b1de5d43fc
* Add regenerate option to openssh_keypair and openssl_privatekey. * Add changelog.
805 lines
27 KiB
YAML
805 lines
27 KiB
YAML
---
|
|
- name: Generate privatekey1 - standard
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey1
|
|
|
|
- name: Generate privatekey1 - standard (idempotence)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey1_idempotence
|
|
|
|
- name: Generate privatekey2 - size 2048
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey2.pem'
|
|
size: 2048
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate privatekey3 - type DSA
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey3.pem'
|
|
type: DSA
|
|
size: 3072
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate privatekey4 - standard
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey4.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Delete privatekey4 - standard
|
|
openssl_privatekey:
|
|
state: absent
|
|
path: '{{ output_dir }}/privatekey4.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey4_delete
|
|
|
|
- name: Delete privatekey4 - standard (idempotence)
|
|
openssl_privatekey:
|
|
state: absent
|
|
path: '{{ output_dir }}/privatekey4.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey4_delete_idempotence
|
|
|
|
- name: Generate privatekey5 - standard - with passphrase
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey5.pem'
|
|
passphrase: ansible
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- name: Generate privatekey5 - standard - idempotence
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey5.pem'
|
|
passphrase: ansible
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey5_idempotence
|
|
|
|
- name: Generate privatekey6 - standard - with non-ASCII passphrase
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey6.pem'
|
|
passphrase: ànsïblé
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
|
|
- set_fact:
|
|
ecc_types: []
|
|
when: select_crypto_backend == 'pyopenssl'
|
|
- set_fact:
|
|
ecc_types:
|
|
- curve: secp384r1
|
|
openssl_name: secp384r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: secp521r1
|
|
openssl_name: secp521r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: secp224r1
|
|
openssl_name: secp224r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: secp192r1
|
|
openssl_name: prime192v1
|
|
min_cryptography_version: "0.5"
|
|
- curve: secp256r1
|
|
openssl_name: secp256r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: secp256k1
|
|
openssl_name: secp256k1
|
|
min_cryptography_version: "0.9"
|
|
- curve: brainpoolP256r1
|
|
openssl_name: brainpoolP256r1
|
|
min_cryptography_version: "2.2"
|
|
- curve: brainpoolP384r1
|
|
openssl_name: brainpoolP384r1
|
|
min_cryptography_version: "2.2"
|
|
- curve: brainpoolP512r1
|
|
openssl_name: brainpoolP512r1
|
|
min_cryptography_version: "2.2"
|
|
- curve: sect571k1
|
|
openssl_name: sect571k1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect409k1
|
|
openssl_name: sect409k1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect283k1
|
|
openssl_name: sect283k1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect233k1
|
|
openssl_name: sect233k1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect163k1
|
|
openssl_name: sect163k1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect571r1
|
|
openssl_name: sect571r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect409r1
|
|
openssl_name: sect409r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect283r1
|
|
openssl_name: sect283r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect233r1
|
|
openssl_name: sect233r1
|
|
min_cryptography_version: "0.5"
|
|
- curve: sect163r2
|
|
openssl_name: sect163r2
|
|
min_cryptography_version: "0.5"
|
|
when: select_crypto_backend == 'cryptography'
|
|
|
|
- name: Test ECC key generation
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey-{{ item.curve }}.pem'
|
|
type: ECC
|
|
curve: "{{ item.curve }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: |
|
|
cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
|
|
item.openssl_name in openssl_ecc_list
|
|
loop: "{{ ecc_types }}"
|
|
loop_control:
|
|
label: "{{ item.curve }}"
|
|
register: privatekey_ecc_generate
|
|
|
|
- name: Test ECC key generation (idempotency)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey-{{ item.curve }}.pem'
|
|
type: ECC
|
|
curve: "{{ item.curve }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: |
|
|
cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
|
|
item.openssl_name in openssl_ecc_list
|
|
loop: "{{ ecc_types }}"
|
|
loop_control:
|
|
label: "{{ item.curve }}"
|
|
register: privatekey_ecc_idempotency
|
|
|
|
- block:
|
|
- name: Test other type generation
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey-{{ item.type }}.pem'
|
|
type: "{{ item.type }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: cryptography_version.stdout is version(item.min_version, '>=')
|
|
loop: "{{ types }}"
|
|
loop_control:
|
|
label: "{{ item.type }}"
|
|
register: privatekey_t1_generate
|
|
|
|
- name: Test other type generation (idempotency)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey-{{ item.type }}.pem'
|
|
type: "{{ item.type }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: cryptography_version.stdout is version(item.min_version, '>=')
|
|
loop: "{{ types }}"
|
|
loop_control:
|
|
label: "{{ item.type }}"
|
|
register: privatekey_t1_idempotency
|
|
|
|
when: select_crypto_backend == 'cryptography'
|
|
vars:
|
|
types:
|
|
- type: X25519
|
|
min_version: '2.5'
|
|
- type: Ed25519
|
|
min_version: '2.6'
|
|
- type: Ed448
|
|
min_version: '2.6'
|
|
- type: X448
|
|
min_version: '2.6'
|
|
|
|
- name: Generate privatekey with passphrase
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
register: passphrase_1
|
|
|
|
- name: Generate privatekey with passphrase (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
register: passphrase_2
|
|
|
|
- name: Regenerate privatekey without passphrase
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
register: passphrase_3
|
|
|
|
- name: Regenerate privatekey without passphrase (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
register: passphrase_4
|
|
|
|
- name: Regenerate privatekey with passphrase
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
register: passphrase_5
|
|
|
|
- name: Create broken key
|
|
copy:
|
|
dest: "{{ output_dir }}/broken"
|
|
content: "broken"
|
|
- name: Regenerate broken key
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/broken.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: output_broken
|
|
|
|
- name: Remove module
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
state: absent
|
|
register: remove_1
|
|
|
|
- name: Remove module (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
backup: yes
|
|
state: absent
|
|
register: remove_2
|
|
|
|
- name: Generate privatekey_mode (mode 0400)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_mode.pem'
|
|
mode: '0400'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_mode_1
|
|
- name: Stat for privatekey_mode
|
|
stat:
|
|
path: '{{ output_dir }}/privatekey_mode.pem'
|
|
register: privatekey_mode_1_stat
|
|
|
|
- name: Generate privatekey_mode (mode 0400, idempotency)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_mode.pem'
|
|
mode: '0400'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_mode_2
|
|
|
|
- name: Generate privatekey_mode (mode 0400, force)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_mode.pem'
|
|
mode: '0400'
|
|
force: yes
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_mode_3
|
|
- name: Stat for privatekey_mode
|
|
stat:
|
|
path: '{{ output_dir }}/privatekey_mode.pem'
|
|
register: privatekey_mode_3_stat
|
|
|
|
- block:
|
|
- name: Generate privatekey_fmt_1 - auto format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: auto
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_1
|
|
|
|
- name: Generate privatekey_fmt_1 - auto format (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: auto
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_2
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS1 format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: pkcs1
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_3
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS8 format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: pkcs8
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_4
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS8 format (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: pkcs8
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_5
|
|
|
|
- name: Generate privatekey_fmt_1 - auto format (ignore)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: auto_ignore
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_6
|
|
|
|
- name: Generate privatekey_fmt_1 - auto format (no ignore)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: auto
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_7
|
|
|
|
- name: Generate privatekey_fmt_1 - raw format (fail)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: raw
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: yes
|
|
register: privatekey_fmt_1_step_8
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
|
|
openssl_privatekey_info:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_9_before
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
format: pkcs8
|
|
format_mismatch: convert
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_9
|
|
|
|
- name: Generate privatekey_fmt_1 - PKCS8 format (convert)
|
|
openssl_privatekey_info:
|
|
path: '{{ output_dir }}/privatekey_fmt_1.pem'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_1_step_9_after
|
|
|
|
when: 'select_crypto_backend == "cryptography"'
|
|
|
|
- block:
|
|
- name: Generate privatekey_fmt_2 - PKCS8 format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: pkcs8
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_2_step_1
|
|
|
|
- name: Generate privatekey_fmt_2 - PKCS8 format (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: pkcs8
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: privatekey_fmt_2_step_2
|
|
|
|
- name: Generate privatekey_fmt_2 - raw format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: raw
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey_fmt_2_step_3
|
|
|
|
- name: Read privatekey_fmt_2.pem
|
|
slurp:
|
|
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
|
register: content
|
|
|
|
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
|
assert:
|
|
that:
|
|
- privatekey_fmt_2_step_3.privatekey == content.content
|
|
|
|
- name: Generate privatekey_fmt_2 - raw format (idempotent)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: raw
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey_fmt_2_step_4
|
|
|
|
- name: Read privatekey_fmt_2.pem
|
|
slurp:
|
|
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
|
register: content
|
|
|
|
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
|
assert:
|
|
that:
|
|
- privatekey_fmt_2_step_4.privatekey == content.content
|
|
|
|
- name: Generate privatekey_fmt_2 - auto format (ignore)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: auto_ignore
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey_fmt_2_step_5
|
|
|
|
- name: Read privatekey_fmt_2.pem
|
|
slurp:
|
|
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
|
register: content
|
|
|
|
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
|
assert:
|
|
that:
|
|
- privatekey_fmt_2_step_5.privatekey == content.content
|
|
|
|
- name: Generate privatekey_fmt_2 - auto format (no ignore)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_fmt_2.pem'
|
|
type: X448
|
|
format: auto
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
return_content: yes
|
|
register: privatekey_fmt_2_step_6
|
|
|
|
- name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded
|
|
assert:
|
|
that:
|
|
- privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False)
|
|
|
|
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
|
|
|
|
|
|
|
|
# Test regenerate option
|
|
|
|
- name: Regenerate - setup simple keys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
- name: Regenerate - setup password protected keys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
passphrase: hunter2
|
|
cipher: "{{ 'aes256' if select_crypto_backend == 'pyopenssl' else 'auto' }}"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
- name: Regenerate - setup broken keys
|
|
copy:
|
|
dest: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
|
|
content: 'broken key'
|
|
mode: '0700'
|
|
loop: "{{ regenerate_values }}"
|
|
|
|
- name: Regenerate - modify broken keys (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
|
|
- result.results[1] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg or 'Cannot load raw key' in result.results[1].msg"
|
|
- result.results[2] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg or 'Cannot load raw key' in result.results[2].msg"
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - modify broken keys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-c-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
|
|
- result.results[1] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg or 'Cannot load raw key' in result.results[1].msg"
|
|
- result.results[2] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg or 'Cannot load raw key' in result.results[2].msg"
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - modify password protected keys (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
|
|
- result.results[1] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg"
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - modify password protected keys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-b-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
|
|
- result.results[1] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is failed
|
|
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[2].msg"
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - not modify regular keys (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is not changed
|
|
- result.results[1] is not changed
|
|
- result.results[2] is not changed
|
|
- result.results[3] is not changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - not modify regular keys
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is not changed
|
|
- result.results[1] is not changed
|
|
- result.results[2] is not changed
|
|
- result.results[3] is not changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - adjust key size (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1048
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - adjust key size
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: RSA
|
|
size: 1048
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - redistribute keys
|
|
copy:
|
|
src: '{{ output_dir }}/regenerate-a-always.pem'
|
|
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
remote_src: true
|
|
loop: "{{ regenerate_values }}"
|
|
when: "item != 'always'"
|
|
|
|
- name: Regenerate - adjust key type (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - adjust key type
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- block:
|
|
- name: Regenerate - redistribute keys
|
|
copy:
|
|
src: '{{ output_dir }}/regenerate-a-always.pem'
|
|
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
remote_src: true
|
|
loop: "{{ regenerate_values }}"
|
|
when: "item != 'always'"
|
|
|
|
- name: Regenerate - format mismatch (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
format: pkcs8
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong format. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - format mismatch
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
format: pkcs8
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
ignore_errors: yes
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is success and result.results[0] is not changed
|
|
- result.results[1] is failed
|
|
- "'Key has wrong format. Will not proceed.' in result.results[1].msg"
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - redistribute keys
|
|
copy:
|
|
src: '{{ output_dir }}/regenerate-a-always.pem'
|
|
dest: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
remote_src: true
|
|
loop: "{{ regenerate_values }}"
|
|
when: "item != 'always'"
|
|
|
|
- name: Regenerate - convert format (check mode)
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
format: pkcs1
|
|
format_mismatch: convert
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
check_mode: yes
|
|
loop: "{{ regenerate_values }}"
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is changed
|
|
- result.results[1] is changed
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
|
|
- name: Regenerate - convert format
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/regenerate-a-{{ item }}.pem'
|
|
type: DSA
|
|
size: 1024
|
|
format: pkcs1
|
|
format_mismatch: convert
|
|
regenerate: '{{ item }}'
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
loop: "{{ regenerate_values }}"
|
|
register: result
|
|
- assert:
|
|
that:
|
|
- result.results[0] is changed
|
|
- result.results[1] is changed
|
|
- result.results[2] is changed
|
|
- result.results[3] is changed
|
|
- result.results[4] is changed
|
|
# for all values but 'always', the key should have not been regenerated.
|
|
# verify this by comparing fingerprints:
|
|
- result.results[0].fingerprint == result.results[1].fingerprint
|
|
- result.results[0].fingerprint == result.results[2].fingerprint
|
|
- result.results[0].fingerprint == result.results[3].fingerprint
|
|
- result.results[0].fingerprint != result.results[4].fingerprint
|
|
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
|