--- - name: Validate CSR (test - privatekey modulus) shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem' register: privatekey_modulus - name: Validate CSR (test - Common Name) shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq" register: csr_cn - name: Validate CSR (test - csr modulus) shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr' register: csr_modulus - name: Validate CSR (assert) assert: that: - csr_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_modulus.stdout == privatekey_modulus.stdout - name: Validate CSR (check mode, idempotency) assert: that: - generate_csr_check is changed - generate_csr is changed - generate_csr_idempotent is not changed - generate_csr_idempotent_check is not changed - name: Validate CSR (data retrieval) assert: that: - generate_csr_check.csr is none - generate_csr.csr == lookup('file', output_dir ~ '/csr.csr', rstrip=False) - generate_csr.csr == generate_csr_idempotent.csr - generate_csr.csr == generate_csr_idempotent_check.csr - name: Validate CSR without SAN (check mode, idempotency) assert: that: - generate_csr_nosan_check is changed - generate_csr_nosan is changed - generate_csr_nosan_check_idempotent is not changed - generate_csr_nosan_check_idempotent_check is not changed - name: Validate CSR_KU_XKU (assert idempotency, change) assert: that: - csr_ku_xku is not changed - csr_ku_xku_change is changed - csr_ku_xku_change_2 is changed - name: Validate old_API CSR (test - Common Name) shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq" register: csr_oldapi_cn - name: Validate old_API CSR (test - csr modulus) shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr' register: csr_oldapi_modulus - name: Validate old_API CSR (assert) assert: that: - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_oldapi_modulus.stdout == privatekey_modulus.stdout - name: Validate invalid SAN assert: that: - generate_csr_invalid_san is failed - "'Subject Alternative Name' in generate_csr_invalid_san.msg" - name: Validate OCSP Must Staple CSR (test - everything) shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text" register: csr_ocsp - name: Validate OCSP Must Staple CSR (assert) assert: that: - "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or (csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))" - name: Validate OCSP Must Staple CSR (assert idempotency) assert: that: - csr_ocsp_idempotency is not changed - name: Validate ECC CSR (test - privatekey's public key) shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem' register: privatekey_ecc_key - name: Validate ECC CSR (test - Common Name) shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq" register: csr_ecc_cn - name: Validate ECC CSR (test - CSR pubkey) shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr' register: csr_ecc_pubkey - name: Validate ECC CSR (assert) assert: that: - csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout - name: Validate CSR (text common name - Common Name) shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq" register: csr3_cn - name: Validate CSR (assert) assert: that: - csr3_cn.stdout.split('=')[-1] == 'This is for Ansible' - name: Validate country name idempotency and validation assert: that: - country_idempotent_1 is changed - country_idempotent_2 is not changed - country_idempotent_3 is not changed - country_fail_4 is failed - name: assert: that: - passphrase_error_1 is failed - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg" - passphrase_error_2 is failed - "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg" - passphrase_error_3 is failed - "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg" - name: Verify that broken CSR will be regenerated assert: that: - output_broken is changed - name: Verify that subject key identifier handling works assert: that: - subject_key_identifier_1 is changed - subject_key_identifier_2 is not changed - subject_key_identifier_3 is changed - subject_key_identifier_4 is changed - subject_key_identifier_5 is not changed - subject_key_identifier_6 is changed when: select_crypto_backend != 'pyopenssl' - name: Verify that authority key identifier handling works assert: that: - authority_key_identifier_1 is changed - authority_key_identifier_2 is not changed - authority_key_identifier_3 is changed - authority_key_identifier_4 is changed when: select_crypto_backend != 'pyopenssl' - name: Verify that authority cert issuer / serial number handling works assert: that: - authority_cert_issuer_sn_1 is changed - authority_cert_issuer_sn_2 is not changed - authority_cert_issuer_sn_3 is changed - authority_cert_issuer_sn_4 is changed - authority_cert_issuer_sn_5 is changed when: select_crypto_backend != 'pyopenssl' - name: Check backup assert: that: - csr_backup_1 is changed - csr_backup_1.backup_file is undefined - csr_backup_2 is not changed - csr_backup_2.backup_file is undefined - csr_backup_3 is changed - csr_backup_3.backup_file is string - csr_backup_4 is changed - csr_backup_4.backup_file is string - csr_backup_5 is not changed - csr_backup_5.backup_file is undefined - csr_backup_4.csr is none - name: Check CSR with everything assert: that: - everything_1 is changed - everything_2 is not changed - everything_3 is not changed - name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8) assert: that: - generate_csr_ed25519_ed448.results[0] is failed - generate_csr_ed25519_ed448.results[1] is failed - generate_csr_ed25519_ed448.results[0].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.' - generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.' - generate_csr_ed25519_ed448_idempotent.results[0] is failed - generate_csr_ed25519_ed448_idempotent.results[1] is failed when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') - name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) assert: that: - generate_csr_ed25519_ed448 is succeeded - generate_csr_ed25519_ed448.results[0] is changed - generate_csr_ed25519_ed448.results[1] is changed - generate_csr_ed25519_ed448_idempotent is succeeded - generate_csr_ed25519_ed448_idempotent.results[0] is not changed - generate_csr_ed25519_ed448_idempotent.results[1] is not changed when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')