ansible/test/integration/targets/openssl_privatekey/tests/validate.yml
Felix Fontein caf7fd2245 openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489)
* Raise OpenSSLBadPassphraseError if passphrase is wrong.

* Improve handling of passphrase errors.

Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail.
Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate.

* Add changelog.

* Add tests.

* Adjustments for some versions of PyOpenSSL.

* Update lib/ansible/modules/crypto/openssl_certificate.py

Improve text.

Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 16:21:18 +00:00

115 lines
4.2 KiB
YAML

---
- name: Validate privatekey1 (test - RSA key with size 4096 bits)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey1
- name: Validate privatekey1 (assert - RSA key with size 4096 bits)
assert:
that:
- privatekey1.stdout == '4096'
- name: Validate privatekey2 (test - RSA key with size 2048 bits)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey2
- name: Validate privatekey2 (assert - RSA key with size 2048 bits)
assert:
that:
- privatekey2.stdout == '2048'
- name: Validate privatekey3 (test - DSA key with size 3072 bits)
shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey3
- name: Validate privatekey3 (assert - DSA key with size 3072 bits)
assert:
that:
- privatekey3.stdout == '3072'
- name: Validate privatekey4 (test - Ensure key has been removed)
stat:
path: '{{ output_dir }}/privatekey4.pem'
register: privatekey4
- name: Validate privatekey4 (assert - Ensure key has been removed)
assert:
that:
- privatekey4.stat.exists == False
- name: Validate privatekey5 (test - Passphrase protected key + idempotence)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey5
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate privatekey5 (assert - Passphrase protected key + idempotence)
assert:
that:
- privatekey5.stdout == '4096'
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence)
assert:
that:
- privatekey5_idempotence is not changed
- name: Validate privatekey6 (test - Passphrase protected key with non ascii character)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey6
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate privatekey6 (assert - Passphrase protected key with non ascii character)
assert:
that:
- privatekey6.stdout == '4096'
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate ECC generation (dump with OpenSSL)
shell: "openssl ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
loop: "{{ privatekey_ecc_generate.results }}"
register: privatekey_ecc_dump
when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item
loop_control:
label: "{{ item.item.curve }}"
- name: Validate ECC generation
assert:
that:
- item is changed
loop: "{{ privatekey_ecc_generate.results }}"
when: "'skip_reason' not in item"
loop_control:
label: "{{ item.item.curve }}"
- name: Validate ECC generation (curve type)
assert:
that:
- "'skip_reason' in item or item.item.item.openssl_name == item.stdout"
loop: "{{ privatekey_ecc_dump.results }}"
when: "'skip_reason' not in item"
loop_control:
label: "{{ item.item.item }} - {{ item.stdout if 'stdout' in item else '<unsupported>' }}"
- name: Validate ECC generation idempotency
assert:
that:
- item is not changed
loop: "{{ privatekey_ecc_idempotency.results }}"
when: "'skip_reason' not in item"
loop_control:
label: "{{ item.item.curve }}"
- name: Validate passphrase changing
assert:
that:
- passphrase_1 is changed
- passphrase_2 is not changed
- passphrase_3 is changed
- passphrase_4 is not changed
- passphrase_5 is changed