--- - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus) shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem' register: privatekey_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus) shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem' register: cert_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value) shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"' register: cert_issuer - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3) shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' register: cert_version - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (assert) assert: that: - cert_modulus.stdout == privatekey_modulus.stdout - cert_version.stdout == '3' - cert_issuer.stdout == 'CN=www.example.com' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate idempotence assert: that: - selfsigned_certificate.serial_number == selfsigned_certificate_idempotence.serial_number - selfsigned_certificate.notBefore == selfsigned_certificate_idempotence.notBefore - selfsigned_certificate.notAfter == selfsigned_certificate_idempotence.notAfter - name: (Selfsigned validation, {{select_crypto_backend}}) Validate data retrieval assert: that: - selfsigned_certificate.certificate == lookup('file', output_dir ~ '/cert.pem', rstrip=False) - selfsigned_certificate.certificate == selfsigned_certificate_idempotence.certificate - name: Make sure that changes in CSR are detected even if private key is specified assert: that: - selfsigned_certificate_csr_minimal_change is changed - block: - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2) shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' register: cert_v2_version - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert) assert: that: - cert_v2_version.stdout == '2' when: select_crypto_backend != 'cryptography' - block: - name: (Selfsigned validateion, {{ select_crypto_backend }} Validate certificate v2 is failed assert: that: - selfsigned_v2_cert is failed - "'The cryptography backend does not support v2 certificates' in selfsigned_v2_cert.msg" when: select_crypto_backend == 'cryptography' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus) shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem' register: privatekey2_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus) shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem' register: cert2_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert) assert: that: - cert2_modulus.stdout == privatekey2_modulus.stdout - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notBefore) shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"' register: cert3_notBefore - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notAfter) shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"' register: cert3_notAfter - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notBefore) assert: that: - cert3_notBefore.stdout == 'Oct 23 13:37:42 2018' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notAfter) assert: that: - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey) shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem' register: privatekey_ecc_pubkey - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey) shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem' register: cert_ecc_pubkey - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert) assert: that: - cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout - name: (Selfsigned validation, {{select_crypto_backend}}) assert: that: - passphrase_error_1 is failed - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg" - passphrase_error_2 is failed - "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg" - passphrase_error_3 is failed - "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg" - name: (Selfsigned validation, {{select_crypto_backend}}) Verify that broken certificate will be regenerated assert: that: - selfsigned_broken is changed - name: (Selfsigned validation, {{select_crypto_backend}}) Check backup assert: that: - selfsigned_backup_1 is changed - selfsigned_backup_1.backup_file is undefined - selfsigned_backup_2 is not changed - selfsigned_backup_2.backup_file is undefined - selfsigned_backup_3 is changed - selfsigned_backup_3.backup_file is string - selfsigned_backup_4 is changed - selfsigned_backup_4.backup_file is string - selfsigned_backup_5 is not changed - selfsigned_backup_5.backup_file is undefined - name: (Selfsigned validation, {{select_crypto_backend}}) Check create subject key identifier assert: that: - selfsigned_subject_key_identifier_1 is changed - selfsigned_subject_key_identifier_2 is not changed - selfsigned_subject_key_identifier_3 is changed - selfsigned_subject_key_identifier_4 is not changed - selfsigned_subject_key_identifier_5 is changed when: select_crypto_backend != 'pyopenssl' - name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8) assert: that: - selfsigned_certificate_ed25519_ed448.results[0] is failed - selfsigned_certificate_ed25519_ed448.results[1] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and selfsigned_certificate_ed25519_ed448_privatekey is not failed - name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) assert: that: - selfsigned_certificate_ed25519_ed448 is succeeded - selfsigned_certificate_ed25519_ed448.results[0] is changed - selfsigned_certificate_ed25519_ed448.results[1] is changed - selfsigned_certificate_ed25519_ed448_idempotence is succeeded - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and selfsigned_certificate_ed25519_ed448_privatekey is not failed