cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/test/integration/targets/openssl_privatekey/tasks/impl.yml

821 lines
28 KiB
YAML
Raw Normal View History

openssl_privatekey: add ECC support (#49416) * Add cryptography backend for openssl_privatekey. * Adding ECC support. No support for X25519 and X449, since they don't support serialization. * Improve finterprint calculation to work with Python 3. * Add fingerprint check. * Fix typo. * Use separate curve option for elliptic curves, and use type 'ECC'. * Using curve names as defined in IANA registry. * Bump minimal supported cryptography version. Older versions might work as well, but I couldn't test them. * Improve documentation.
2018-12-18 10:07:36 +01:00
---
- name: Generate privatekey1 - standard
openssl_privatekey:
path: '{{ output_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
register: privatekey1
- name: Generate privatekey1 - standard (idempotence)
openssl_privatekey:
path: '{{ output_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes
register: privatekey1_idempotence
openssl_privatekey: add ECC support (#49416) * Add cryptography backend for openssl_privatekey. * Adding ECC support. No support for X25519 and X449, since they don't support serialization. * Improve finterprint calculation to work with Python 3. * Add fingerprint check. * Fix typo. * Use separate curve option for elliptic curves, and use type 'ECC'. * Using curve names as defined in IANA registry. * Bump minimal supported cryptography version. Older versions might work as well, but I couldn't test them. * Improve documentation.
2018-12-18 10:07:36 +01:00
- name: Generate privatekey2 - size 2048
openssl_privatekey:
path: '{{ output_dir }}/privatekey2.pem'
size: 2048
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate privatekey3 - type DSA
openssl_privatekey:
path: '{{ output_dir }}/privatekey3.pem'
type: DSA
size: 3072
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate privatekey4 - standard
openssl_privatekey:
path: '{{ output_dir }}/privatekey4.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Delete privatekey4 - standard
openssl_privatekey:
state: absent
path: '{{ output_dir }}/privatekey4.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
register: privatekey4_delete
- name: Delete privatekey4 - standard (idempotence)
openssl_privatekey:
state: absent
path: '{{ output_dir }}/privatekey4.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey4_delete_idempotence
openssl_privatekey: add ECC support (#49416) * Add cryptography backend for openssl_privatekey. * Adding ECC support. No support for X25519 and X449, since they don't support serialization. * Improve finterprint calculation to work with Python 3. * Add fingerprint check. * Fix typo. * Use separate curve option for elliptic curves, and use type 'ECC'. * Using curve names as defined in IANA registry. * Bump minimal supported cryptography version. Older versions might work as well, but I couldn't test them. * Improve documentation.
2018-12-18 10:07:36 +01:00
- name: Generate privatekey5 - standard - with passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekey5.pem'
passphrase: ansible
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate privatekey5 - standard - idempotence
openssl_privatekey:
path: '{{ output_dir }}/privatekey5.pem'
passphrase: ansible
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey5_idempotence
- name: Generate privatekey6 - standard - with non-ASCII passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekey6.pem'
passphrase: ànsïblé
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
- set_fact:
ecc_types: []
when: select_crypto_backend == 'pyopenssl'
- set_fact:
ecc_types:
- curve: secp384r1
openssl_name: secp384r1
min_cryptography_version: "0.5"
- curve: secp521r1
openssl_name: secp521r1
min_cryptography_version: "0.5"
- curve: secp224r1
openssl_name: secp224r1
min_cryptography_version: "0.5"
- curve: secp192r1
openssl_name: prime192v1
min_cryptography_version: "0.5"
openssl_privatekey: forgot to add secp256r1 (#58605) * Forgot to add secp256r1. This one is the interoperable one. * Add changelog.
2019-07-01 23:08:54 +02:00
- curve: secp256r1
openssl_name: secp256r1
min_cryptography_version: "0.5"
openssl_privatekey: add ECC support (#49416) * Add cryptography backend for openssl_privatekey. * Adding ECC support. No support for X25519 and X449, since they don't support serialization. * Improve finterprint calculation to work with Python 3. * Add fingerprint check. * Fix typo. * Use separate curve option for elliptic curves, and use type 'ECC'. * Using curve names as defined in IANA registry. * Bump minimal supported cryptography version. Older versions might work as well, but I couldn't test them. * Improve documentation.
2018-12-18 10:07:36 +01:00
- curve: secp256k1
openssl_name: secp256k1
min_cryptography_version: "0.9"
- curve: brainpoolP256r1
openssl_name: brainpoolP256r1
min_cryptography_version: "2.2"
- curve: brainpoolP384r1
openssl_name: brainpoolP384r1
min_cryptography_version: "2.2"
- curve: brainpoolP512r1
openssl_name: brainpoolP512r1
min_cryptography_version: "2.2"
- curve: sect571k1
openssl_name: sect571k1
min_cryptography_version: "0.5"
- curve: sect409k1
openssl_name: sect409k1
min_cryptography_version: "0.5"
- curve: sect283k1
openssl_name: sect283k1
min_cryptography_version: "0.5"
- curve: sect233k1
openssl_name: sect233k1
min_cryptography_version: "0.5"
- curve: sect163k1
openssl_name: sect163k1
min_cryptography_version: "0.5"
- curve: sect571r1
openssl_name: sect571r1
min_cryptography_version: "0.5"
- curve: sect409r1
openssl_name: sect409r1
min_cryptography_version: "0.5"
- curve: sect283r1
openssl_name: sect283r1
min_cryptography_version: "0.5"
- curve: sect233r1
openssl_name: sect233r1
min_cryptography_version: "0.5"
- curve: sect163r2
openssl_name: sect163r2
min_cryptography_version: "0.5"
when: select_crypto_backend == 'cryptography'
- name: Test ECC key generation
openssl_privatekey:
path: '{{ output_dir }}/privatekey-{{ item.curve }}.pem'
type: ECC
curve: "{{ item.curve }}"
select_crypto_backend: '{{ select_crypto_backend }}'
when: |
cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
item.openssl_name in openssl_ecc_list
loop: "{{ ecc_types }}"
loop_control:
label: "{{ item.curve }}"
register: privatekey_ecc_generate
- name: Test ECC key generation (idempotency)
openssl_privatekey:
path: '{{ output_dir }}/privatekey-{{ item.curve }}.pem'
type: ECC
curve: "{{ item.curve }}"
select_crypto_backend: '{{ select_crypto_backend }}'
when: |
cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
item.openssl_name in openssl_ecc_list
loop: "{{ ecc_types }}"
loop_control:
label: "{{ item.curve }}"
register: privatekey_ecc_idempotency
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
Implement Ed25519, Ed448, X25519 and X448 support (cryptography backend). (#54947)
2019-04-08 10:30:05 +02:00
- block:
- name: Test other type generation
openssl_privatekey:
path: '{{ output_dir }}/privatekey-{{ item.type }}.pem'
type: "{{ item.type }}"
select_crypto_backend: '{{ select_crypto_backend }}'
when: cryptography_version.stdout is version(item.min_version, '>=')
loop: "{{ types }}"
loop_control:
label: "{{ item.type }}"
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
Implement Ed25519, Ed448, X25519 and X448 support (cryptography backend). (#54947)
2019-04-08 10:30:05 +02:00
register: privatekey_t1_generate
- name: Test other type generation (idempotency)
openssl_privatekey:
path: '{{ output_dir }}/privatekey-{{ item.type }}.pem'
type: "{{ item.type }}"
select_crypto_backend: '{{ select_crypto_backend }}'
when: cryptography_version.stdout is version(item.min_version, '>=')
loop: "{{ types }}"
loop_control:
label: "{{ item.type }}"
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
Implement Ed25519, Ed448, X25519 and X448 support (cryptography backend). (#54947)
2019-04-08 10:30:05 +02:00
register: privatekey_t1_idempotency
when: select_crypto_backend == 'cryptography'
vars:
types:
- type: X25519
min_version: '2.5'
- type: Ed25519
min_version: '2.6'
- type: Ed448
min_version: '2.6'
- type: X448
min_version: '2.6'
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
- name: Generate privatekey with passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
backup: yes
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
register: passphrase_1
- name: Generate privatekey with passphrase (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
backup: yes
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
register: passphrase_2
- name: Regenerate privatekey without passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
backup: yes
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
register: passphrase_3
- name: Regenerate privatekey without passphrase (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
backup: yes
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
register: passphrase_4
- name: Regenerate privatekey with passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
backup: yes
openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489) * Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 17:21:18 +01:00
register: passphrase_5
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
openssl_* modules: private key errors (#54088) * Improve error handling, in particular with respect to private key loading problems. * Add tests to validate that modules regenerate invalid input and don't crash. * Don't crash when input is invalid. * Create 'better' broken input. * Fix paths. * Simplifying pyOpenSSL error handling.
2019-03-30 14:28:10 +01:00
- name: Create broken key
copy:
dest: "{{ output_dir }}/broken"
content: "broken"
- name: Regenerate broken key
openssl_privatekey:
path: '{{ output_dir }}/broken.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: output_broken
openssl_privatekey: add backup option (#53593) * Add backup option to openssl_privatekey. * Add changelog fragment. * Make module available in remove(). * Add tests for backup. * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py Co-Authored-By: felixfontein <felix@fontein.de> * Update lib/ansible/modules/crypto/openssl_privatekey.py
2019-03-18 17:34:47 +01:00
- name: Remove module
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
state: absent
register: remove_1
- name: Remove module (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
backup: yes
state: absent
register: remove_2
openssl_*: proper mode support (#54085) * Add write helper. * Adjust modules (except openssl_certificate). * Adding tests for mode (with openssl_privatekey). * Add openssl_certificate support. * Never, ever remove the output file before actually trying to generate new content for it. Removal is only allowed when state=absent, or when the object has been regenerated and the result needs to be written to that place. * Add changelog. * Extend test.
2019-03-25 14:20:53 +01:00
- name: Generate privatekey_mode (mode 0400)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_mode.pem'
mode: '0400'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_mode_1
- name: Stat for privatekey_mode
stat:
path: '{{ output_dir }}/privatekey_mode.pem'
register: privatekey_mode_1_stat
- name: Generate privatekey_mode (mode 0400, idempotency)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_mode.pem'
mode: '0400'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_mode_2
- name: Generate privatekey_mode (mode 0400, force)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_mode.pem'
mode: '0400'
force: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_mode_3
- name: Stat for privatekey_mode
stat:
path: '{{ output_dir }}/privatekey_mode.pem'
register: privatekey_mode_3_stat
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
- block:
- name: Generate privatekey_fmt_1 - auto format
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: auto
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_1
- name: Generate privatekey_fmt_1 - auto format (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: auto
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_2
- name: Generate privatekey_fmt_1 - PKCS1 format
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: pkcs1
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_3
- name: Generate privatekey_fmt_1 - PKCS8 format
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_4
- name: Generate privatekey_fmt_1 - PKCS8 format (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_5
- name: Generate privatekey_fmt_1 - auto format (ignore)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: auto_ignore
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_6
- name: Generate privatekey_fmt_1 - auto format (no ignore)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: auto
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_7
- name: Generate privatekey_fmt_1 - raw format (fail)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: raw
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: privatekey_fmt_1_step_8
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
openssl_privatekey_info:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_9_before
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
format: pkcs8
format_mismatch: convert
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_9
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
openssl_privatekey_info:
path: '{{ output_dir }}/privatekey_fmt_1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_9_after
when: 'select_crypto_backend == "cryptography"'
- block:
- name: Generate privatekey_fmt_2 - PKCS8 format
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
type: X448
format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
register: privatekey_fmt_2_step_1
- name: Generate privatekey_fmt_2 - PKCS8 format (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
type: X448
format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
register: privatekey_fmt_2_step_2
- name: Generate privatekey_fmt_2 - raw format
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
type: X448
format: raw
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
register: privatekey_fmt_2_step_3
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
- name: Read privatekey_fmt_2.pem
slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem"
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert:
that:
- privatekey_fmt_2_step_3.privatekey == content.content
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
when: privatekey_fmt_2_step_1 is not failed
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
- name: Generate privatekey_fmt_2 - raw format (idempotent)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
type: X448
format: raw
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
register: privatekey_fmt_2_step_4
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
- name: Read privatekey_fmt_2.pem
slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem"
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert:
that:
- privatekey_fmt_2_step_4.privatekey == content.content
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
when: privatekey_fmt_2_step_1 is not failed
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
- name: Generate privatekey_fmt_2 - auto format (ignore)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
Fix bug in format handling. (#65642)
2019-12-09 14:26:15 +01:00
type: X448
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
format: auto_ignore
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
Fix bug in format handling. (#65642)
2019-12-09 14:26:15 +01:00
register: privatekey_fmt_2_step_5
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
- name: Read privatekey_fmt_2.pem
slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem"
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert:
that:
- privatekey_fmt_2_step_5.privatekey == content.content
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
when: privatekey_fmt_2_step_1 is not failed
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
- name: Generate privatekey_fmt_2 - auto format (no ignore)
openssl_privatekey:
path: '{{ output_dir }}/privatekey_fmt_2.pem'
Fix bug in format handling. (#65642)
2019-12-09 14:26:15 +01:00
type: X448
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
format: auto
select_crypto_backend: '{{ select_crypto_backend }}'
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
return_content: yes
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
ignore_errors: yes
Fix bug in format handling. (#65642)
2019-12-09 14:26:15 +01:00
register: privatekey_fmt_2_step_6
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
- name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded
assert:
that:
- privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False)
openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
2020-02-19 18:24:46 +01:00
when: privatekey_fmt_2_step_1 is not failed
openssl_* modules: allow direct input and output for some files (#65400) * Allow to return generated object. * Use slurp module instead of file lookup + b64encode. * Rename return_xxx_content -> return_content.
2020-02-02 12:42:52 +01:00
openssl_privatekey: add support for format option (#60388) * Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
2019-10-17 10:40:13 +02:00
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
openssh_keypair and openssl_privatekey: add regenerate option (#67038) * Add regenerate option to openssh_keypair and openssl_privatekey. * Add changelog.
2020-02-15 15:39:36 +01:00
# Test regenerate option
- name: Regenerate - setup simple keys
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: 1024
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
- name: Regenerate - setup password protected keys
openssl_privatekey:
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: 1024
passphrase: hunter2
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
- name: Regenerate - setup broken keys
copy:
dest: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
content: 'broken key'
mode: '0700'
loop: "{{ regenerate_values }}"
- name: Regenerate - modify broken keys (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
- result.results[1] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg or 'Cannot load raw key' in result.results[1].msg"
- result.results[2] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg or 'Cannot load raw key' in result.results[2].msg"
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - modify broken keys
openssl_privatekey:
path: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
- result.results[1] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg or 'Cannot load raw key' in result.results[1].msg"
- result.results[2] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg or 'Cannot load raw key' in result.results[2].msg"
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - modify password protected keys (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
- result.results[1] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg"
- result.results[2] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg"
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - modify password protected keys
openssl_privatekey:
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
- result.results[1] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg"
- result.results[2] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg"
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - not modify regular keys (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
register: result
- assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
- result.results[2] is not changed
- result.results[3] is not changed
- result.results[4] is changed
- name: Regenerate - not modify regular keys
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
register: result
- assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
- result.results[2] is not changed
- result.results[3] is not changed
- result.results[4] is changed
- name: Regenerate - adjust key size (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: 1048
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - adjust key size
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: 1048
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - redistribute keys
copy:
src: '{{ output_dir }}/regenerate-a-always.pem'
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
loop: "{{ regenerate_values }}"
when: "item != 'always'"
- name: Regenerate - adjust key type (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - adjust key type
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- block:
- name: Regenerate - redistribute keys
copy:
src: '{{ output_dir }}/regenerate-a-always.pem'
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
loop: "{{ regenerate_values }}"
when: "item != 'always'"
- name: Regenerate - format mismatch (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
format: pkcs8
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong format. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - format mismatch
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
format: pkcs8
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
ignore_errors: yes
register: result
- assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
- "'Key has wrong format. Will not proceed.' in result.results[1].msg"
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - redistribute keys
copy:
src: '{{ output_dir }}/regenerate-a-always.pem'
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
loop: "{{ regenerate_values }}"
when: "item != 'always'"
- name: Regenerate - convert format (check mode)
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
format: pkcs1
format_mismatch: convert
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
loop: "{{ regenerate_values }}"
register: result
- assert:
that:
- result.results[0] is changed
- result.results[1] is changed
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
- name: Regenerate - convert format
openssl_privatekey:
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: 1024
format: pkcs1
format_mismatch: convert
regenerate: '{{ item }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
register: result
- assert:
that:
- result.results[0] is changed
- result.results[1] is changed
- result.results[2] is changed
- result.results[3] is changed
- result.results[4] is changed
# for all values but 'always', the key should have not been regenerated.
# verify this by comparing fingerprints:
- result.results[0].fingerprint == result.results[1].fingerprint
- result.results[0].fingerprint == result.results[2].fingerprint
- result.results[0].fingerprint == result.results[3].fingerprint
- result.results[0].fingerprint != result.results[4].fingerprint
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
Reference in a new issue Copy permalink