openssl_publickey: fix handling of OpenSSH private keys with passphrase (#54192)

* Cleanup. * Make sure that OpenSSH passphrases are handled correctly. * Add changelog. (cherry picked from commit 1a94cf140c)
2019-03-22 11:45:55 +01:00 · 2019-03-22 11:45:55 +01:00 · e1c53bdfed
commit e1c53bdfed
parent d983dbad27
2 changed files with 10 additions and 6 deletions
--- a/changelogs/fragments/54192-openssl_publickey-openssh-passphrase.yml
+++ b/changelogs/fragments/54192-openssl_publickey-openssh-passphrase.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_publickey - fixed crash on Python 3 when OpenSSH private keys were used with passphrases."
--- a/lib/ansible/modules/crypto/openssl_publickey.py
+++ b/lib/ansible/modules/crypto/openssl_publickey.py
@ -123,7 +123,6 @@ fingerprint:
      sha512: "fd:ed:5e:39:48:5f:9f:fe:7f:25:06:3f:79:08:cd:ee:a5:e7:b3:3d:13:82:87:1f:84:e1:f5:c7:28:77:53:94:86:56:38:69:f0:d9:35:22:01:1e:a6:60:...:0f:9b"
 '''

-import hashlib
 import os

 try:
@ -136,7 +135,7 @@ else:
    pyopenssl_found = True

 from ansible.module_utils import crypto as crypto_utils
-from ansible.module_utils._text import to_native
+from ansible.module_utils._text import to_native, to_bytes
 from ansible.module_utils.basic import AnsibleModule


@ -170,10 +169,13 @@ class PublicKey(crypto_utils.OpenSSLObject):
        if not self.check(module, perms_required=False) or self.force:
            try:
                if self.format == 'OpenSSH':
-                    privatekey_content = open(self.privatekey_path, 'rb').read()
-                    key = crypto_serialization.load_pem_private_key(privatekey_content,
-                                                                    password=self.privatekey_passphrase,
-                                                                    backend=default_backend())
+                    with open(self.privatekey_path, 'rb') as private_key_fh:
+                        privatekey_content = private_key_fh.read()
+                    key = crypto_serialization.load_pem_private_key(
+                        privatekey_content,
+                        password=None if self.privatekey_passphrase is None else to_bytes(self.privatekey_passphrase),
+                        backend=default_backend()
+                    )
                    publickey_content = key.public_key().public_bytes(
                        crypto_serialization.Encoding.OpenSSH,
                        crypto_serialization.PublicFormat.OpenSSH