openss: fix various test and Python 3 issues (#47188)
(cherry picked from commit 6666b070a9
)
This commit is contained in:
parent
28ed7f722e
commit
7690659f7f
4 changed files with 12 additions and 9 deletions
3
changelogs/fragments/openssl-python3.yaml
Normal file
3
changelogs/fragments/openssl-python3.yaml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
bugfixes:
|
||||||
|
- openssl_csr - fix byte encoding issue on Python 3
|
||||||
|
- openssl_pkcs12 - fix byte encoding issue on Python 3
|
|
@ -465,7 +465,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
|
||||||
return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
|
return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
|
||||||
|
|
||||||
def _check_ocspMustStaple(extensions):
|
def _check_ocspMustStaple(extensions):
|
||||||
oms_ext = [ext for ext in extensions if ext.get_short_name() == MUST_STAPLE_NAME and str(ext) == MUST_STAPLE_VALUE]
|
oms_ext = [ext for ext in extensions if to_bytes(ext.get_short_name()) == MUST_STAPLE_NAME and to_bytes(ext) == MUST_STAPLE_VALUE]
|
||||||
if OpenSSL.SSL.OPENSSL_VERSION_NUMBER < 0x10100000:
|
if OpenSSL.SSL.OPENSSL_VERSION_NUMBER < 0x10100000:
|
||||||
# Older versions of libssl don't know about OCSP Must Staple
|
# Older versions of libssl don't know about OCSP Must Staple
|
||||||
oms_ext.extend([ext for ext in extensions if ext.get_short_name() == b'UNDEF' and ext.get_data() == b'\x30\x03\x02\x01\x05'])
|
oms_ext.extend([ext for ext in extensions if ext.get_short_name() == b'UNDEF' and ext.get_data() == b'\x30\x03\x02\x01\x05'])
|
||||||
|
|
|
@ -150,7 +150,7 @@ else:
|
||||||
|
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
from ansible.module_utils import crypto as crypto_utils
|
from ansible.module_utils import crypto as crypto_utils
|
||||||
from ansible.module_utils._text import to_native
|
from ansible.module_utils._text import to_bytes, to_native
|
||||||
|
|
||||||
|
|
||||||
class PkcsError(crypto_utils.OpenSSLObjectError):
|
class PkcsError(crypto_utils.OpenSSLObjectError):
|
||||||
|
@ -231,7 +231,7 @@ class Pkcs(crypto_utils.OpenSSLObject):
|
||||||
self.certificate_path))
|
self.certificate_path))
|
||||||
|
|
||||||
if self.friendly_name:
|
if self.friendly_name:
|
||||||
self.pkcs12.set_friendlyname(self.friendly_name)
|
self.pkcs12.set_friendlyname(to_bytes(self.friendly_name))
|
||||||
|
|
||||||
if self.privatekey_path:
|
if self.privatekey_path:
|
||||||
self.pkcs12.set_privatekey(crypto_utils.load_privatekey(
|
self.pkcs12.set_privatekey(crypto_utils.load_privatekey(
|
||||||
|
@ -266,7 +266,7 @@ class Pkcs(crypto_utils.OpenSSLObject):
|
||||||
pkcs12_file = os.open(self.path,
|
pkcs12_file = os.open(self.path,
|
||||||
os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
|
os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
|
||||||
self.mode)
|
self.mode)
|
||||||
os.write(pkcs12_file, '%s%s' % (pkey, crt))
|
os.write(pkcs12_file, b'%s%s' % (pkey, crt))
|
||||||
os.close(pkcs12_file)
|
os.close(pkcs12_file)
|
||||||
|
|
||||||
except IOError as exc:
|
except IOError as exc:
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: Validate privatekey1 (test - RSA key with size 4096 bits)
|
- name: Validate privatekey1 (test - RSA key with size 4096 bits)
|
||||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
|
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA\\s\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||||
register: privatekey1
|
register: privatekey1
|
||||||
|
|
||||||
- name: Validate privatekey1 (assert - RSA key with size 4096 bits)
|
- name: Validate privatekey1 (assert - RSA key with size 4096 bits)
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Validate privatekey2 (test - RSA key with size 2048 bits)
|
- name: Validate privatekey2 (test - RSA key with size 2048 bits)
|
||||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
|
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA\\s\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||||
register: privatekey2
|
register: privatekey2
|
||||||
|
|
||||||
- name: Validate privatekey2 (assert - RSA key with size 2048 bits)
|
- name: Validate privatekey2 (assert - RSA key with size 2048 bits)
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Validate privatekey3 (test - DSA key with size 4096 bits)
|
- name: Validate privatekey3 (test - DSA key with size 4096 bits)
|
||||||
shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
|
shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA\\s\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||||
register: privatekey3
|
register: privatekey3
|
||||||
|
|
||||||
- name: Validate privatekey3 (assert - DSA key with size 4096 bits)
|
- name: Validate privatekey3 (assert - DSA key with size 4096 bits)
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Validate privatekey5 (test - Passphrase protected key + idempotence)
|
- name: Validate privatekey5 (test - Passphrase protected key + idempotence)
|
||||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
|
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA\\s\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||||
register: privatekey5
|
register: privatekey5
|
||||||
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
|
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
|
||||||
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
|
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Validate privatekey6 (test - Passphrase protected key with non ascii character)
|
- name: Validate privatekey6 (test - Passphrase protected key with non ascii character)
|
||||||
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
|
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA\\s\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
|
||||||
register: privatekey6
|
register: privatekey6
|
||||||
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
when: openssl_version.stdout is version('0.9.8zh', '>=')
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue