java_keystore - Prefer SHA256 and solve SHA256 keytool in java11 version (#57302)

This commit is contained in:
Alvaro Olmedo Rodriguez 2019-07-15 18:44:30 +02:00 committed by Sam Doran
parent 2a07123fdd
commit a1dcba63b3
3 changed files with 11 additions and 9 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- java_keystore - Use SHA256 to check the fingerprints' certs. The module is compatible with java<=8 (SHA1 by default) and Java>=9 (SHA256 by default) now.

View file

@ -106,7 +106,7 @@ cmd:
description: Executed command to get action done
returned: changed and failure
type: str
sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha1"
sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha256"
'''
@ -116,7 +116,7 @@ import re
def read_certificate_fingerprint(module, openssl_bin, certificate_path):
current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha1" % (openssl_bin, certificate_path)
current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha256" % (openssl_bin, certificate_path)
(rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd)
if rc != 0:
return module.fail_json(msg=current_certificate_fingerprint_out,
@ -136,7 +136,7 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):
def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s'" % (keytool_bin, alias, keystore_path, keystore_password)
stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s' -v" % (keytool_bin, alias, keystore_path, keystore_password)
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
if rc != 0:
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
@ -147,7 +147,7 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
else:
return None
else:
stored_certificate_match = re.search(r": ([\w:]+)", stored_certificate_fingerprint_out)
stored_certificate_match = re.search(r"SHA256: ([\w:]+)", stored_certificate_fingerprint_out)
if not stored_certificate_match:
return module.fail_json(
msg="Unable to find the stored certificate fingerprint in %s" % stored_certificate_fingerprint_out,

View file

@ -168,7 +168,7 @@ class TestCertChanged(ModuleTestCase):
)
with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: abcd:1234:efgh', '')]
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: abcd:1234:efgh', '')]
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
self.assertFalse(result, 'Fingerprint is identical')
@ -187,7 +187,7 @@ class TestCertChanged(ModuleTestCase):
)
with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: wxyz:9876:stuv', '')]
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: wxyz:9876:stuv', '')]
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
self.assertTrue(result, 'Fingerprint mismatch')
@ -228,10 +228,10 @@ class TestCertChanged(ModuleTestCase):
module.fail_json = Mock()
with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'foo: wxyz:9876:stuv', '')]
self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'SHA256: wxyz:9876:stuv', '')]
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
module.fail_json.assert_called_once_with(
cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha1",
cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha256",
msg='',
err='Oops',
rc=1
@ -257,7 +257,7 @@ class TestCertChanged(ModuleTestCase):
self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
module.fail_json.assert_called_with(
cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit'",
cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit' -v",
msg='',
err='Oops',
rc=1