cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

java_keystore - Prefer SHA256 and solve SHA256 keytool in java11 version (#57302)

Browse source
This commit is contained in:
Alvaro Olmedo Rodriguez 2019-07-15 18:44:30 +02:00 committed by Sam Doran
parent 2a07123fdd
commit a1dcba63b3
3 changed files with 11 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/57302-java_keystore_sha256.yaml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- java_keystore - Use SHA256 to check the fingerprints' certs. The module is compatible with java<=8 (SHA1 by default) and Java>=9 (SHA256 by default) now.

8
lib/ansible/modules/system/java_keystore.py
View file

@ -106,7 +106,7 @@ cmd:
description: Executed command to get action done description: Executed command to get action done
returned: changed and failure returned: changed and failure
type: str type: str
sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha1" sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha256"
''' '''
@ -116,7 +116,7 @@ import re
def read_certificate_fingerprint(module, openssl_bin, certificate_path): def read_certificate_fingerprint(module, openssl_bin, certificate_path):
current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha1" % (openssl_bin, certificate_path) current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha256" % (openssl_bin, certificate_path)
(rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd) (rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd)
if rc != 0: if rc != 0:
return module.fail_json(msg=current_certificate_fingerprint_out, return module.fail_json(msg=current_certificate_fingerprint_out,
@ -136,7 +136,7 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):
def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password): def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s'" % (keytool_bin, alias, keystore_path, keystore_password) stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s' -v" % (keytool_bin, alias, keystore_path, keystore_password)
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd) (rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
if rc != 0: if rc != 0:
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out: if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
@ -147,7 +147,7 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
else: else:
return None return None
else: else:
stored_certificate_match = re.search(r": ([\w:]+)", stored_certificate_fingerprint_out) stored_certificate_match = re.search(r"SHA256: ([\w:]+)", stored_certificate_fingerprint_out)
if not stored_certificate_match: if not stored_certificate_match:
return module.fail_json( return module.fail_json(
msg="Unable to find the stored certificate fingerprint in %s" % stored_certificate_fingerprint_out, msg="Unable to find the stored certificate fingerprint in %s" % stored_certificate_fingerprint_out,

10
test/units/modules/system/test_java_keystore.py
View file

@ -168,7 +168,7 @@ class TestCertChanged(ModuleTestCase):
) )
with patch('os.remove', return_value=True): with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: abcd:1234:efgh', '')] self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: abcd:1234:efgh', '')]
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo') result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
self.assertFalse(result, 'Fingerprint is identical') self.assertFalse(result, 'Fingerprint is identical')
@ -187,7 +187,7 @@ class TestCertChanged(ModuleTestCase):
) )
with patch('os.remove', return_value=True): with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: wxyz:9876:stuv', '')] self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: wxyz:9876:stuv', '')]
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo') result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
self.assertTrue(result, 'Fingerprint mismatch') self.assertTrue(result, 'Fingerprint mismatch')
@ -228,10 +228,10 @@ class TestCertChanged(ModuleTestCase):
module.fail_json = Mock() module.fail_json = Mock()
with patch('os.remove', return_value=True): with patch('os.remove', return_value=True):
self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'foo: wxyz:9876:stuv', '')] self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'SHA256: wxyz:9876:stuv', '')]
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo') cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
module.fail_json.assert_called_once_with( module.fail_json.assert_called_once_with(
cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha1", cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha256",
msg='', msg='',
err='Oops', err='Oops',
rc=1 rc=1
@ -257,7 +257,7 @@ class TestCertChanged(ModuleTestCase):
self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')] self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo') cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
module.fail_json.assert_called_with( module.fail_json.assert_called_with(
cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit'", cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit' -v",
msg='', msg='',
err='Oops', err='Oops',
rc=1 rc=1