* Disable consistency checking of RSA keys for cryptography 42.0.0 which no longer gives access to the required function. (#702)
(cherry picked from commit 87af1f2761)
* Adjust tests to ignore key_is_consistent.
* Handle pyOpenSSL 23.3.0, which removed PKCS#12 support (at least partially). (#666)
(cherry picked from commit d1299c11d6)
* Try to fix FreeBSD 13.1 failures in CI.
* Always generate a new key pair if the private key doesn't exist (#597)
This commit updates `KeypairBackend._should_generate()` to first check
if the original private key named by the `path` argument exists, and
return True if it does not. This brings the code in line with
the documentation, which says that a new key will always be generated if
the key file doesn't already exist.
As an alternative to the approach implemented here, I also considered
only modifying the condition in the `fail` branch of the if statement,
but I thought that would not map as cleanly to the behavior specified in
the documentation, so doing it the way I did should make it easier to
check that the code is doing the right thing just by looking at it.
I also considered doing something to make the logic more similar to
`PrivateKeyBackend.needs_regeneration()` (the openssl version of this
functionality), because the two are supposed to be acting the same way,
but I thought that'd be going beyond the scope of just fixing this bug.
If it'd be useful to make both methods work the same way, someone can
refactor the code in a future commit.
* Test different regenerate values with nonexistent keys
This commit changes the test task that generates new keys to use each of
the different values for the `regenerate` argument, which will ensure
that the module is capable of generating a key when no previous key
exists regardless of the value of `regenerate`. Previously, the task
would always run with the `partial_idempotence` value, and that obscured
a bug (#597) that would occur when it was set to `fail`. The bug was
fixed in the previous commit.
(cherry picked from commit ce3299f106)
Co-authored-by: David Zaslavsky <diazona@ellipsix.net>
* Work around stupid ssh-agent output format.
* Workaround for Ansible 2.9.
* Old jinja2...
* Jinja2 on CentOS 6 is really annoying.
(cherry picked from commit e4ebca0945)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix empty check for openssl_pkcs12 tests.
* Prevent crash if PyOpenSSL cannot be imported because of an AttributeError.
* Add changelog fragment.
* Fix constraints file.
* Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken).
* Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
* Regenerate certificate on CA's subject change. (#402)
(cherry picked from commit 3ebc132c03)
* Add fix for PyOpenSSL backend.
* x509_certificate: check existing certificate's signature for selfsigned and ownca provider (#407)
* Verify whether signature matches.
* Add changelog fragment.
* Forgot imports.
* Fix wrong name.
* Check whether the CA private key fits to the CA certificate. Use correct key in tests.
* Refactor code.
(cherry picked from commit 28729657ac)
* There doesn't seem to be a way to do this with pyOpenSSL.
* Allow multiple intermediate CAs to have same subject.
* Add tests.
* Fix test name.
* Don't use CN for SAN.
* Make a bit more compatible.
* Include jinja2 compat for CentOS 6.
(cherry picked from commit 11a14543c8)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update CI matrix for Remote Devel.
* Add Python info entries.
(cherry picked from commit cd5ed011a5)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Avoid infinite loops, and double roots when root certificate was already part of chain.
* Refactor tests for readability.
(cherry picked from commit 6ee238d961)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Use modules from internal_test_tools instead of stat workaround to check whether file actually changed.
* Properly add testing dependency.
(cherry picked from commit 471506c5d4)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Name test tasks in a more explicit manner
* Space test + verification blocks apart
* Apply suggestions from code review
Co-authored-by: Jens Heinrich <github.com/JensHeinrich>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 2c05221d89)
Co-authored-by: Jens Heinrich <59469646+JensHeinrich@users.noreply.github.com>
* Extension parsing: add new fallback code which uses the new cryptography API (#331)
* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.
* Forgot Base64 encoding.
* Add extension by OID tests.
* There's one value which is different with the new code.
* Differences in CI.
* Working around older Jinjas.
* Value depends on which SAN was included.
* Force complete CI run now since cryptography 36.0.0 is out.
ci_complete
(cherry picked from commit 3f40795a98)
* Adjust tests.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Improve Python 2 Unicode handling. (#313)
(cherry picked from commit eb8dabce84)
* Remove test since it doesn't work with pyOpenSSL.
* Completely remove test.
* Update plugins/module_utils/crypto/cryptography_support.py
* Run all tests on all targets. Remove hack in setup_acme.
* Fix some failing tests.
* OpenSSH tests do not work yet with default image on Ansible 2.9. Let's skip them on the cloud target.
* Make tests pass again.
* Make sure to install *latest* versions of cryptography and pyOpenSSL when not installing system packages, whenever possible.
ci_complete
* Update/fix aliases files.
* Install PyOpenSSL and cryptography from PyPI if target Python != system Python.
* Work around some CentOS6, 7, Ubuntu 16.04 problems. Improve jinja2 compatibility handling.
* Skip tasks that require properties that aren't always there.
* Only install OpenSSL when not present.
* Improve output.
* Improve get_certificate integration test graceful failing.
* Fix tests.
* Fix assert.
* OpenSSL peculiarities.
* Fix condition.
* Initial commit
* Matching tests to overwritten permissions behavior with cryptography
* Ensuring key validation only occurs when state=present and accommodating CentOS6 restrictions
* Making ssh-keygen behavior explicit by version in tests
* Ensuring cryptography not excluded in new conditions
* Adding changelog fragment
* Fixing sanity checks
* Improving readability
* Applying review suggestions
* addressing restore_on_failure conflict
* Initial commit
* Fixed CRLF and ed25519 handling on CentOS6
* Separated expected test results for file permissions between backends
* Fixed unprotected key base directory
* Fixed PEM encoded file test
* Initial commit
* Fixing unit tests
* More unit fixes
* Adding changelog fragment
* Minor refactor in Certificate.generate()
* Addressing option case-sensitivity and directive overrides
* Renaming idempotency to regenerate
* updating changelog
* Minor refactoring of default options
* Cleaning up with inline functions
* Fixing false failures when regenerate=fail and improving clarity
* Applying second round of review suggestions
* adding helper for safe atomic moves
* Initial commit
* Fixing units
* Adding changelog fragment
* Enhanced encapsulation of certificate data
* Avoiding failure when path is not parseable
* Diff refactor
* Applying initial review suggestions
* Refactoring openssh_keypair for multiple backends
* Fixing cryptography backend validations
* Simplifying conditionals and excess variable assignments
* Fixing docs and adding cleanup for integration tests
* Fixing docs and public key validation bugs in crypto backend
* Enhancing cryptography utils to raise OpenSSHErrors when file not found
* Adding missed copyright and cleanup for idempotency test keys
* Fixing doc style
* Readding crypto/openssh for backwards compatibility
* Adding changelog fragment and final simplifications of conditional statements
* Applied initial review suggestions
* Began refactoring.
* Continue.
* Factor PyOpenSSL backend out.
* Add basic cryptography backend.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Only run tests when new enough pyOpenSSL or cryptography is around.
* Reduce required pyOpenSSL version from 17.1.0 to 0.15.
I have no idea why 17.1.0 was there (in the tests), and not something smaller.
The module itself did not mention any version.
* Linting.
* Linting.
* Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used.
* Improve docs, add changelog fragment.
* Move hackish code to cryptography_support.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Streamline cert creation.
* Convert range to list.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Return more public key information.
* Make sure bit size is converted to int first.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Remove no longer necessary code.
* Use correct return value's name.
* Add trailing commas.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Add openssl_publickey_info module. Share code between openssl_privatekey_info and the new module, and improve documentation of it.
* Move public key loading to support module.
* Require pyOpenSSL 16.0.0 for public key loading.
* Linting.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>