a-c-m
/
community.general
mirror of https://github.com/ansible-collections/community.general.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.general/lib/ansible/modules/crypto/openssl_csr.py

521 lines
20 KiB
Python
Raw Normal View History

crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
Get rid of more wildcard imports and add boilerplate to more modules This commit cleans up the following module categories: * messaging * inventory * crypto * commands * clustering * cloud/webfaction * cloud/docker * cloud/digital_ocean
2017-07-29 07:20:36 +00:00
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
Update metadata to 1.1
2017-08-16 03:16:38 +00:00
ANSIBLE_METADATA = {'metadata_version': '1.1',
Update metadata for openssl_csr
2017-04-06 17:16:50 +00:00
'status': ['preview'],
'supported_by': 'community'}
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
DOCUMENTATION = '''
---
module: openssl_csr
author: "Yanis Guenane (@Spredzy)"
crypto/openssl_csr: Specify proper Ansible version The commit was started before 2.3 was branched, but was only merged once 2.3 was actually branched. This leads to documentation stating this module is new in 2.3 when it will be actually new in 2.4
2017-04-17 19:46:12 +00:00
version_added: "2.4"
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
short_description: Generate OpenSSL Certificate Signing Request (CSR)
description:
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
- "This module allows one to (re)generate OpenSSL certificate signing requests.
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
It uses the pyOpenSSL python library to interact with openssl. This module supports
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
the subjectAltName as well as the keyUsage and extendedKeyUsage extensions."
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
requirements:
Add simple integration test for openssl_certificate (#29038) * openssl_certificate: Fix parameter assertion in Python3 Parameter assertion in Python3 is broken. pyOpenSSL get_X() functions returns b'' type string and tries to compare it with '' string, leading to failure. The error mentionned above has been fixed by sanitizing the inputs from a user to the assert only backend. Also, this error was hidden by the fact that the improper check method was called in the generate() functions. * Add simple integration test for openssl_certificate * remove subject == issuer assertion * run integration tests only on supported hosts * change min supported version to 0.15.x * Add test for more CSR fields * also convert dict members to bytes * fix version_compare * openssl_{csr, certificate}: Fail if pyOpenSSL <= 0.15 Previous 0.13 pyOpenSSL was a C-binding, and required the parameter passed to add_extention to be in ASN.1. This has changed with the move to 0.14 and it is now all pythong and string based. Previous the 0.15 release, the `get_extensions()` method didn't exist, since the modules rely heavily on it we ensure pyOpenSSL version is at last 0.15.0. * check pyopenssl version in openssl_csr integration test
2017-09-13 21:39:32 +00:00
- "python-pyOpenSSL >= 0.15"
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
options:
state:
required: false
default: "present"
choices: [ present, absent ]
description:
- Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
digest:
required: false
default: "sha256"
description:
- Digest used when signing the certificate signing request with the private key
privatekey_path:
required: true
description:
- Path to the privatekey to use when signing the certificate signing request
openssl_*: Allow user to specify privatekey passphrase Allow a user to specify the privatekey passphrase when dealing with openssl modules.
2017-07-19 10:02:29 +00:00
privatekey_passphrase:
required: false
description:
- The passphrase for the privatekey.
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
version:
required: false
openssl_certificate: Correctly set the version (#30314) Current openssl_certificate is mistakenly taking its derivating its version number from the csr version number. Thos two fields are completly unrelated and hence the version number of the certificate should be able to be directly specified (via selfsigned_version parameter).
2017-09-14 13:21:32 +00:00
default: 1
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- Version of the certificate signing request
force:
required: false
default: False
choices: [ True, False ]
description:
- Should the certificate signing request be forced regenerated by this ansible module
path:
required: true
description:
Change documentation for path: in openssl_csr to match reality (#35045)
2018-01-18 14:43:05 +00:00
- Name of the file into which the generated OpenSSL certificate signing request will be written
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
subject:
required: false
description:
- Key/value pairs that will be present in the subject name field of the certificate signing request.
- If you need to specify more than one value with the same key, use a list as value.
version_added: '2.5'
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
country_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'C', 'countryName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- countryName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
state_or_province_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'ST', 'stateOrProvinceName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- stateOrProvinceName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
locality_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'L', 'localityName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- localityName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
organization_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'O', 'organizationName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- organizationName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
organizational_unit_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'OU', 'organizationalUnitName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
openssl_csr: Fix typo in the documentation (#27028) Documentation state 'organizationUnitName' when the actual name of the param is 'organizationalUnitName'
2017-07-19 09:17:45 +00:00
- organizationalUnitName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
common_name:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'CN', 'commonName' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- commonName field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
email_address:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'E', 'emailAddress' ]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description:
- emailAddress field of the certificate signing request subject
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
subject_alt_name:
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'subjectAltName' ]
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
description:
- SAN extension to attach to the certificate signing request
- This can either be a 'comma separated string' or a YAML list.
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
subject_alt_name_critical:
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'subjectAltName_critical' ]
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
description:
- Should the subjectAltName extension be considered as critical
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
key_usage:
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'keyUsage' ]
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
description:
- This defines the purpose (e.g. encipherment, signature, certificate signing)
of the key contained in the certificate.
- This can either be a 'comma separated string' or a YAML list.
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
key_usage_critical:
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'keyUsage_critical' ]
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
description:
- Should the keyUsage extension be considered as critical
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
extended_key_usage:
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'extKeyUsage', 'extendedKeyUsage' ]
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
description:
- Additional restrictions (e.g. client authentication, server authentication)
on the allowed purposes for which the public key may be used.
- This can either be a 'comma separated string' or a YAML list.
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
extended_key_usage_critical:
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
required: false
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
aliases: [ 'extKeyUsage_critical', 'extendedKeyUsage_critical' ]
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
description:
- Should the extkeyUsage extension be considered as critical
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
basic_constraints:
required: false
aliases: ['basicConstraints']
description:
- Indicates basic constraints, such as if the certificate is a CA.
version_added: 2.5
basic_constraints_critical:
required: false
aliases: [ 'basicConstraints_critical' ]
description:
- Should the basicConstraints extension be considered as critical
version_added: 2.5
Adding extends_documenation_fragment in crypto/* (#33253) All crypto modules uses file common arguments to specify generated file permissions. This commits aims to add the extends_documentation_fragment in the doc so it is automatically stated.
2017-11-25 21:50:28 +00:00
extends_documentation_fragment: files
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
notes:
- "If the certificate signing request already exists it will be checked whether subjectAltName,
keyUsage and extendedKeyUsage only contain the requested values and if the request was signed
by the given private key"
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
'''
EXAMPLES = '''
# Generate an OpenSSL Certificate Signing Request
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
common_name: www.ansible.com
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
openssl_*: Allow user to specify privatekey passphrase Allow a user to specify the privatekey passphrase when dealing with openssl modules.
2017-07-19 10:02:29 +00:00
# Generate an OpenSSL Certificate Signing Request with a
# passphrase protected private key
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
privatekey_passphrase: ansible
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
common_name: www.ansible.com
openssl_*: Allow user to specify privatekey passphrase Allow a user to specify the privatekey passphrase when dealing with openssl modules.
2017-07-19 10:02:29 +00:00
Fix spelling mistakes (comments only) (#25564) Original Author : klemens <ka7@github.com> Taking over previous PR as per https://github.com/ansible/ansible/pull/23644#issuecomment-307334525 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2017-06-12 06:55:19 +00:00
# Generate an OpenSSL Certificate Signing Request with Subject information
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
country_name: FR
organization_name: Ansible
email_address: jdoe@ansible.com
common_name: www.ansible.com
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
# Generate an OpenSSL Certificate Signing Request with subjectAltName extension
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
subject_alt_name: 'DNS:www.ansible.com,DNS:m.ansible.com'
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
# Force re-generate an OpenSSL Certificate Signing Request
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
force: True
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
common_name: www.ansible.com
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
# Generate an OpenSSL Certificate Signing Request with special key usages
- openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
common_name: www.ansible.com
key_usage:
Fix a typo in the examples (#32599)
2017-11-06 18:39:10 +00:00
- digitalSignature
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
- keyAgreement
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
extended_key_usage:
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
- clientAuth
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
'''
RETURN = '''
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
privatekey:
description: Path to the TLS/SSL private key the CSR was generated for
returned: changed or success
type: string
sample: /etc/ssl/private/ansible.com.pem
filename:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
description: Path to the generated Certificate Signing Request
fixed RETURN docs for modules (#24011) * fixed RETURN docs for remaining modules * updated proxymysql_mysql_users 'sample' to yaml dict * fixed whitespace errors
2017-04-26 14:56:13 +00:00
returned: changed or success
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
type: string
sample: /etc/ssl/csr/www.ansible.com.csr
subject:
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
description: A list of the subject tuples attached to the CSR
fixed RETURN docs for modules (#24011) * fixed RETURN docs for remaining modules * updated proxymysql_mysql_users 'sample' to yaml dict * fixed whitespace errors
2017-04-26 14:56:13 +00:00
returned: changed or success
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
type: list
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
sample: "[('CN', 'www.ansible.com'), ('O', 'Ansible')]"
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
subjectAltName:
description: The alternative names this CSR is valid for
fixed RETURN docs for modules (#24011) * fixed RETURN docs for remaining modules * updated proxymysql_mysql_users 'sample' to yaml dict * fixed whitespace errors
2017-04-26 14:56:13 +00:00
returned: changed or success
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
type: list
sample: [ 'DNS:www.ansible.com', 'DNS:m.ansible.com' ]
keyUsage:
description: Purpose for which the public key may be used
returned: changed or success
type: list
sample: [ 'digitalSignature', 'keyAgreement' ]
extendedKeyUsage:
description: Additional restriction on the public key purposes
returned: changed or success
type: list
sample: [ 'clientAuth' ]
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
basicConstraints:
description: Indicates if the certificate belongs to a CA
returned: changed or success
type: list
sample: ['CA:TRUE', 'pathLenConstraint:0']
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
'''
Fix imports and pep8 problems so CI can pass again.
2017-04-06 17:41:18 +00:00
import os
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
from ansible.module_utils import crypto as crypto_utils
from ansible.module_utils.basic import AnsibleModule
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
from ansible.module_utils._text import to_native, to_bytes
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
try:
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
import OpenSSL
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
from OpenSSL import crypto
except ImportError:
pyopenssl_found = False
else:
pyopenssl_found = True
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
class CertificateSigningRequestError(crypto_utils.OpenSSLObjectError):
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
pass
Fix imports and pep8 problems so CI can pass again.
2017-04-06 17:41:18 +00:00
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
class CertificateSigningRequest(crypto_utils.OpenSSLObject):
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
def __init__(self, module):
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
super(CertificateSigningRequest, self).__init__(
module.params['path'],
module.params['state'],
module.params['force'],
module.check_mode
)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
self.digest = module.params['digest']
self.privatekey_path = module.params['privatekey_path']
openssl_*: Allow user to specify privatekey passphrase Allow a user to specify the privatekey passphrase when dealing with openssl modules.
2017-07-19 10:02:29 +00:00
self.privatekey_passphrase = module.params['privatekey_passphrase']
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
self.version = module.params['version']
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
self.subjectAltName = module.params['subjectAltName']
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
self.subjectAltName_critical = module.params['subjectAltName_critical']
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
self.keyUsage = module.params['keyUsage']
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
self.keyUsage_critical = module.params['keyUsage_critical']
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
self.extendedKeyUsage = module.params['extendedKeyUsage']
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
self.extendedKeyUsage_critical = module.params['extendedKeyUsage_critical']
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
self.basicConstraints = module.params['basicConstraints']
self.basicConstraints_critical = module.params['basicConstraints_critical']
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
self.request = None
self.privatekey = None
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
self.subject = [
('C', module.params['countryName']),
('ST', module.params['stateOrProvinceName']),
('L', module.params['localityName']),
('O', module.params['organizationName']),
('OU', module.params['organizationalUnitName']),
('CN', module.params['commonName']),
('emailAddress', module.params['emailAddress']),
]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
if module.params['subject']:
self.subject = self.subject + crypto_utils.parse_name_field(module.params['subject'])
self.subject = [(entry[0], entry[1]) for entry in self.subject if entry[1]]
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
if not self.subjectAltName:
for sub in self.subject:
if OpenSSL._util.lib.OBJ_txt2nid(to_bytes(sub[0])) == 13: # 13 is the NID for "commonName"
self.subjectAltName = ['DNS:%s' % sub[1]]
break
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
def generate(self, module):
'''Generate the certificate signing request.'''
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
if not self.check(module, perms_required=False) or self.force:
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
req = crypto.X509Req()
openssl_certificate: Correctly set the version (#30314) Current openssl_certificate is mistakenly taking its derivating its version number from the csr version number. Thos two fields are completly unrelated and hence the version number of the certificate should be able to be directly specified (via selfsigned_version parameter).
2017-09-14 13:21:32 +00:00
req.set_version(self.version - 1)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
subject = req.get_subject()
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
for entry in self.subject:
if entry[1] is not None:
# Workaround for https://github.com/pyca/pyopenssl/issues/165
nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
extensions = []
if self.subjectAltName:
altnames = ', '.join(self.subjectAltName)
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
if self.keyUsage:
usages = ', '.join(self.keyUsage)
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii')))
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
if self.extendedKeyUsage:
usages = ', '.join(self.extendedKeyUsage)
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
if extensions:
req.add_extensions(extensions)
Enable integration tests for the crypto/ namespace (#26684) Crypto namespace contains the openssl modules. It has no integration testing as of now. This commits aims to add integration tests for the crypto namespace. This will make it easier to spot breaking changes in the future. This tests currently apply to: * openssl_privatekey * openssl_publickey * openssl_csr
2017-07-25 11:18:18 +00:00
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
try:
Openssl csr fixes (#26110) * openssl_csr: fix for python3 * openssl_csr: actually check for existence of pyOpenSSL * pep8 compliance * fixes for python 2.6 and 3
2017-07-13 13:42:48 +00:00
csr_file = open(self.path, 'wb')
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request))
csr_file.close()
Remove get_exception from crypto namespace Fix removes get_exception in favor of native Python exception handling. Also, added to_native to manage exception message.
2017-07-03 10:07:42 +00:00
except (IOError, OSError) as exc:
raise CertificateSigningRequestError(exc)
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
self.changed = True
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
def check(self, module, perms_required=True):
"""Ensure the resource is in its desired state."""
state_and_perms = super(CertificateSigningRequest, self).check(module, perms_required)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
self.privatekey = crypto_utils.load_privatekey(self.privatekey_path, self.privatekey_passphrase)
def _check_subject(csr):
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
subject = [(OpenSSL._util.lib.OBJ_txt2nid(to_bytes(sub[0])), to_bytes(sub[1])) for sub in self.subject]
current_subject = [(OpenSSL._util.lib.OBJ_txt2nid(to_bytes(sub[0])), to_bytes(sub[1])) for sub in csr.get_subject().get_components()]
if not set(subject) == set(current_subject):
return False
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
return True
def _check_subjectAltName(extensions):
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
altnames_ext = next((ext for ext in extensions if ext.get_short_name() == b'subjectAltName'), '')
altnames = [altname.strip() for altname in str(altnames_ext).split(',')]
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
# apperently openssl returns 'IP address' not 'IP' as specifier when converting the subjectAltName to string
# although it won't accept this specifier when generating the CSR. (https://github.com/openssl/openssl/issues/4004)
altnames = [name if not name.startswith('IP Address:') else "IP:" + name.split(':', 1)[1] for name in altnames]
if self.subjectAltName:
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
if set(altnames) != set(self.subjectAltName) or altnames_ext.get_critical() != self.subjectAltName_critical:
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
return False
else:
if altnames:
return False
return True
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
def _check_keyUsage_(extensions, extName, expected, critical):
openssl_csr: Allow user to specify criticality of extensions (#28173) Allow user to mark the x509v3 extensions as critical, by specifying the $extension_critical boolean, where $extension is the name of the extension. Currently this module supports only 3 differents x509v3 extensions: * keyUsage * extendedKeyUsage * subjectAtlName There are more to come.
2017-08-15 08:29:29 +00:00
usages_ext = [ext for ext in extensions if ext.get_short_name() == extName]
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
if (not usages_ext and expected) or (usages_ext and not expected):
return False
elif not usages_ext and not expected:
return True
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
else:
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
current = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage.strip())) for usage in str(usages_ext[0]).split(',')]
expected = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage)) for usage in expected]
openssl_csr: Ensure array comparison is deterministic (#28265) When comparing expected and current value for keyUsage and extendedKeyUsage current behavior is not deterministic. As we compare two arrays, based on the order the value have been specified, False might be returned when the two arrays actually matches. In order to have a deterministic comparison we compare sets rather than arrays.
2017-08-16 12:35:25 +00:00
return set(current) == set(expected) and usages_ext[0].get_critical() == critical
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
def _check_keyUsage(extensions):
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical)
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
def _check_extenededKeyUsage(extensions):
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2017-09-14 16:03:00 +00:00
return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
def _check_basicConstraints(extensions):
return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
def _check_extensions(csr):
extensions = csr.get_extensions()
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and
_check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions))
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
def _check_signature(csr):
try:
return csr.verify(self.privatekey)
except crypto.Error:
return False
if not state_and_perms:
return False
csr = crypto_utils.load_certificate_request(self.path)
return _check_subject(csr) and _check_extensions(csr) and _check_signature(csr)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
def dump(self):
Fix spelling mistakes (comments only) (#25564) Original Author : klemens <ka7@github.com> Taking over previous PR as per https://github.com/ansible/ansible/pull/23644#issuecomment-307334525 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2017-06-12 06:55:19 +00:00
'''Serialize the object into a dictionary.'''
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
result = {
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
'privatekey': self.privatekey_path,
'filename': self.path,
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
'subject': self.subject,
'subjectAltName': self.subjectAltName,
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
'keyUsage': self.keyUsage,
'extendedKeyUsage': self.extendedKeyUsage,
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
'basicConstraints': self.basicConstraints,
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
'changed': self.changed
}
return result
def main():
module = AnsibleModule(
Fix imports and pep8 problems so CI can pass again.
2017-04-06 17:41:18 +00:00
argument_spec=dict(
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
state=dict(default='present', choices=['present', 'absent'], type='str'),
digest=dict(default='sha256', type='str'),
privatekey_path=dict(require=True, type='path'),
openssl_*: Allow user to specify privatekey passphrase Allow a user to specify the privatekey passphrase when dealing with openssl modules.
2017-07-19 10:02:29 +00:00
privatekey_passphrase=dict(type='str', no_log=True),
openssl_certificate: Correctly set the version (#30314) Current openssl_certificate is mistakenly taking its derivating its version number from the csr version number. Thos two fields are completly unrelated and hence the version number of the certificate should be able to be directly specified (via selfsigned_version parameter).
2017-09-14 13:21:32 +00:00
version=dict(default='1', type='int'),
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
force=dict(default=False, type='bool'),
path=dict(required=True, type='path'),
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2017-12-12 12:35:22 +00:00
subject=dict(type='dict'),
openssl_csr: consistent param namings (#29604) * harmonize openssl-csr argument names * the module has been introduced by 2.4 not only the privatekey_passphrase
2017-09-11 19:05:15 +00:00
countryName=dict(aliases=['C', 'country_name'], type='str'),
stateOrProvinceName=dict(aliases=['ST', 'state_or_province_name'], type='str'),
localityName=dict(aliases=['L', 'locality_name'], type='str'),
organizationName=dict(aliases=['O', 'organization_name'], type='str'),
organizationalUnitName=dict(aliases=['OU', 'organizational_unit_name'], type='str'),
commonName=dict(aliases=['CN', 'common_name'], type='str'),
emailAddress=dict(aliases=['E', 'email_address'], type='str'),
subjectAltName=dict(aliases=['subject_alt_name'], type='list'),
subjectAltName_critical=dict(aliases=['subject_alt_name_critical'], default=False, type='bool'),
keyUsage=dict(aliases=['key_usage'], type='list'),
keyUsage_critical=dict(aliases=['key_usage_critical'], default=False, type='bool'),
extendedKeyUsage=dict(aliases=['extKeyUsage', 'extended_key_usage'], type='list'),
extendedKeyUsage_critical=dict(aliases=['extKeyUsage_critical', 'extended_key_usage_critical'], default=False, type='bool'),
Support basicConstraints in openssl_csr (#32632)
2017-11-30 13:50:45 +00:00
basicConstraints=dict(aliases=['basic_constraints'], type='list'),
basicConstraints_critical=dict(aliases=['basic_constraints_critical'], default=False, type='bool'),
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
),
Fix imports and pep8 problems so CI can pass again.
2017-04-06 17:41:18 +00:00
add_file_common_args=True,
supports_check_mode=True,
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
)
Openssl csr fixes (#26110) * openssl_csr: fix for python3 * openssl_csr: actually check for existence of pyOpenSSL * pep8 compliance * fixes for python 2.6 and 3
2017-07-13 13:42:48 +00:00
if not pyopenssl_found:
module.fail_json(msg='the python pyOpenSSL module is required')
Add simple integration test for openssl_certificate (#29038) * openssl_certificate: Fix parameter assertion in Python3 Parameter assertion in Python3 is broken. pyOpenSSL get_X() functions returns b'' type string and tries to compare it with '' string, leading to failure. The error mentionned above has been fixed by sanitizing the inputs from a user to the assert only backend. Also, this error was hidden by the fact that the improper check method was called in the generate() functions. * Add simple integration test for openssl_certificate * remove subject == issuer assertion * run integration tests only on supported hosts * change min supported version to 0.15.x * Add test for more CSR fields * also convert dict members to bytes * fix version_compare * openssl_{csr, certificate}: Fail if pyOpenSSL <= 0.15 Previous 0.13 pyOpenSSL was a C-binding, and required the parameter passed to add_extention to be in ASN.1. This has changed with the move to 0.14 and it is now all pythong and string based. Previous the 0.15 release, the `get_extensions()` method didn't exist, since the modules rely heavily on it we ensure pyOpenSSL version is at last 0.15.0. * check pyopenssl version in openssl_csr integration test
2017-09-13 21:39:32 +00:00
try:
getattr(crypto.X509Req, 'get_extensions')
except AttributeError:
module.fail_json(msg='You need to have PyOpenSSL>=0.15 to generate CSRs')
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
base_dir = os.path.dirname(module.params['path'])
if not os.path.isdir(base_dir):
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
csr = CertificateSigningRequest(module)
if module.params['state'] == 'present':
if module.check_mode:
result = csr.dump()
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
result['changed'] = module.params['force'] or not csr.check(module)
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
module.exit_json(**result)
try:
csr.generate(module)
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
except (CertificateSigningRequestError, crypto_utils.OpenSSLObjectError) as exc:
Remove get_exception from crypto namespace Fix removes get_exception in favor of native Python exception handling. Also, added to_native to manage exception message.
2017-07-03 10:07:42 +00:00
module.fail_json(msg=to_native(exc))
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
else:
if module.check_mode:
result = csr.dump()
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
result['changed'] = os.path.exists(module.params['path'])
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
module.exit_json(**result)
try:
csr.remove()
crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281) * openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2017-08-03 11:27:17 +00:00
except (CertificateSigningRequestError, crypto_utils.OpenSSLObjectError) as exc:
Remove get_exception from crypto namespace Fix removes get_exception in favor of native Python exception handling. Also, added to_native to manage exception message.
2017-07-03 10:07:42 +00:00
module.fail_json(msg=to_native(exc))
crypto: Add new module openssl_csr (#21004) This new module allows one to automate the generation of OpenSSL Certificate Signing Request. It supports SAN extension.
2017-04-06 16:09:07 +00:00
result = csr.dump()
module.exit_json(**result)
if __name__ == "__main__":
main()