java_keystore - Prefer SHA256 and solve SHA256 keytool in java11 version (#57302)

2019-07-15 18:44:30 +02:00 · 2019-07-15 18:44:30 +02:00 · a1dcba63b3
commit a1dcba63b3
parent 2a07123fdd
3 changed files with 11 additions and 9 deletions
--- a/changelogs/fragments/57302-java_keystore_sha256.yaml
+++ b/changelogs/fragments/57302-java_keystore_sha256.yaml
@ -0,0 +1,2 @@
+bugfixes:
+- java_keystore - Use SHA256 to check the fingerprints' certs. The module is compatible with java<=8 (SHA1 by default) and Java>=9 (SHA256 by default) now.
--- a/lib/ansible/modules/system/java_keystore.py
+++ b/lib/ansible/modules/system/java_keystore.py
@ -106,7 +106,7 @@ cmd:
  description: Executed command to get action done
  returned: changed and failure
  type: str
-  sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha1"
+  sample: "openssl x509 -noout -in /tmp/cert.crt -fingerprint -sha256"
 '''


@ -116,7 +116,7 @@ import re


 def read_certificate_fingerprint(module, openssl_bin, certificate_path):
-    current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha1" % (openssl_bin, certificate_path)
+    current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha256" % (openssl_bin, certificate_path)
    (rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd)
    if rc != 0:
        return module.fail_json(msg=current_certificate_fingerprint_out,
@ -136,7 +136,7 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):


 def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
-    stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s'" % (keytool_bin, alias, keystore_path, keystore_password)
+    stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s' -v" % (keytool_bin, alias, keystore_path, keystore_password)
    (rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
    if rc != 0:
        if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
@ -147,7 +147,7 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
        else:
            return None
    else:
-        stored_certificate_match = re.search(r": ([\w:]+)", stored_certificate_fingerprint_out)
+        stored_certificate_match = re.search(r"SHA256: ([\w:]+)", stored_certificate_fingerprint_out)
        if not stored_certificate_match:
            return module.fail_json(
                msg="Unable to find the stored certificate fingerprint in %s" % stored_certificate_fingerprint_out,
--- a/test/units/modules/system/test_java_keystore.py
+++ b/test/units/modules/system/test_java_keystore.py
@ -168,7 +168,7 @@ class TestCertChanged(ModuleTestCase):
        )

        with patch('os.remove', return_value=True):
-            self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: abcd:1234:efgh', '')]
+            self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: abcd:1234:efgh', '')]
            result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            self.assertFalse(result, 'Fingerprint is identical')

@ -187,7 +187,7 @@ class TestCertChanged(ModuleTestCase):
        )

        with patch('os.remove', return_value=True):
-            self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'foo: wxyz:9876:stuv', '')]
+            self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''), (0, 'SHA256: wxyz:9876:stuv', '')]
            result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            self.assertTrue(result, 'Fingerprint mismatch')

@ -228,10 +228,10 @@ class TestCertChanged(ModuleTestCase):
        module.fail_json = Mock()

        with patch('os.remove', return_value=True):
-            self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'foo: wxyz:9876:stuv', '')]
+            self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'SHA256: wxyz:9876:stuv', '')]
            cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            module.fail_json.assert_called_once_with(
-                cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha1",
+                cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha256",
                msg='',
                err='Oops',
                rc=1
@ -257,7 +257,7 @@ class TestCertChanged(ModuleTestCase):
            self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
            cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            module.fail_json.assert_called_with(
-                cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit'",
+                cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit' -v",
                msg='',
                err='Oops',
                rc=1