* Added support for DER format
* Updated description
* Adjusted description
The content of the certificate cannot be in DER format due to an input encoding problem in the Ansible module, but it works fine when reading the certificate from a file
* Update support.py
* Added der_support_enabled flag for DER-format support
* Added changelog fragment for #603
* Fixed typo
* Fixed missing import
* Resolved issues found by static code analysis
* Update plugins/module_utils/crypto/support.py
Committed suggested change
Co-authored-by: Felix Fontein <felix@fontein.de>
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adjust EE tests to ansible-builder 3.0.0.
* Remove other CI workflows.
* Use docker instead of podman...
* Support Rocky Linux 9+.
* Add CentOS Stream 9 to EE tests.
* Fix installation of PyOpenSSL on CentOS/RHEL/Rocky.
* ansible-builder only attempts to install EPEL deps on CentOS.
* Make EPEL also available on Rocky Linux 9, even though ansible-builder will ignore it.
* Make sure cryptography is already installed.
* Try ansible-runner < 2.0.0 for CentOS Stream 8 / RHEL 8.
* Show more info.
* Start restricting transitive dependencies...
* Looks like PyOpenSSL is **broken** on CentOS Stream 9 + EPEL.
* ansible-builder will NOT work with Python 3.6.
use Python 3.9 on RHEL8 / CentOS Stream 8. Manually install cryptography and PyOpenSSL for Python 3.9 as well.
* PyOpenSSL isn't available for Python 3.8 or 3.9.
* Revert "Remove other CI workflows."
This reverts commit 3a9d125f45.
* Use podman instead of docker.
* Re-order bindep entries.
* python3-pyOpenSSL does not exist on RHEL/CentOS 6 and 7.
* Always generate a new key pair if the private key doesn't exist (#597)
This commit updates `KeypairBackend._should_generate()` to first check
if the original private key named by the `path` argument exists, and
return True if it does not. This brings the code in line with
the documentation, which says that a new key will always be generated if
the key file doesn't already exist.
As an alternative to the approach implemented here, I also considered
only modifying the condition in the `fail` branch of the if statement,
but I thought that would not map as cleanly to the behavior specified in
the documentation, so doing it the way I did should make it easier to
check that the code is doing the right thing just by looking at it.
I also considered doing something to make the logic more similar to
`PrivateKeyBackend.needs_regeneration()` (the openssl version of this
functionality), because the two are supposed to be acting the same way,
but I thought that'd be going beyond the scope of just fixing this bug.
If it'd be useful to make both methods work the same way, someone can
refactor the code in a future commit.
* Test different regenerate values with nonexistent keys
This commit changes the test task that generates new keys to use each of
the different values for the `regenerate` argument, which will ensure
that the module is capable of generating a key when no previous key
exists regardless of the value of `regenerate`. Previously, the task
would always run with the `partial_idempotence` value, and that obscured
a bug (#597) that would occur when it was set to `fail`. The bug was
fixed in the previous commit.
* Enable custom cipher selection for get_certificate
* get_certificate ciphers desc grammar fix
Co-authored-by: Felix Fontein <felix@fontein.de>
* get_certificate ciphers desc grammar fix
Co-authored-by: Felix Fontein <felix@fontein.de>
* get_certificate ciphers include version_added
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add changelog fragment
* Fail if ciphers is set and Python < 2.7.9
* Standardize ciphers conditionals in get_certificate
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.
Signed-off-by: benaryorg <binary@benary.org>
Signed-off-by: benaryorg <binary@benary.org>
Felix Fontein
Marcin Słowikowski
David Zaslavsky
Austin Lane
dlehrman
Katze