* Fix quick_is_not_prime() for small primes. Add some tests.
* Fix return value of convert_int_to_bytes(0, 0) on Python 2.
* Add some more test cases.
* Simplify the changelog and point out that these errors only happen for cases not happening in regular use.
(cherry picked from commit 0c62837296)
* Disable consistency checking of RSA keys for cryptography 42.0.0 which no longer gives access to the required function. (#702)
(cherry picked from commit 87af1f2761)
* Adjust tests to ignore key_is_consistent.
* Handle pyOpenSSL 23.3.0, which removed PKCS#12 support (at least partially). (#666)
(cherry picked from commit d1299c11d6)
* Try to fix FreeBSD 13.1 failures in CI.
* Always generate a new key pair if the private key doesn't exist (#597)
This commit updates `KeypairBackend._should_generate()` to first check
if the original private key named by the `path` argument exists, and
return True if it does not. This brings the code in line with
the documentation, which says that a new key will always be generated if
the key file doesn't already exist.
As an alternative to the approach implemented here, I also considered
only modifying the condition in the `fail` branch of the if statement,
but I thought that would not map as cleanly to the behavior specified in
the documentation, so doing it the way I did should make it easier to
check that the code is doing the right thing just by looking at it.
I also considered doing something to make the logic more similar to
`PrivateKeyBackend.needs_regeneration()` (the openssl version of this
functionality), because the two are supposed to be acting the same way,
but I thought that'd be going beyond the scope of just fixing this bug.
If it'd be useful to make both methods work the same way, someone can
refactor the code in a future commit.
* Test different regenerate values with nonexistent keys
This commit changes the test task that generates new keys to use each of
the different values for the `regenerate` argument, which will ensure
that the module is capable of generating a key when no previous key
exists regardless of the value of `regenerate`. Previously, the task
would always run with the `partial_idempotence` value, and that obscured
a bug (#597) that would occur when it was set to `fail`. The bug was
fixed in the previous commit.
(cherry picked from commit ce3299f106)
Co-authored-by: David Zaslavsky <diazona@ellipsix.net>
* Do extra docs validation. Explicitly disallow semantic markup in docs.
* Forgot to add new requirement.
* Improve test.
* TEMP - make CI fail.
* Revert "TEMP - make CI fail."
This reverts commit a71b8901c1.
* Remove unnecessary import.
* Make sure ANSIBLE_COLLECTIONS_PATH is set.
* Make sure sanity tests from older Ansible versions don't complain.
(cherry picked from commit ceabef7e58)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Work around stupid ssh-agent output format.
* Workaround for Ansible 2.9.
* Old jinja2...
* Jinja2 on CentOS 6 is really annoying.
(cherry picked from commit e4ebca0945)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix empty check for openssl_pkcs12 tests.
* Prevent crash if PyOpenSSL cannot be imported because of an AttributeError.
* Add changelog fragment.
* Fix constraints file.
* Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken).
* Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
* Regenerate certificate on CA's subject change. (#402)
(cherry picked from commit 3ebc132c03)
* Add fix for PyOpenSSL backend.
* x509_certificate: check existing certificate's signature for selfsigned and ownca provider (#407)
* Verify whether signature matches.
* Add changelog fragment.
* Forgot imports.
* Fix wrong name.
* Check whether the CA private key fits to the CA certificate. Use correct key in tests.
* Refactor code.
(cherry picked from commit 28729657ac)
* There doesn't seem a way to do this with pyOpenSSL.
* Allow multiple intermediate CAs to have same subject.
* Add tests.
* Fix test name.
* Don't use CN for SAN.
* Make a bit more compatible.
* Include jinja2 compat for CentOS 6.
(cherry picked from commit 11a14543c8)
Co-authored-by: Felix Fontein <felix@fontein.de>
* PyOpenSSL 22.0.0 no longer supports Python 2.7. (#387)
(cherry picked from commit 5abfe8fca9)
* Do not install PyOpenSSL from PyPi if cryptography cannot be updated - at least on FreeBSD 13.0, latest PyOpenSSL requires a cryptography upgrade, which breaks CI.
* Revert "Do not install PyOpenSSL from PyPi if cryptography cannot be updated - at least on FreeBSD 13.0, latest PyOpenSSL requires a cryptography upgrade, which breaks CI."
This reverts commit 16f9145653.
* Try another approach.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update CI matrix for Remote Devel.
* Add Python info entries.
(cherry picked from commit cd5ed011a5)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Avoid infinite loops, and double roots when root certificate was already part of chain.
* Refactor tests for readability.
(cherry picked from commit 6ee238d961)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Use modules from internal_test_tools instead of stat workaround to check whether file actually changed.
* Properly add testing dependency.
(cherry picked from commit 471506c5d4)
Co-authored-by: Felix Fontein <felix@fontein.de>
* Name test tasks in a more explicite manner
* Space test + verification blocks apart
* Apply suggestions from code review
Co-authored-by: Jens Heinrich <github.com/JensHeinrich>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 2c05221d89)
Co-authored-by: Jens Heinrich <59469646+JensHeinrich@users.noreply.github.com>
* Extension parsing: add new fallback code which uses the new cryptography API (#331)
* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.
* Forgot Base64 encoding.
* Add extension by OID tests.
* There's one value which is different with the new code.
* Differences in CI.
* Working around older Jinjas.
* Value depends on which SAN was included.
* Force complete CI run now since cryptography 36.0.0 is out.
ci_complete
(cherry picked from commit 3f40795a98)
* Adjust tests.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Improve Python 2 Unicode handling. (#313)
(cherry picked from commit eb8dabce84)
* Remove test since it doesn't work with pyOpenSSL.
* Completely remove test.
* Update plugins/module_utils/crypto/cryptography_support.py
* Run all tests on all targets. Remove hack in setup_acme.
* Fix some failing tests.
* OpenSSH tests do not work yet with default image on Ansible 2.9. Let's skip them on the cloud target.
* Make tests pass again.
* Make sure to install *latest* versions of cryptography and pyOpenSSL when not installing system packages, whenever possible.
ci_complete
* Update/fix aliases files.
* Install PyOpenSSL and cryptography from PyPi if target Python != system Python.
* Work around some CentOS6, 7, Ubuntu 16.04 problems. Improve jinja2 compatibility handling.
* Skip tasks that require properties that aren't always there.
* Only install OpenSSL when not present.
* Improve output.
* Improve get_certificate integration test graceful failing.
* Fix tests.
* Fix assert.
* OpenSSL peculiarities.
* Fix condition.
patchback[bot]
Felix Fontein
Andrew Pantuso