ansible/test/integration/targets/openssl_csr/tests/validate.yml

---
- name: Validate CSR (test - privatekey modulus)
  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey_modulus

- name: Validate CSR (test - Common Name)
  shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
  register: csr_cn

- name: Validate CSR (test - csr modulus)
  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
  register: csr_modulus

- name: Validate CSR (assert)
  assert:
    that:
      - csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_modulus.stdout == privatekey_modulus.stdout

- name: Validate CSR (check mode, idempotency)
  assert:
    that:
      - generate_csr_check is changed
      - generate_csr is changed
      - generate_csr_check_idempotent is not changed
      - generate_csr_check_idempotent_check is not changed

- name: Validate CSR without SAN (check mode, idempotency)
  assert:
    that:
      - generate_csr_nosan_check is changed
      - generate_csr_nosan is changed
      - generate_csr_nosan_check_idempotent is not changed
      - generate_csr_nosan_check_idempotent_check is not changed

- name: Validate CSR_KU_XKU (assert idempotency, change)
  assert:
    that:
      - csr_ku_xku is not changed
      - csr_ku_xku_change is changed
      - csr_ku_xku_change_2 is changed

- name: Validate old_API CSR (test - Common Name)
  shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
  register: csr_oldapi_cn

- name: Validate old_API CSR (test - csr modulus)
  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
  register: csr_oldapi_modulus

- name: Validate old_API CSR (assert)
  assert:
    that:
      - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_oldapi_modulus.stdout == privatekey_modulus.stdout

- name: Validate invalid SAN
  assert:
    that:
      - generate_csr_invalid_san is failed
      - "'Subject Alternative Name' in generate_csr_invalid_san.msg"

- name: Validate OCSP Must Staple CSR (test - everything)
  shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
  register: csr_ocsp

- name: Validate OCSP Must Staple CSR (assert)
  assert:
    that:
      - "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or
         (csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))"

- name: Validate OCSP Must Staple CSR (assert idempotency)
  assert:
    that:
      - csr_ocsp_idempotency is not changed

- name: Validate ECC CSR (test - privatekey's public key)
  shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
  register: privatekey_ecc_key

- name: Validate ECC CSR (test - Common Name)
  shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
  register: csr_ecc_cn

- name: Validate ECC CSR (test - CSR pubkey)
  shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
  register: csr_ecc_pubkey

- name: Validate ECC CSR (assert)
  assert:
    that:
      - csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout

- name: Validate CSR (text common name - Common Name)
  shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
  register: csr3_cn

- name: Validate CSR (assert)
  assert:
    that:
      - csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'

- name: Validate country name idempotency and validation
  assert:
    that:
      - country_idempotent_1 is changed
      - country_idempotent_2 is not changed
      - country_idempotent_3 is not changed
      - country_fail_4 is failed

- name:
  assert:
    that:
      - passphrase_error_1 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
      - passphrase_error_2 is failed
      - "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
      - passphrase_error_3 is failed
      - "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"

- name: Verify that broken CSR will be regenerated
  assert:
    that:
      - output_broken is changed

- name: Verify that subject key identifier handling works
  assert:
    that:
      - subject_key_identifier_1 is changed
      - subject_key_identifier_2 is not changed
      - subject_key_identifier_3 is changed
      - subject_key_identifier_4 is changed
      - subject_key_identifier_5 is not changed
      - subject_key_identifier_6 is changed
  when: select_crypto_backend != 'pyopenssl'

- name: Verify that authority key identifier handling works
  assert:
    that:
      - authority_key_identifier_1 is changed
      - authority_key_identifier_2 is not changed
      - authority_key_identifier_3 is changed
      - authority_key_identifier_4 is changed
  when: select_crypto_backend != 'pyopenssl'

- name: Verify that authority cert issuer / serial number handling works
  assert:
    that:
      - authority_cert_issuer_sn_1 is changed
      - authority_cert_issuer_sn_2 is not changed
      - authority_cert_issuer_sn_3 is changed
      - authority_cert_issuer_sn_4 is changed
      - authority_cert_issuer_sn_5 is changed
  when: select_crypto_backend != 'pyopenssl'

- name: Check backup
  assert:
    that:
      - csr_backup_1 is changed
      - csr_backup_1.backup_file is undefined
      - csr_backup_2 is not changed
      - csr_backup_2.backup_file is undefined
      - csr_backup_3 is changed
      - csr_backup_3.backup_file is string
      - csr_backup_4 is changed
      - csr_backup_4.backup_file is string
      - csr_backup_5 is not changed
      - csr_backup_5.backup_file is undefined

- name: Check CSR with everything
  assert:
    that:
      - everything_1 is changed
      - everything_2 is not changed
      - everything_3 is not changed

- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
  assert:
    that:
      - generate_csr_ed25519_ed448.results[0] is failed
      - generate_csr_ed25519_ed448.results[1] is failed
      - generate_csr_ed25519_ed448.results[0].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
      - generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
      - generate_csr_ed25519_ed448_idempotent.results[0] is failed
      - generate_csr_ed25519_ed448_idempotent.results[1] is failed
  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')

- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
  assert:
    that:
      - generate_csr_ed25519_ed448 is succeeded
      - generate_csr_ed25519_ed448.results[0] is changed
      - generate_csr_ed25519_ed448.results[1] is changed
      - generate_csr_ed25519_ed448_idempotent is succeeded
      - generate_csr_ed25519_ed448_idempotent.results[0] is not changed
      - generate_csr_ed25519_ed448_idempotent.results[1] is not changed
  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')
Elliptic curve tests for crypto modules (#50109) * Add openssl_csr ECC test. * Add openssl_publickey ECC test. * Add openssl_certificate ECC test. 2018-12-23 10:23:31 +01:00			`---`
Enable integration tests for the crypto/ namespace (#26684) Crypto namespace contains the openssl modules. It has no integration testing as of now. This commits aims to add integration tests for the crypto namespace. This will make it easier to spot breaking changes in the future. This tests currently apply to: * openssl_privatekey * openssl_publickey * openssl_csr 2017-07-25 13:18:18 +02:00			`- name: Validate CSR (test - privatekey modulus)`
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo 2017-12-12 13:35:22 +01:00			`shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'`
Enable integration tests for the crypto/ namespace (#26684) Crypto namespace contains the openssl modules. It has no integration testing as of now. This commits aims to add integration tests for the crypto namespace. This will make it easier to spot breaking changes in the future. This tests currently apply to: * openssl_privatekey * openssl_publickey * openssl_csr 2017-07-25 13:18:18 +02:00			`register: privatekey_modulus`

			`- name: Validate CSR (test - Common Name)`
			`shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"`
			`register: csr_cn`

			`- name: Validate CSR (test - csr modulus)`
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo 2017-12-12 13:35:22 +01:00			`shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'`
Enable integration tests for the crypto/ namespace (#26684) Crypto namespace contains the openssl modules. It has no integration testing as of now. This commits aims to add integration tests for the crypto namespace. This will make it easier to spot breaking changes in the future. This tests currently apply to: * openssl_privatekey * openssl_publickey * openssl_csr 2017-07-25 13:18:18 +02:00			`register: csr_modulus`

			`- name: Validate CSR (assert)`
			`assert:`
			`that:`
			`- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'`
			`- csr_modulus.stdout == privatekey_modulus.stdout`
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316 2017-09-14 18:03:00 +02:00
openssl_csr: idempotency doesn't work correctly for keyUsage (#50361) * Fix key usage idempotency bug. * Extend tests. * Add changelog. 2019-01-03 12:34:24 +01:00			`- name: Validate CSR (check mode, idempotency)`
			`assert:`
			`that:`
			`- generate_csr_check is changed`
			`- generate_csr is changed`
			`- generate_csr_check_idempotent is not changed`
			`- generate_csr_check_idempotent_check is not changed`

openssl_csr: ignore empty strings in altnames (#51473) * Ignore empty strings in altnames. * Add changelog. * Add idempotence check without SAN. * Fix bug in cryptography backend. 2019-02-11 11:30:56 +01:00			`- name: Validate CSR without SAN (check mode, idempotency)`
			`assert:`
			`that:`
			`- generate_csr_nosan_check is changed`
			`- generate_csr_nosan is changed`
			`- generate_csr_nosan_check_idempotent is not changed`
			`- generate_csr_nosan_check_idempotent_check is not changed`

openssl_csr: idempotency doesn't work correctly for keyUsage (#50361) * Fix key usage idempotency bug. * Extend tests. * Add changelog. 2019-01-03 12:34:24 +01:00			`- name: Validate CSR_KU_XKU (assert idempotency, change)`
openssl: remove static dict for keyUsage (#30339) keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316 2017-09-14 18:03:00 +02:00			`assert:`
			`that:`
openssl_csr: added support for the OCSP Must Staple extension (#35082) * Added support for the OCSP Must Staple extension. * Trying to clean up magic constants a bit. 2018-02-08 13:03:28 +01:00			`- csr_ku_xku is not changed`
openssl_csr: idempotency doesn't work correctly for keyUsage (#50361) * Fix key usage idempotency bug. * Extend tests. * Add changelog. 2019-01-03 12:34:24 +01:00			`- csr_ku_xku_change is changed`
			`- csr_ku_xku_change_2 is changed`
Allow multiple values per key in name fields in openssl_certificate/csr (#30338) * allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo 2017-12-12 13:35:22 +01:00
			`- name: Validate old_API CSR (test - Common Name)`
			`shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"`
			`register: csr_oldapi_cn`

			`- name: Validate old_API CSR (test - csr modulus)`
			`shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'`
			`register: csr_oldapi_modulus`

			`- name: Validate old_API CSR (assert)`
			`assert:`
			`that:`
			`- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'`
			`- csr_oldapi_modulus.stdout == privatekey_modulus.stdout`
openssl_csr: added support for the OCSP Must Staple extension (#35082) * Added support for the OCSP Must Staple extension. * Trying to clean up magic constants a bit. 2018-02-08 13:03:28 +01:00
openssl_csr: improve invalid SAN error messages (#53201) * Improve invalid SAN error messages. * Add changelog. 2019-03-05 17:07:07 +01:00			`- name: Validate invalid SAN`
			`assert:`
			`that:`
			`- generate_csr_invalid_san is failed`
			`- "'Subject Alternative Name' in generate_csr_invalid_san.msg"`

openssl_csr: added support for the OCSP Must Staple extension (#35082) * Added support for the OCSP Must Staple extension. * Trying to clean up magic constants a bit. 2018-02-08 13:03:28 +01:00			`- name: Validate OCSP Must Staple CSR (test - everything)`
			`shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"`
			`register: csr_ocsp`

			`- name: Validate OCSP Must Staple CSR (assert)`
			`assert:`
			`that:`
			`- "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or`
			`(csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))"`

			`- name: Validate OCSP Must Staple CSR (assert idempotency)`
			`assert:`
			`that:`
			`- csr_ocsp_idempotency is not changed`
Elliptic curve tests for crypto modules (#50109) * Add openssl_csr ECC test. * Add openssl_publickey ECC test. * Add openssl_certificate ECC test. 2018-12-23 10:23:31 +01:00
			`- name: Validate ECC CSR (test - privatekey's public key)`
			`shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'`
			`register: privatekey_ecc_key`

			`- name: Validate ECC CSR (test - Common Name)`
			`shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"`
			`register: csr_ecc_cn`

			`- name: Validate ECC CSR (test - CSR pubkey)`
			`shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'`
			`register: csr_ecc_pubkey`

			`- name: Validate ECC CSR (assert)`
			`assert:`
			`that:`
			`- csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'`
			`- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout`
openssl_csr cryptography backend, try II (#50894) * Revert "Revert "openssl_csr: Allow to use cryptography as backend (#50324)"" This reverts commit bbd2e31e9fc278ffe74ce5e5ae0788ba90956d03. * Remove more complicated selection copy'n'pasted from openssl_privatekey. * Add tests for backend selection. * Add openssl_csr test for arbitrary string commonName. * Allow to disable commonName -> SAN copying (fixes #36690). 2019-01-21 18:19:05 +01:00
			`- name: Validate CSR (text common name - Common Name)`
			`shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"`
			`register: csr3_cn`

			`- name: Validate CSR (assert)`
			`assert:`
			`that:`
			`- csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'`
openssl_csr: improve subject validation (#53198) * Improve subject field validation. * Add country name idempotency test. * Add failed country name test. * Add changelog. 2019-03-07 16:29:35 +01:00
			`- name: Validate country name idempotency and validation`
			`assert:`
			`that:`
			`- country_idempotent_1 is changed`
			`- country_idempotent_2 is not changed`
			`- country_idempotent_3 is not changed`
			`- country_fail_4 is failed`
openssl_: improve passphrase handling for private keys in PyOpenSSL (#53489) Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de> 2019-03-08 17:21:18 +01:00
			`- name:`
			`assert:`
			`that:`
			`- passphrase_error_1 is failed`
			`- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"`
			`- passphrase_error_2 is failed`
openssl_* modules: private key errors (#54088) * Improve error handling, in particular with respect to private key loading problems. * Add tests to validate that modules regenerate invalid input and don't crash. * Don't crash when input is invalid. * Create 'better' broken input. * Fix paths. * Simplifying pyOpenSSL error handling. 2019-03-30 14:28:10 +01:00			`- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"`
openssl_: improve passphrase handling for private keys in PyOpenSSL (#53489) Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de> 2019-03-08 17:21:18 +01:00			`- passphrase_error_3 is failed`
openssl_* modules: private key errors (#54088) * Improve error handling, in particular with respect to private key loading problems. * Add tests to validate that modules regenerate invalid input and don't crash. * Don't crash when input is invalid. * Create 'better' broken input. * Fix paths. * Simplifying pyOpenSSL error handling. 2019-03-30 14:28:10 +01:00			`- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"`

			`- name: Verify that broken CSR will be regenerated`
			`assert:`
			`that:`
			`- output_broken is changed`
openssl_*: add backup option (#54294) 2019-03-30 15:38:43 +01:00
openssl_certificate/csr(_info): add support for SubjectKeyIdentifier and AuthorityKeyIdentifier (#60741) * Add support for SubjectKeyIdentifier and AuthorityKeyIdentifier to _info modules. * Adding SubjectKeyIdentifier and AuthorityKeyIdentifier support to openssl_certificate and openssl_csr. * Fix type of authority_cert_issuer. * Add basic tests. * Add changelog. * Added proper tests for _info modules. * Fix docs bug. * Make sure new features are only used when cryptography backend for openssl_csr is available. * Work around jinja2 being too old on some CI hosts. * Add tests for openssl_csr. * Add openssl_certificate tests. * Fix idempotence test. * Move one level up. * Add ownca_create_authority_key_identifier option. * Add ownca_create_authority_key_identifier option. * Add idempotency check. * Apparently the function call expected different args for cryptography < 2.7. * Fix copy'n'paste errors and typos. * string -> general name. * Add disclaimer. * Implement always_create / create_if_not_provided / never_create for openssl_certificate. * Update changelog and porting guide. * Add comments for defaults. 2019-08-23 14:01:42 +02:00			`- name: Verify that subject key identifier handling works`
			`assert:`
			`that:`
			`- subject_key_identifier_1 is changed`
			`- subject_key_identifier_2 is not changed`
			`- subject_key_identifier_3 is changed`
			`- subject_key_identifier_4 is changed`
			`- subject_key_identifier_5 is not changed`
openssl_csr: fix tests (#63994) * Make sure tests are validated with correct backend in mind. * Fix tests. 2019-10-29 07:07:17 +01:00			`- subject_key_identifier_6 is changed`
openssl_certificate/csr(_info): add support for SubjectKeyIdentifier and AuthorityKeyIdentifier (#60741) * Add support for SubjectKeyIdentifier and AuthorityKeyIdentifier to _info modules. * Adding SubjectKeyIdentifier and AuthorityKeyIdentifier support to openssl_certificate and openssl_csr. * Fix type of authority_cert_issuer. * Add basic tests. * Add changelog. * Added proper tests for _info modules. * Fix docs bug. * Make sure new features are only used when cryptography backend for openssl_csr is available. * Work around jinja2 being too old on some CI hosts. * Add tests for openssl_csr. * Add openssl_certificate tests. * Fix idempotence test. * Move one level up. * Add ownca_create_authority_key_identifier option. * Add ownca_create_authority_key_identifier option. * Add idempotency check. * Apparently the function call expected different args for cryptography < 2.7. * Fix copy'n'paste errors and typos. * string -> general name. * Add disclaimer. * Implement always_create / create_if_not_provided / never_create for openssl_certificate. * Update changelog and porting guide. * Add comments for defaults. 2019-08-23 14:01:42 +02:00			`when: select_crypto_backend != 'pyopenssl'`

			`- name: Verify that authority key identifier handling works`
			`assert:`
			`that:`
			`- authority_key_identifier_1 is changed`
			`- authority_key_identifier_2 is not changed`
			`- authority_key_identifier_3 is changed`
			`- authority_key_identifier_4 is changed`
			`when: select_crypto_backend != 'pyopenssl'`

			`- name: Verify that authority cert issuer / serial number handling works`
			`assert:`
			`that:`
			`- authority_cert_issuer_sn_1 is changed`
			`- authority_cert_issuer_sn_2 is not changed`
			`- authority_cert_issuer_sn_3 is changed`
			`- authority_cert_issuer_sn_4 is changed`
			`- authority_cert_issuer_sn_5 is changed`
			`when: select_crypto_backend != 'pyopenssl'`

openssl_*: add backup option (#54294) 2019-03-30 15:38:43 +01:00			`- name: Check backup`
			`assert:`
			`that:`
			`- csr_backup_1 is changed`
			`- csr_backup_1.backup_file is undefined`
			`- csr_backup_2 is not changed`
			`- csr_backup_2.backup_file is undefined`
			`- csr_backup_3 is changed`
			`- csr_backup_3.backup_file is string`
			`- csr_backup_4 is changed`
			`- csr_backup_4.backup_file is string`
			`- csr_backup_5 is not changed`
			`- csr_backup_5.backup_file is undefined`
openssl_csr: fix idempotency problems (#55142) * Add test for generating a CSR with everything, and testing idempotency. * Proper SAN normalization before comparison. * Fix check in cryptography backend. * Convert SANs to text. Update comments. * Add changelog. 2019-04-15 09:15:08 +02:00
			`- name: Check CSR with everything`
			`assert:`
			`that:`
			`- everything_1 is changed`
			`- everything_2 is not changed`
			`- everything_3 is not changed`
openssl_csr and openssl_certificate: fix support for Ed25519 and Ed448 private keys (#63984) * Move X25519, X448, Ed25519 and Ed448 feature tests to module_utils. * Correctly sign with Ed25519 and Ed448 keys. * Fix public key comparison. Ed25519 and Ed448 do not have public_numbers(). * Add tests. * Add changelog. * Give better errors for cryptography 2.6.x and 2.7.x. * Test for new errors. * Forgot one. * Used wrong private key. * Use private key password for CA key. Add more stuff to its certificate. 2019-10-30 21:36:36 +01:00
			`- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)`
			`assert:`
			`that:`
			`- generate_csr_ed25519_ed448.results[0] is failed`
			`- generate_csr_ed25519_ed448.results[1] is failed`
			`- generate_csr_ed25519_ed448.results[0].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'`
			`- generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'`
			`- generate_csr_ed25519_ed448_idempotent.results[0] is failed`
			`- generate_csr_ed25519_ed448_idempotent.results[1] is failed`
			`when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')`

			`- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)`
			`assert:`
			`that:`
			`- generate_csr_ed25519_ed448 is succeeded`
			`- generate_csr_ed25519_ed448.results[0] is changed`
			`- generate_csr_ed25519_ed448.results[1] is changed`
			`- generate_csr_ed25519_ed448_idempotent is succeeded`
			`- generate_csr_ed25519_ed448_idempotent.results[0] is not changed`
			`- generate_csr_ed25519_ed448_idempotent.results[1] is not changed`
			`when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')`