a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.crypto/tests/integration/targets/x509_crl/tasks/impl.yml

698 lines
22 KiB
YAML
Raw Blame History

---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create CRL 1 (check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_check
- name: Create CRL 1
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
register: crl_1
- assert:
that:
- crl_1_check is changed
- crl_1 is changed
- name: Retrieve CRL 1 infos
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
register: crl_1_info_1
- name: Read ca-crl1.crl
slurp:
src: '{{ remote_tmp_dir }}/ca-crl1.crl'
register: slurp
- name: Retrieve CRL 1 infos via file content
x509_crl_info:
content: '{{ slurp.content | b64decode }}'
register: crl_1_info_2
- name: Retrieve CRL 1 infos via file content (Base64)
x509_crl_info:
content: '{{ slurp.content }}'
register: crl_1_info_3
- name: Create CRL 1 (idempotent, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_idem_check
- name: Create CRL 1 (idempotent)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
register: crl_1_idem
- name: Read file
slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- ca.key
- cert-1.pem
- cert-2.pem
register: slurp
- name: Create CRL 1 (idempotent with content and octet string serial, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_content: "{{ slurp.results[0].content | b64decode }}"
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
serial_numbers: hex-octets
revoked_certificates:
- content: "{{ slurp.results[1].content | b64decode }}"
revocation_date: 20191013000000Z
- content: "{{ slurp.results[2].content | b64decode }}"
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 04:D2
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_idem_content_check
- name: Create CRL 1 (idempotent with content and octet string serial)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_content: "{{ slurp.results[0].content | b64decode }}"
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
serial_numbers: hex-octets
revoked_certificates:
- content: "{{ slurp.results[1].content | b64decode }}"
revocation_date: 20191013000000Z
- content: "{{ slurp.results[2].content | b64decode }}"
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 04:D2
revocation_date: 20191001000000Z
register: crl_1_idem_content
- name: Create CRL 1 (format, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_format_check
- name: Create CRL 1 (format)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
register: crl_1_format
- name: Create CRL 1 (format, idempotent, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: "1234"
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_format_idem_check
- name: Create CRL 1 (format, idempotent)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: "1234"
revocation_date: 20191001000000Z
return_content: true
register: crl_1_format_idem
- name: Retrieve CRL 1 infos via file
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
register: crl_1_info_4
- name: Read ca-crl1.crl
slurp:
src: "{{ remote_tmp_dir }}/ca-crl1.crl"
register: content
- name: Retrieve CRL 1 infos via file content (Base64)
x509_crl_info:
content: '{{ content.content }}'
register: crl_1_info_5
- name: Create CRL 2 (check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
check_mode: true
register: crl_2_check
- name: Create CRL 2
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
register: crl_2
- name: Create CRL 2 (idempotent, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- C: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
ignore_timestamps: true
check_mode: true
register: crl_2_idem_check
- name: Create CRL 2 (idempotent)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
ignore_timestamps: true
register: crl_2_idem
- name: Create CRL 2 (idempotent update, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- serial_number: 1235
ignore_timestamps: true
crl_mode: update
check_mode: true
register: crl_2_idem_update_change_check
- name: Create CRL 2 (idempotent update)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- serial_number: 1235
ignore_timestamps: true
crl_mode: update
register: crl_2_idem_update_change
- name: Create CRL 2 (idempotent update, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: true
crl_mode: update
check_mode: true
register: crl_2_idem_update_check
- name: Create CRL 2 (idempotent update)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: true
crl_mode: update
register: crl_2_idem_update
- name: Create CRL 2 (changed timestamps, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: false
crl_mode: update
check_mode: true
register: crl_2_change_check
- name: Create CRL 2 (changed timestamps)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- CN: CRL
- countryName: US
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: false
crl_mode: update
return_content: true
register: crl_2_change
- name: Read ca-crl2.crl
slurp:
src: '{{ remote_tmp_dir }}/ca-crl2.crl'
register: slurp_crl2_1
- name: Retrieve CRL 2 infos
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
list_revoked_certificates: false
register: crl_2_info_1
- name: Create CRL 2 (changed order, should be ignored)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
countryName: US
CN:
- Ansible
- CRL
- Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: true
crl_mode: update
return_content: true
register: crl_2_change_order_ignore
- name: Create CRL 2 (changed order)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
- CN: Ansible
- countryName: US
- CN: CRL
- CN: Test
last_update: +0d
next_update: +0d
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-2.pem'
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
ignore_timestamps: true
crl_mode: update
return_content: true
register: crl_2_change_order
- name: Read ca-crl2.crl
slurp:
src: '{{ remote_tmp_dir }}/ca-crl2.crl'
register: slurp_crl2_2
- name: Retrieve CRL 2 infos again
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
list_revoked_certificates: false
register: crl_2_info_2
- name: Create CRL 3
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: +0d
next_update: +0d
revoked_certificates:
- serial_number: 1234
revocation_date: 20191001000000Z
# * cryptography < 2.1 strips username and password from URIs. To avoid problems, we do
# not pass usernames and passwords for URIs when the cryptography version is < 2.1.
# * Python 3.5 before 3.5.8 rc 1 has a bug in urllib.parse.urlparse() that results in an
# error if a Unicode netloc has a username or password included.
# (https://github.com/ansible-collections/community.crypto/pull/436#issuecomment-1101737134)
# This affects the Python 3.5 included in Ansible 2.9's default test container; to avoid
# this, we also do not pass usernames and passwords for Python 3.5.
issuer:
- "DNS:ca.example.org"
- "DNS:ffóò.ḃâŗ.çøṁ"
- "email:foo@ḃâŗ.çøṁ"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
- "URI:https://straße.de:8080"
- "URI:http://gefäß.org"
- "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
issuer_critical: true
register: crl_3
- name: Create CRL 3 (IDNA encoding)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: +0d
next_update: +0d
revoked_certificates:
- serial_number: 1234
revocation_date: 20191001000000Z
issuer:
- "DNS:ca.example.org"
- "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n"
- "email:foo@xn--2ca8uh37e.xn--7ca8a981n"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.xn--strae-oqa.de"
- "URI:https://xn--strae-oqa.de:8080"
- "URI:http://xn--gef-7kay.org"
- "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}xn--4ca:1"
issuer_critical: true
ignore_timestamps: true
name_encoding: idna
register: crl_3_idna
- name: Create CRL 3 (Unicode encoding)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
CN: Ansible
last_update: +0d
next_update: +0d
revoked_certificates:
- serial_number: 1234
revocation_date: 20191001000000Z
issuer:
- "DNS:ca.example.org"
- "DNS:ffóò.ḃâŗ.çøṁ"
- "email:foo@ḃâŗ.çøṁ"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
- "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
- "URI:https://straße.de:8080"
- "URI:http://gefäß.org"
- "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
issuer_critical: true
ignore_timestamps: true
name_encoding: unicode
register: crl_3_unicode
- name: Retrieve CRL 3 infos
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
list_revoked_certificates: true
register: crl_3_info
- name: Retrieve CRL 3 infos (IDNA encoding)
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
name_encoding: idna
list_revoked_certificates: true
register: crl_3_info_idna
- name: Retrieve CRL 3 infos (Unicode encoding)
x509_crl_info:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
name_encoding: unicode
list_revoked_certificates: true
register: crl_3_info_unicode
- name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
block:
- name: Generate private keys
openssl_privatekey:
path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
type: '{{ item }}'
loop:
- Ed25519
- Ed448
register: ed25519_ed448_privatekey
ignore_errors: true
- when: ed25519_ed448_privatekey is not failed
block:
- name: Create CRL
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
register: ed25519_ed448_crl
loop:
- Ed25519
- Ed448
ignore_errors: true
- name: Create CRL (idempotence)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl-{{ item }}.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca-{{ item }}.key'
issuer:
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
revoked_certificates:
- path: '{{ remote_tmp_dir }}/cert-1.pem'
revocation_date: 20191013000000Z
- path: '{{ remote_tmp_dir }}/cert-2.pem'
revocation_date: 20191013000000Z
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- serial_number: 1234
revocation_date: 20191001000000Z
register: ed25519_ed448_crl_idempotence
loop:
- Ed25519
- Ed448
ignore_errors: true
when: cryptography_version.stdout is version('2.6', '>=')
Reference in New Issue View Git Blame Copy Permalink