openssl_publickey: Do not fail on empty existing file (#33255)

Currently during the check phase, the code considers the file to be
a public key if the file exists - which is not necessarily true.

This commit aims to ensure that the file is actually a public key; otherwise
the check returns false.
Yanis Guenane 2017-11-25 04:29:07 +01:00 committed by Abhijeet Kasurde
parent 748107d369
commit 32635577a3
3 changed files with 33 additions and 4 deletions


@ -211,10 +211,13 @@ class PublicKey(crypto_utils.OpenSSLObject):
if not os.path.exists(self.privatekey_path): if not os.path.exists(self.privatekey_path):
return False return False
current_publickey = crypto.dump_publickey( try:
crypto.FILETYPE_ASN1, current_publickey = crypto.dump_publickey(
crypto.load_publickey(crypto.FILETYPE_PEM, open(self.path, 'rb').read()) crypto.FILETYPE_ASN1,
) crypto.load_publickey(crypto.FILETYPE_PEM, open(self.path, 'rb').read())
)
except crypto.Error:
return False
desired_publickey = crypto.dump_publickey( desired_publickey = crypto.dump_publickey(
crypto.FILETYPE_ASN1, crypto.FILETYPE_ASN1,
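Review bot: The new try block still reads the key via `open(self.path, 'rb').read()`, which never closes the file handle explicitly; since this is now the call whose failure is caught, a context manager keeps the handle lifetime clear and makes the except cover only the parse: `with open(self.path, 'rb') as publickey_fh:` followed by `current_publickey = crypto.dump_publickey(crypto.FILETYPE_ASN1, crypto.load_publickey(crypto.FILETYPE_PEM, publickey_fh.read()))`. Catching `crypto.Error` means any unparseable content, not only an empty file, makes the check return False, after which the module presumably regenerates and overwrites the file; a comment such as `# empty or unparseable content is treated as "not a public key" and will be regenerated` would record that this is intended rather than an accident of the broad catch. Read errors (IOError/OSError) are not caught and still propagate, which seems right, but is worth stating in the same comment. The enclosing method begins before the hunk and continues after it.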


@ -48,6 +48,16 @@
privatekey_passphrase: ansible privatekey_passphrase: ansible
register: publickey3_idempotence register: publickey3_idempotence
- name: Generate empty file that will hold a public key (issue 33072)
file:
path: '{{ output_dir }}/publickey4.pub'
state: touch
- name: Generate publickey in empty existing file (issue 33072)
openssl_publickey:
path: '{{ output_dir }}/publickey4.pub'
privatekey_path: '{{ output_dir }}/privatekey.pem'
- import_tasks: ../tests/validate.yml - import_tasks: ../tests/validate.yml
when: pyopenssl_version.stdout|version_compare('16.0.0', '>=') when: pyopenssl_version.stdout|version_compare('16.0.0', '>=')
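Review bot: The task `Generate publickey in empty existing file (issue 33072)` does not register its result, so nothing can assert that the module reported changed, which is the regression this commit fixes (the check previously treated any existing file as a valid key and would have left the empty file in place). Adding `register: publickey4` under that task and asserting `publickey4|changed` in validate.yml, matching the filter style already used for `publickey3_idempotence`, would make the regression explicit instead of relying only on the downstream modulus comparison. The preceding `file: state: touch` step reports changed on every run, which is acceptable for a fixture but means this pair of tasks is not idempotence-safe if copied elsewhere.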


@ -59,3 +59,19 @@
assert: assert:
that: that:
- not publickey3_idempotence|changed - not publickey3_idempotence|changed
- name: Validate publickey4 (test - privatekey modulus)
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5'
register: privatekey4_modulus
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate publickey4 (test - publickey modulus)
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub | openssl md5'
register: publickey4_modulus
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate publickey4 (assert)
assert:
that:
- publickey4_modulus.stdout == privatekey4_modulus.stdout
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
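Review bot: The guard `when: openssl_version.stdout|version_compare('0.9.8zh', '>=')` is repeated verbatim on all three new tasks; grouping them under a single `block:` with one `when` would remove the duplication and guarantees the assert is skipped together with the tasks whose registered variables it reads. The private key modulus is recomputed into `privatekey4_modulus` although the key is the same `privatekey.pem` used by the earlier validations, so if an earlier task above this hunk already registers that modulus it could be reused. Both shell steps pipe into `openssl md5`, so a failing `openssl rsa` is masked by the pipeline's exit status and only surfaces as a hash mismatch in the final assert; a comment such as `# pipeline status is openssl md5's; an unreadable key shows up as a modulus mismatch in the assert below` would make that reliance deliberate.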