fa70690e5c
* Add support for SubjectKeyIdentifier and AuthorityKeyIdentifier to _info modules. * Adding SubjectKeyIdentifier and AuthorityKeyIdentifier support to openssl_certificate and openssl_csr. * Fix type of authority_cert_issuer. * Add basic tests. * Add changelog. * Added proper tests for _info modules. * Fix docs bug. * Make sure new features are only used when cryptography backend for openssl_csr is available. * Work around jinja2 being too old on some CI hosts. * Add tests for openssl_csr. * Add openssl_certificate tests. * Fix idempotence test. * Move one level up. * Add ownca_create_authority_key_identifier option. * Add ownca_create_authority_key_identifier option. * Add idempotency check. * Apparently the function call expected different args for cryptography < 2.7. * Fix copy'n'paste errors and typos. * string -> general name. * Add disclaimer. * Implement always_create / create_if_not_provided / never_create for openssl_certificate. * Update changelog and porting guide. * Add comments for defaults.
138 lines
6 KiB
YAML
138 lines
6 KiB
YAML
---
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus)
|
|
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
|
|
register: privatekey_modulus
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus)
|
|
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem'
|
|
register: cert_modulus
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
|
|
register: cert_issuer
|
|
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: cert_version
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (assert)
|
|
assert:
|
|
that:
|
|
- cert_modulus.stdout == privatekey_modulus.stdout
|
|
- cert_version.stdout == '3'
|
|
- cert_issuer.stdout == 'CN=www.example.com'
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate idempotence
|
|
assert:
|
|
that:
|
|
- selfsigned_certificate.serial_number == selfsigned_certificate_idempotence.serial_number
|
|
- selfsigned_certificate.notBefore == selfsigned_certificate_idempotence.notBefore
|
|
- selfsigned_certificate.notAfter == selfsigned_certificate_idempotence.notAfter
|
|
|
|
- name: Make sure that changes in CSR are detected even if private key is specified
|
|
assert:
|
|
that:
|
|
- selfsigned_certificate_csr_minimal_change is changed
|
|
|
|
- block:
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
|
|
shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: cert_v2_version
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert)
|
|
assert:
|
|
that:
|
|
- cert_v2_version.stdout == '2'
|
|
when: select_crypto_backend != 'cryptography'
|
|
|
|
- block:
|
|
- name: (Selfsigned validateion, {{ select_crypto_backend }} Validate certificate v2 is failed
|
|
assert:
|
|
that:
|
|
- selfsigned_v2_cert is failed
|
|
- "'The cryptography backend does not support v2 certificates' in selfsigned_v2_cert.msg"
|
|
when: select_crypto_backend == 'cryptography'
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
|
|
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
|
|
register: privatekey2_modulus
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus)
|
|
shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
|
|
register: cert2_modulus
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert)
|
|
assert:
|
|
that:
|
|
- cert2_modulus.stdout == privatekey2_modulus.stdout
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notBefore)
|
|
shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: cert3_notBefore
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notAfter)
|
|
shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
|
|
register: cert3_notAfter
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notBefore)
|
|
assert:
|
|
that:
|
|
- cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notAfter)
|
|
assert:
|
|
that:
|
|
- cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
|
|
shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
|
|
register: privatekey_ecc_pubkey
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey)
|
|
shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
|
|
register: cert_ecc_pubkey
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert)
|
|
assert:
|
|
that:
|
|
- cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout
|
|
|
|
- name: (Selfsigned validation, {{select_crypto_backend}})
|
|
assert:
|
|
that:
|
|
- passphrase_error_1 is failed
|
|
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
|
|
- passphrase_error_2 is failed
|
|
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
|
|
- passphrase_error_3 is failed
|
|
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
|
|
|
|
- name: Verify that broken certificate will be regenerated
|
|
assert:
|
|
that:
|
|
- selfsigned_broken is changed
|
|
|
|
- name: Check backup
|
|
assert:
|
|
that:
|
|
- selfsigned_backup_1 is changed
|
|
- selfsigned_backup_1.backup_file is undefined
|
|
- selfsigned_backup_2 is not changed
|
|
- selfsigned_backup_2.backup_file is undefined
|
|
- selfsigned_backup_3 is changed
|
|
- selfsigned_backup_3.backup_file is string
|
|
- selfsigned_backup_4 is changed
|
|
- selfsigned_backup_4.backup_file is string
|
|
- selfsigned_backup_5 is not changed
|
|
- selfsigned_backup_5.backup_file is undefined
|
|
|
|
- name: Check create subject key identifier
|
|
assert:
|
|
that:
|
|
- selfsigned_subject_key_identifier_1 is changed
|
|
- selfsigned_subject_key_identifier_2 is not changed
|
|
- selfsigned_subject_key_identifier_3 is changed
|
|
- selfsigned_subject_key_identifier_4 is not changed
|
|
- selfsigned_subject_key_identifier_5 is changed
|
|
when: select_crypto_backend != 'pyopenssl'
|