem -noout -text
|
||||
command: "{{ openssl_binary }} ec -in {{ output_dir }}/{{ item }}.pem -noout -text"
|
||||
loop:
|
||||
- accountkey
|
||||
- accountkey2
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: Generate account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
|
||||
|
||||
- name: Generate second account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem"
|
||||
|
||||
- name: Parse account key (to ease debugging some test failures)
|
||||
command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
|
||||
command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
|
||||
|
||||
- name: Check that account does not exist
|
||||
acme_account_info:
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
## SET UP ACCOUNT KEYS ########################################################################
|
||||
- name: Create ECC256 account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
|
||||
- name: Create ECC384 account key
|
||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
||||
command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
|
||||
- name: Create RSA-2048 account key
|
||||
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
||||
command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
|
||||
## SET UP ACCOUNTS ############################################################################
|
||||
- name: Make sure ECC256 account hasn't been created yet
|
||||
acme_account:
|
||||
|
|
@ -325,61 +325,61 @@
|
|||
## DISSECT CERTIFICATES #######################################################################
|
||||
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
|
||||
- name: Verifying cert 1
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_1_valid
|
||||
- name: Verifying cert 2
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_2_valid
|
||||
- name: Verifying cert 3
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_3_valid
|
||||
- name: Verifying cert 4
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_4_valid
|
||||
- name: Verifying cert 5
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_5_valid
|
||||
- name: Verifying cert 6
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_6_valid
|
||||
- name: Verifying cert 7
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_7_valid
|
||||
- name: Verifying cert 8
|
||||
command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
|
||||
command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"'
|
||||
ignore_errors: yes
|
||||
register: cert_8_valid
|
||||
# Dump certificate info
|
||||
- name: Dumping cert 1
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-1.pem" -noout -text'
|
||||
register: cert_1_text
|
||||
- name: Dumping cert 2
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-2.pem" -noout -text'
|
||||
register: cert_2_text
|
||||
- name: Dumping cert 3
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-3.pem" -noout -text'
|
||||
register: cert_3_text
|
||||
- name: Dumping cert 4
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-4.pem" -noout -text'
|
||||
register: cert_4_text
|
||||
- name: Dumping cert 5
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-5.pem" -noout -text'
|
||||
register: cert_5_text
|
||||
- name: Dumping cert 6
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-6.pem" -noout -text'
|
||||
register: cert_6_text
|
||||
- name: Dumping cert 7
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-7.pem" -noout -text'
|
||||
register: cert_7_text
|
||||
- name: Dumping cert 8
|
||||
command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
|
||||
command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-8.pem" -noout -text'
|
||||
register: cert_8_text
|
||||
# Dump certificate info
|
||||
- name: Dumping cert 1
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
## SET UP ACCOUNT KEYS ########################################################################
|
||||
- name: Create ECC256 account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
|
||||
- name: Create ECC384 account key
|
||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
||||
command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
|
||||
- name: Create RSA-2048 account key
|
||||
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
||||
command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
|
||||
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
|
||||
- name: Obtain cert 1
|
||||
include_tasks: obtain-cert.yml
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
- block:
|
||||
- name: Create ECC256 account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
|
||||
- name: Obtain cert 1
|
||||
include_tasks: obtain-cert.yml
|
||||
vars:
|
||||
|
|
|
|||
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
- name: Generate account key
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
|
||||
|
||||
- name: Parse account key (to ease debugging some test failures)
|
||||
command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
|
||||
command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
|
||||
|
||||
- name: Get directory
|
||||
acme_inspect:
|
||||
|
|
|
|||
|
|
@ -206,7 +206,7 @@
|
|||
|
||||
# For bug 61738, verify that the full chain is valid
|
||||
- name: Verify that the full chain path can be successfully imported
|
||||
command: openssl verify "{{ example4_full_chain_path }}"
|
||||
command: '{{ openssl_binary }} verify "{{ example4_full_chain_path }}"'
|
||||
register: openssl_result
|
||||
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
- prepare_http_tests
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
shippable/posix/group1
|
||||
skip/osx
|
||||
skip/macos
|
||||
skip/freebsd
|
||||
skip/docker
|
||||
needs/root
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
register: privatekey_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
|
||||
shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
|
||||
shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
|
||||
register: csr_cn
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
|
||||
shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
|
||||
shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr.csr'
|
||||
register: csr_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
|
||||
|
|
@ -49,11 +49,11 @@
|
|||
- csr_ku_xku_change_2 is changed
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
|
||||
shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
|
||||
shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
|
||||
register: csr_oldapi_cn
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
|
||||
shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
|
||||
shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
|
||||
register: csr_oldapi_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
|
||||
|
|
@ -78,7 +78,7 @@
|
|||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
|
||||
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
|
||||
shell: "{{ openssl_binary }} req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
|
||||
register: csr_ocsp
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
|
||||
|
|
@ -93,15 +93,15 @@
|
|||
- csr_ocsp_idempotency is not changed
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
|
||||
shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
|
||||
shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey2.pem'
|
||||
register: privatekey_ecc_key
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
|
||||
shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
|
||||
shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
|
||||
register: csr_ecc_cn
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
|
||||
shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
|
||||
shell: '{{ openssl_binary }} req -noout -pubkey -in {{ output_dir }}/csr2.csr'
|
||||
register: csr_ecc_pubkey
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
|
||||
|
|
@ -111,7 +111,7 @@
|
|||
- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
|
||||
shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
|
||||
shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
|
||||
register: csr3_cn
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -59,17 +59,17 @@
|
|||
register: generate_csr_changed_check
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
register: privatekey_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
|
||||
shell: "openssl req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
|
||||
shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
|
||||
args:
|
||||
stdin: "{{ generate_csr.csr }}"
|
||||
register: csr_cn
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
|
||||
shell: 'openssl req -noout -modulus -in /dev/stdin'
|
||||
shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
|
||||
args:
|
||||
stdin: "{{ generate_csr.csr }}"
|
||||
register: csr_modulus
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: "[{{ select_crypto_backend }}] Validate generated params"
|
||||
shell: 'openssl dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
|
||||
shell: '{{ openssl_binary }} dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
|
||||
with_items:
|
||||
- dh768
|
||||
- dh512
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Get bit size of 768"
|
||||
shell: 'openssl dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
|
||||
shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
|
||||
register: bit_size_dhparam
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Check bit size of default"
|
||||
|
|
@ -15,7 +15,7 @@
|
|||
- bit_size_dhparam.stdout == "768"
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Get bit size of 512"
|
||||
shell: 'openssl dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
|
||||
shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
|
||||
register: bit_size_dhparam_512
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Check bit size of default"
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
- name: 'Validate PKCS#12'
|
||||
command: "openssl pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
|
||||
command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
|
||||
register: p12
|
||||
|
||||
- name: 'Validate PKCS#12 with no private key'
|
||||
command: "openssl pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
|
||||
command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
|
||||
register: p12_validate_no_pkey
|
||||
|
||||
- name: 'Validate PKCS#12 with multiple certs'
|
||||
shell: "openssl pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
|
||||
shell: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
|
||||
register: p12_validate_multi_certs
|
||||
|
||||
- name: 'Validate PKCS#12 (assert)'
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
####################################################################
|
||||
|
||||
- name: Find out which elliptic curves are supported by installed OpenSSL
|
||||
command: openssl ecparam -list_curves
|
||||
command: "{{ openssl_binary }} ecparam -list_curves"
|
||||
register: openssl_ecc
|
||||
|
||||
- name: Compile list of elliptic curves supported by OpenSSL
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey1 (test - RSA key with size 4096 bits)"
|
||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
register: privatekey1
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey1 (assert - RSA key with size 4096 bits)"
|
||||
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey2 (test - RSA key with size 2048 bits)"
|
||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
register: privatekey2
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey2 (assert - RSA key with size 2048 bits)"
|
||||
|
|
@ -31,7 +31,7 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey3 (test - DSA key with size 3072 bits)"
|
||||
shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
shell: "{{ openssl_binary }} dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
register: privatekey3
|
||||
|
||||
- name: Validate privatekey3 (assert - DSA key with size 3072 bits)
|
||||
|
|
@ -59,7 +59,7 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey5 (test - Passphrase protected key + idempotence)"
|
||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
register: privatekey5
|
||||
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
|
||||
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
|
||||
|
|
@ -78,7 +78,7 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)"
|
||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||
register: privatekey6
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
|
|
@ -89,7 +89,7 @@
|
|||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)"
|
||||
shell: "openssl ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
|
||||
shell: "{{ openssl_binary }} ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
|
||||
loop: "{{ privatekey_ecc_generate.results }}"
|
||||
register: privatekey_ecc_dump
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -8,11 +8,11 @@
|
|||
- publickey.publickey == publickey_idempotence.publickey
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key (test - privatekey modulus)"
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
register: privatekey_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key (test - publickey modulus)"
|
||||
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
|
||||
shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
|
||||
register: publickey_modulus
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key (assert)"
|
||||
|
|
@ -62,12 +62,12 @@
|
|||
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate publickey3 (test - privatekey modulus)"
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
|
||||
register: privatekey3_modulus
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate publickey3 (test - publickey modulus)"
|
||||
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
|
||||
shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
|
||||
register: publickey3_modulus
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
|
|
@ -83,12 +83,12 @@
|
|||
- publickey3_idempotence is not changed
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate publickey4 (test - privatekey modulus)"
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
register: privatekey4_modulus
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate publickey4 (test - publickey modulus)"
|
||||
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
|
||||
shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
|
||||
register: publickey4_modulus
|
||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||
|
||||
|
|
@ -109,12 +109,12 @@
|
|||
- privatekey5_3.backup_file is string
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key 5 (test - privatekey's pubkey)"
|
||||
command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
|
||||
command: '{{ openssl_binary }} ec -in {{ output_dir }}/privatekey5.pem -pubout'
|
||||
register: privatekey5_pubkey
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key 5 (test - publickey pubkey)"
|
||||
# Fancy way of writing "cat {{ output_dir }}/publickey5.pub"
|
||||
command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
|
||||
command: '{{ openssl_binary }} ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
|
||||
register: publickey5_pubkey
|
||||
|
||||
- name: "({{ select_crypto_backend }}) Validate public key 5 (assert)"
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -49,11 +49,16 @@
|
|||
when: ansible_os_family == 'FreeBSD'
|
||||
|
||||
- name: MacOS - Retrieve test cacert
|
||||
get_url:
|
||||
url: "http://ansible.http.tests/cacert.pem"
|
||||
dest: "/usr/local/etc/openssl/certs/ansible.pem"
|
||||
when: ansible_os_family == 'Darwin'
|
||||
block:
|
||||
- uri:
|
||||
url: "http://ansible.http.tests/cacert.pem"
|
||||
return_content: true
|
||||
register: cacert_pem
|
||||
|
||||
- name: MacOS - Update ca certificates
|
||||
command: /usr/local/opt/openssl/bin/c_rehash
|
||||
when: ansible_os_family == 'Darwin'
|
||||
- raw: '{{ ansible_python_interpreter }} -c "import ssl; print(ssl.get_default_verify_paths().cafile)"'
|
||||
register: macos_cafile
|
||||
|
||||
- blockinfile:
|
||||
path: "{{ macos_cafile.stdout_lines|first }}"
|
||||
block: "{{ cacert_pem.content }}"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,2 @@
|
|||
dependencies: []
|
||||
# - setup_openssl
|
||||
|
|
@ -4,12 +4,19 @@
|
|||
# and should not be used as examples of how to write Ansible roles #
|
||||
####################################################################
|
||||
|
||||
- name: register openssl version
|
||||
shell: "openssl version | cut -d' ' -f2"
|
||||
# BEGIN HACK: remove whenever we know how to properly detect 'default' docker container !!!!!!!!!!!!!!!!!!!!!
|
||||
- name: Default value for OpenSSL binary path
|
||||
set_fact:
|
||||
openssl_binary: openssl
|
||||
|
||||
- name: Register openssl version
|
||||
shell: "{{ openssl_binary }} version | cut -d' ' -f2"
|
||||
register: openssl_version
|
||||
|
||||
- name: register cryptography version
|
||||
- name: Register cryptography version
|
||||
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
|
||||
register: cryptography_version
|
||||
# END HACK !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||||
|
||||
- debug: msg="ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
|
||||
- debug:
|
||||
msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
|
||||
|
|
|
|||
|
|
@ -1,16 +1,16 @@
|
|||
---
|
||||
## PRIVATE KEY ################################################################################
|
||||
- name: ({{ certgen_title }}) Create cert private key (RSA)
|
||||
command: "openssl genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
|
||||
command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
|
||||
when: "key_type == 'rsa'"
|
||||
- name: ({{ certgen_title }}) Create cert private key (ECC 256)
|
||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
||||
command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
|
||||
when: "key_type == 'ec256'"
|
||||
- name: ({{ certgen_title }}) Create cert private key (ECC 384)
|
||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
||||
command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
|
||||
when: "key_type == 'ec384'"
|
||||
- name: ({{ certgen_title }}) Create cert private key (ECC 512)
|
||||
command: openssl ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
||||
command: "{{ openssl_binary }} ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
|
||||
when: "key_type == 'ec521'"
|
||||
## CSR ########################################################################################
|
||||
- name: ({{ certgen_title }}) Create cert CSR
|
||||
|
|
|
|||
|
|
@ -4,43 +4,95 @@
|
|||
# and should not be used as examples of how to write Ansible roles #
|
||||
####################################################################
|
||||
|
||||
- name: Register system environment
|
||||
command: "{{ ansible_python.executable }} -c 'import os; print(dict(os.environ))'"
|
||||
register: sys_environment
|
||||
|
||||
- debug: var=sys_environment
|
||||
|
||||
- name: Default value for OpenSSL binary path
|
||||
set_fact:
|
||||
openssl_binary: openssl
|
||||
|
||||
- name: Include OS-specific variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
when: not ansible_os_family == "Darwin"
|
||||
|
||||
- name: Install OpenSSL
|
||||
become: True
|
||||
become: true
|
||||
package:
|
||||
name: '{{ openssl_package_name }}'
|
||||
when: not ansible_os_family == 'Darwin'
|
||||
|
||||
- name: Install pyOpenSSL (Python 3)
|
||||
become: True
|
||||
package:
|
||||
name: '{{ pyopenssl_package_name_python3 }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
|
||||
- name: Register openssl version (full)
|
||||
shell: "{{ openssl_binary }} version"
|
||||
register: openssl_version_full
|
||||
|
||||
- name: Install pyOpenSSL (Python 2)
|
||||
become: True
|
||||
package:
|
||||
name: '{{ pyopenssl_package_name }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
|
||||
- name: Show openssl version (full)
|
||||
debug:
|
||||
var: openssl_version_full.stdout_lines
|
||||
|
||||
- name: Install pyOpenSSL (Darwin)
|
||||
become: True
|
||||
pip:
|
||||
name: pyOpenSSL
|
||||
extra_args: "-c {{ remote_constraints }}"
|
||||
when: ansible_os_family == 'Darwin'
|
||||
- when: ansible_os_family == "Darwin" and "LibreSSL" in openssl_version_full.stdout
|
||||
# In case LibreSSL is installed on macOS, we need to install a more modern OpenSSL
|
||||
block:
|
||||
- name: MACOS | Find brew binary
|
||||
command: which brew
|
||||
register: brew_which
|
||||
|
||||
- name: register pyOpenSSL version
|
||||
command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
|
||||
register: pyopenssl_version
|
||||
- name: MACOS | Get owner of brew binary
|
||||
stat:
|
||||
path: "{{ brew_which.stdout }}"
|
||||
register: brew_stat
|
||||
|
||||
- name: register openssl version
|
||||
shell: "openssl version | cut -d' ' -f2"
|
||||
- name: MACOS | Install openssl
|
||||
homebrew:
|
||||
name: openssl
|
||||
state: present
|
||||
become: yes
|
||||
become_user: "{{ brew_stat.stat.pw_name }}"
|
||||
|
||||
- name: MACOS | Locale openssl binary
|
||||
command: brew --prefix openssl
|
||||
register: brew_openssl_prefix
|
||||
|
||||
- name: MACOS | Point to OpenSSL binary
|
||||
set_fact:
|
||||
openssl_binary: "{{ brew_openssl_prefix.stdout }}/bin/openssl"
|
||||
|
||||
- name: MACOS | Register openssl version (full)
|
||||
shell: "{{ openssl_binary }} version"
|
||||
register: openssl_version_full_again
|
||||
# We must use a different variable to prevent the 'when' condition of the surrounding block to fail
|
||||
|
||||
- name: MACOS | Show openssl version (full)
|
||||
debug:
|
||||
var: openssl_version_full_again.stdout_lines
|
||||
|
||||
- name: Register openssl version
|
||||
shell: "{{ openssl_binary }} version | cut -d' ' -f2"
|
||||
register: openssl_version
|
||||
|
||||
- name: register cryptography version
|
||||
- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
|
||||
block:
|
||||
- name: Install cryptography (Python 3)
|
||||
become: true
|
||||
package:
|
||||
name: '{{ cryptography_package_name_python3 }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
|
||||
|
||||
- name: Install cryptography (Python 2)
|
||||
become: true
|
||||
package:
|
||||
name: '{{ cryptography_package_name }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
|
||||
|
||||
- name: Install cryptography (Darwin)
|
||||
become: true
|
||||
pip:
|
||||
name: cryptography
|
||||
extra_args: "-c {{ remote_constraints }}"
|
||||
when: ansible_os_family == 'Darwin'
|
||||
|
||||
- name: Register cryptography version
|
||||
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
|
||||
register: cryptography_version
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
pyopenssl_package_name: python-openssl
|
||||
pyopenssl_package_name_python3: python3-openssl
|
||||
---
|
||||
openssl_package_name: openssl
|
||||
cryptography_package_name: python-cryptography
|
||||
cryptography_package_name_python3: python3-cryptography
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
pyopenssl_package_name: py27-openssl
|
||||
pyopenssl_package_name_python3: py36-openssl
|
||||
---
|
||||
openssl_package_name: openssl
|
||||
cryptography_package_name: py27-cryptography
|
||||
cryptography_package_name_python3: py36-cryptography
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
pyopenssl_package_name: pyOpenSSL
|
||||
pyopenssl_package_name_python3: python3-pyOpenSSL
|
||||
---
|
||||
openssl_package_name: openssl
|
||||
cryptography_package_name: python-cryptography
|
||||
cryptography_package_name_python3: python3-cryptography
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
pyopenssl_package_name: python-pyOpenSSL
|
||||
pyopenssl_package_name_python3: python3-pyOpenSSL
|
||||
---
|
||||
openssl_package_name: openssl
|
||||
cryptography_package_name: python-cryptography
|
||||
cryptography_package_name_python3: python3-cryptography
|
||||
|
|
|
|||
|
|
@ -0,0 +1,3 @@
|
|||
dependencies:
|
||||
- setup_remote_constraints
|
||||
- setup_pkg_mgr
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
####################################################################
|
||||
# WARNING: These are designed specifically for Ansible tests #
|
||||
# and should not be used as examples of how to write Ansible roles #
|
||||
####################################################################
|
||||
|
||||
- name: Include OS-specific variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
when: not ansible_os_family == "Darwin"
|
||||
|
||||
- name: Install pyOpenSSL (Python 3)
|
||||
become: true
|
||||
package:
|
||||
name: '{{ pyopenssl_package_name_python3 }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
|
||||
|
||||
- name: Install pyOpenSSL (Python 2)
|
||||
become: true
|
||||
package:
|
||||
name: '{{ pyopenssl_package_name }}'
|
||||
when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
|
||||
|
||||
- name: Install pyOpenSSL (Darwin)
|
||||
become: true
|
||||
pip:
|
||||
name: pyOpenSSL
|
||||
extra_args: "-c {{ remote_constraints }}"
|
||||
when: ansible_os_family == 'Darwin'
|
||||
|
||||
- name: Register pyOpenSSL version
|
||||
command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
|
||||
register: pyopenssl_version
|
||||
|
||||
- name: Register pyOpenSSL debug details
|
||||
command: "{{ ansible_python.executable }} -m OpenSSL.debug"
|
||||
register: pyopenssl_debug_version
|
||||
ignore_errors: yes
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
pyopenssl_package_name: python-openssl
|
||||
pyopenssl_package_name_python3: python3-openssl
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
pyopenssl_package_name: py27-openssl
|
||||
pyopenssl_package_name_python3: py36-openssl
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
pyopenssl_package_name: pyOpenSSL
|
||||
pyopenssl_package_name_python3: python3-pyOpenSSL
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
pyopenssl_package_name: python-pyOpenSSL
|
||||
pyopenssl_package_name_python3: python3-pyOpenSSL
|
||||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
when: select_crypto_backend == 'pyopenssl' # cryptography won't allow creating expired certificates
|
||||
|
||||
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
|
||||
command: "openssl x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
|
||||
command: "{{ openssl_binary }} x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
|
||||
when: select_crypto_backend == 'cryptography' # So we create it with 'command'
|
||||
|
||||
- name: "(Expired) Check task fails because cert is expired (has_expired: false)"
|
||||
|
|
|
|||
|
|
@ -1,18 +1,18 @@
|
|||
---
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - verify CA)
|
||||
shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
|
||||
shell: '{{ openssl_binary }} verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
|
||||
register: ownca_verify_ca
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
|
||||
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
|
||||
register: ownca_cert_modulus
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
||||
register: ownca_cert_issuer
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: ownca_cert_version
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (assert)
|
||||
|
|
@ -39,7 +39,7 @@
|
|||
|
||||
- block:
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: ownca_cert_v2_version
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert)
|
||||
|
|
@ -57,7 +57,7 @@
|
|||
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
|
||||
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
|
||||
register: ownca_cert2_modulus
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
|
||||
|
|
@ -66,11 +66,11 @@
|
|||
- ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate owncal certificate3 (test - notBefore)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: ownca_cert3_notBefore
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notAfter)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: ownca_cert3_notAfter
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notBefore)
|
||||
|
|
@ -84,11 +84,11 @@
|
|||
- ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
|
||||
shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
|
||||
register: ownca_cert_ecc_pubkey
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
||||
register: ownca_cert_ecc_issuer
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (assert)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus)
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
||||
register: privatekey_modulus
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate behavior for no CSR
|
||||
|
|
@ -11,11 +11,11 @@
|
|||
- selfsigned_certificate_no_csr_idempotence_check is not changed
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate modulus)
|
||||
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
|
||||
register: cert_modulus
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certficate version == default == 3)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: cert_version
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (assert)
|
||||
|
|
@ -38,16 +38,16 @@
|
|||
- selfsigned_certificate_no_csr.certificate == selfsigned_certificate_no_csr_idempotence.certificate
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus)
|
||||
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert.pem'
|
||||
register: cert_modulus
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
|
||||
register: cert_issuer
|
||||
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: cert_version
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (assert)
|
||||
|
|
@ -77,7 +77,7 @@
|
|||
|
||||
- block:
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: cert_v2_version
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert)
|
||||
|
|
@ -95,11 +95,11 @@
|
|||
when: select_crypto_backend == 'cryptography'
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
|
||||
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
|
||||
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
|
||||
register: privatekey2_modulus
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus)
|
||||
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
|
||||
register: cert2_modulus
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert)
|
||||
|
|
@ -108,11 +108,11 @@
|
|||
- cert2_modulus.stdout == privatekey2_modulus.stdout
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notBefore)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: cert3_notBefore
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notAfter)
|
||||
shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
||||
register: cert3_notAfter
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notBefore)
|
||||
|
|
@ -126,11 +126,11 @@
|
|||
- cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
|
||||
shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
|
||||
shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
|
||||
register: privatekey_ecc_pubkey
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey)
|
||||
shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
|
||||
shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
|
||||
register: cert_ecc_pubkey
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert)
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
dependencies:
|
||||
- setup_openssl
|
||||
- setup_pyopenssl
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
remote.sh
|
||||
Loading…
Reference in New Issue