caf7fd2245
* Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
99 lines
3 KiB
YAML
99 lines
3 KiB
YAML
---
|
|
- name: Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
- name: Generate privatekey with password
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: auto
|
|
select_crypto_backend: cryptography
|
|
|
|
- name: Generate CSR (no extensions)
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_noext.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
useCommonNameForSAN: no
|
|
|
|
- name: Generate selfsigned certificate (no extensions)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
csr_path: '{{ output_dir }}/csr_noext.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
|
|
- name: Assert that subject_alt_name is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
subject_alt_name:
|
|
- "DNS:example.com"
|
|
ignore_errors: yes
|
|
register: extension_missing_san
|
|
|
|
- name: Assert that key_usage is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
key_usage:
|
|
- digitalSignature
|
|
ignore_errors: yes
|
|
register: extension_missing_ku
|
|
|
|
- name: Assert that extended_key_usage is there (should fail)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
provider: assertonly
|
|
extended_key_usage:
|
|
- biometricInfo
|
|
ignore_errors: yes
|
|
register: extension_missing_eku
|
|
|
|
- assert:
|
|
that:
|
|
- extension_missing_san is failed
|
|
- "'Found no subjectAltName extension' in extension_missing_san.msg"
|
|
- extension_missing_ku is failed
|
|
- "'Found no keyUsage extension' in extension_missing_ku.msg"
|
|
- extension_missing_eku is failed
|
|
- "'Found no extendedKeyUsage extension' in extension_missing_eku.msg"
|
|
|
|
- name: Check private key passphrase fail 1
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
privatekey_passphrase: hunter2
|
|
provider: assertonly
|
|
ignore_errors: yes
|
|
register: passphrase_error_1
|
|
|
|
- name: Check private key passphrase fail 2
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
privatekey_passphrase: wrong_password
|
|
provider: assertonly
|
|
ignore_errors: yes
|
|
register: passphrase_error_2
|
|
|
|
- name: Check private key passphrase fail 3
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_noext.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
provider: assertonly
|
|
ignore_errors: yes
|
|
register: passphrase_error_3
|
|
|
|
- name:
|
|
assert:
|
|
that:
|
|
- passphrase_error_1 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
|
|
- passphrase_error_2 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
|
|
- passphrase_error_3 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
|