Commit Graph

168 Commits (355480601d9bde0ada4b29fe62c752b8eb9f4a67)

Author SHA1 Message Date
Felix Fontein c173449c46
Add x509_crl_info filter (#558)
* Add x509_crl_info filter.

* Work around bugs in Ansible 2.9 and ansible-base 2.10.
2022-12-31 07:56:34 +01:00
Felix Fontein c08bae8308
Add x509_certificate_info filter. (#557) 2022-12-31 07:56:11 +01:00
Felix Fontein 80f7b084c0
Add filter module base, prepare adding filters (#553)
* Improve string handling.

* Cleanup tests.

* Add filter module mock.
2022-12-30 20:44:13 +01:00
Felix Fontein 7cc9a70e43
Add split_pem filter (#549)
* Add split_pem filter.

* Fix documentation.

* Python 2.7.

* Improve error message matching.

Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>

Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
2022-12-27 21:57:20 +01:00
Felix Fontein 5ddfb2c2ca
CI: balance groups (#548)
* Show timings with devel, and skip everything else.

* Move to other group.

* Try smaller SSH key size (i.e. make tests run faster).

* Add implicit size that now must be explicit.

* Change group of luks_device.

* Revert "Show timings with devel, and skip everything else."

This reverts commit 7b73f7e4d7.
2022-12-21 08:12:53 +01:00
Felix Fontein 242c15bf4c
Make sure that iteration_count=1000 is not used with algorithm=argon* (which is SLOW and takes around 10 minutes). (#546) 2022-12-20 20:01:26 +01:00
Felix Fontein 867f407401
CI: improve CI matrix, split into two groups (#544)
* Prepare having more than one group.

* Remove duplicates; add CentOS Stream 8 with Python 3.6.

* Split up tests into two groups.
2022-12-20 12:57:53 +01:00
Felix Fontein ca23b2ed9a
Improve CI (#539)
* Update CI scripts to be more close to the ones in ansible-core.

* Extend CI matrix.

* Mark more VMs.

* Revert "Mark more VMs."

This reverts commit 8bc79af636.

* Disable alpine VMs for get_certificate due to httptester problems.

* Improve retrieval of cryptsetup version.

* ACME 'emulator' won't work on Alpine either.

* Improve luks test setup.

* Make sure wipefs is installed on Alpine.

* dmsetup (from device-mapper) is used by the tests.

* Fix bcrypt install failure handling.

* String, not float.

* openssl_privatekey_convert is not an action module.

* Update Python info.

* Try out which VMs can be used by now.

* Enable ACME tests on all VMs but Alpine; update comment.

* Adjust acme-tiny shebang.

* Remove new entries from CI matrix.
2022-12-11 19:55:47 +01:00
Felix Fontein 664f34f2ac Mark x509_certificate-acme test as target test. 2022-12-09 23:10:26 +01:00
Katze 2a746115ca
fix #529 issuer_uri in x509_certificate_info (#530)
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.

Signed-off-by: benaryorg <binary@benary.org>

Signed-off-by: benaryorg <binary@benary.org>
2022-11-17 12:40:44 +01:00
Felix Fontein e4e2b804bc
Allow to configure encryption level. (#523) 2022-11-01 19:51:28 +01:00
Felix Fontein 1f4840ba2f
Change CI group identifiers (#517)
* Change CI group identifiers.

* cloud → generic.
2022-10-10 22:39:10 +02:00
Andrew Pantuso 1dcc135da5
feat: add private_key_format choices for openssh_keypair (#511)
* feat: add private_key_format choices for openssh_keypair

* chore: add changelog fragment
2022-09-18 20:10:29 -04:00
Felix Fontein 95626abdd3
Make mostly reuse conformant (#502)
* Add .license files.

* Update README.

* Normalize licenses test.

* Add reuse GHA.

* Add blanket rule for changelog fragments.

* Add .license file for vendored third-party certificates.

* Fix workflow's permissions.

* Revert "Add .license file for vendored third-party certificates."

This reverts commit 35e106867c.

* Make reuse lint test optional.

* Add exceptions.

* Update README.

* Improve reuse test.
2022-09-13 19:13:04 +00:00
Felix Fontein d0d99c31b0
[TEMP] Create temp remote directory in ~. (#504) 2022-08-24 06:54:09 +02:00
Felix Fontein ed03b1aa7f
Remove included fake CA cert, create one on demand. (#501) 2022-08-21 09:53:57 +02:00
Felix Fontein e4ebca0945
Fix ssh-agent tests (#493)
* Work around stupid ssh-agent output format.

* Workaround for Ansible 2.9.

* Old jinja2...

* Jinja2 on CentOS 6 is really annoying.
2022-07-22 13:54:15 +02:00
Felix Fontein 6bf3ef47e1
Move licenses to LICENSES/, use SPDX-License-Identifier, mention all licenses in galaxy.yml (#491)
* Add SPDX license identifiers, mention all licenses in galaxy.yml.

* Add default copyright headers.

* Add headers for documents.

* Fix/add more copyright statements.

* Add copyright / license info for vendored code.

* Add extra sanity test.

* Add changelog fragment.

* Comment PSF-2.0 license out in galaxy.yml for now.

* Remove colon after 'Copyright'.

* Avoid colon after 'Copyright' in lint script.

* Mention correct filename.

* Add BSD-3-Clause.

* Improve lint script.

* Update README.

* Symlinks...
2022-07-21 07:27:26 +02:00
Felix Fontein 7deb0a6db9
openssl_csr: extend tests to check for privatekey_content together with privatekey_passphrase (#490)
* Extend tests to check for privatekey_content together with privatekey_passphrase.

* Also test privatekey_content for private keys without passphrases.
2022-07-14 14:32:53 +02:00
Felix Fontein 9ed4526fee
openssl_pkcs12: fix crash when trying to get non-existing other certificates (#487)
* Fix crash when trying to get non-existing other certificates.

* Add test.
2022-07-07 22:30:22 +02:00
Felix Fontein de0ec1f739
Add Apache 2.0 license; simplify and standardize license headers (#478)
* Add Apache 2.0 license for Apache 2.0 licensed parts.

* Unify license headers.

* Move additional licenses to licenses/.

* Revert "Move additional licenses to licenses/."

This reverts commit c12b22de1c.
2022-06-17 08:20:40 +02:00
Felix Fontein 297b44f24b
x509_crl: do not crash when signing with Ed25519 or Ed448 (#475)
* Do not crash when signing with Ed25519 or Ed448.

* Forgot replace.
2022-06-15 22:06:40 +02:00
Andrew Pantuso 4ab45e8c21
ci: enable rhel9.0 tests for openssh_cert (#463)
* ci: enable rhel9.0 tests for openssh_cert

* ci: allow openssh_cert second signature algorithm test for versions >8.7

* ci: narrowing condition to not attempt RSA1 signing exclusively on RHEL >=9

* ci: grouping and documenting condition
2022-05-21 16:43:54 +02:00
Felix Fontein c566a7abf3
Add RHEL 9.0, FreeBSD 13.1, Ubuntu 22.04 and Fedora 36 to CI (#456)
* Add RHEL 9.0 and FreeBSD 13.1 to CI.

* Add Ubuntu 22.04 and Fedora 36 to CI.

* Switch orders so that root doesn't have a SHA1 signature.

* Skip openssh_cert test on RHEL 9.0.

* Make it possible that pyOpenSSL isn't installed *at all*.

* Work with default.
2022-05-20 23:03:54 +02:00
Felix Fontein 4cf951596f
Improve handling of IDNA/Unicode domains (#436)
* Prepare IDNA/Unicode conversion code. Use to normalize input.

* Use IDNA library first (IDNA2008) and Python's IDNA2003 implementation as a fallback.

* Make sure idna is installed.

* Add changelog fragment.

* 'punycode' → 'idna'.

* Add name_encoding options and tests.

* Avoid invalid character for IDNA2008.

* Linting.

* Forgot to upate value.

* Work around cryptography bug. Fix port handling for URIs.

* Forgot other place sensitive to cryptography bug.

* Forgot one. (Will likely still fail.)

* Decode IDNA in _compress_entry() to avoid comparison screw-ups.

* Work around Python 3.5 problem in Ansible 2.9's default test container.

* Update changelog fragment.

* Fix error, add tests.

* Python 2 compatibility.

* Update requirements.
2022-05-09 19:57:14 +02:00
Felix Fontein 90efcc1ca7
Add privatekey_content option. (#452) 2022-05-09 19:56:08 +02:00
Felix Fontein 91f192ce5b
Fix main for new cryptography 37.0.0 release (#445)
* Fix empty check for openssl_pkcs12 tests.

* Remove unnecessary imports.

* Prevent crash if PyOpenSSL cannot be imported because of an AttributeError.

* Add changelog fragment.

* Fix constraints file.

* Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken).

* Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
2022-04-26 22:18:37 +02:00
Felix Fontein 9d03178b00
Fix crash in x509_crl when certificate issuer is specified (#441)
* Fix x509_crl certificate issuer issue.

* Add tests.

* Add changelog fragment.
2022-04-18 08:17:27 +02:00
Yauhen 041fff5057
Add persistent and perf options to the luks_device (#434)
Read and write work queue significantly degrades performance on
SSD/NVME devices[1].

In Debian 11 crypttab does not support no-read-workqueue and
no-write-workqueue flags, so the persistent flag is workaround: once
opened with perf parameters persists forever.

[1] https://blog.cloudflare.com/speeding-up-linux-disk-encryption/

Signed-off-by: Yauhen Artsiukhou <jsirex@gmail.com>
2022-04-10 14:30:10 +02:00
Felix Fontein 867158a942
Run ACME tests on more targets. (#419) 2022-03-12 08:55:06 +01:00
Felix Fontein 73c8577b61
Integrate Alpine into CI (#408)
* Integrate Alpine into CI.

* Fix package names.
2022-02-19 17:54:05 +00:00
Felix Fontein 84c1a20af7
CI: add community ansible-test images (#404)
* Use community ansible-test images.

* Adjust tests for new operating systems, and pass on Python version as well.

* Fix Python version.

Co-authored-by: David Moreau Simard <moi@dmsimard.com>

* Fix package name.

Co-authored-by: David Moreau Simard <moi@dmsimard.com>
2022-02-17 22:29:50 +01:00
Felix Fontein 28729657ac
x509_certificate: check existing certificate's signature for selfsigned and ownca provider (#407)
* Verify whether signature matches.

* Add changelog fragment.

* Forgot imports.

* Fix wrong name.

* Check whether the CA private key fits to the CA certificate. Use correct key in tests.

* Refactor code.
2022-02-16 07:38:11 +01:00
Felix Fontein 3ebc132c03
Regenerate certificate on CA's subject change. (#402) 2022-02-14 18:04:29 +01:00
Felix Fontein 11a14543c8
certificate_complete_chain: handle duplicate intermediate subjects (#403)
* Allow multiple intermediate CAs to have same subject.

* Add tests.

* Fix test name.

* Don't use CN for SAN.

* Make a bit more compatible.

* Include jinja2 compat for CentOS 6.
2022-02-14 13:29:19 +01:00
Andrew Pantuso a307618872
openssh_cert - fix full_idempotence for host certificates (#396)
* fixing host cert idempotence

* adding changelog fragment
2022-02-04 20:53:50 +01:00
JochenKorge b339e71973
Added 'ignore_timestamps' parameter (#381)
* Added 'ignore_timestamps' parameter

* Update plugins/modules/openssh_cert.py

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>

* Update plugins/modules/openssh_cert.py

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>

* Update plugins/modules/openssh_cert.py

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>

* Added fragment

* Update plugins/modules/openssh_cert.py

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>

* added ignore_timestamps to example

* corrected styling

* fixed styling (again)

* Update changelogs/fragments/381_openssh_cert_add_ignore_timestamps.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* splitted description as suggested by felixfontein

* fixed linebreak

* Mentioned ignore_timestamps in regenerate

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
2022-01-20 16:15:50 +01:00
Felix Fontein cd5ed011a5
Update CI matrix for Remote Devel (#377)
* Update CI matrix for Remote Devel.

* Add Python info entries.
2022-01-13 09:18:48 +01:00
Felix Fontein bd2bd79497
Add openssl_privatekey_convert module (#362)
* Add openssl_privatekey_convert module.

* Extend tests and fix bugs.

* Fix wrong required.

* Fix condition.

* Fix bad tests.

* Fix documentation for format.

* Fix copyright lines.
2022-01-10 21:01:52 +01:00
Felix Fontein b2ea4a7ce5
Add basic crypto_info module (#363)
* Add basic crypto_info module.

* Improve check.

* Actually test capabilities.

* Also output EC curve list.

* Fix detections.

* Ed25519 and Ed448 are not supported on FreeBSD 12.1.

* Refactor.

* Also retrieve information on the OpenSSL binary.

* Improve splitting.

* Update plugins/modules/crypto_info.py

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>

* Replace list by tuple.

Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
2022-01-05 18:19:42 +01:00
Felix Fontein 6ee238d961
certificate_complete_chain: avoid infinite loops, and double roots when root certificate was already part of chain (#360)
* Avoid infinite loops, and double roots when root certificate was already part of chain.

* Refactor tests for readability.
2022-01-04 07:00:09 +01:00
Felix Fontein 471506c5d4
Improve changed / nonchanged validations by using new modules from community.internal_test_tools (#183)
* Use modules from internal_test_tools instead of stat workaround to check whether file actually changed.

* Properly add testing dependency.
2022-01-03 18:43:17 +01:00
Jens Heinrich 2c05221d89
Feature/rename test cases (#356)
* Name test tasks in a more explicite manner

* Space test + verification blocks apart

* Apply suggestions from code review

Co-authored-by: Jens Heinrich <github.com/JensHeinrich>
Co-authored-by: Felix Fontein <felix@fontein.de>
2021-12-30 10:06:43 +01:00
Felix Fontein 3f40795a98
Extension parsing: add new fallback code which uses the new cryptography API (#331)
* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.

* Forgot Base64 encoding.

* Add extension by OID tests.

* There's one value which is different with the new code.

* Differences in CI.

* Working around older Jinjas.

* Value depends on which SAN was included.

* Force complete CI run now since cryptography 36.0.0 is out.

ci_complete
2021-11-22 07:42:49 +01:00
Felix Fontein 589e7c72ef
Allow to specify subject (for CSRs) and issuer (for CRLs) ordered (#316)
* Allow to specify subject (for CSRs) and issuer (for CRLs) ordered.

* Forgot import.

* Apply suggestions from code review

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Apply suggestions from code review

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Fix typo.

* Simplify error handling, reject empty values outright.

* Document d497231e1c.

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
2021-10-31 15:05:04 +01:00
Felix Fontein eb8dabce84
Improve Python 2 Unicode handling. (#313) 2021-10-22 07:15:20 +02:00
Felix Fontein a581f1ebcd
Remove other deprecations (#290)
* Remove deprecated redirects.

* Remove deprecations.

* Add changelog fragment.

* Add some forgotten pieces.

* Bump version to 2.0.0.

* Fix formulation.
2021-10-16 21:00:48 +02:00
Felix Fontein 5f1efb6f7e
Remove assertonly (#289)
* Remove assertonly backend.

* Remove assertonly tests.

* The expired test is basically a test of assertonly.

* Replace assertonly verification by _info + assert.
2021-10-10 10:24:00 +02:00
Felix Fontein 838bdd711b
Make Dirname (de)serialization conformant to RFC 4514 (#274)
* Adjust dirName serialization to RFC 4514.

* Adjust deserialization to RFC 4514.

* Add changelog fragment.

* Use Unicode strings, and work around Python 2 and Python 3 differences and problems with old cryptography versions.

* Work with bytes, not Unicode strings, to handle escaping of Unicode endpoints correctly.
2021-09-28 18:15:38 +02:00
Felix Fontein f644db3c79
Remove PyOpenSSL backends (except for openssl_pkcs12) (#273)
* Remove Ubuntu 16.04 (Xenial Xerus) from CI.

* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.

* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.

* Add changelog fragment.
2021-09-28 17:46:35 +02:00
Felix Fontein 44f7367e21
Extend CI (#283)
* Run all tests on all targets. Remove hack in setup_acme.

* Fix some failing tests.

* OpenSSH tests do not work yet with default image on Ansible 2.9. Let's skip them on the cloud target.

* Make tests pass again.

* Make sure to install *latest* versions of cryptography and pyOpenSSL when not installing system packages, whenever possible.

ci_complete

* Update/fix aliases files.
2021-09-25 17:21:06 +02:00
Ajpantuso 771a9eebcf
Initial commit (#285) 2021-09-24 06:59:52 +02:00
Felix Fontein 0fdede5d7a
Fix CI (1/2) (#284)
* New default docker image no longer contains bcrypt.

* Install cryptography for ACME tests.

* Add constraints.
2021-09-23 21:56:03 +02:00
Felix Fontein 56b2130c6e
openssl_privatekey_pipe is an action plugin. (#267) 2021-09-21 07:29:26 +02:00
Felix Fontein 6c018b94da
Improve CI (#281)
* Install PyOpenSSL and cryptography from PyPi if target Python != system Python.

* Work around some CentOS6, 7, Ubuntu 16.04 problems. Improve jinja2 compatibility handling.

* Skip tasks that require properties that aren't always there.

* Only install OpenSSL when not present.

* Improve output.

* Improve get_certificate integration test graceful failing.

* Fix tests.

* Fix assert.

* OpenSSL peculiarities.

* Fix condition.
2021-09-18 15:21:40 +02:00
Ajpantuso eea7bfc6bf
openssh_cert - adding signature_algorithm option (#277)
* Initial Commit

* Update supported OpenSSH versions for RSA SHA-2 signed certs

* Updating 'regenerate' documentation
2021-09-15 08:53:53 +02:00
Felix Fontein 03427e35a7
Fix idempotency for non-ASCII string comparisons. (#271) 2021-09-14 07:06:35 +02:00
Felix Fontein 330b30d5d2
certificate_complete_chain tests need cryptography installed on the target, so use setup_openssl. (#272) 2021-09-11 11:29:03 +02:00
Felix Fontein 02ee3fb974
Improve CI (#268)
* Remove superfluous remote_src.

* Use temp dir twice instead of output_dir.

* Use remote temp directory instead of output_dir.

* Fix syntax error.

* Add some fixes.

* Copy more files to remote.

* More fixes.

* Fixing ACME/'cloud' tests.

* Forgot when.

* Try to fix filters.

* Skip unnecessary steps.

* Avoid collision.
2021-09-07 22:37:40 +02:00
Felix Fontein 94fc356338
https://github.com/diafygi/acme-tiny/pull/254 has been merged. (#265) 2021-08-22 12:41:41 +02:00
Ajpantuso 08ada24a53
openssh_keypair - Add diff support and general cleanup (#260)
* Initial commit

* Matching tests to overwritten permissions behavior with cryptography

* Ensuring key validation only occurs when state=present and accomodating CentOS6 restrictions

* Making ssh-keygen behavior explicit by version in tests

* Ensuring cyrptography not excluded in new conditions

* Adding changelog fragment

* Fixing sanity checks

* Improving readability

* Applying review suggestions

* addressing restore_on_failure conflict
2021-08-18 09:22:31 +02:00
Ajpantuso 85ac60e2c3
openssh_keypair - integration test refactoring (#259)
* Initial commit

* Fixed CRLF and ed25519 handling on CentOS6

* Separated expected test results for file permissions between backends

* Fixed unprotected key base directory

* Fixed PEM encoded file test
2021-08-04 21:19:32 +02:00
Ajpantuso aaba87ac57
openssh_cert - Adding regenerate option (#256)
* Initial commit

* Fixing unit tests

* More unit fixes

* Adding changelog fragment

* Minor refactor in Certificate.generate()

* Addressing option case-sensitivity and directive overrides

* Renaming idempotency to regenerate

* updating changelog

* Minor refactoring of default options

* Cleaning up with inline functions

* Fixing false failures when regenerate=fail and improving clarity

* Applying second round of review suggestions

* adding helper for safe atomic moves
2021-07-31 11:36:03 +02:00
Ajpantuso 4908f1a8ec
openssh_cert - cleanup and diff support (#255)
* Initial commit

* Fixing units

* Adding changelog fragment

* Enhanced encapsulation of certificate data

* Avoiding failure when path is not parseable

* Diff refactor

* Applying initial review suggestions
2021-07-16 19:00:22 +02:00
Felix Fontein 0df33de73e
Fix openssl_pkcs12 crash with cryptography backend when loading passphrase-protected files (#248)
* Convert passphrase to bytes when loading PKCS#12 file with cryptography.

* Add tests with PKCS#12 passphrase.

* Add changelog fragment.
2021-06-11 18:03:16 +00:00
Felix Fontein bfb8e5df82
Fix crash in x509_certificate (#241)
* Fix crash in x509_certificate.

* Add test.
2021-06-02 16:44:58 +02:00
Felix Fontein 376d7cde12
Avoid crash in check mode (#243)
* Do not let AnsibleModule crash when setting permissions on not yet existing files in check mode.

* Add tests.

* Fix bugs.
2021-06-02 16:44:26 +02:00
Ajpantuso c6483751b5
openssh_keypair - Adding backend option and refactoring backend code (#236)
* Refactoring openssh_keypair for multiple backends

* Fixing cryptography backend validations

* Simplifying conditionals and excess variable assignments

* Fixing docs and adding cleanup for integration tests

* Fixing docs and public key validation bugs in crypto backend

* Enhancing cryptogagraphy utils to raise OpenSSHErrors when file not found

* Adding missed copyright and cleanup for idempotency test keys

* Fixing doc style

* Readding crypto/openssh for backwards compatibility

* Adding changelog fragment and final simplifications of conditional statements

* Applied initial review suggestions
2021-05-23 22:36:55 +02:00
Felix Fontein e9bc7c7163
openssl_pkcs12: add cryptography backend (#234)
* Began refactoring.

* Continue.

* Factor PyOpenSSL backend out.

* Add basic cryptography backend.

* Update plugins/modules/openssl_pkcs12.py

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Only run tests when new enough pyOpenSSL or cryptography is around.

* Reduce required pyOpenSSL version from 17.1.0 to 0.15.

I have no idea why 17.1.0 was there (in the tests), and not something smaller.
The module itself did not mention any version.

* Linting.

* Linting.

* Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used.

* Improve docs, add changelog fragment.

* Move hackish code to cryptography_support.

* Update plugins/modules/openssl_pkcs12.py

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Update plugins/modules/openssl_pkcs12.py

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Streamline cert creation.

* Convert range to list.

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
2021-05-20 19:36:07 +02:00
Felix Fontein 0a0d0f2bdf
openssl_csr_info and x509_certificate_info: return more public key information (#233)
* Return more public key information.

* Make sure bit size is converted to int first.

* Apply suggestions from code review

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

* Remove no longer necessary code.

* Use correct return value's name.

* Add trailing commas.

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
2021-05-19 14:02:45 +02:00
Felix Fontein 69aeb2d86f
x509_crl_info: allow to not enumerate revoked certificates (#232)
* Allow to not enumerate revoked certificates.

* Forgot to remove one instance.

* Add example.
2021-05-19 09:32:30 +02:00
Felix Fontein 7298c1f49a
Add openssl_publickey_info module (#231)
* Add openssl_publickey_info module. Share code between openssl_privatekey_info and the new module, and improve documentation of it.

* Move public key loading to support module.

* Require pyOpenSSL 16.0.0 for public key loading.

* Linting.

* Apply suggestions from code review

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>

Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
2021-05-18 17:47:10 +02:00
Felix Fontein 6c5a0c6df1
x509_crl_info: move main code to module_utils to allow easier implementation of diff mode (#203)
* Move x509_crl_info code to module_utils.

* Add changelog fragment.

* Make sure PyOpenSSL is also installed.

* Implement review comments.
2021-05-12 23:30:19 +02:00
Ajpantuso 80d64e7b64
openssh_keypair: Populate return values when keypair exists and check_mode=true (#230)
* Swapping statement order for check_mode to initialize return values

* Adding changelog fragment

* Updated changelog to reflect bugfix
2021-05-12 16:10:08 +02:00
Ajpantuso 6100d9b4df
openssh_keypair: Adding passphrase parameter (#225)
* Integrating openssh module utils with openssh_keypair

* Added explicit PEM formatting for OpenSSH < 7.8

* Adding changelog fragment

* Adding OpenSSL/cryptography dependency for integration tests

* Adding private_key_format option and removing forced cryptography update for CI

* Fixed version check for bcrypt and key_format option name

* Setting no_log=False for private_key_format

* Docs correction and simplification of control flow for private_key_format
2021-05-10 14:47:01 +02:00
Felix Fontein e85554827f
acme_* modules: support private key passprases (#207)
* Support private key passprases.

* Use c.c modules for key generation, add first passphrase tests.

* Some more passphrase tests.
2021-03-21 17:53:20 +01:00
Felix Fontein a1897fd3b1
luks_device: add sector_size option (#193)
* Add sector_size option to luks_device.

* Trying to improve error handling.

* Improve error handling.
2021-03-02 22:02:31 +01:00
Felix Fontein b22c4fb65a
Fix CI (#188)
* Limit cryptography to < 3.4 for Python < 3.6.

* Make sure cryptography 3.3+ is installed on Darwin.

* Work around old pip versions.
2021-02-09 06:47:30 +01:00
Felix Fontein 15a0be6107
Deprecate returning orders when retrieve_orders=url_list. (#178)
This allows to get rid of the ignore.txt entries for the return value syntax
error since then orders will always have the same type when returned.
2021-01-27 09:03:34 +01:00
Felix Fontein c7ef362d7a
openssl_pkcs12: allow to specify certificate bundles in other_certificates (#166)
* Rename identify.py to pem.py.

* Move split PEM list code to pem.py crypto module_utils.

* Extend and use global certificate splitting code in acme_certificate.

* openssl_pkcs12: allow to load multiple certificates from files mentioned in other_certificates.

* Add changelog and module_utils redirect.

* Remove old check.

* Fix typo.

* Apply suggestions from code review

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

* Add example.

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2021-01-26 10:21:49 +01:00
Felix Fontein d8ccebce60
openssl_csr: allow to specify CRL distribution endpoints (#167)
* Improve error messages for name decoding (not all names appear in SANs).

* Refactor DN parsing, add relative DN parsing code.

* Allow to specify CRL distribution points.

* Add changelog fragment.

* Fix typo.

* Make sure value argument to x509.NameAttribute is a text.

* Update changelogs/fragments/167-openssl_csr-crl-distribution-points.yml

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

* Add example.

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2021-01-26 09:57:40 +01:00
Felix Fontein 4f7ab6733d
Add Ubuntu 20.04 to CI (#176)
* Add Ubuntu 20.04 to CI.

* Also use longer keys for Ubuntu 20.04.

* Fix condition.
2021-01-22 21:39:53 +01:00
Felix Fontein 7714893294
Bump CI to FreeBSD 11.4, 12.2, add FreeBSD 12.1 to remote 2.10 tests (#174)
* Bump CI to FreeBSD 11.4, 12.2, add FreeBSD 12.1 to remote 2.10 tests.

* Use correct package prefix.

* Make more future-proof.
2021-01-22 15:52:43 +01:00
Felix Fontein d921ff1f68
Allow to configure PBKDF (#163)
* Allow to configure PBKDF.

* Also add PBKDF options to key add operation.

* Simplify code.

* Update plugins/modules/luks_device.py

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

* Fix indent.

* Use more of the options.

* Bump iteration count.

* Increase memory limit.

* Fall back to default PBKDF.

* Apply suggestions from code review

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2021-01-22 12:21:03 +00:00
NorthFuture 2031787506
Added sever name option to use for SNI (#172)
* Added sever name option to use for SNI

* cleanup code

Co-authored-by: Felix Fontein <felix@fontein.de>

* added module version for new parameter

Co-authored-by: Felix Fontein <felix@fontein.de>

* added SNI explanation

Co-authored-by: Felix Fontein <felix@fontein.de>

* added SNI link to module description

* linting

* cleanup code

* Update plugins/modules/get_certificate.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* integration test for SNI server_name option

Co-authored-by: Felix Fontein <felix@fontein.de>
2021-01-17 12:21:12 +01:00
Felix Fontein ccb25eab36
luks_device - make add/removal of keyfile/passphrase idempotent (#168)
* Update documentation, adjust tests, add changelog fragment.

* Move module unit test to correct place.

* Implement keyfile / passphrase test.
2021-01-03 11:22:41 +01:00
Felix Fontein 4d8dcad190
Speed up tests (#153)
* Improve openssh_* tests.

* Use 2048 instead of 4096 bit keys in many places.

ci_complete

* Parameterize default RSA key length for tests.

* Reduce default RSA key size to 1024.

ci_complete

* Fix error.

ci_complete

* Use variable more often.

* Use 2048 bits for RSA keys for certificates on RHEL8 and CentOS8.

ci_complete

* Fix missing constant.

ci_complete

* Print default key sizes.
2020-12-04 13:08:14 +00:00
Felix Fontein 69335a8bac
Refactor x509_certificate module, add x509_certificate_pipe module (#135)
* Move documentation to doc fragment.

* Prepare module backends.

* Linting.

* Fix comments.

* First shot at actually moving code.

* Forgot SKI check.

* Remove unused imports.

* Improve check mode.

* Fix 'returned'.

* Move csr_* checks.

* Explicitly specify parameter.

* Add x509_certificate_pipe module.

* Update other seealsos.

* Forgot to remove doc fragment.

* Adjust to work with macOS 10.15.

* Update plugins/module_utils/crypto/module_backends/certificate_entrust.py

Co-authored-by: Chris Trufan <31186388+ctrufan@users.noreply.github.com>

* Add changelog fragments for entrust bugfix and module refactorings.

* Restore old behavior of Entrust backend when existing certificate cannot be parsed.

* Update plugins/modules/x509_certificate_pipe.py

Co-authored-by: Chris Trufan <31186388+ctrufan@users.noreply.github.com>

* Remove Entrust provider from x509_certificate_pipe for now.

* Add own CA tests.

* One more fix for Entrust provider, when csr_content is used.

* Update plugins/modules/x509_certificate_pipe.py

Co-authored-by: Chris Trufan <31186388+ctrufan@users.noreply.github.com>

* Fix another broken example.

* Revert "Remove Entrust provider from x509_certificate_pipe for now."

This reverts commit 6ee5d7d4f99f0fe2218276a2d3f1f38b676c29b9.

* ci_complete

* Apply suggestions from code review

Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>

* Improve example.

* Improve readability of example, add another one.

* Extend descriptions of csr_* for selfsigned.

* Improve documentation.

* Move deprecation message up.

* Explain empty choices.

Co-authored-by: Chris Trufan <31186388+ctrufan@users.noreply.github.com>
Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>
2020-11-24 17:21:52 +01:00
Norman Ziegner 86b39733e1
openssl_pkcs12: Add a check for parsed pkcs12 files (#145)
* openssl_pkcs12: Add a check for parsed pkcs12 files

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add changelog fragment

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* openssl_pkcs12: Report changed state when a pkcs12 file is dumped

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add a basic test for dumping a pkcs12 file

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Update changelog fragment

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add test for dumped pkcs12 file in check mode

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2020-11-23 09:14:45 +01:00
Felix Fontein 942255923b
Add x509_certificate tests for ACME provider (#142)
* Add x509_certificate tests for ACME provider.

* Make it work with Python 2.x.

* Cleanup.

* Add more tests.
2020-11-13 08:22:32 +01:00
Felix Fontein 5ffe97f874
Work around problem with cryptography being upgraded while installing pyOpenSSL (#137)
* Work around problem with cryptography being upgraded while installing pyOpenSSL.

* Avoid another instability.
2020-11-03 12:39:58 +01:00
Felix Fontein ec55161cb1
Run tests with macOS 10.15. (#112)
* Run tests with macOS 10.15.

* Update prepare_http_tests as in https://github.com/ansible/ansible/pull/71841/files.

* Also skip luks_device tests on macOS.

* Temporarily restrict to macOS/OSX nodes.

* Show full OpenSSL version.

* Show pyOpenSSL debug details.

* Make location of openssl binary configurable.

* Try to upgrade openssl on macOS when LibreSSL is found.

* Use other variable.

* Use found binary instead of default.

* Revert "Temporarily restrict to macOS/OSX nodes."

This reverts commit ea379382e5.

ci_complete

* Avoid crashing when OpenSSL.debug does not exist.

* Combine setup_openssl_cli with setup_openssl

* Split up setup_openssl in setup_openssl (openssl + cryptography) and setup_pyopenssl.

* Fix package name.

* Don't install cryptography on CentOS 6, print environment.

* Work around ansible-test limitation.
2020-11-03 08:45:32 +01:00
Felix Fontein 3c21079afa
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119)
* Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments.

* Improve documentation.

* Add openssl_privatekey_pipe module.

* Fallback in case no fingerprints are returned.

* Prevent no_log=True for content to stop module from working correctly.

* Forgot version_added.

* Update copyright. All the interesting code is no longer in this file anyway.

* Remove file arguments.

* Add framework for action modules.

* Convert openssl_privatekey_pipe to action plugin.

* Linting.

* Bump version.

* Add return_current_key option.

* Add no_log to examples.

* Remove preparation for potential later extensibility (easy to re-add when needed).

* Fix deprecation version in docs.

* Use new ArgumentSpec object for AnsibleActionModule as well.
2020-10-28 21:52:54 +01:00
Felix Fontein 9792188b0e
Refactor openssl_csr module, add openssl_csr_pipe module (#123)
* Extract doc fragment from openssl_csr.

* Refactor openssl_csr module into backend + module.

* Add openssl_csr_pipe module.

* Add seealso references.

* ...

* Use /dev/stdin instead of -, which seems to be only supported by newer openssl versions.

* Bump version.

* DRY: use select_message_digest.

* Fix deprecation version in docs.

* Docs improvements.

* Improve argument spec handling for module backends.

* Linting.

* Fix linting problems by using kwargs.
2020-10-27 12:37:40 +01:00
Felix Fontein fd7871ae7d
Allow to run x509_certificate selfsigned provider without providing a CSR (#129)
* Allow to run x509_certificate selfsigned provider without providing a CSR.

* Add missing prefixes (unrelated).
2020-10-19 18:09:40 +02:00
Doug Stanley b32adcce78
Implement use_agent option to get signing key from ssh-agent. (#117) 2020-10-19 18:07:36 +02:00
Felix Fontein 7d0e5e814e
Return certificate fingerprints from x509_certificate_info (#121)
* Return certificate fingerprints from x509_certificate_info.

* Update plugins/modules/x509_certificate_info.py

Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>

Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>
2020-10-13 10:41:09 +02:00
Felix Fontein 42dd19c387
Allow to pass CSR to acme_certificate as csr_content (#115)
* Allow to pass CSR to acme_certificate as csr_content.

* Make sure contents are bytes.

* No need to write CSR to disk.

* Forgot version_added.

* Fix documentation.
2020-10-09 14:01:34 +02:00
Felix Fontein 8e10e1e590
Always show current backend during tests in `name:`. (#118)
* Always show current backend during tests.

* Remove double prefix.
2020-10-09 11:10:53 +02:00
Andrew Klychkov 010b54f0af
CI tests: add a note not to use tests as an example of writing roles (#111) 2020-09-25 09:25:48 +03:00