ansible/test/integration/targets/openssl_privatekey/tasks/main.yml
Felix Fontein d00d0c81b3
openssl_privatekey: add support for format option (#60388)
* Add support for format option.

* Improve private key format detection.

* Fix raw format handling.

* Improve error handling.

* Improve raw key handling.

* Add failed raw test.

* Improve raw key loading.

* Simplify tests.

* Add raw format tests.

* Fail if format != 'auto_ignore' is specified for pyopenssl backend.

* Fix quoting.

* Bump version.

* Allow to convert private keys between different formats.

* Improve description.
2019-10-17 10:40:13 +02:00


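---
# Integration tests for the openssl_privatekey module.
#
# Relies on facts set elsewhere in the target (not defined in this file):
#   output_dir           - scratch directory for generated keys
#   pyopenssl_version    - stdout of a pyOpenSSL version probe
#   cryptography_version - stdout of a cryptography version probe
# Each backend is exercised separately (impl.yml + ../tests/validate.yml),
# then a final check confirms that key fingerprints are backend-independent.

- name: Find out which elliptic curves are supported by installed OpenSSL
  command: openssl ecparam -list_curves
  register: openssl_ecc

# `ecparam -list_curves` prints one "  <name> : <description>" line per curve.
# regex_search yields None for non-matching lines; the bare select() drops
# those before the name is extracted with regex_replace.
- name: Compile list of elliptic curves supported by OpenSSL
  set_fact:
    openssl_ecc_list: |
      {{
        openssl_ecc.stdout_lines
        | map('regex_search', '^ *([a-zA-Z0-9_-]+) *: .*$')
        | select()
        | map('regex_replace', '^ *([a-zA-Z0-9_-]+) *: .*$', '\1')
        | list
      }}
  when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'

# CentOS 6 ships a Jinja2 too old for the map() filter, so the curve list is
# hard-coded there. Only curves that OpenSSL on CentOS 6 is known to provide
# should be listed; a curve missing from the system makes impl.yml fail.
- name: Compile list of elliptic curves supported by OpenSSL (CentOS 6)
  set_fact:
    openssl_ecc_list:
      - secp384r1
      - secp521r1
      - prime256v1
  when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'

- name: List of elliptic curves supported by OpenSSL
  debug: var=openssl_ecc_list

# No select_crypto_backend given: the module must pick a usable backend itself.
- name: Run module with backend autodetection
  openssl_privatekey:
    path: '{{ output_dir }}/privatekey_backend_selection.pem'

- block:
    - name: Running tests with pyOpenSSL backend
      include_tasks: impl.yml
      vars:
        select_crypto_backend: pyopenssl

    - import_tasks: ../tests/validate.yml
      vars:
        select_crypto_backend: pyopenssl

  # FIXME: minimal pyOpenSSL version?!
  when: pyopenssl_version.stdout is version('0.6', '>=')

# Wipe everything produced by the pyOpenSSL run so the cryptography run starts
# from a clean directory (otherwise existing keys would mask "changed" results).
# NOTE(review): this recursively deletes output_dir; it must never point at a
# shared location.
- name: Remove output directory
  file:
    path: "{{ output_dir }}"
    state: absent

- name: Re-create output directory
  file:
    path: "{{ output_dir }}"
    state: directory

- block:
    - name: Running tests with cryptography backend
      include_tasks: impl.yml
      vars:
        select_crypto_backend: cryptography

    # Validate with the same backend that generated the keys (previously this
    # was left at pyopenssl, a copy-paste leftover from the block above).
    - import_tasks: ../tests/validate.yml
      vars:
        select_crypto_backend: cryptography

  when: cryptography_version.stdout is version('0.5', '>=')

- name: Check that fingerprints do not depend on the backend
  block:
    # 1024-bit keys are deliberately small to keep the test fast; this size is
    # far below what any real deployment should use.
    - name: "Fingerprint comparison: pyOpenSSL"
      openssl_privatekey:
        path: '{{ output_dir }}/fingerprint-{{ item }}.pem'
        type: "{{ item }}"
        size: 1024
        select_crypto_backend: pyopenssl
      loop:
        - RSA
        - DSA
      register: fingerprint_pyopenssl

    # Same paths and parameters: the cryptography backend must recognise the
    # existing keys as already matching and leave them untouched.
    - name: "Fingerprint comparison: cryptography"
      openssl_privatekey:
        path: '{{ output_dir }}/fingerprint-{{ item }}.pem'
        type: "{{ item }}"
        size: 1024
        select_crypto_backend: cryptography
      loop:
        - RSA
        - DSA
      register: fingerprint_cryptography

    # If a key had been regenerated here, the fingerprint comparison below
    # would be meaningless, so assert idempotence first.
    - name: Verify that keys were not regenerated
      assert:
        that:
          - fingerprint_cryptography is not changed

    # Compare every fingerprint algorithm (item.2) of every key type across the
    # two backends. The list is empty when the first result carries no
    # fingerprints, so the task simply loops zero times in that case.
    - name: Verify that fingerprints match
      assert:
        that: item.0.fingerprint[item.2] == item.1.fingerprint[item.2]
      when: item.0 is not skipped and item.1 is not skipped
      loop: |
        {{ query('nested',
                 fingerprint_pyopenssl.results | zip(fingerprint_cryptography.results),
                 fingerprint_pyopenssl.results[0].fingerprint.keys()
                 ) if fingerprint_pyopenssl.results[0].fingerprint else [] }}
      loop_control:
        label: "{{ [item.0.item, item.2] }}"

  when: pyopenssl_version.stdout is version('0.6', '>=') and cryptography_version.stdout is version('0.5', '>=')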