* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.
* Forgot Base64 encoding.
* Add extension by OID tests.
* There's one value which is different with the new code.
* Differences in CI.
* Working around older Jinjas.
* Value depends on which SAN was included.
* Force complete CI run now since cryptography 36.0.0 is out.
ci_complete
* Use new PKCS#12 deserialization code from cryptography 36.0.0 if available.
* Refactor into smaller functions.
* Force complete CI run now since cryptography 36.0.0 is out.
ci_complete
* Add warning that ASN.1 encoded extension values returned by some modules might not reflect the exact byte sequence in the source file anymore depending on the cryptography version.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Remove assertonly backend.
* Remove assertonly tests.
* The expired test is basically a test of assertonly.
* Replace assertonly verification by _info + assert.
* Remove vendored copy of ipaddress.
* Forgot an import.
* Remove sanity ignores and checks related to ipaddress.
* Remove octal IPv4 address.
Such IPs are no longer accepted by ipaddress in Python's standard library (CVE-2021-29921).
* Remove unused import.
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
* Add some workarounds for cryptography 35.0.0.
* Make fix work with very old cryptography versions as well (which supported multiple backends).
* [TEMP] Disable openssl_pkcs12 tests to see whether everything else works.
* Revert "[TEMP] Disable openssl_pkcs12 tests to see whether everything else works."
This reverts commit 3f905bc795.
* Add changelog fragment.
* Remove unnecessary assignment.
* Simplify code change.
* [TEMP] Disable openssl_pkcs12 tests to see whether everything else works.
* Revert "[TEMP] Disable openssl_pkcs12 tests to see whether everything else works."
This reverts commit fdb210528e.
* Adjust dirName serialization to RFC 4514.
* Adjust deserialization to RFC 4514.
* Add changelog fragment.
* Use Unicode strings, and work around Python 2 and Python 3 differences and problems with old cryptography versions.
* Work with bytes, not Unicode strings, to handle escaping of Unicode endpoints correctly.
* Remove Ubuntu 16.04 (Xenial Xerus) from CI.
* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.
* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.
* Add changelog fragment.
* Initial commit
* Matching tests to overwritten permissions behavior with cryptography
* Ensuring key validation only occurs when state=present and accomodating CentOS6 restrictions
* Making ssh-keygen behavior explicit by version in tests
* Ensuring cyrptography not excluded in new conditions
* Adding changelog fragment
* Fixing sanity checks
* Improving readability
* Applying review suggestions
* addressing restore_on_failure conflict
* Initial commit
* Fixing unit tests
* More unit fixes
* Adding changelog fragment
* Minor refactor in Certificate.generate()
* Addressing option case-sensitivity and directive overrides
* Renaming idempotency to regenerate
* updating changelog
* Minor refactoring of default options
* Cleaning up with inline functions
* Fixing false failures when regenerate=fail and improving clarity
* Applying second round of review suggestions
* adding helper for safe atomic moves
Use of the confusingly-named _permissions_changed() on both
sides of an `or` was resulting in the second invocation not
being reached if the first invocation returned True, which it
does any time it applied custom attributes to the private key.
As a result, custom file attributes were only ever being
applied to the private key (except in one specific case)
This is fixed by explicitly updating attributes of both files
before checking if changes have been made.
Signed-off-by: Charlie Wheeler-Robinson <cwheeler@redhat.com>
* Initial commit
* Fixing units
* Adding changelog fragment
* Enhanced encapsulation of certificate data
* Avoiding failure when path is not parseable
* Diff refactor
* Applying initial review suggestions
* Initial commit
* Adding informational comments
* Adding changelog fragment
* Fixing CRLF changelog fragment
* Refactoring public number parsing and added chaining for writer methods
* Adding more descriptive error for invalid certificate data
* Fixing signature data parsing
* Correcting ed25519 signature type to binary
* Applying initial review suggestions and fixing option-list writer
* Applying review suggestions
* Making OpensshWriter private
* Refactoring openssh_keypair for multiple backends
* Fixing cryptography backend validations
* Simplifying conditionals and excess variable assignments
* Fixing docs and adding cleanup for integration tests
* Fixing docs and public key validation bugs in crypto backend
* Enhancing cryptogagraphy utils to raise OpenSSHErrors when file not found
* Adding missed copyright and cleanup for idempotency test keys
* Fixing doc style
* Readding crypto/openssh for backwards compatibility
* Adding changelog fragment and final simplifications of conditional statements
* Applied initial review suggestions
* Add diff support to openssl_privatekey.
* Add diff support to openssl_csr.
* Add diff support to x509_crl.
* Add diff support to x509_certificate.
* Add diff support to openssl_publickey.
* Add changelog fragment.
* Prefer one fingerprint for diff infos to reduce noise.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Began refactoring.
* Continue.
* Factor PyOpenSSL backend out.
* Add basic cryptography backend.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Only run tests when new enough pyOpenSSL or cryptography is around.
* Reduce required pyOpenSSL version from 17.1.0 to 0.15.
I have no idea why 17.1.0 was there (in the tests), and not something smaller.
The module itself did not mention any version.
* Linting.
* Linting.
* Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used.
* Improve docs, add changelog fragment.
* Move hackish code to cryptography_support.
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Update plugins/modules/openssl_pkcs12.py
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Streamline cert creation.
* Convert range to list.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Return more public key information.
* Make sure bit size is converted to int first.
* Apply suggestions from code review
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Remove no longer necessary code.
* Use correct return value's name.
* Add trailing commas.
Co-authored-by: Ajpantuso <ajpantuso@gmail.com>
* Integrating openssh module utils with openssh_keypair
* Added explicit PEM formatting for OpenSSH < 7.8
* Adding changelog fragment
* Adding OpenSSL/cryptography dependency for integration tests
* Adding private_key_format option and removing forced cryptography update for CI
* Fixed version check for bcrypt and key_format option name
* Setting no_log=False for private_key_format
* Docs correction and simplification of control flow for private_key_format
* Adding openssh utils and unit tests
* Adding changelog fragment and correcting RSA default size
* Adding changelog fragment
* Added passphrase update, test cases, and check for SSH private key loader
* corrected ecdsa type when loading
* Resolving inital review comments
* Fixed import in unit tests
* Cleaning up validation functions
* Separating private/public key related errors; Adding verify method
* Expressed generate/load functions as classmethods and cleaned up method comments
* Added support for loading asymmetric key pairs of PEM and DER formats
* Refactored loading/generation for Asym keypairs into classmethods
* Rescoped helper functions and classmethods for OpenSSH Keypair
* Corrected docstring for OpenSSH_Keypair.generate()
* Fixed import errors for sanity tests
* Improvements to comparison, key verification, and password validation
* Added comparison tests, simplified password validation, fixed Ed25519 load bug
* Adding additional equivalence tests with passphrases
* Fix wrong usages of ACMEProtocolException.
* Add changelog fragment.
* Fix error handling when content could not be decoded.
* Make sure that content_json is a dict or None.
* Improve acme_inspect's ACMEProtocolException handling.
* Improve error handling.
* Add tests.
* Fix challenge error.
* Add challenges tests.
* Provide content if available.
* Add some order tests.
* Linting.
* Move acme.py to acme/__init__.py to prepare splitup.
* Began moving generic code out.
* Creating backends.
* Update unit tests.
* Move remaining new code out.
* Use new interface.
* Rewrite module init code.
* Add changelog.
* Add BackendException for crypto backend errors.
* Improve / uniformize ACME error reporting.
* Create ACMELegacyAccount for backwards compatibility.
* Split up ACMEAccount into ACMEClient and ACMEAccount.
* Move get_keyauthorization into module_utils.acme.challenges.
* Improve error handling.
* Move challenge and authorization handling code into module_utils.
* Add split_identifier helper.
* Move order code into module_utils.
* Move ACME v2 certificate handling code to module_utils.
* Fix/move ACME v1 certificate retrieval to module_utils as well.
* Refactor alternate chain handling code by splitting it up into simpler functions.
* Make chain matcher creation part of backend.
* Rename identify.py to pem.py.
* Move split PEM list code to pem.py crypto module_utils.
* Extend and use global certificate splitting code in acme_certificate.
* openssl_pkcs12: allow to load multiple certificates from files mentioned in other_certificates.
* Add changelog and module_utils redirect.
* Remove old check.
* Fix typo.
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Add example.
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Improve error messages for name decoding (not all names appear in SANs).
* Refactor DN parsing, add relative DN parsing code.
* Allow to specify CRL distribution points.
* Add changelog fragment.
* Fix typo.
* Make sure value argument to x509.NameAttribute is a text.
* Update changelogs/fragments/167-openssl_csr-crl-distribution-points.yml
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Add example.
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Allow to configure PBKDF.
* Also add PBKDF options to key add operation.
* Simplify code.
* Update plugins/modules/luks_device.py
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Fix indent.
* Use more of the options.
* Bump iteration count.
* Increase memory limit.
* Fall back to default PBKDF.
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* openssl_pkcs12: Add a check for parsed pkcs12 files
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* Add changelog fragment
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* openssl_pkcs12: Report changed state when a pkcs12 file is dumped
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* Add a basic test for dumping a pkcs12 file
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* Update changelog fragment
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* Add test for dumped pkcs12 file in check mode
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
* Improve error handling in support code for cryptography backend.
* Update changelogs/fragments/139-improve-error-handling.yml
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
* Allow to pass CSR to acme_certificate as csr_content.
* Make sure contents are bytes.
* No need to write CSR to disk.
* Forgot version_added.
* Fix documentation.
* Do not crash when PKCS#12 file contains no private key and/or main certificate.
* Add changelog fragment.
* Call getters only once each, check explicitly for None.
* Add test.
* Also 'parse' correctly PKCS#12 file with no private key.
* Increase # of bits for random serial numbers of certificates with PyOpenSSL backend.
* Adjust algorithm to return a random number between 1000 and 2^160-1.
* acme_account: add support for External Account Binding.
* Add changelog fragment.
* Error if externalAccountRequired is set in ACME directory meta, but external account data is not provided.
* Validate that EAB key is Base64URL encoded.
* Improve documentation.
* Add padding to Base64 encoded key if necessary.
* Make account creation idempotent with ZeroSSL.
This adds the parameter pkcs11_provider, which can be set to the name of
or path to a PKCS#11 library (e.g. libpkcs11.so). ssh-keygen will then
use this library to have the token make any required signatures.
If this is used, signing_key needs to be set to a file containing the
public key that matches the private key on the token.
* get_certificate - Add support of SNI
For python versions supporting `create_default_context` support SNI by using low-level
SSLContext.wrap_socket().getpeercert().
Add also more information in the error message
fixes#69
* Make sure default CA certificates are not loaded when ca_cert is specified.
* Refactor to combine common code.
* Update changelogs/fragments/get_certificate-add_support_for_SNI.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Improve changelog generator config.
* We don't have docs at that URL.
* Require Ansible(-base) 2.9.10 or newer.
Needed for deprecation syntax.
* Update all deprecations from Ansible 2.1x to community.crypto 2.0.0.
* Forgot to check in fixes.
* Shorten lines.
* Fix unit test requirements.
* Fix YAML strings which only had a closing quote.
* Galaxy neither likes uppercase nor spaces in tags.
* General README improvements.
* Add roadmap section to README.
* Next release will be 1.0.0.
* Extend using instructions.
* Tags with dashes are also not allowed.
* Fix changelog link.
* Support otherName in subAltName in CSR for UTF8 strings
* Remove uneeded docs and added changelog fragment
* Missed a merge conflict
* Fix up sanity issues and added test expectation
* Rename function
* Prepare extra sanity tests.
* Run some extra sanity tests.
* Linting.
* Experimenting
* Linting.
* Run tests in docker container.
* Improve run code.
* Use requests instead of Ansible code (which needs to be installed first).
* Refactor and add more debugging.
* More ls.
* More ls.
* More ls in container.
* Copy cwd into container.
* Improve container handling.
* Make tests configurable.
* Using proper argument parser.
* Add colors.
* Allow to disable test.
* Always run all tests for now. (Change detection needs to know about git I think).
* Use argument parser for main executable. Force colors for CI.
* Allow to specify targets.
* Linting.
* Switch to ansibulled-changelog.
* Use runner from community.internal_test_tools (current dev branch for runner).
* Clone official repository instead of my fork/branch.
Felix Fontein
Ajpantuso
Charlie Wheeler-Robinson
Ed Schaller
Norman Ziegner
Doug Stanley
Arnoways
s-hamann
Baptiste Mille-Mathias
Jordan Borean