openssl_certificate: check for existence before loading CSR / private keys / ... (#60740)

* Check file existence before loading files.

* Remove superfluous import.

* Add changelog.
Felix Fontein 2019-08-18 11:41:50 +02:00 committed by GitHub
parent 13364fc530
commit 16056f4978
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 1 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_certificate - improve behavior when required files are missing."


@ -809,7 +809,6 @@ try:
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.hazmat.primitives.hashes import SHA1
from cryptography.x509 import NameAttribute, Name from cryptography.x509 import NameAttribute, Name
from cryptography.x509.oid import NameOID from cryptography.x509.oid import NameOID
CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__) CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
@ -1000,6 +999,16 @@ class SelfSignedCertificateCryptography(Certificate):
self.digest = crypto_utils.select_message_digest(module.params['selfsigned_digest']) self.digest = crypto_utils.select_message_digest(module.params['selfsigned_digest'])
self.version = module.params['selfsigned_version'] self.version = module.params['selfsigned_version']
self.serial_number = x509.random_serial_number() self.serial_number = x509.random_serial_number()
if not os.path.exists(self.csr_path):
raise CertificateError(
'The certificate signing request file {0} does not exist'.format(self.csr_path)
)
if not os.path.exists(self.privatekey_path):
raise CertificateError(
'The private key file {0} does not exist'.format(self.privatekey_path)
)
self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend) self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
self._module = module self._module = module
@ -1093,6 +1102,16 @@ class SelfSignedCertificate(Certificate):
self.digest = module.params['selfsigned_digest'] self.digest = module.params['selfsigned_digest']
self.version = module.params['selfsigned_version'] self.version = module.params['selfsigned_version']
self.serial_number = randint(1000, 99999) self.serial_number = randint(1000, 99999)
if not os.path.exists(self.csr_path):
raise CertificateError(
'The certificate signing request file {0} does not exist'.format(self.csr_path)
)
if not os.path.exists(self.privatekey_path):
raise CertificateError(
'The private key file {0} does not exist'.format(self.privatekey_path)
)
self.csr = crypto_utils.load_certificate_request(self.csr_path) self.csr = crypto_utils.load_certificate_request(self.csr_path)
try: try:
self.privatekey = crypto_utils.load_privatekey( self.privatekey = crypto_utils.load_privatekey(
@ -1175,6 +1194,20 @@ class OwnCACertificateCryptography(Certificate):
self.ca_cert_path = module.params['ownca_path'] self.ca_cert_path = module.params['ownca_path']
self.ca_privatekey_path = module.params['ownca_privatekey_path'] self.ca_privatekey_path = module.params['ownca_privatekey_path']
self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase'] self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase']
if not os.path.exists(self.csr_path):
raise CertificateError(
'The certificate signing request file {0} does not exist'.format(self.csr_path)
)
if not os.path.exists(self.ca_cert_path):
raise CertificateError(
'The CA certificate file {0} does not exist'.format(self.ca_cert_path)
)
if not os.path.exists(self.ca_privatekey_path):
raise CertificateError(
'The CA private key file {0} does not exist'.format(self.ca_privatekey_path)
)
self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend) self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path, backend=self.backend) self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path, backend=self.backend)
try: try:
@ -1272,6 +1305,20 @@ class OwnCACertificate(Certificate):
self.ca_cert_path = module.params['ownca_path'] self.ca_cert_path = module.params['ownca_path']
self.ca_privatekey_path = module.params['ownca_privatekey_path'] self.ca_privatekey_path = module.params['ownca_privatekey_path']
self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase'] self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase']
if not os.path.exists(self.csr_path):
raise CertificateError(
'The certificate signing request file {0} does not exist'.format(self.csr_path)
)
if not os.path.exists(self.ca_cert_path):
raise CertificateError(
'The CA certificate file {0} does not exist'.format(self.ca_cert_path)
)
if not os.path.exists(self.ca_privatekey_path):
raise CertificateError(
'The CA private key file {0} does not exist'.format(self.ca_privatekey_path)
)
self.csr = crypto_utils.load_certificate_request(self.csr_path) self.csr = crypto_utils.load_certificate_request(self.csr_path)
self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path) self.ca_cert = crypto_utils.load_certificate(self.ca_cert_path)
try: try:
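Review bot: The new `os.path.exists()` guards added to the four constructors (`SelfSignedCertificateCryptography`, `SelfSignedCertificate`, `OwnCACertificateCryptography`, `OwnCACertificate`) are a friendlier error message, not a guarantee that the following load succeeds. `os.path.exists()` returns False whenever the underlying stat fails, so a CSR or key behind a directory the module cannot traverse, or a broken symlink, is reported as "does not exist". It returns True for a directory, which then fails later inside `crypto_utils.load_certificate_request(...)` or the key loader. Using `if not os.path.isfile(self.csr_path):` would reject the directory case, and because the file can still vanish or be unreadable after the check, the loads themselves should also turn `IOError`/`OSError` into `CertificateError`. The same block is repeated in all four hunks and each `__init__` begins and ends outside the visible lines, so a small shared helper that takes the path and a label (the name is up to the author) would keep the messages in one place.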