* Show timings with devel, and skip everything else.
* Move to other group.
* Try smaller SSH key size (i.e. make tests run faster).
* Add implicit size that now must be explicit.
* Change group of luks_device.
* Revert "Show timings with devel, and skip everything else."
This reverts commit 7b73f7e4d7.
* Update CI scripts to be more close to the ones in ansible-core.
* Extend CI matrix.
* Mark more VMs.
* Revert "Mark more VMs."
This reverts commit 8bc79af636.
* Disable alpine VMs for get_certificate due to httptester problems.
* Improve retrieval of cryptsetup version.
* ACME 'emulator' won't work on Alpine either.
* Improve luks test setup.
* Make sure wipefs is installed on Alpine.
* dmsetup (from device-mapper) is used by the tests.
* Fix bcrypt install failure handling.
* String, not float.
* openssl_privatekey_convert is not an action module.
* Update Python info.
* Try out which VMs can be used by now.
* Enable ACME tests on all VMs but Alpine; update comment.
* Adjust acme-tiny shebang.
* Remove new entries from CI matrix.
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.
Signed-off-by: benaryorg <binary@benary.org>
Signed-off-by: benaryorg <binary@benary.org>
* tests.unit.compat.mock: Remove legacy compat code
This removes old Python 3.4 compatibility code that is no longer needed.
* Prefer unitest.mock by universally using compat.mock
`mock` is a backport of the `unittest.mock` module from the stdlib, and
there's no reason to use it on newer Python versions.
* Extend tests to check for privatekey_content together with privatekey_passphrase.
* Also test privatekey_content for private keys without passphrases.
* ci: enable rhel9.0 tests for openssh_cert
* ci: allow openssh_cert second signature algorithm test for versions >8.7
* ci: narrowing condition to not attempt RSA1 signing exclusively on RHEL >=9
* ci: grouping and documenting condition
* Add RHEL 9.0 and FreeBSD 13.1 to CI.
* Add Ubuntu 22.04 and Fedora 36 to CI.
* Switch orders so that root doesn't have a SHA1 signature.
* Skip openssh_cert test on RHEL 9.0.
* Make it possible that pyOpenSSL isn't installed *at all*.
* Work with default.
* Prepare IDNA/Unicode conversion code. Use to normalize input.
* Use IDNA library first (IDNA2008) and Python's IDNA2003 implementation as a fallback.
* Make sure idna is installed.
* Add changelog fragment.
* 'punycode' → 'idna'.
* Add name_encoding options and tests.
* Avoid invalid character for IDNA2008.
* Linting.
* Forgot to upate value.
* Work around cryptography bug. Fix port handling for URIs.
* Forgot other place sensitive to cryptography bug.
* Forgot one. (Will likely still fail.)
* Decode IDNA in _compress_entry() to avoid comparison screw-ups.
* Work around Python 3.5 problem in Ansible 2.9's default test container.
* Update changelog fragment.
* Fix error, add tests.
* Python 2 compatibility.
* Update requirements.
* Add EE files.
* Install cryptography and PyOpenSSL from PyPi.
* Revert "Install cryptography and PyOpenSSL from PyPi."
This reverts commit 6b90a1efae.
* Only run test when cryptography has a new enough version.
* And another one.
* Extend changelog.
* Fix empty check for openssl_pkcs12 tests.
* Remove unnecessary imports.
* Prevent crash if PyOpenSSL cannot be imported because of an AttributeError.
* Add changelog fragment.
* Fix constraints file.
* Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken).
* Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
Read and write work queue significantly degrades performance on
SSD/NVME devices[1].
In Debian 11 crypttab does not support no-read-workqueue and
no-write-workqueue flags, so the persistent flag is workaround: once
opened with perf parameters persists forever.
[1] https://blog.cloudflare.com/speeding-up-linux-disk-encryption/
Signed-off-by: Yauhen Artsiukhou <jsirex@gmail.com>
* Use community ansible-test images.
* Adjust tests for new operating systems, and pass on Python version as well.
* Fix Python version.
Co-authored-by: David Moreau Simard <moi@dmsimard.com>
* Fix package name.
Co-authored-by: David Moreau Simard <moi@dmsimard.com>
* Allow multiple intermediate CAs to have same subject.
* Add tests.
* Fix test name.
* Don't use CN for SAN.
* Make a bit more compatible.
* Include jinja2 compat for CentOS 6.
* Add basic crypto_info module.
* Improve check.
* Actually test capabilities.
* Also output EC curve list.
* Fix detections.
* Ed25519 and Ed448 are not supported on FreeBSD 12.1.
* Refactor.
* Also retrieve information on the OpenSSL binary.
* Improve splitting.
* Update plugins/modules/crypto_info.py
Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
* Replace list by tuple.
Co-authored-by: Andrew Pantuso <ajpantuso@gmail.com>
* Name test tasks in a more explicite manner
* Space test + verification blocks apart
* Apply suggestions from code review
Co-authored-by: Jens Heinrich <github.com/JensHeinrich>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.
* Forgot Base64 encoding.
* Add extension by OID tests.
* There's one value which is different with the new code.
* Differences in CI.
* Working around older Jinjas.
* Value depends on which SAN was included.
* Force complete CI run now since cryptography 36.0.0 is out.
ci_complete
* Remove assertonly backend.
* Remove assertonly tests.
* The expired test is basically a test of assertonly.
* Replace assertonly verification by _info + assert.
* Remove vendored copy of ipaddress.
* Forgot an import.
* Remove sanity ignores and checks related to ipaddress.
* Remove octal IPv4 address.
Such IPs are no longer accepted by ipaddress in Python's standard library (CVE-2021-29921).
* Remove unused import.
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
* Adjust dirName serialization to RFC 4514.
* Adjust deserialization to RFC 4514.
* Add changelog fragment.
* Use Unicode strings, and work around Python 2 and Python 3 differences and problems with old cryptography versions.
* Work with bytes, not Unicode strings, to handle escaping of Unicode endpoints correctly.
* Remove Ubuntu 16.04 (Xenial Xerus) from CI.
* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.
* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.
* Add changelog fragment.
* Run all tests on all targets. Remove hack in setup_acme.
* Fix some failing tests.
* OpenSSH tests do not work yet with default image on Ansible 2.9. Let's skip them on the cloud target.
* Make tests pass again.
* Make sure to install *latest* versions of cryptography and pyOpenSSL when not installing system packages, whenever possible.
ci_complete
* Update/fix aliases files.
* Install PyOpenSSL and cryptography from PyPi if target Python != system Python.
* Work around some CentOS6, 7, Ubuntu 16.04 problems. Improve jinja2 compatibility handling.
* Skip tasks that require properties that aren't always there.
* Only install OpenSSL when not present.
* Improve output.
* Improve get_certificate integration test graceful failing.
* Fix tests.
* Fix assert.
* OpenSSL peculiarities.
* Fix condition.
* Initial commit
* Matching tests to overwritten permissions behavior with cryptography
* Ensuring key validation only occurs when state=present and accomodating CentOS6 restrictions
* Making ssh-keygen behavior explicit by version in tests
* Ensuring cyrptography not excluded in new conditions
* Adding changelog fragment
* Fixing sanity checks
* Improving readability
* Applying review suggestions
* addressing restore_on_failure conflict
* Initial commit
* Fixed CRLF and ed25519 handling on CentOS6
* Separated expected test results for file permissions between backends
* Fixed unprotected key base directory
* Fixed PEM encoded file test
* Initial commit
* Fixing unit tests
* More unit fixes
* Adding changelog fragment
* Minor refactor in Certificate.generate()
* Addressing option case-sensitivity and directive overrides
* Renaming idempotency to regenerate
* updating changelog
* Minor refactoring of default options
* Cleaning up with inline functions
* Fixing false failures when regenerate=fail and improving clarity
* Applying second round of review suggestions
* adding helper for safe atomic moves
* Initial commit
* Fixing units
* Adding changelog fragment
* Enhanced encapsulation of certificate data
* Avoiding failure when path is not parseable
* Diff refactor
* Applying initial review suggestions
* Initial commit
* Adding informational comments
* Adding changelog fragment
* Fixing CRLF changelog fragment
* Refactoring public number parsing and added chaining for writer methods
* Adding more descriptive error for invalid certificate data
* Fixing signature data parsing
* Correcting ed25519 signature type to binary
* Applying initial review suggestions and fixing option-list writer
* Applying review suggestions
* Making OpensshWriter private
Felix Fontein
Katze
Andrew Pantuso
Maxwell G
Andrew Pantuso
Yauhen
JochenKorge
Jens Heinrich