openssl_certificate: fix passphrase handling for cryptography backend (#56155)
* Make sure passphrase is bytes string.
* Fix typo.
* Add more passphrase tests.
* Fix test names.
* Add changelog.
(cherry picked from commit 7a957ba64a
)
This commit is contained in:
parent
7333af4fbb
commit
a07ed8530f
5 changed files with 75 additions and 5 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- "openssl_certificate - fix private key passphrase handling for ``cryptography`` backend."
|
|
@ -168,7 +168,7 @@ def load_privatekey(path, passphrase=None, check_passphrase=True, content=None,
|
||||||
elif backend == 'cryptography':
|
elif backend == 'cryptography':
|
||||||
try:
|
try:
|
||||||
result = load_pem_private_key(priv_key_detail,
|
result = load_pem_private_key(priv_key_detail,
|
||||||
passphrase,
|
None if passphrase is None else to_bytes(passphrase),
|
||||||
cryptography_backend())
|
cryptography_backend())
|
||||||
except TypeError as dummy:
|
except TypeError as dummy:
|
||||||
raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key')
|
raise OpenSSLBadPassphraseError('Wrong or empty passphrase provided for private key')
|
||||||
|
|
|
@ -3,6 +3,13 @@
|
||||||
openssl_privatekey:
|
openssl_privatekey:
|
||||||
path: '{{ output_dir }}/ca_privatekey.pem'
|
path: '{{ output_dir }}/ca_privatekey.pem'
|
||||||
|
|
||||||
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey with passphrase
|
||||||
|
openssl_privatekey:
|
||||||
|
path: '{{ output_dir }}/ca_privatekey_pw.pem'
|
||||||
|
passphrase: hunter2
|
||||||
|
cipher: auto
|
||||||
|
select_crypto_backend: cryptography
|
||||||
|
|
||||||
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
path: '{{ output_dir }}/ca_csr.csr'
|
path: '{{ output_dir }}/ca_csr.csr'
|
||||||
|
@ -14,6 +21,18 @@
|
||||||
- 'CA:TRUE'
|
- 'CA:TRUE'
|
||||||
basic_constraints_critical: yes
|
basic_constraints_critical: yes
|
||||||
|
|
||||||
|
- name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR (privatekey passphrase)
|
||||||
|
openssl_csr:
|
||||||
|
path: '{{ output_dir }}/ca_csr_pw.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
|
||||||
|
privatekey_passphrase: hunter2
|
||||||
|
subject:
|
||||||
|
commonName: Example CA
|
||||||
|
useCommonNameForSAN: no
|
||||||
|
basic_constraints:
|
||||||
|
- 'CA:TRUE'
|
||||||
|
basic_constraints_critical: yes
|
||||||
|
|
||||||
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
path: '{{ output_dir }}/ca_cert.pem'
|
path: '{{ output_dir }}/ca_cert.pem'
|
||||||
|
@ -23,6 +42,16 @@
|
||||||
selfsigned_digest: sha256
|
selfsigned_digest: sha256
|
||||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
|
|
||||||
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
|
||||||
|
openssl_certificate:
|
||||||
|
path: '{{ output_dir }}/ca_cert_pw.pem'
|
||||||
|
csr_path: '{{ output_dir }}/ca_csr_pw.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
|
||||||
|
privatekey_passphrase: hunter2
|
||||||
|
provider: selfsigned
|
||||||
|
selfsigned_digest: sha256
|
||||||
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
|
|
||||||
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
path: '{{ output_dir }}/ownca_cert.pem'
|
path: '{{ output_dir }}/ownca_cert.pem'
|
||||||
|
@ -164,6 +193,18 @@
|
||||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
register: ownca_certificate_ecc
|
register: ownca_certificate_ecc
|
||||||
|
|
||||||
|
- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
|
||||||
|
openssl_certificate:
|
||||||
|
path: '{{ output_dir }}/ownca_cert_ecc_2.pem'
|
||||||
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
||||||
|
ownca_path: '{{ output_dir }}/ca_cert_pw.pem'
|
||||||
|
ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_pw.pem'
|
||||||
|
ownca_privatekey_passphrase: hunter2
|
||||||
|
provider: ownca
|
||||||
|
ownca_digest: sha256
|
||||||
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
|
register: selfsigned_certificate_passphrase
|
||||||
|
|
||||||
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 1)
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
path: '{{ output_dir }}/ownca_cert_pw1.pem'
|
path: '{{ output_dir }}/ownca_cert_pw1.pem'
|
||||||
|
@ -179,7 +220,7 @@
|
||||||
|
|
||||||
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
|
- name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (failed passphrase 2)
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
path: '{{ output_dir }}/ownca_cert_pw1.pem'
|
path: '{{ output_dir }}/ownca_cert_pw2.pem'
|
||||||
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
||||||
ownca_path: '{{ output_dir }}/ca_cert.pem'
|
ownca_path: '{{ output_dir }}/ca_cert.pem'
|
||||||
ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
ownca_privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
|
|
@ -176,6 +176,25 @@
|
||||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
register: selfsigned_certificate_ecc
|
register: selfsigned_certificate_ecc
|
||||||
|
|
||||||
|
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR (privatekey passphrase)
|
||||||
|
openssl_csr:
|
||||||
|
path: '{{ output_dir }}/csr_pass.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
privatekey_passphrase: hunter2
|
||||||
|
subject:
|
||||||
|
commonName: www.example.com
|
||||||
|
|
||||||
|
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (privatekey passphrase)
|
||||||
|
openssl_certificate:
|
||||||
|
path: '{{ output_dir }}/cert_pass.pem'
|
||||||
|
csr_path: '{{ output_dir }}/csr_pass.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
privatekey_passphrase: hunter2
|
||||||
|
provider: selfsigned
|
||||||
|
selfsigned_digest: sha256
|
||||||
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
|
register: selfsigned_certificate_passphrase
|
||||||
|
|
||||||
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
|
- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (failed passphrase 1)
|
||||||
openssl_certificate:
|
openssl_certificate:
|
||||||
path: '{{ output_dir }}/cert_pw1.pem'
|
path: '{{ output_dir }}/cert_pw1.pem'
|
||||||
|
|
|
@ -249,7 +249,15 @@
|
||||||
cipher: auto
|
cipher: auto
|
||||||
select_crypto_backend: cryptography
|
select_crypto_backend: cryptography
|
||||||
|
|
||||||
- name: Generate publickey - PEM format
|
- name: Generate CSR with privatekey passphrase
|
||||||
|
openssl_csr:
|
||||||
|
path: '{{ output_dir }}/csr_pw.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
privatekey_passphrase: hunter2
|
||||||
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||||
|
register: passphrase_1
|
||||||
|
|
||||||
|
- name: Generate CSR (failed passphrase 1)
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
path: '{{ output_dir }}/csr_pw1.csr'
|
path: '{{ output_dir }}/csr_pw1.csr'
|
||||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||||
|
@ -258,7 +266,7 @@
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
register: passphrase_error_1
|
register: passphrase_error_1
|
||||||
|
|
||||||
- name: Generate publickey - PEM format
|
- name: Generate CSR (failed passphrase 2)
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
path: '{{ output_dir }}/csr_pw2.csr'
|
path: '{{ output_dir }}/csr_pw2.csr'
|
||||||
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
@ -267,7 +275,7 @@
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
register: passphrase_error_2
|
register: passphrase_error_2
|
||||||
|
|
||||||
- name: Generate publickey - PEM format
|
- name: Generate CSR (failed passphrase 3)
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
path: '{{ output_dir }}/csr_pw3.csr'
|
path: '{{ output_dir }}/csr_pw3.csr'
|
||||||
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
||||||
|
|
Loading…
Reference in a new issue