diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-26 04:06:02 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-26 04:06:02 +0000 |
| commit | e3eb94c23206603103f3c4faec6c227f59a1544c (patch) | |
| tree | f2639459807ba88f55fc9c54d745bd7075d7f15c /ansible_collections/community/crypto/plugins/module_utils | |
| parent | Releasing progress-linux version 9.4.0+dfsg-1~progress7.99u1. (diff) | |
| download | ansible-e3eb94c23206603103f3c4faec6c227f59a1544c.tar.xz ansible-e3eb94c23206603103f3c4faec6c227f59a1544c.zip | |
Merging upstream version 9.5.1+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/crypto/plugins/module_utils')
13 files changed, 253 insertions, 49 deletions
diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py index 2e388980a..0722c1f99 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py @@ -11,7 +11,6 @@ __metaclass__ = type import base64 import binascii -import datetime import os import traceback @@ -42,11 +41,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.math impor ) from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, + ensure_utc_timezone, parse_name_field, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_name_to_oid, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( @@ -298,31 +301,51 @@ class CryptographyBackend(CryptoBackend): }, } - def get_csr_identifiers(self, csr_filename=None, csr_content=None): + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): ''' - Return a set of requested identifiers (CN and SANs) for the CSR. + Return a list of requested identifiers (CN and SANs) for the CSR. Each identifier is a pair (type, identifier), where type is either 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. ''' - identifiers = set([]) if csr_content is None: csr_content = read_file(csr_filename) else: csr_content = to_bytes(csr_content) csr = cryptography.x509.load_pem_x509_csr(csr_content, _cryptography_backend) + + identifiers = set() + result = [] + + def add_identifier(identifier): + if identifier in identifiers: + return + identifiers.add(identifier) + result.append(identifier) + for sub in csr.subject: if sub.oid == cryptography.x509.oid.NameOID.COMMON_NAME: - identifiers.add(('dns', sub.value)) + add_identifier(('dns', sub.value)) for extension in csr.extensions: if extension.oid == cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME: for name in extension.value: if isinstance(name, cryptography.x509.DNSName): - identifiers.add(('dns', name.value)) + add_identifier(('dns', name.value)) elif isinstance(name, cryptography.x509.IPAddress): - identifiers.add(('ip', name.value.compressed)) + add_identifier(('ip', name.value.compressed)) else: raise BackendException('Found unsupported SAN identifier {0}'.format(name)) - return identifiers + return result + + def get_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a set of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + ''' + return set(self.get_ordered_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) def get_cert_days(self, cert_filename=None, cert_content=None, now=None): ''' @@ -353,8 +376,10 @@ class CryptographyBackend(CryptoBackend): raise BackendException('Cannot parse certificate {0}: {1}'.format(cert_filename, e)) if now is None: - now = datetime.datetime.now() - return (cert.not_valid_after - now).days + now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) + elif CRYPTOGRAPHY_TIMEZONE: + now = ensure_utc_timezone(now) + return (get_not_valid_after(cert) - now).days def create_chain_matcher(self, criterium): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py index dabcbdb3b..9a1ed1f5a 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py @@ -225,11 +225,14 @@ class OpenSSLCLIBackend(CryptoBackend): # We do not want to error out on something IPAddress() cannot parse return ip - def get_csr_identifiers(self, csr_filename=None, csr_content=None): + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): ''' - Return a set of requested identifiers (CN and SANs) for the CSR. + Return a list of requested identifiers (CN and SANs) for the CSR. Each identifier is a pair (type, identifier), where type is either 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. ''' filename = csr_filename data = None @@ -241,24 +244,40 @@ class OpenSSLCLIBackend(CryptoBackend): dummy, out, dummy = self.module.run_command( openssl_csr_cmd, data=data, check_rc=True, binary_data=True, environ_update=_OPENSSL_ENVIRONMENT_UPDATE) - identifiers = set([]) + identifiers = set() + result = [] + + def add_identifier(identifier): + if identifier in identifiers: + return + identifiers.add(identifier) + result.append(identifier) + common_name = re.search(r"Subject:.* CN\s?=\s?([^\s,;/]+)", to_text(out, errors='surrogate_or_strict')) if common_name is not None: - identifiers.add(('dns', common_name.group(1))) + add_identifier(('dns', common_name.group(1))) subject_alt_names = re.search( r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n", to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL) if subject_alt_names is not None: for san in subject_alt_names.group(1).split(", "): if san.lower().startswith("dns:"): - identifiers.add(('dns', san[4:])) + add_identifier(('dns', san[4:])) elif san.lower().startswith("ip:"): - identifiers.add(('ip', self._normalize_ip(san[3:]))) + add_identifier(('ip', self._normalize_ip(san[3:]))) elif san.lower().startswith("ip address:"): - identifiers.add(('ip', self._normalize_ip(san[11:]))) + add_identifier(('ip', self._normalize_ip(san[11:]))) else: raise BackendException('Found unsupported SAN identifier "{0}"'.format(san)) - return identifiers + return result + + def get_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a set of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + ''' + return set(self.get_ordered_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) def get_cert_days(self, cert_filename=None, cert_content=None, now=None): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py index 5c48e1a74..2d95a3ee3 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py @@ -34,6 +34,23 @@ class CryptoBackend(object): def create_mac_key(self, alg, key): '''Create a MAC key.''' + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a list of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. + ''' + self.module.deprecate( + "Every backend must override the get_ordered_csr_identifiers() method." + " The default implementation will be removed in 3.0.0 and this method will be marked as `abstractmethod` by then.", + version='3.0.0', + collection_name='community.crypto', + ) + return sorted(self.get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) + @abc.abstractmethod def get_csr_identifiers(self, csr_filename=None, csr_content=None): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py index 62499e08b..8ef0d65da 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py @@ -19,6 +19,7 @@ from .basic import ( ) from .cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, ) @@ -27,6 +28,11 @@ from ._obj2txt import ( ) +# TODO: once cryptography has a _utc variant of InvalidityDate.invalidity_date, set this +# to True and adjust get_invalidity_date() accordingly. +# (https://github.com/pyca/cryptography/issues/10818) +CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = False + TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ" @@ -55,7 +61,7 @@ else: def cryptography_decode_revoked_certificate(cert): result = { 'serial_number': cert.serial_number, - 'revocation_date': cert.revocation_date, + 'revocation_date': get_revocation_date(cert), 'issuer': None, 'issuer_critical': False, 'reason': None, @@ -77,7 +83,7 @@ def cryptography_decode_revoked_certificate(cert): pass try: ext = cert.extensions.get_extension_for_class(x509.InvalidityDate) - result['invalidity_date'] = ext.value.invalidity_date + result['invalidity_date'] = get_invalidity_date(ext.value) result['invalidity_date_critical'] = ext.critical except x509.ExtensionNotFound: pass @@ -112,3 +118,38 @@ def cryptography_get_signature_algorithm_oid_from_crl(crl): crl._x509_crl.sig_alg.algorithm ) return x509.oid.ObjectIdentifier(dotted) + + +def get_next_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.next_update_utc + return obj.next_update + + +def get_last_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.last_update_utc + return obj.last_update + + +def get_revocation_date(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.revocation_date_utc + return obj.revocation_date + + +def get_invalidity_date(obj): + # TODO: special handling if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE is True + return obj.invalidity_date + + +def set_next_update(builder, value): + return builder.next_update(value) + + +def set_last_update(builder, value): + return builder.last_update(value) + + +def set_revocation_date(builder, value): + return builder.revocation_date(value) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py index b767d3417..3d07b35b1 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py @@ -29,7 +29,9 @@ try: from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import padding import ipaddress + _HAS_CRYPTOGRAPHY = True except ImportError: + _HAS_CRYPTOGRAPHY = False # Error handled in the calling module. pass @@ -106,6 +108,11 @@ from ._objects import ( from ._obj2txt import obj2txt +CRYPTOGRAPHY_TIMEZONE = False +if _HAS_CRYPTOGRAPHY: + CRYPTOGRAPHY_TIMEZONE = LooseVersion(cryptography.__version__) >= LooseVersion('42.0.0') + + DOTTED_OID = re.compile(r'^\d+(?:\.\d+)+$') @@ -807,3 +814,23 @@ def cryptography_verify_certificate_signature(certificate, signer_public_key): certificate.signature_hash_algorithm, signer_public_key ) + + +def get_not_valid_after(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_after_utc + return obj.not_valid_after + + +def get_not_valid_before(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_before_utc + return obj.not_valid_before + + +def set_not_valid_after(builder, value): + return builder.not_valid_after(value) + + +def set_not_valid_before(builder, value): + return builder.not_valid_before(value) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py index 7a56d7e9d..7bc93d934 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py @@ -32,6 +32,8 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( cryptography_compare_public_keys, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import ( @@ -251,12 +253,12 @@ class CertificateBackend(object): # Check not before if not_before is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_before != not_before: + if get_not_valid_before(self.existing_certificate) != not_before: return True # Check not after if not_after is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_after != not_after: + if get_not_valid_after(self.existing_certificate) != not_after: return True return False diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py index baf53f5de..7dc4641e1 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py @@ -10,7 +10,6 @@ __metaclass__ = type import datetime -import time import os from ansible.module_utils.common.text.converters import to_native, to_bytes @@ -19,11 +18,14 @@ from ansible_collections.community.crypto.plugins.module_utils.ecs.api import EC from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, + get_now_datetime, get_relative_time_option, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_serial_number_of_cert, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -99,7 +101,7 @@ class EntrustCertificateBackend(CertificateBackend): # Handle expiration (30 days if not specified) expiry = self.notAfter if not expiry: - gmt_now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime())) + gmt_now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) expiry = gmt_now + datetime.timedelta(days=365) expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") @@ -154,7 +156,7 @@ class EntrustCertificateBackend(CertificateBackend): expiry = None if self.backend == 'cryptography': serial_number = "{0:X}".format(cryptography_serial_number_of_cert(self.existing_certificate)) - expiry = self.existing_certificate.not_valid_after + expiry = get_not_valid_after(self.existing_certificate) # get some information about the expiry of this certificate expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py index b10733ceb..5db6c3586 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -12,7 +12,6 @@ __metaclass__ = type import abc import binascii -import datetime import traceback from ansible.module_utils import six @@ -24,13 +23,17 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, get_fingerprint_of_bytes, + get_now_datetime, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, cryptography_get_extensions_from_cert, cryptography_oid_to_name, cryptography_serial_number_of_cert, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import ( @@ -169,7 +172,7 @@ class CertificateInfoRetrieval(object): not_after = self.get_not_after() result['not_before'] = not_before.strftime(TIMESTAMP_FORMAT) result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT) - result['expired'] = not_after < datetime.datetime.utcnow() + result['expired'] = not_after < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) result['public_key'] = to_native(self._get_public_key_pem()) @@ -322,10 +325,10 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval): return None, False def get_not_before(self): - return self.cert.not_valid_before + return get_not_valid_before(self.cert) def get_not_after(self): - return self.cert.not_valid_after + return get_not_valid_after(self.cert) def _get_public_key_pem(self): return self.cert.public_key().public_bytes( diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py index ac1cf845a..4d312e6b7 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py @@ -31,6 +31,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -120,8 +124,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.ca_cert.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.csr.public_key()) has_ski = False for extension in self.csr.extensions: @@ -220,8 +224,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py index 8695d43ee..edd8d8d77 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py @@ -22,6 +22,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -95,8 +99,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.csr.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.privatekey.public_key()) has_ski = False for extension in self.csr.extensions: @@ -154,8 +158,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py index da46548c7..5e6571fe0 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py @@ -9,6 +9,7 @@ __metaclass__ = type PEM_START = '-----BEGIN ' +PEM_END_START = '-----END ' PEM_END = '-----' PKCS8_PRIVATEKEY_NAMES = ('PRIVATE KEY', 'ENCRYPTED PRIVATE KEY') PKCS1_PRIVATEKEY_SUFFIX = ' PRIVATE KEY' @@ -77,3 +78,31 @@ def extract_first_pem(text): if not all_pems: return None return all_pems[0] + + +def _extract_type(line, start=PEM_START): + if not line.startswith(start): + return None + if not line.endswith(PEM_END): + return None + return line[len(start):-len(PEM_END)] + + +def extract_pem(content, strict=False): + lines = content.splitlines() + if len(lines) < 3: + raise ValueError('PEM must have at least 3 lines, have only {count}'.format(count=len(lines))) + header_type = _extract_type(lines[0]) + if header_type is None: + raise ValueError('First line is not of format {start}...{end}: {line!r}'.format(start=PEM_START, end=PEM_END, line=lines[0])) + footer_type = _extract_type(lines[-1], start=PEM_END_START) + if strict: + if header_type != footer_type: + raise ValueError('Header type ({header}) is different from footer type ({footer})'.format(header=header_type, footer=footer_type)) + for idx, line in enumerate(lines[1:-2]): + if len(line) != 64: + raise ValueError('Line {idx} has length {len} instead of 64'.format(idx=idx, len=len(line))) + if not (0 < len(lines[-2]) <= 64): + raise ValueError('Last line has length {len}, should be in (0, 64]'.format(len=len(lines[-2]))) + content = lines[1:-1] + return header_type, ''.join(content) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py index 473246b1b..8b59a3b70 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py @@ -279,7 +279,19 @@ def parse_ordered_name_field(input_list, name_field_name): return result -def convert_relative_to_datetime(relative_time_string): +def get_now_datetime(with_timezone): + if with_timezone: + return datetime.datetime.now(tz=datetime.timezone.utc) + return datetime.datetime.utcnow() + + +def ensure_utc_timezone(timestamp): + if timestamp.tzinfo is not None: + return timestamp + return timestamp.astimezone(datetime.timezone.utc) + + +def convert_relative_to_datetime(relative_time_string, with_timezone=False): """Get a datetime.datetime or None from a string in the time format described in sshd_config(5)""" parsed_result = re.match( @@ -304,13 +316,14 @@ def convert_relative_to_datetime(relative_time_string): offset += datetime.timedelta( seconds=int(parsed_result.group("seconds"))) + now = get_now_datetime(with_timezone=with_timezone) if parsed_result.group("prefix") == "+": - return datetime.datetime.utcnow() + offset + return now + offset else: - return datetime.datetime.utcnow() - offset + return now - offset -def get_relative_time_option(input_string, input_name, backend='cryptography'): +def get_relative_time_option(input_string, input_name, backend='cryptography', with_timezone=False): """Return an absolute timespec if a relative timespec or an ASN1 formatted string is provided. @@ -323,7 +336,7 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): input_string, input_name) # Relative time if result.startswith("+") or result.startswith("-"): - result_datetime = convert_relative_to_datetime(result) + result_datetime = convert_relative_to_datetime(result, with_timezone=with_timezone) if backend == 'pyopenssl': return result_datetime.strftime("%Y%m%d%H%M%SZ") elif backend == 'cryptography': @@ -332,9 +345,13 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): if backend == 'cryptography': for date_fmt in ['%Y%m%d%H%M%SZ', '%Y%m%d%H%MZ', '%Y%m%d%H%M%S%z', '%Y%m%d%H%M%z']: try: - return datetime.datetime.strptime(result, date_fmt) + res = datetime.datetime.strptime(result, date_fmt) except ValueError: pass + else: + if with_timezone: + res = res.astimezone(datetime.timezone.utc) + return res raise OpenSSLObjectError( 'The time spec "%s" for %s is invalid' % diff --git a/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py b/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py index 54d1b1ec5..f59766651 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py +++ b/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py @@ -22,7 +22,9 @@ __metaclass__ = type import abc import binascii +import datetime as _datetime import os +import sys from base64 import b64encode from datetime import datetime from hashlib import sha256 @@ -61,8 +63,17 @@ _ECDSA_CURVE_IDENTIFIERS_LOOKUP = { b'nistp521': 'ecdsa-nistp521', } -_ALWAYS = datetime(1970, 1, 1) -_FOREVER = datetime.max +_USE_TIMEZONE = sys.version_info >= (3, 6) + + +def _ensure_utc_timezone_if_use_timezone(value): + if not _USE_TIMEZONE or value.tzinfo is not None: + return value + return value.astimezone(_datetime.timezone.utc) + + +_ALWAYS = _ensure_utc_timezone_if_use_timezone(datetime(1970, 1, 1)) +_FOREVER = datetime(9999, 12, 31, 23, 59, 59, 999999, _datetime.timezone.utc) if _USE_TIMEZONE else datetime.max _CRITICAL_OPTIONS = ( 'force-command', @@ -136,7 +147,7 @@ class OpensshCertificateTimeParameters(object): elif dt == _FOREVER: result = 'forever' else: - result = dt.isoformat() if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") + result = dt.isoformat().replace('+00:00', '') if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") elif date_format == 'timestamp': td = dt - _ALWAYS result = int((td.microseconds + (td.seconds + td.days * 24 * 3600) * 10 ** 6) / 10 ** 6) @@ -167,7 +178,10 @@ class OpensshCertificateTimeParameters(object): result = _FOREVER else: try: - result = datetime.utcfromtimestamp(timestamp) + if _USE_TIMEZONE: + result = datetime.fromtimestamp(timestamp, tz=_datetime.timezone.utc) + else: + result = datetime.utcfromtimestamp(timestamp) except OverflowError as e: raise ValueError return result @@ -180,11 +194,11 @@ class OpensshCertificateTimeParameters(object): elif time_string == 'forever': result = _FOREVER elif is_relative_time_string(time_string): - result = convert_relative_to_datetime(time_string) + result = convert_relative_to_datetime(time_string, with_timezone=_USE_TIMEZONE) else: for time_format in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"): try: - result = datetime.strptime(time_string, time_format) + result = _ensure_utc_timezone_if_use_timezone(datetime.strptime(time_string, time_format)) except ValueError: pass if result is None: |