openssl_certificate: fix passphrase handling for cryptography backend (#56155)

* Make sure the passphrase is a bytes string before passing it to the cryptography backend.

* Fix typo.

* Add more passphrase tests.

* Fix test names.

* Add changelog.
Felix Fontein 2019-05-08 05:58:15 +02:00 committed by ansibot
parent 193f69064f
commit 7a957ba64a
5 changed files with 75 additions and 5 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_certificate - fix private key passphrase handling for ``cryptography`` backend."


@ -168,7 +168,7 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
elif backend == 'cryptography': elif backend == 'cryptography':
try: try:
result = load_pem_private_key(priv_key_detail, result = load_pem_private_key(priv_key_detail,
passphrase, None if passphrase is None else to_bytes(passphrase),
cryptography_backend()) cryptography_backend())
except TypeError as dummy: except TypeError as dummy:
raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key') raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key')
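Review bot: The `except TypeError` on the last line of this hunk does not cover the error cryptography raises for an incorrect passphrase: `load_pem_private_key` raises `TypeError` when a passphrase is supplied for an unencrypted key or omitted for an encrypted one, but a non-empty passphrase that fails to decrypt the key raises `ValueError`. As far as the hunk shows, a wrong passphrase would therefore surface as a raw `ValueError` rather than `OpenSSLBadPassphraseError`, unless a later `except ValueError` clause outside the hunk handles it; if none exists, `except (TypeError, ValueError) as dummy:` would make the message on the following line accurate for both cases. The new `to_bytes(passphrase)` call also presumes `to_bytes` is already imported in this module, which the hunk does not show. `load_privatekey` starts before and continues after this hunk.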


@ -3,6 +3,13 @@
openssl_privatekey: openssl_privatekey:
path: '{{ output_dir }}/ca_privatekey.pem' path: '{{ output_dir }}/ca_privatekey.pem'
- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase
openssl_privatekey:
path: '{{ output_dir }}/ca_privatekey_pw.pem'
passphrase: hunter2
cipher: auto
select_crypto_backend: cryptography
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
openssl_csr: openssl_csr:
path: '{{ output_dir }}/ca_csr.csr' path: '{{ output_dir }}/ca_csr.csr'
@ -14,6 +21,18 @@
- 'CA:TRUE' - 'CA:TRUE'
basic_constraints_critical: yes basic_constraints_critical: yes
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
openssl_csr:
path: '{{ output_dir }}/ca_csr_pw.csr'
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
privatekey_passphrase: hunter2
subject:
commonName: Example CA
useCommonNameForSAN: no
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
openssl_certificate: openssl_certificate:
path: '{{ output_dir }}/ca_cert.pem' path: '{{ output_dir }}/ca_cert.pem'
@ -23,6 +42,16 @@
selfsigned_digest: sha256 selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/ca_cert_pw.pem'
csr_path: '{{ output_dir }}/ca_csr_pw.csr'
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
openssl_certificate: openssl_certificate:
path: '{{ output_dir }}/ownca_cert.pem' path: '{{ output_dir }}/ownca_cert.pem'
@ -164,6 +193,18 @@
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
register: ownca_certificate_ecc register: ownca_certificate_ecc
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/ownca_cert_ecc_2.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr'
ownca_path: '{{ output_dir }}/ca_cert_pw.pem'
ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
ownca_privatekey_passphrase: hunter2
provider: ownca
ownca_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_passphrase
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1) - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
openssl_certificate: openssl_certificate:
path: '{{ output_dir }}/ownca_cert_pw1.pem' path: '{{ output_dir }}/ownca_cert_pw1.pem'
@ -179,7 +220,7 @@
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2) - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
openssl_certificate: openssl_certificate:
path: '{{ output_dir }}/ownca_cert_pw1.pem' path: '{{ output_dir }}/ownca_cert_pw2.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr' csr_path: '{{ output_dir }}/csr_ecc.csr'
ownca_path: '{{ output_dir }}/ca_cert.pem' ownca_path: '{{ output_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem' ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem'
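Review bot: The new task "Generate selfsigned certificate (privatekey passphrase)" in the `@ -164,6 +193,18 @@` hunk is misnamed and mis-registered: it uses `provider: ownca` with `ownca_privatekey_passphrase`, yet its name says "selfsigned" and its result is stored as `selfsigned_certificate_passphrase`, which is also the variable name used by the selfsigned test file and invites confusion when results are asserted later. Renaming it to `- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (privatekey passphrase)` and registering as `register: ownca_certificate_passphrase` keeps it consistent with the surrounding "Generate ownca certificate" tasks. Nothing in this section asserts on the registered result, so if the assertions live in a separate tasks file they will need the same rename; the CA key in the first hunk is generated with a hard-coded `select_crypto_backend: cryptography`, which matches the existing `cipher: auto` pattern elsewhere but means that step does not vary with the backend under test.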


@ -176,6 +176,25 @@
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_ecc register: selfsigned_certificate_ecc
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase)
openssl_csr:
path: '{{ output_dir }}/csr_pass.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
subject:
commonName: www.example.com
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
openssl_certificate:
path: '{{ output_dir }}/cert_pass.pem'
csr_path: '{{ output_dir }}/csr_pass.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
provider: selfsigned
selfsigned_digest: sha256
select_crypto_backend: '{{ select_crypto_backend }}'
register: selfsigned_certificate_passphrase
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1) - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
openssl_certificate: openssl_certificate:
path: '{{ output_dir }}/cert_pw1.pem' path: '{{ output_dir }}/cert_pw1.pem'
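Review bot: The new CSR task "Generate CSR (privatekey passphrase)" omits `select_crypto_backend: '{{ select_crypto_backend }}'`, unlike the certificate task directly below it, so the CSR is produced by whichever backend is the default rather than the one this test run is parameterised on; since this commit fixes passphrase handling specifically in the `cryptography` backend, the CSR step may never exercise the fixed path. `openssl_csr` accepts the option (the csr test file in this same commit passes it), so adding `select_crypto_backend: '{{ select_crypto_backend }}'` to that task keeps the whole fixture on the backend under test. The result registered as `selfsigned_certificate_passphrase` is not asserted on within this section; if assertions live elsewhere, make sure they cover it.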


@ -249,7 +249,15 @@
cipher: auto cipher: auto
select_crypto_backend: cryptography select_crypto_backend: cryptography
- name: Generate publickey - PEM format - name: Generate CSR with privatekey passphrase
openssl_csr:
path: '{{ output_dir }}/csr_pw.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
select_crypto_backend: '{{ select_crypto_backend }}'
register: passphrase_1
- name: Generate CSR (failed passphrase 1)
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_pw1.csr' path: '{{ output_dir }}/csr_pw1.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem' privatekey_path: '{{ output_dir }}/privatekey.pem'
@ -258,7 +266,7 @@
ignore_errors: yes ignore_errors: yes
register: passphrase_error_1 register: passphrase_error_1
- name: Generate publickey - PEM format - name: Generate CSR (failed passphrase 2)
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_pw2.csr' path: '{{ output_dir }}/csr_pw2.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem' privatekey_path: '{{ output_dir }}/privatekeypw.pem'
@ -267,7 +275,7 @@
ignore_errors: yes ignore_errors: yes
register: passphrase_error_2 register: passphrase_error_2
- name: Generate publickey - PEM format - name: Generate CSR (failed passphrase 3)
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_pw3.csr' path: '{{ output_dir }}/csr_pw3.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem' privatekey_path: '{{ output_dir }}/privatekeypw.pem'
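Review bot: The new positive-case task "Generate CSR with privatekey passphrase" registers its result as `passphrase_1`, but nothing in this section checks that result, whereas the three failed-passphrase tasks below it register `passphrase_error_N` for later assertions; a matching `- assert: { that: passphrase_1 is changed }` (or an equivalent in the file's assertion tasks) would turn the new task into an actual regression test for the bug this commit fixes. The task also gives no `subject`, unlike the CSR tasks added in the other test files of this commit, which is fine only if `openssl_csr` accepts an empty subject on both backends — worth confirming, since a failure there would mask the passphrase behaviour being tested. The renamed "Generate CSR (failed passphrase N)" tasks correct a copy-paste name and need no further change.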