* Check return code on ssh(-keygen) invocations.
* openssh_cert: only check for errors if certificate should be present and module is not in check mode.
* Handle rc check for _get_private_key().
* Add changelog fragment.
* Only pass -o for comment updating when necessary.
* Now fails if comment cannot be updated.
This was silently ignored in the past.
* Avoid failing operation.
* Added support for DER format
* Updated description
* Adjusted description
The content of the certificate cannot be in DER format due to an input encoding problem in the Ansible module, but it works fine when reading the certificate from a file
* Update support.py
* Added der_support_enabled flag for DER-format support
* Added changelog fragment for #603
* Fixed typo
* Fixed missing import
* Resolved issues found by static code analysis
* Update plugins/module_utils/crypto/support.py
Committed suggested change
Co-authored-by: Felix Fontein <felix@fontein.de>
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Improve examples: use FQCNs and always add name: to tasks.
* Improve formulation.
Co-authored-by: Don Naro <dnaro@redhat.com>
* Accidentally added a period.
---------
Co-authored-by: Don Naro <dnaro@redhat.com>
* Enable custom cipher selection for get_certificate
* get_certificate ciphers desc grammar fix
Co-authored-by: Felix Fontein <felix@fontein.de>
* get_certificate ciphers desc grammar fix
Co-authored-by: Felix Fontein <felix@fontein.de>
* get_certificate ciphers include version_added
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add changelog fragment
* Fail if ciphers is set and Python < 2.7.9
* Standardize ciphers conditionals in get_certificate
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.
Signed-off-by: benaryorg <binary@benary.org>
Signed-off-by: benaryorg <binary@benary.org>
the cipher parameter required for encrypted private keys only accepts the value "auto"
as described in /plugins/doc_fragments/module_privatekey.py.
The previously documented value of "aes256" is invalid here.
* Prepare IDNA/Unicode conversion code. Use to normalize input.
* Use IDNA library first (IDNA2008) and Python's IDNA2003 implementation as a fallback.
* Make sure idna is installed.
* Add changelog fragment.
* 'punycode' → 'idna'.
* Add name_encoding options and tests.
* Avoid invalid character for IDNA2008.
* Linting.
* Forgot to upate value.
* Work around cryptography bug. Fix port handling for URIs.
* Forgot other place sensitive to cryptography bug.
* Forgot one. (Will likely still fail.)
* Decode IDNA in _compress_entry() to avoid comparison screw-ups.
* Work around Python 3.5 problem in Ansible 2.9's default test container.
* Update changelog fragment.
* Fix error, add tests.
* Python 2 compatibility.
* Update requirements.
* Fix empty check for openssl_pkcs12 tests.
* Remove unnecessary imports.
* Prevent crash if PyOpenSSL cannot be imported because of an AttributeError.
* Add changelog fragment.
* Fix constraints file.
* Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken).
* Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
Read and write work queue significantly degrades performance on
SSD/NVME devices[1].
In Debian 11 crypttab does not support no-read-workqueue and
no-write-workqueue flags, so the persistent flag is workaround: once
opened with perf parameters persists forever.
[1] https://blog.cloudflare.com/speeding-up-linux-disk-encryption/
Signed-off-by: Yauhen Artsiukhou <jsirex@gmail.com>
* Document OpenSSH 7.7 required for validity always
* Document cert start time option for OpenSSH <7.7
* Improve language of "always" time support
* Update language on `always` to suggested
* Fix indetation
* Allow multiple intermediate CAs to have same subject.
* Add tests.
* Fix test name.
* Don't use CN for SAN.
* Make a bit more compatible.
* Include jinja2 compat for CentOS 6.
* Add basic crypto_info module.
* Improve check.
* Actually test capabilities.
* Also output EC curve list.
* Fix detections.
* Ed25519 and Ed448 are not supported on FreeBSD 12.1.
* Refactor.
* Also retrieve information on the OpenSSL binary.
* Improve splitting.
* Update plugins/modules/crypto_info.py
Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
* Replace list by tuple.
Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
* Prepare for distutils.version being removed in Python 2.12.
* Fix copy'n'paste error.
* Re-add Loose prefix.
* Fix Python version typo.
* Improve formulation.
* Move message into own line.
* Fix casing, now that the object is no longer called Version.
* Add warning that ASN.1 encoded extension values returned by some modules might not reflect the exact byte sequence in the source file anymore depending on the cryptography version.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Remove assertonly backend.
* Remove assertonly tests.
* The expired test is basically a test of assertonly.
* Replace assertonly verification by _info + assert.
* Remove Ubuntu 16.04 (Xenial Xerus) from CI.
* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.
* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.
* Add changelog fragment.
* Initial commit
* Matching tests to overwritten permissions behavior with cryptography
* Ensuring key validation only occurs when state=present and accomodating CentOS6 restrictions
* Making ssh-keygen behavior explicit by version in tests
* Ensuring cyrptography not excluded in new conditions
* Adding changelog fragment
* Fixing sanity checks
* Improving readability
* Applying review suggestions
* addressing restore_on_failure conflict
* Initial commit
* Fixing unit tests
* More unit fixes
* Adding changelog fragment
* Minor refactor in Certificate.generate()
* Addressing option case-sensitivity and directive overrides
* Renaming idempotency to regenerate
* updating changelog
* Minor refactoring of default options
* Cleaning up with inline functions
* Fixing false failures when regenerate=fail and improving clarity
* Applying second round of review suggestions
* adding helper for safe atomic moves
Use of the confusingly-named _permissions_changed() on both
sides of an `or` was resulting in the second invocation not
being reached if the first invocation returned True, which it
does any time it applied custom attributes to the private key.
As a result, custom file attributes were only ever being
applied to the private key (except in one specific case)
This is fixed by explicitly updating attributes of both files
before checking if changes have been made.
Signed-off-by: Charlie Wheeler-Robinson <cwheeler@redhat.com>
* Initial commit
* Fixing units
* Adding changelog fragment
* Enhanced encapsulation of certificate data
* Avoiding failure when path is not parseable
* Diff refactor
* Applying initial review suggestions
* Refactoring openssh_keypair for multiple backends
* Fixing cryptography backend validations
* Simplifying conditionals and excess variable assignments
* Fixing docs and adding cleanup for integration tests
* Fixing docs and public key validation bugs in crypto backend
* Enhancing cryptogagraphy utils to raise OpenSSHErrors when file not found
* Adding missed copyright and cleanup for idempotency test keys
* Fixing doc style
* Readding crypto/openssh for backwards compatibility
* Adding changelog fragment and final simplifications of conditional statements
* Applied initial review suggestions
* Add diff support to openssl_privatekey.
* Add diff support to openssl_csr.
* Add diff support to x509_crl.
* Add diff support to x509_certificate.
* Add diff support to openssl_publickey.
* Add changelog fragment.
* Prefer one fingerprint for diff infos to reduce noise.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Began refactoring.
* Continue.
* Factor PyOpenSSL backend out.
* Add basic cryptography backend.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Only run tests when new enough pyOpenSSL or cryptography is around.
* Reduce required pyOpenSSL version from 17.1.0 to 0.15.
I have no idea why 17.1.0 was there (in the tests), and not something smaller.
The module itself did not mention any version.
* Linting.
* Linting.
* Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used.
* Improve docs, add changelog fragment.
* Move hackish code to cryptography_support.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Streamline cert creation.
* Convert range to list.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Return more public key information.
* Make sure bit size is converted to int first.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Remove no longer necessary code.
* Use correct return value's name.
* Add trailing commas.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Add openssl_publickey_info module. Share code between openssl_privatekey_info and the new module, and improve documentation of it.
* Move public key loading to support module.
* Require pyOpenSSL 16.0.0 for public key loading.
* Linting.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Integrating openssh module utils with openssh_keypair
* Added explicit PEM formatting for OpenSSH < 7.8
* Adding changelog fragment
* Adding OpenSSL/cryptography dependency for integration tests
* Adding private_key_format option and removing forced cryptography update for CI
* Fixed version check for bcrypt and key_format option name
* Setting no_log=False for private_key_format
* Docs correction and simplification of control flow for private_key_format
* Fix wrong usages of ACMEProtocolException.
* Add changelog fragment.
* Fix error handling when content could not be decoded.
* Make sure that content_json is a dict or None.
* Improve acme_inspect's ACMEProtocolException handling.
* Improve error handling.
* Add tests.
* Fix challenge error.
* Add challenges tests.
* Provide content if available.
* Add some order tests.
* Linting.
* Move acme.py to acme/__init__.py to prepare splitup.
* Began moving generic code out.
* Creating backends.
* Update unit tests.
* Move remaining new code out.
* Use new interface.
* Rewrite module init code.
* Add changelog.
* Add BackendException for crypto backend errors.
* Improve / uniformize ACME error reporting.
* Create ACMELegacyAccount for backwards compatibility.
* Split up ACMEAccount into ACMEClient and ACMEAccount.
* Move get_keyauthorization into module_utils.acme.challenges.
* Improve error handling.
* Move challenge and authorization handling code into module_utils.
* Add split_identifier helper.
* Move order code into module_utils.
* Move ACME v2 certificate handling code to module_utils.
* Fix/move ACME v1 certificate retrieval to module_utils as well.
* Refactor alternate chain handling code by splitting it up into simpler functions.
* Make chain matcher creation part of backend.
* Use B(...) instead of RST formatting (which does not work for options).
* Improve the documentation on acme_directory.
It now mentions the ACME v1 deprecation for Let's Encrypt,
and mentions that ZeroSSL works.
* Improve ACME module documentation.
* Update plugins/doc_fragments/acme.py
* Rename identify.py to pem.py.
* Move split PEM list code to pem.py crypto module_utils.
* Extend and use global certificate splitting code in acme_certificate.
* openssl_pkcs12: allow to load multiple certificates from files mentioned in other_certificates.
* Add changelog and module_utils redirect.
* Remove old check.
* Fix typo.
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Add example.
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Improve error messages for name decoding (not all names appear in SANs).
* Refactor DN parsing, add relative DN parsing code.
* Allow to specify CRL distribution points.
* Add changelog fragment.
* Fix typo.
* Make sure value argument to x509.NameAttribute is a text.
* Update changelogs/fragments/167-openssl_csr-crl-distribution-points.yml
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Add example.
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Allow to configure PBKDF.
* Also add PBKDF options to key add operation.
* Simplify code.
* Update plugins/modules/luks_device.py
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Fix indent.
* Use more of the options.
* Bump iteration count.
* Increase memory limit.
* Fall back to default PBKDF.
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Added sever name option to use for SNI
* cleanup code
Co-authored-by: Felix Fontein <felix@fontein.de>
* added module version for new parameter
Co-authored-by: Felix Fontein <felix@fontein.de>
* added SNI explanation
Co-authored-by: Felix Fontein <felix@fontein.de>
* added SNI link to module description
* linting
* cleanup code
* Update plugins/modules/get_certificate.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* integration test for SNI server_name option
Co-authored-by: Felix Fontein <felix@fontein.de>
Felix Fontein
Kloppi313
Marcin Słowikowski
dlehrman
Katze
Christoph
Andrew Pantuso
Yauhen
bluikko
JochenKorge
Jasmine Hegman
Charlie Wheeler-Robinson
Orosz Dávid
NorthFuture