openssl_certificate: check for existence before loading CSR / private keys / ... (#60740)

* Check file existence before loading files. * Remove superfluous import. * Add changelog.
2019-08-18 11:41:50 +02:00 · 2019-08-18 11:41:50 +02:00 · 16056f4978
commit 16056f4978
parent 13364fc530
2 changed files with 50 additions and 1 deletions
--- a/changelogs/fragments/60740-openssl_certificate-check-existence.yml
+++ b/changelogs/fragments/60740-openssl_certificate-check-existence.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - improve behavior when required files are missing."
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@ -809,7 +809,6 @@ try:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.serialization import Encoding
-    from cryptography.hazmat.primitives.hashes import SHA1
    from cryptography.x509 import NameAttribute, Name
    from cryptography.x509.oid import NameOID
    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
@ -1000,6 +999,16 @@ class SelfSignedCertificateCryptography(Certificate):
        self.digest = crypto_utils.select_message_digest(module.params['selfsigned_digest'])
        self.version = module.params['selfsigned_version']
        self.serial_number = x509.random_serial_number()
+
+        if not os.path.exists(self.csr_path):
+            raise CertificateError(
+                'The certificate signing request file {0} does not exist'.format(self.csr_path)
+            )
+        if not os.path.exists(self.privatekey_path):
+            raise CertificateError(
+                'The private key file {0} does not exist'.format(self.privatekey_path)
+            )
+
        self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
        self._module = module

@ -1093,6 +1102,16 @@ class SelfSignedCertificate(Certificate):
        self.digest = module.params['selfsigned_digest']
        self.version = module.params['selfsigned_version']
        self.serial_number = randint(1000, 99999)
+
+        if not os.path.exists(self.csr_path):
+            raise CertificateError(
+                'The certificate signing request file {0} does not exist'.format(self.csr_path)
+            )
+        if not os.path.exists(self.privatekey_path):
+            raise CertificateError(
+                'The private key file {0} does not exist'.format(self.privatekey_path)
+            )
+
        self.csr = crypto_utils.load_certificate_request(self.csr_path)
        try:
            self.privatekey = crypto_utils.load_privatekey(
@ -1175,6 +1194,20 @@ class OwnCACertificateCryptography(Certificate):
        self.ca_cert_path = module.params['ownca_path']
        self.ca_privatekey_path = module.params['ownca_privatekey_path']
        self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase']
+
+        if not os.path.exists(self.csr_path):
+            raise CertificateError(
+                'The certificate signing request file {0} does not exist'.format(self.csr_path)
+            )
+        if not os.path.exists(self.ca_cert_path):
+            raise CertificateError(
+                'The CA certificate file {0} does not exist'.format(self.ca_cert_path)
+            )
+        if not os.path.exists(self.ca_privatekey_path):
+            raise CertificateError(
+                'The CA private key file {0} does not exist'.format(self.ca_privatekey_path)
+            )
+
        self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
        self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path, backend=self.backend)
        try:
@ -1272,6 +1305,20 @@ class OwnCACertificate(Certificate):
        self.ca_cert_path = module.params['ownca_path']
        self.ca_privatekey_path = module.params['ownca_privatekey_path']
        self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase']
+
+        if not os.path.exists(self.csr_path):
+            raise CertificateError(
+                'The certificate signing request file {0} does not exist'.format(self.csr_path)
+            )
+        if not os.path.exists(self.ca_cert_path):
+            raise CertificateError(
+                'The CA certificate file {0} does not exist'.format(self.ca_cert_path)
+            )
+        if not os.path.exists(self.ca_privatekey_path):
+            raise CertificateError(
+                'The CA private key file {0} does not exist'.format(self.ca_privatekey_path)
+            )
+
        self.csr = crypto_utils.load_certificate_request(self.csr_path)
        self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path)
        try: