a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.crypto/tests/integration/targets/x509_certificate/tasks/selfsigned.yml

486 lines
19 KiB
YAML
Raw Blame History

---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size_certificates }}'
- name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey with password
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size_certificates }}'
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_no_csr.pem'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: selfsigned_certificate_no_csr
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR - idempotency
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_no_csr.pem'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: selfsigned_certificate_no_csr_idempotence
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate without CSR (check mode)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_no_csr.pem'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: true
register: selfsigned_certificate_no_csr_idempotence_check
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.example.com
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_minimal_change.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.example.org
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/cert.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: selfsigned_certificate
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency
x509_certificate:
path: '{{ remote_tmp_dir }}/cert.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: selfsigned_certificate_idempotence
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: true
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode, other CSR)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert.pem'
csr_path: '{{ remote_tmp_dir }}/csr_minimal_change.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: true
register: selfsigned_certificate_csr_minimal_change
- name: (Selfsigned, {{select_crypto_backend}}) Get certificate information
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/cert.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: (Selfsigned, {{select_crypto_backend}}) Get private key information
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_privatekey
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate
assert:
that:
- result.public_key == result_privatekey.public_key
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
- "result.subject.commonName == 'www.example.com'"
- not result.expired
- result.version == 3
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned v2 certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_v2.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_version: 2
select_crypto_backend: "{{ select_crypto_backend }}"
register: selfsigned_v2_cert
ignore_errors: true
- name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey2
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey2.pem'
size: '{{ default_rsa_key_size_certificates }}'
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR2
openssl_csr:
subject:
CN: www.example.com
C: US
ST: California
L: Los Angeles
O: ACME Inc.
OU:
- Roadrunner pest control
- Pyrotechnics
path: '{{ remote_tmp_dir }}/csr2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
keyUsage:
- digitalSignature
extendedKeyUsage:
- ipsecUser
- biometricInfo
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate2
x509_certificate:
path: '{{ remote_tmp_dir }}/cert2.pem'
csr_path: '{{ remote_tmp_dir }}/csr2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
- name: (Selfsigned, {{select_crypto_backend}}) Get certificate information
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/cert2.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: (Selfsigned, {{select_crypto_backend}}) Get private key information
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey2.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_privatekey
- name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate2
assert:
that:
- result.public_key == result_privatekey.public_key
- "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha256WithECDSAEncryption'"
- "result.subject.commonName == 'www.example.com'"
- "result.subject.countryName == 'US'"
- "result.subject.localityName == 'Los Angeles'" # L
- "result.subject.organizationName == 'ACME Inc.'"
- "['organizationalUnitName', 'Pyrotechnics'] in result.subject_ordered"
- "['organizationalUnitName', 'Roadrunner pest control'] in result.subject_ordered"
- not result.expired
- result.version == 3
- "'Digital Signature' in result.key_usage"
- "'IPSec User' in result.extended_key_usage"
- "'Biometric Info' in result.extended_key_usage"
- name: (Selfsigned, {{select_crypto_backend}}) Create private key 3
openssl_privatekey:
path: "{{ remote_tmp_dir }}/privatekey3.pem"
size: '{{ default_rsa_key_size_certificates }}'
- name: (Selfsigned, {{select_crypto_backend}}) Create CSR 3
openssl_csr:
subject:
CN: www.example.com
privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
path: "{{ remote_tmp_dir }}/csr3.pem"
- name: (Selfsigned, {{select_crypto_backend}}) Create certificate3 with notBefore and notAfter
x509_certificate:
provider: selfsigned
selfsigned_not_before: 20181023133742Z
selfsigned_not_after: 20191023133742Z
path: "{{ remote_tmp_dir }}/cert3.pem"
csr_path: "{{ remote_tmp_dir }}/csr3.pem"
privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
select_crypto_backend: '{{ select_crypto_backend }}'
- name: (Selfsigned, {{select_crypto_backend}}) Create certificate3 with notBefore and notAfter (idempotent)
x509_certificate:
provider: selfsigned
selfsigned_not_before: 20181023133742Z
selfsigned_not_after: 20191023133742Z
ignore_timestamps: false
path: "{{ remote_tmp_dir }}/cert3.pem"
csr_path: "{{ remote_tmp_dir }}/csr3.pem"
privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
select_crypto_backend: '{{ select_crypto_backend }}'
register: cert3_selfsigned_idem
- name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
# ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
subject:
commonName: www.example.com
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_ecc.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_ecc
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase)
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pass.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
subject:
commonName: www.example.com
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_pass.pem'
csr_path: '{{ remote_tmp_dir }}/csr_pass.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_passphrase
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_pw1.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: true
register: passphrase_error_1
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 2)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_pw2.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: wrong_password
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: true
register: passphrase_error_2
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 3)
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_pw3.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: true
register: passphrase_error_3
- name: (Selfsigned, {{select_crypto_backend}}) Create broken certificate
copy:
dest: "{{ remote_tmp_dir }}/cert_broken.pem"
content: "broken"
- name: (Selfsigned, {{select_crypto_backend}}) Regenerate broken cert
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_broken.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
register: selfsigned_broken
- name: (Selfsigned, {{select_crypto_backend}}) Backup test
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
backup: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_backup_1
- name: (Selfsigned, {{select_crypto_backend}}) Backup test (idempotent)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
backup: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_backup_2
- name: (Selfsigned, {{select_crypto_backend}}) Backup test (change)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem'
csr_path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
backup: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_backup_3
- name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem'
state: absent
provider: selfsigned
backup: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_backup_4
- name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove, idempotent)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_backup.pem'
state: absent
provider: selfsigned
backup: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_backup_5
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_subject_key_identifier_1
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (idempotency)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_subject_key_identifier_2
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_subject_key_identifier_3
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove idempotency)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: never_create
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_subject_key_identifier_4
- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (re-enable)
x509_certificate:
path: '{{ remote_tmp_dir }}/selfsigned_cert_ski.pem'
csr_path: '{{ remote_tmp_dir }}/csr_ecc.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_create_subject_key_identifier: always_create
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_subject_key_identifier_5
- name: (Selfsigned, {{select_crypto_backend}}) Ed25519 and Ed448 tests (for cryptography >= 2.6)
block:
- name: (Selfsigned, {{select_crypto_backend}}) Generate privatekeys
openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
type: '{{ item }}'
loop:
- Ed25519
- Ed448
register: selfsigned_certificate_ed25519_ed448_privatekey
ignore_errors: true
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
when: selfsigned_certificate_ed25519_ed448_privatekey is not failed
block:
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
openssl_csr:
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
loop:
- Ed25519
- Ed448
ignore_errors: true
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
loop:
- Ed25519
- Ed448
register: selfsigned_certificate_ed25519_ed448
ignore_errors: true
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency
x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
loop:
- Ed25519
- Ed448
register: selfsigned_certificate_ed25519_ed448_idempotence
ignore_errors: true
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
- import_tasks: ../tests/validate_selfsigned.yml
Reference in New Issue View Git Blame Copy Permalink