---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

# Task file exercising the x509_crl and x509_crl_info modules.
#
# Layout: three CRLs are built under `{{ remote_tmp_dir }}` using the CA key
# `ca.key` and the certificates `cert-1.pem` / `cert-2.pem` created earlier in
# the test run (this file only consumes them). Every writing task is run first
# with `check_mode: true` and then for real, and both results are registered;
# only the very first pair is asserted in this file, the remaining registered
# results are presumably checked in a sibling task file.
#
# CRL 1: absolute timestamps, PEM then DER, key/certs by path and by content.
# CRL 2: relative timestamps (`+0d`), ordered issuer, `mode: update`.
# CRL 3: Certificate Issuer entries with non-ASCII names (IDNA vs. Unicode).

# --- CRL 1 -------------------------------------------------------------------

- name: Create CRL 1 (check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      # Revoke by serial number only; no certificate file is needed for this.
      - serial_number: 1234
        revocation_date: 20191001000000Z
  check_mode: true
  register: crl_1_check

- name: Create CRL 1
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  register: crl_1

# Both the dry run and the real run must report a change on first creation.
- assert:
    that:
      - crl_1_check is changed
      - crl_1 is changed

# Read the CRL back three ways: from the file, from its decoded content, and
# from its Base64-encoded content as returned by slurp.
- name: Retrieve CRL 1 infos
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
  register: crl_1_info_1

- name: Read ca-crl1.crl
  slurp:
    src: '{{ remote_tmp_dir }}/ca-crl1.crl'
  register: slurp

- name: Retrieve CRL 1 infos via file content
  x509_crl_info:
    content: '{{ slurp.content | b64decode }}'
  register: crl_1_info_2

- name: Retrieve CRL 1 infos via file content (Base64)
  x509_crl_info:
    content: '{{ slurp.content }}'
  register: crl_1_info_3

# Re-running with identical parameters must not change the file.
- name: Create CRL 1 (idempotent, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  check_mode: true
  register: crl_1_idem_check

- name: Create CRL 1 (idempotent)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  register: crl_1_idem

# NOTE: this overwrites the earlier single-file `slurp` result with a looped
# result; the tasks below index it as slurp.results[0..2] in loop order
# (ca.key, cert-1.pem, cert-2.pem).
- name: Read file
  slurp:
    src: '{{ remote_tmp_dir }}/{{ item }}'
  loop:
    - ca.key
    - cert-1.pem
    - cert-2.pem
  register: slurp

# Same CRL, but key and certificates passed inline instead of by path.
- name: Create CRL 1 (idempotent with content, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_content: "{{ slurp.results[0].content | b64decode }}"
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - content: "{{ slurp.results[1].content | b64decode }}"
        revocation_date: 20191013000000Z
      - content: "{{ slurp.results[2].content | b64decode }}"
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  check_mode: true
  register: crl_1_idem_content_check

- name: Create CRL 1 (idempotent with content)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_content: "{{ slurp.results[0].content | b64decode }}"
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - content: "{{ slurp.results[1].content | b64decode }}"
        revocation_date: 20191013000000Z
      - content: "{{ slurp.results[2].content | b64decode }}"
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  register: crl_1_idem_content

# Switching the output format (PEM -> DER) with otherwise identical parameters.
- name: Create CRL 1 (format, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    format: der
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  check_mode: true
  register: crl_1_format_check

- name: Create CRL 1 (format)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    format: der
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  register: crl_1_format

- name: Create CRL 1 (format, idempotent, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    format: der
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
  check_mode: true
  register: crl_1_format_idem_check

- name: Create CRL 1 (format, idempotent)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    format: der
    issuer:
      CN: Ansible
    last_update: 20191013000000Z
    next_update: 20191113000000Z
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
        revocation_date: 20191013000000Z
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        revocation_date: 20191013000000Z
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
        revocation_date: 20191001000000Z
    # Only this run of the DER variant asks for the CRL content in the result.
    return_content: true
  register: crl_1_format_idem

# Read the (now DER) CRL back from the file and from its Base64 content.
- name: Retrieve CRL 1 infos via file
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl1.crl'
  register: crl_1_info_4

- name: Read ca-crl1.crl
  slurp:
    src: "{{ remote_tmp_dir }}/ca-crl1.crl"
  register: content

- name: Retrieve CRL 1 infos via file content (Base64)
  x509_crl_info:
    content: '{{ content.content }}'
  register: crl_1_info_5

# --- CRL 2 -------------------------------------------------------------------
# Uses relative timestamps (`+0d`) and an explicitly ordered issuer; the
# idempotency tasks therefore set `ignore_timestamps: true`, presumably so
# the re-resolved timestamps do not count as a change.

- name: Create CRL 2 (check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
  check_mode: true
  register: crl_2_check

- name: Create CRL 2
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
  register: crl_2

- name: Create CRL 2 (idempotent, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      # Short attribute name where the previous task used `countryName`;
      # presumably to check both spellings compare equal — confirm intent.
      - C: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
    ignore_timestamps: true
  check_mode: true
  register: crl_2_idem_check

- name: Create CRL 2 (idempotent)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-1.pem'
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
      - serial_number: 1234
    ignore_timestamps: true
  register: crl_2_idem

# `mode: update` with a serial (1235) that is not yet on the CRL.
# NOTE: the task name is reused by the pair further below; the registered
# variable names (`..._update_change*` vs. `..._update*`) tell them apart.
- name: Create CRL 2 (idempotent update, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - serial_number: 1235
    ignore_timestamps: true
    mode: update
  check_mode: true
  register: crl_2_idem_update_change_check

- name: Create CRL 2 (idempotent update)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - serial_number: 1235
    ignore_timestamps: true
    mode: update
  register: crl_2_idem_update_change

# `mode: update` with an entry (cert-2) that is already on the CRL.
- name: Create CRL 2 (idempotent update, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: true
    mode: update
  check_mode: true
  register: crl_2_idem_update_check

- name: Create CRL 2 (idempotent update)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: true
    mode: update
  register: crl_2_idem_update

# Same update as above but with `ignore_timestamps: false`, so the
# re-resolved `+0d` timestamps are taken into account.
- name: Create CRL 2 (changed timestamps, check mode)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: false
    mode: update
  check_mode: true
  register: crl_2_change_check

- name: Create CRL 2 (changed timestamps)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - CN: CRL
      - countryName: US
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: false
    mode: update
    return_content: true
  register: crl_2_change

- name: Read ca-crl2.crl
  slurp:
    src: '{{ remote_tmp_dir }}/ca-crl2.crl'
  register: slurp_crl2_1

- name: Retrieve CRL 2 infos
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    list_revoked_certificates: false
  register: crl_2_info_1

# Issuer given as an unordered mapping (multi-valued CN) instead of
# `issuer_ordered`; per the task name the order difference must not register
# as a change.
- name: Create CRL 2 (changed order, should be ignored)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      countryName: US
      CN:
        - Ansible
        - CRL
        - Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: true
    mode: update
    return_content: true
  register: crl_2_change_order_ignore

# `issuer_ordered` with a different order (countryName moved up); per the
# task name this one is expected to count as a change.
- name: Create CRL 2 (changed order)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer_ordered:
      - CN: Ansible
      - countryName: US
      - CN: CRL
      - CN: Test
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - path: '{{ remote_tmp_dir }}/cert-2.pem'
        reason: key_compromise
        reason_critical: true
        invalidity_date: 20191012000000Z
    ignore_timestamps: true
    mode: update
    return_content: true
  register: crl_2_change_order

- name: Read ca-crl2.crl
  slurp:
    src: '{{ remote_tmp_dir }}/ca-crl2.crl'
  register: slurp_crl2_2

- name: Retrieve CRL 2 infos again
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    list_revoked_certificates: false
  register: crl_2_info_2

# --- CRL 3 -------------------------------------------------------------------
# A single revoked entry carrying a Certificate Issuer extension with
# internationalised DNS / email / URI names, written once as given, once with
# `name_encoding: idna` and once with `name_encoding: unicode`, then read back
# with the matching x509_crl_info encodings. The `admin:hunter2@` style
# userinfo parts are dummy values that only exercise URI parsing.

- name: Create CRL 3
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - serial_number: 1234
        revocation_date: 20191001000000Z
        # * cryptography < 2.1 strips username and password from URIs. To avoid problems, we do
        #   not pass usernames and passwords for URIs when the cryptography version is < 2.1.
        # * Python 3.5 before 3.5.8 rc 1 has a bug in urllib.parse.urlparse() that results in an
        #   error if a Unicode netloc has a username or password included.
        #   (https://github.com/ansible-collections/community.crypto/pull/436#issuecomment-1101737134)
        #   This affects the Python 3.5 included in Ansible 2.9's default test container; to avoid
        #   this, we also do not pass usernames and passwords for Python 3.5.
        issuer:
          - "DNS:ca.example.org"
          - "DNS:ffóò.ḃâŗ.çøṁ"
          - "email:foo@ḃâŗ.çøṁ"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
          - "URI:https://straße.de:8080"
          - "URI:http://gefäß.org"
          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
        issuer_critical: true
  register: crl_3

# Same names pre-encoded as IDNA (xn--) labels.
- name: Create CRL 3 (IDNA encoding)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - serial_number: 1234
        revocation_date: 20191001000000Z
        issuer:
          - "DNS:ca.example.org"
          - "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n"
          - "email:foo@xn--2ca8uh37e.xn--7ca8a981n"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.xn--strae-oqa.de"
          - "URI:https://xn--strae-oqa.de:8080"
          - "URI:http://xn--gef-7kay.org"
          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}xn--4ca:1"
        issuer_critical: true
    ignore_timestamps: true
    name_encoding: idna
  register: crl_3_idna

- name: Create CRL 3 (Unicode encoding)
  x509_crl:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
    issuer:
      CN: Ansible
    last_update: +0d
    next_update: +0d
    revoked_certificates:
      - serial_number: 1234
        revocation_date: 20191001000000Z
        issuer:
          - "DNS:ca.example.org"
          - "DNS:ffóò.ḃâŗ.çøṁ"
          - "email:foo@ḃâŗ.çøṁ"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
          - "URI:https://straße.de:8080"
          - "URI:http://gefäß.org"
          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
        issuer_critical: true
    ignore_timestamps: true
    name_encoding: unicode
  register: crl_3_unicode

- name: Retrieve CRL 3 infos
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    list_revoked_certificates: true
  register: crl_3_info

- name: Retrieve CRL 3 infos (IDNA encoding)
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    name_encoding: idna
    list_revoked_certificates: true
  register: crl_3_info_idna

- name: Retrieve CRL 3 infos (Unicode encoding)
  x509_crl_info:
    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
    name_encoding: unicode
    list_revoked_certificates: true
  register: crl_3_info_unicode

# --- Ed25519 / Ed448 ---------------------------------------------------------
# Gated on cryptography >= 2.6 (outer `when`). Key generation may still fail
# for other reasons, hence `ignore_errors` and the inner `is not failed` guard;
# the CRL tasks also set `ignore_errors` so a failure is recorded rather than
# aborting the play (the registered results are presumably checked elsewhere).

- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
  block:
    - name: Generate private keys
      openssl_privatekey:
        path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
        type: '{{ item }}'
      loop:
        - Ed25519
        - Ed448
      register: ed25519_ed448_privatekey
      ignore_errors: true

    - when: ed25519_ed448_privatekey is not failed
      block:
        - name: Create CRL
          x509_crl:
            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
            issuer:
              CN: Ansible
            last_update: 20191013000000Z
            next_update: 20191113000000Z
            revoked_certificates:
              - path: '{{ remote_tmp_dir }}/cert-1.pem'
                revocation_date: 20191013000000Z
              - path: '{{ remote_tmp_dir }}/cert-2.pem'
                revocation_date: 20191013000000Z
                reason: key_compromise
                reason_critical: true
                invalidity_date: 20191012000000Z
              - serial_number: 1234
                revocation_date: 20191001000000Z
          register: ed25519_ed448_crl
          loop:
            - Ed25519
            - Ed448
          ignore_errors: true

        - name: Create CRL (idempotence)
          x509_crl:
            path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
            privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
            issuer:
              CN: Ansible
            last_update: 20191013000000Z
            next_update: 20191113000000Z
            revoked_certificates:
              - path: '{{ remote_tmp_dir }}/cert-1.pem'
                revocation_date: 20191013000000Z
              - path: '{{ remote_tmp_dir }}/cert-2.pem'
                revocation_date: 20191013000000Z
                reason: key_compromise
                reason_critical: true
                invalidity_date: 20191012000000Z
              - serial_number: 1234
                revocation_date: 20191001000000Z
          register: ed25519_ed448_crl_idempotence
          loop:
            - Ed25519
            - Ed448
          ignore_errors: true
  when: cryptography_version.stdout is version('2.6', '>=')