90c067e947
* Improve error handling, in particular with respect to private key loading problems. * Add tests to validate that modules regenerate invalid input and don't crash. * Don't crash when input is invalid. * Create 'better' broken input. * Fix paths. * Simplifying pyOpenSSL error handling.
106 lines
4 KiB
YAML
106 lines
4 KiB
YAML
---
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Generate privatekey with password
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: auto
|
|
select_crypto_backend: cryptography
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Generate CSR (no extensions)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_noext.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
useCommonNameForSAN: no
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Generate selfsigned certificate (no extensions)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
csr_path: '{{ output_dir }}/csr_noext.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Assert that subject_alt_name is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
subject_alt_name:
|
|
- "DNS:example.com"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: extension_missing_san
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Assert that key_usage is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
key_usage:
|
|
- digitalSignature
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: extension_missing_ku
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Assert that extended_key_usage is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
extended_key_usage:
|
|
- biometricInfo
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: extension_missing_eku
|
|
|
|
- assert:
|
|
that:
|
|
- extension_missing_san is failed
|
|
- "'Found no subjectAltName extension' in extension_missing_san.msg"
|
|
- extension_missing_ku is failed
|
|
- "'Found no keyUsage extension' in extension_missing_ku.msg"
|
|
- extension_missing_eku is failed
|
|
- "'Found no extendedKeyUsage extension' in extension_missing_eku.msg"
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 1
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
privatekey_passphrase: hunter2
|
|
provider: assertonly
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_1
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 2
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
privatekey_passphrase: wrong_password
|
|
provider: assertonly
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_2
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) - Check private key passphrase fail 3
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
provider: assertonly
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: passphrase_error_3
|
|
|
|
- name: (Assertonly, {{select_crypto_backend}}) -
|
|
assert:
|
|
that:
|
|
- passphrase_error_1 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
|
|
- passphrase_error_2 is failed
|
|
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
|
|
- passphrase_error_3 is failed
|
|
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
|