d00d0c81b3
* Add support for format option. * Improve private key format detection. * Fix raw format handling. * Improve error handling. * Improve raw key handling. * Add failed raw test. * Improve raw key loading. * Simplify tests. * Add raw format tests. * Fail if format != 'auto_ignore' is specified for pyopenssl backend. * Fix quoting. * Bump version. * Allow to convert private keys between different formats. * Improve description.
108 lines
3.2 KiB
YAML
108 lines
3.2 KiB
YAML
---
|
|
- name: Find out which elliptic curves are supported by installed OpenSSL
|
|
command: openssl ecparam -list_curves
|
|
register: openssl_ecc
|
|
|
|
- name: Compile list of elliptic curves supported by OpenSSL
|
|
set_fact:
|
|
openssl_ecc_list: |
|
|
{{
|
|
openssl_ecc.stdout_lines
|
|
| map('regex_search', '^ *([a-zA-Z0-9_-]+) *: .*$')
|
|
| select()
|
|
| map('regex_replace', '^ *([a-zA-Z0-9_-]+) *: .*$', '\1')
|
|
| list
|
|
}}
|
|
when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'
|
|
# CentOS comes with a very old jinja2 which does not include the map() filter...
|
|
- name: Compile list of elliptic curves supported by OpenSSL (CentOS 6)
|
|
set_fact:
|
|
openssl_ecc_list:
|
|
- secp384r1
|
|
- secp521r1
|
|
- prime256v1
|
|
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
|
|
|
|
- name: List of elliptic curves supported by OpenSSL
|
|
debug: var=openssl_ecc_list
|
|
|
|
- name: Run module with backend autodetection
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_backend_selection.pem'
|
|
|
|
- block:
|
|
- name: Running tests with pyOpenSSL backend
|
|
include_tasks: impl.yml
|
|
vars:
|
|
select_crypto_backend: pyopenssl
|
|
|
|
- import_tasks: ../tests/validate.yml
|
|
vars:
|
|
select_crypto_backend: pyopenssl
|
|
|
|
# FIXME: minimal pyOpenSSL version?!
|
|
when: pyopenssl_version.stdout is version('0.6', '>=')
|
|
|
|
- name: Remove output directory
|
|
file:
|
|
path: "{{ output_dir }}"
|
|
state: absent
|
|
|
|
- name: Re-create output directory
|
|
file:
|
|
path: "{{ output_dir }}"
|
|
state: directory
|
|
|
|
- block:
|
|
- name: Running tests with cryptography backend
|
|
include_tasks: impl.yml
|
|
vars:
|
|
select_crypto_backend: cryptography
|
|
|
|
- import_tasks: ../tests/validate.yml
|
|
vars:
|
|
select_crypto_backend: pyopenssl
|
|
|
|
when: cryptography_version.stdout is version('0.5', '>=')
|
|
|
|
- name: Check that fingerprints do not depend on the backend
|
|
block:
|
|
- name: "Fingerprint comparison: pyOpenSSL"
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/fingerprint-{{ item }}.pem'
|
|
type: "{{ item }}"
|
|
size: 1024
|
|
select_crypto_backend: pyopenssl
|
|
loop:
|
|
- RSA
|
|
- DSA
|
|
register: fingerprint_pyopenssl
|
|
|
|
- name: "Fingerprint comparison: cryptography"
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/fingerprint-{{ item }}.pem'
|
|
type: "{{ item }}"
|
|
size: 1024
|
|
select_crypto_backend: cryptography
|
|
loop:
|
|
- RSA
|
|
- DSA
|
|
register: fingerprint_cryptography
|
|
|
|
- name: Verify that keys were not regenerated
|
|
assert:
|
|
that:
|
|
- fingerprint_cryptography is not changed
|
|
|
|
- name: Verify that fingerprints match
|
|
assert:
|
|
that: item.0.fingerprint[item.2] == item.1.fingerprint[item.2]
|
|
when: item.0 is not skipped and item.1 is not skipped
|
|
loop: |
|
|
{{ query('nested',
|
|
fingerprint_pyopenssl.results | zip(fingerprint_cryptography.results),
|
|
fingerprint_pyopenssl.results[0].fingerprint.keys()
|
|
) if fingerprint_pyopenssl.results[0].fingerprint else [] }}
|
|
loop_control:
|
|
label: "{{ [item.0.item, item.2] }}"
|
|
when: pyopenssl_version.stdout is version('0.6', '>=') and cryptography_version.stdout is version('0.5', '>=')
|