ansible/test/integration/targets/openssl_csr/tasks/impl.yml
Felix Fontein 7a957ba64a openssl_certificate: fix passphrase handling for cryptography backend (#56155)
* Make sure passphrase is bytes string.

* Fix typo.

* Add more passphrase tests.

* Fix test names.

* Add changelog.
2019-05-07 23:58:15 -04:00

521 lines
15 KiB
YAML

---
- name: Generate privatekey
openssl_privatekey:
path: '{{ output_dir }}/privatekey.pem'
- name: Generate CSR (check mode)
openssl_csr:
path: '{{ output_dir }}/csr.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_check
- name: Generate CSR
openssl_csr:
path: '{{ output_dir }}/csr.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr
- name: Generate CSR (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_check_idempotent
- name: Generate CSR (idempotent, check mode)
openssl_csr:
path: '{{ output_dir }}/csr.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_check_idempotent_check
- name: Generate CSR without SAN (check mode)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_nosan_check
- name: Generate CSR without SAN
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_nosan
- name: Generate CSR without SAN (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_nosan_check_idempotent
- name: Generate CSR without SAN (idempotent, check mode)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_nosan_check_idempotent_check
# keyUsage longname and shortname should be able to be used
# interchangeably. Hence the long name is specified here
# but the short name is used to test idempotency for ipsecuser
# and vice-versa for biometricInfo
- name: Generate CSR with KU and XKU
openssl_csr:
path: '{{ output_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
CN: www.ansible.com
keyUsage:
- digitalSignature
- keyAgreement
extendedKeyUsage:
- qcStatements
- DVCS
- IPSec User
- biometricInfo
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with KU and XKU (test idempotency)
openssl_csr:
path: '{{ output_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: 'www.ansible.com'
keyUsage:
- Key Agreement
- digitalSignature
extendedKeyUsage:
- ipsecUser
- qcStatements
- DVCS
- Biometric Info
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ku_xku
- name: Generate CSR with KU and XKU (test XKU change)
openssl_csr:
path: '{{ output_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: 'www.ansible.com'
keyUsage:
- digitalSignature
- keyAgreement
extendedKeyUsage:
- ipsecUser
- qcStatements
- Biometric Info
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ku_xku_change
- name: Generate CSR with KU and XKU (test KU change)
openssl_csr:
path: '{{ output_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: 'www.ansible.com'
keyUsage:
- digitalSignature
extendedKeyUsage:
- ipsecUser
- qcStatements
- Biometric Info
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ku_xku_change_2
- name: Generate CSR with old API
openssl_csr:
path: '{{ output_dir }}/csr_oldapi.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with invalid SAN
openssl_csr:
path: '{{ output_dir }}/csrinvsan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_invalid_san
ignore_errors: yes
- name: Generate CSR with OCSP Must Staple
openssl_csr:
path: '{{ output_dir }}/csr_ocsp.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
ocsp_must_staple: true
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with OCSP Must Staple (test idempotency)
openssl_csr:
path: '{{ output_dir }}/csr_ocsp.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
ocsp_must_staple: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ocsp_idempotency
- name: Generate ECC privatekey
openssl_privatekey:
path: '{{ output_dir }}/privatekey2.pem'
type: ECC
curve: secp384r1
- name: Generate CSR with ECC privatekey
openssl_csr:
path: '{{ output_dir }}/csr2.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with text common name
openssl_csr:
path: '{{ output_dir }}/csr3.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
commonName: This is for Ansible
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with country name
openssl_csr:
path: '{{ output_dir }}/csr4.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
country_name: de
select_crypto_backend: '{{ select_crypto_backend }}'
register: country_idempotent_1
- name: Generate CSR with country name (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr4.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
country_name: de
select_crypto_backend: '{{ select_crypto_backend }}'
register: country_idempotent_2
- name: Generate CSR with country name (idempotent 2)
openssl_csr:
path: '{{ output_dir }}/csr4.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
C: de
select_crypto_backend: '{{ select_crypto_backend }}'
register: country_idempotent_3
- name: Generate CSR with country name (bad country name)
openssl_csr:
path: '{{ output_dir }}/csr4.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
C: dex
select_crypto_backend: '{{ select_crypto_backend }}'
register: country_fail_4
ignore_errors: yes
- name: Generate privatekey with password
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: auto
select_crypto_backend: cryptography
- name: Generate CSR with privatekey passphrase
openssl_csr:
path: '{{ output_dir }}/csr_pw.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
select_crypto_backend: '{{ select_crypto_backend }}'
register: passphrase_1
- name: Generate CSR (failed passphrase 1)
openssl_csr:
path: '{{ output_dir }}/csr_pw1.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
privatekey_passphrase: hunter2
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: passphrase_error_1
- name: Generate CSR (failed passphrase 2)
openssl_csr:
path: '{{ output_dir }}/csr_pw2.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
privatekey_passphrase: wrong_password
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: passphrase_error_2
- name: Generate CSR (failed passphrase 3)
openssl_csr:
path: '{{ output_dir }}/csr_pw3.csr'
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: passphrase_error_3
- name: Create broken CSR
copy:
dest: "{{ output_dir }}/csrbroken.csr"
content: "broken"
- name: Regenerate broken CSR
openssl_csr:
path: '{{ output_dir }}/csrbroken.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
commonName: This is for Ansible
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: output_broken
- name: Generate CSR
openssl_csr:
path: '{{ output_dir }}/csr_backup.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
backup: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_1
- name: Generate CSR (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr_backup.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
backup: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_2
- name: Generate CSR (change)
openssl_csr:
path: '{{ output_dir }}/csr_backup.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: ansible.com
backup: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_3
- name: Generate CSR (remove)
openssl_csr:
path: '{{ output_dir }}/csr_backup.csr'
state: absent
backup: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_4
- name: Generate CSR (remove, idempotent)
openssl_csr:
path: '{{ output_dir }}/csr_backup.csr'
state: absent
backup: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_5
- name: Generate CSR with everything
openssl_csr:
path: '{{ output_dir }}/csr_everything.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.example.com
C: de
L: Somewhere
ST: Zurich
streetAddress: Welcome Street
O: Ansible
organizationalUnitName: Crypto Department
serialNumber: "1234"
SN: Last Name
GN: First Name
title: Chief
pseudonym: test
UID: asdf
emailAddress: test@example.com
postalAddress: 1234 Somewhere
postalCode: "1234"
useCommonNameForSAN: no
key_usage:
- digitalSignature
- keyAgreement
- Non Repudiation
- Key Encipherment
- dataEncipherment
- Certificate Sign
- cRLSign
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
subject_alt_name:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
ocsp_must_staple: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: everything_1
- name: Generate CSR with everything (idempotent, check mode)
openssl_csr:
path: '{{ output_dir }}/csr_everything.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.example.com
C: de
L: Somewhere
ST: Zurich
streetAddress: Welcome Street
O: Ansible
organizationalUnitName: Crypto Department
serialNumber: "1234"
SN: Last Name
GN: First Name
title: Chief
pseudonym: test
UID: asdf
emailAddress: test@example.com
postalAddress: 1234 Somewhere
postalCode: "1234"
useCommonNameForSAN: no
key_usage:
- digitalSignature
- keyAgreement
- Non Repudiation
- Key Encipherment
- dataEncipherment
- Certificate Sign
- cRLSign
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
subject_alt_name:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
ocsp_must_staple: yes
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: everything_2
- name: Generate CSR with everything (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr_everything.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.example.com
C: de
L: Somewhere
ST: Zurich
streetAddress: Welcome Street
O: Ansible
organizationalUnitName: Crypto Department
serialNumber: "1234"
SN: Last Name
GN: First Name
title: Chief
pseudonym: test
UID: asdf
emailAddress: test@example.com
postalAddress: 1234 Somewhere
postalCode: "1234"
useCommonNameForSAN: no
key_usage:
- digitalSignature
- keyAgreement
- Non Repudiation
- Key Encipherment
- dataEncipherment
- Certificate Sign
- cRLSign
- Encipher Only
- decipherOnly
key_usage_critical: yes
extended_key_usage:
- serverAuth # the same as "TLS Web Server Authentication"
- TLS Web Server Authentication
- TLS Web Client Authentication
- Code Signing
- E-mail Protection
- timeStamping
- OCSPSigning
- Any Extended Key Usage
- qcStatements
- DVCS
- IPSec User
- biometricInfo
subject_alt_name:
- "DNS:www.ansible.com"
- "IP:1.2.3.4"
- "IP:::1"
- "email:test@example.org"
- "URI:https://example.org/test/index.html"
basic_constraints:
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
ocsp_must_staple: yes
select_crypto_backend: '{{ select_crypto_backend }}'
register: everything_3