community.crypto/tests/integration/targets/x509_certificate_info/tasks/main.yml

---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- name: Make sure the Python idna library is installed
  pip:
    name: idna
    state: present

- name: Generate privatekey
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/privatekey.pem'
    size: '{{ default_rsa_key_size_certificates }}'

- name: Generate privatekey with password
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    passphrase: hunter2
    select_crypto_backend: cryptography
    size: '{{ default_rsa_key_size_certificates }}'

- name: Generate CSR 1
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_1.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.example.com
      C: de
      L: Somewhere
      ST: Zurich
      streetAddress: Welcome Street
      O: Ansible
      organizationalUnitName:
        - Crypto Department
        - ACME Department
      serialNumber: "1234"
      SN: Last Name
      GN: First Name
      title: Chief
      pseudonym: test
      UID: asdf
      emailAddress: test@example.com
      postalAddress: 1234 Somewhere
      postalCode: "1234"
    useCommonNameForSAN: false
    key_usage:
      - digitalSignature
      - keyAgreement
      - Non Repudiation
      - Key Encipherment
      - dataEncipherment
      - Certificate Sign
      - cRLSign
      - Encipher Only
      - decipherOnly
    key_usage_critical: true
    extended_key_usage:
      - serverAuth  # the same as "TLS Web Server Authentication"
      - TLS Web Server Authentication
      - TLS Web Client Authentication
      - Code Signing
      - E-mail Protection
      - timeStamping
      - OCSPSigning
      - Any Extended Key Usage
      - qcStatements
      - DVCS
      - IPSec User
      - biometricInfo
    subject_alt_name:
      - "DNS:www.ansible.com"
      - "DNS:öç.com"
      # cryptography < 2.1 cannot handle certain Unicode characters
      - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com"
      - "IP:1.2.3.4"
      - "IP:::1"
      - "email:test@example.org"
      - "URI:https://example.org/test/index.html"
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:23"
    basic_constraints_critical: true
    ocsp_must_staple: true
    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
  vars:
    value_for_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"

- name: Generate CSR 2
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_2.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
    privatekey_passphrase: hunter2
    useCommonNameForSAN: false
    basic_constraints:
      - "CA:TRUE"

- name: Generate CSR 3
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_3.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    useCommonNameForSAN: false
    subject_alt_name:
      - "DNS:*.ansible.com"
      - "DNS:*.example.org"
      - "IP:DEAD:BEEF::1"
    basic_constraints:
      - "CA:FALSE"
    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
  vars:
    value_for_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"

- name: Generate CSR 4
  openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_4.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    useCommonNameForSAN: false
    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'

- name: Generate selfsigned certificates
  x509_certificate:
    path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
    csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "+10d"
    selfsigned_not_before: "-3d"
  loop:
  - 1
  - 2
  - 3
  - 4

- name: Running tests with cryptography backend
  include_tasks: impl.yml
  vars:
    select_crypto_backend: cryptography
  when: cryptography_version.stdout is version('1.6', '>=')