29ca9d2d4d
* Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
178 lines
8.8 KiB
YAML
178 lines
8.8 KiB
YAML
---
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - verify CA)
|
|
shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
|
|
register: ownca_verify_ca
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
|
|
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
|
|
register: ownca_cert_modulus
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
|
register: ownca_cert_issuer
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: ownca_cert_version
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (assert)
|
|
assert:
|
|
that:
|
|
- ownca_verify_ca.stdout == 'OK'
|
|
- ownca_cert_modulus.stdout == privatekey_modulus.stdout
|
|
- ownca_cert_version.stdout == '3'
|
|
# openssl 1.1.x adds a space between the output
|
|
- ownca_cert_issuer.stdout in ['CN=Example CA', 'CN = Example CA']
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate idempotence
|
|
assert:
|
|
that:
|
|
- ownca_certificate.serial_number == ownca_certificate_idempotence.serial_number
|
|
- ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore
|
|
- ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca data return
|
|
assert:
|
|
that:
|
|
- ownca_certificate.certificate == lookup('file', output_dir ~ '/ownca_cert.pem', rstrip=False)
|
|
- ownca_certificate.certificate == ownca_certificate_idempotence.certificate
|
|
|
|
- block:
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: ownca_cert_v2_version
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert)
|
|
assert:
|
|
that:
|
|
- ownca_cert_v2_version.stdout == '2'
|
|
when: "select_crypto_backend != 'cryptography'"
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
|
|
assert:
|
|
that:
|
|
- ownca_v2_certificate is failed
|
|
- "'The cryptography backend does not support v2 certificates' in ownca_v2_certificate.msg"
|
|
when: "select_crypto_backend == 'cryptography'"
|
|
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
|
|
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
|
|
register: ownca_cert2_modulus
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
|
|
assert:
|
|
that:
|
|
- ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate owncal certificate3 (test - notBefore)
|
|
shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: ownca_cert3_notBefore
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notAfter)
|
|
shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: ownca_cert3_notAfter
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notBefore)
|
|
assert:
|
|
that:
|
|
- ownca_cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notAfter)
|
|
assert:
|
|
that:
|
|
- ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
|
|
shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
|
|
register: ownca_cert_ecc_pubkey
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
|
|
register: ownca_cert_ecc_issuer
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (assert)
|
|
assert:
|
|
that:
|
|
- ownca_cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout
|
|
# openssl 1.1.x adds a space between the output
|
|
- ownca_cert_ecc_issuer.stdout in ['CN=Example CA', 'CN = Example CA']
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}})
|
|
assert:
|
|
that:
|
|
- passphrase_error_1 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
|
|
- passphrase_error_2 is failed
|
|
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
|
|
- passphrase_error_3 is failed
|
|
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}})Verify that broken certificate will be regenerated
|
|
assert:
|
|
that:
|
|
- ownca_broken is changed
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Check backup
|
|
assert:
|
|
that:
|
|
- ownca_backup_1 is changed
|
|
- ownca_backup_1.backup_file is undefined
|
|
- ownca_backup_2 is not changed
|
|
- ownca_backup_2.backup_file is undefined
|
|
- ownca_backup_3 is changed
|
|
- ownca_backup_3.backup_file is string
|
|
- ownca_backup_4 is changed
|
|
- ownca_backup_4.backup_file is string
|
|
- ownca_backup_5 is not changed
|
|
- ownca_backup_5.backup_file is undefined
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Check create subject key identifier
|
|
assert:
|
|
that:
|
|
- ownca_subject_key_identifier_1 is changed
|
|
- ownca_subject_key_identifier_2 is not changed
|
|
- ownca_subject_key_identifier_3 is changed
|
|
- ownca_subject_key_identifier_4 is not changed
|
|
- ownca_subject_key_identifier_5 is changed
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Check create authority key identifier
|
|
assert:
|
|
that:
|
|
- ownca_authority_key_identifier_1 is changed
|
|
- ownca_authority_key_identifier_2 is not changed
|
|
- ownca_authority_key_identifier_3 is changed
|
|
- ownca_authority_key_identifier_4 is not changed
|
|
- ownca_authority_key_identifier_5 is changed
|
|
when: select_crypto_backend != 'pyopenssl'
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
|
|
assert:
|
|
that:
|
|
- ownca_certificate_ed25519_ed448.results[0] is failed
|
|
- ownca_certificate_ed25519_ed448.results[1] is failed
|
|
- ownca_certificate_ed25519_ed448_idempotence.results[0] is failed
|
|
- ownca_certificate_ed25519_ed448_idempotence.results[1] is failed
|
|
- ownca_certificate_ed25519_ed448_2.results[0] is failed
|
|
- ownca_certificate_ed25519_ed448_2.results[1] is failed
|
|
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed
|
|
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed
|
|
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed
|
|
|
|
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
|
|
assert:
|
|
that:
|
|
- ownca_certificate_ed25519_ed448 is succeeded
|
|
- ownca_certificate_ed25519_ed448.results[0] is changed
|
|
- ownca_certificate_ed25519_ed448.results[1] is changed
|
|
- ownca_certificate_ed25519_ed448_idempotence is succeeded
|
|
- ownca_certificate_ed25519_ed448_idempotence.results[0] is not changed
|
|
- ownca_certificate_ed25519_ed448_idempotence.results[1] is not changed
|
|
- ownca_certificate_ed25519_ed448_2 is succeeded
|
|
- ownca_certificate_ed25519_ed448_2.results[0] is changed
|
|
- ownca_certificate_ed25519_ed448_2.results[1] is changed
|
|
- ownca_certificate_ed25519_ed448_2_idempotence is succeeded
|
|
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed
|
|
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed
|
|
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed
|