From 38b7c80217c4e72b1d8988eb1e60bb6e77334114 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 18 Apr 2024 07:52:22 +0200 Subject: Adding upstream version 9.4.0+dfsg. Signed-off-by: Daniel Baumann --- .../community/crypto/plugins/doc_fragments/acme.py | 26 ++-- .../plugins/doc_fragments/module_certificate.py | 168 ++++++++++----------- .../crypto/plugins/doc_fragments/module_csr.py | 74 ++++----- .../plugins/doc_fragments/module_privatekey.py | 49 +++--- .../doc_fragments/module_privatekey_convert.py | 4 +- .../crypto/plugins/doc_fragments/name_encoding.py | 10 +- 6 files changed, 165 insertions(+), 166 deletions(-) (limited to 'ansible_collections/community/crypto/plugins/doc_fragments') diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/acme.py b/ansible_collections/community/crypto/plugins/doc_fragments/acme.py index a50cedd69..2b5bfc231 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/acme.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/acme.py @@ -16,10 +16,10 @@ notes: - "If a new enough version of the C(cryptography) library is available (see Requirements for details), it will be used instead of the C(openssl) binary. This can be explicitly disabled - or enabled with the C(select_crypto_backend) option. Note that using + or enabled with the O(select_crypto_backend) option. Note that using the C(openssl) binary will be slower and less secure, as private key contents always have to be stored on disk (see - C(account_key_content))." + O(account_key_content))." - "Although the defaults are chosen so that the module can be used with the L(Let's Encrypt,https://letsencrypt.org/) CA, the module can in principle be used with any CA providing an ACME endpoint, such as @@ -47,15 +47,15 @@ options: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam -genkey ...). Any other tool creating private keys in PEM format can be used as well." - - "Mutually exclusive with C(account_key_content)." - - "Required if C(account_key_content) is not used." + - "Mutually exclusive with O(account_key_content)." + - "Required if O(account_key_content) is not used." type: path aliases: [ account_key ] account_key_content: description: - "Content of the ACME account RSA or Elliptic Curve key." - - "Mutually exclusive with C(account_key_src)." - - "Required if C(account_key_src) is not used." + - "Mutually exclusive with O(account_key_src)." + - "Required if O(account_key_src) is not used." - "B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, @@ -81,9 +81,9 @@ options: acme_version: description: - "The ACME version of the endpoint." - - "Must be C(1) for the classic Let's Encrypt and Buypass ACME endpoints, - or C(2) for standardized ACME v2 endpoints." - - "The value C(1) is deprecated since community.crypto 2.0.0 and will be + - "Must be V(1) for the classic Let's Encrypt and Buypass ACME endpoints, + or V(2) for standardized ACME v2 endpoints." + - "The value V(1) is deprecated since community.crypto 2.0.0 and will be removed from community.crypto 3.0.0." required: true type: int @@ -114,17 +114,17 @@ options: validate_certs: description: - Whether calls to the ACME directory will validate TLS certificates. - - "B(Warning:) Should B(only ever) be set to C(false) for testing purposes, + - "B(Warning:) Should B(only ever) be set to V(false) for testing purposes, for example when testing against a local Pebble server." type: bool default: true select_crypto_backend: description: - Determines which crypto backend to use. - - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to + - The default choice is V(auto), which tries to use C(cryptography) if available, and falls back to C(openssl). - - If set to C(openssl), will try to use the C(openssl) binary. - - If set to C(cryptography), will try to use the + - If set to V(openssl), will try to use the C(openssl) binary. + - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str default: auto diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py index 648d4ce91..5691e7bbf 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_certificate.py @@ -17,7 +17,7 @@ description: - This module allows one to (re)generate OpenSSL certificates. - It uses the cryptography python library to interact with OpenSSL. requirements: - - cryptography >= 1.6 (if using C(selfsigned) or C(ownca) provider) + - cryptography >= 1.6 (if using V(selfsigned) or V(ownca) provider) options: force: description: @@ -28,35 +28,35 @@ options: csr_path: description: - Path to the Certificate Signing Request (CSR) used to generate this certificate. - - This is mutually exclusive with I(csr_content). + - This is mutually exclusive with O(csr_content). type: path csr_content: description: - Content of the Certificate Signing Request (CSR) used to generate this certificate. - - This is mutually exclusive with I(csr_path). + - This is mutually exclusive with O(csr_path). type: str privatekey_path: description: - Path to the private key to use when signing the certificate. - - This is mutually exclusive with I(privatekey_content). + - This is mutually exclusive with O(privatekey_content). type: path privatekey_content: description: - Content of the private key to use when signing the certificate. - - This is mutually exclusive with I(privatekey_path). + - This is mutually exclusive with O(privatekey_path). type: str privatekey_passphrase: description: - - The passphrase for the I(privatekey_path) resp. I(privatekey_content). + - The passphrase for the O(privatekey_path) resp. O(privatekey_content). - This is required if the private key is password protected. type: str ignore_timestamps: description: - Whether the "not before" and "not after" timestamps should be ignored for idempotency checks. - - It is better to keep the default value C(true) when using relative timestamps (like C(+0s) for now). + - It is better to keep the default value V(true) when using relative timestamps (like V(+0s) for now). type: bool default: true version_added: 2.0.0 @@ -64,8 +64,8 @@ options: select_crypto_backend: description: - Determines which crypto backend to use. - - The default choice is C(auto), which tries to use C(cryptography) if available. - - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. + - The default choice is V(auto), which tries to use C(cryptography) if available. + - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str default: auto choices: [ auto, cryptography ] @@ -73,7 +73,7 @@ options: notes: - All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern. - Date specified should be UTC. Minutes and seconds are mandatory. - - For security reason, when you use C(ownca) provider, you should NOT run + - For security reason, when you use V(ownca) provider, you should NOT run M(community.crypto.x509_certificate) on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine. @@ -91,26 +91,26 @@ seealso: description: - This module allows one to (re)generate OpenSSL certificates. requirements: - - acme-tiny >= 4.0.0 (if using the C(acme) provider) + - acme-tiny >= 4.0.0 (if using the V(acme) provider) options: acme_accountkey_path: description: - - The path to the accountkey for the C(acme) provider. - - This is only used by the C(acme) provider. + - The path to the accountkey for the V(acme) provider. + - This is only used by the V(acme) provider. type: path acme_challenge_path: description: - The path to the ACME challenge directory that is served on U(http://:80/.well-known/acme-challenge/) - - This is only used by the C(acme) provider. + - This is only used by the V(acme) provider. type: path acme_chain: description: - Include the intermediate certificate to the generated certificate - - This is only used by the C(acme) provider. + - This is only used by the V(acme) provider. - Note that this is only available for older versions of C(acme-tiny). - New versions include the chain automatically, and setting I(acme_chain) to C(true) results in an error. + New versions include the chain automatically, and setting O(acme_chain) to V(true) results in an error. type: bool default: false @@ -127,7 +127,7 @@ options: entrust_cert_type: description: - Specify the type of certificate requested. - - This is only used by the C(entrust) provider. + - This is only used by the V(entrust) provider. type: str default: STANDARD_SSL choices: [ 'STANDARD_SSL', 'ADVANTAGE_SSL', 'UC_SSL', 'EV_SSL', 'WILDCARD_SSL', 'PRIVATE_SSL', 'PD_SSL', 'CDS_ENT_LITE', 'CDS_ENT_PRO', 'SMIME_ENT' ] @@ -135,66 +135,66 @@ options: entrust_requester_email: description: - The email of the requester of the certificate (for tracking purposes). - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: str entrust_requester_name: description: - The name of the requester of the certificate (for tracking purposes). - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: str entrust_requester_phone: description: - The phone number of the requester of the certificate (for tracking purposes). - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: str entrust_api_user: description: - The username for authentication to the Entrust Certificate Services (ECS) API. - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: str entrust_api_key: description: - The key (password) for authentication to the Entrust Certificate Services (ECS) API. - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: str entrust_api_client_cert_path: description: - The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: path entrust_api_client_cert_key_path: description: - The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. - - This is only used by the C(entrust) provider. - - This is required if the provider is C(entrust). + - This is only used by the V(entrust) provider. + - This is required if the provider is V(entrust). type: path entrust_not_after: description: - The point in time at which the certificate stops being valid. - Time can be specified either as relative time or as an absolute timestamp. - - A valid absolute time format is C(ASN.1 TIME) such as C(2019-06-18). - - A valid relative time format is C([+-]timespec) where timespec can be an integer + C([w | d | h | m | s]), such as C(+365d) or C(+32w1d2h)). + - A valid absolute time format is C(ASN.1 TIME) such as V(2019-06-18). + - A valid relative time format is V([+-]timespec) where timespec can be an integer + C([w | d | h | m | s]), such as V(+365d) or V(+32w1d2h)). - Time will always be interpreted as UTC. - Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate. - The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used. - The minimum certificate lifetime is 90 days, and maximum is three years. - If this value is not specified, the certificate will stop being valid 365 days the date of issue. - - This is only used by the C(entrust) provider. - - Please note that this value is B(not) covered by the I(ignore_timestamps) option. + - This is only used by the V(entrust) provider. + - Please note that this value is B(not) covered by the O(ignore_timestamps) option. type: str default: +365d @@ -202,60 +202,60 @@ options: description: - The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. - You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. - - This is only used by the C(entrust) provider. + - This is only used by the V(entrust) provider. type: path default: https://cloud.entrust.net/EntrustCloud/documentation/cms-api-2.1.0.yaml ''' BACKEND_OWNCA_DOCUMENTATION = r''' description: - - The C(ownca) provider is intended for generating an OpenSSL certificate signed with your own + - The V(ownca) provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate). options: ownca_path: description: - Remote absolute path of the CA (Certificate Authority) certificate. - - This is only used by the C(ownca) provider. - - This is mutually exclusive with I(ownca_content). + - This is only used by the V(ownca) provider. + - This is mutually exclusive with O(ownca_content). type: path ownca_content: description: - Content of the CA (Certificate Authority) certificate. - - This is only used by the C(ownca) provider. - - This is mutually exclusive with I(ownca_path). + - This is only used by the V(ownca) provider. + - This is mutually exclusive with O(ownca_path). type: str ownca_privatekey_path: description: - Path to the CA (Certificate Authority) private key to use when signing the certificate. - - This is only used by the C(ownca) provider. - - This is mutually exclusive with I(ownca_privatekey_content). + - This is only used by the V(ownca) provider. + - This is mutually exclusive with O(ownca_privatekey_content). type: path ownca_privatekey_content: description: - Content of the CA (Certificate Authority) private key to use when signing the certificate. - - This is only used by the C(ownca) provider. - - This is mutually exclusive with I(ownca_privatekey_path). + - This is only used by the V(ownca) provider. + - This is mutually exclusive with O(ownca_privatekey_path). type: str ownca_privatekey_passphrase: description: - - The passphrase for the I(ownca_privatekey_path) resp. I(ownca_privatekey_content). - - This is only used by the C(ownca) provider. + - The passphrase for the O(ownca_privatekey_path) resp. O(ownca_privatekey_content). + - This is only used by the V(ownca) provider. type: str ownca_digest: description: - - The digest algorithm to be used for the C(ownca) certificate. - - This is only used by the C(ownca) provider. + - The digest algorithm to be used for the V(ownca) certificate. + - This is only used by the V(ownca) provider. type: str default: sha256 ownca_version: description: - - The version of the C(ownca) certificate. - - Nowadays it should almost always be C(3). - - This is only used by the C(ownca) provider. + - The version of the V(ownca) certificate. + - Nowadays it should almost always be V(3). + - This is only used by the V(ownca) provider. type: int default: 3 @@ -265,12 +265,12 @@ options: - Time can be specified either as relative time or as absolute timestamp. - Time will always be interpreted as UTC. - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer - + C([w | d | h | m | s]) (for example C(+32w1d2h)). + + C([w | d | h | m | s]) (for example V(+32w1d2h)). - If this value is not specified, the certificate will start being valid from now. - Note that this value is B(not used to determine whether an existing certificate should be regenerated). - This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should - avoid relative timestamps when setting I(ignore_timestamps=false). - - This is only used by the C(ownca) provider. + This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should + avoid relative timestamps when setting O(ignore_timestamps=false). + - This is only used by the V(ownca) provider. type: str default: +0s @@ -280,12 +280,12 @@ options: - Time can be specified either as relative time or as absolute timestamp. - Time will always be interpreted as UTC. - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer - + C([w | d | h | m | s]) (for example C(+32w1d2h)). + + C([w | d | h | m | s]) (for example V(+32w1d2h)). - If this value is not specified, the certificate will stop being valid 10 years from now. - Note that this value is B(not used to determine whether an existing certificate should be regenerated). - This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should - avoid relative timestamps when setting I(ignore_timestamps=false). - - This is only used by the C(ownca) provider. + This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should + avoid relative timestamps when setting O(ignore_timestamps=false). + - This is only used by the V(ownca) provider. - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see U(https://support.apple.com/en-us/HT210176) for more details. type: str @@ -294,12 +294,12 @@ options: ownca_create_subject_key_identifier: description: - Whether to create the Subject Key Identifier (SKI) from the public key. - - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not + - A value of V(create_if_not_provided) (default) only creates a SKI when the CSR does not provide one. - - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is + - A value of V(always_create) always creates a SKI. If the CSR provides one, that one is ignored. - - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used. - - This is only used by the C(ownca) provider. + - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used. + - This is only used by the V(ownca) provider. - Note that this is only supported if the C(cryptography) backend is used! type: str choices: [create_if_not_provided, always_create, never_create] @@ -311,7 +311,7 @@ options: a authority key identifier, it is ignored. - The Authority Key Identifier is generated from the CA certificate's Subject Key Identifier, if available. If it is not available, the CA certificate's public key will be used. - - This is only used by the C(ownca) provider. + - This is only used by the V(ownca) provider. - Note that this is only supported if the C(cryptography) backend is used! type: bool default: true @@ -319,7 +319,7 @@ options: BACKEND_SELFSIGNED_DOCUMENTATION = r''' notes: - - For the C(selfsigned) provider, I(csr_path) and I(csr_content) are optional. If not provided, a + - For the V(selfsigned) provider, O(csr_path) and O(csr_content) are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created. options: @@ -329,28 +329,28 @@ options: # csr_path: # description: - # - This is optional for the C(selfsigned) provider. If not provided, a certificate + # - This is optional for the V(selfsigned) provider. If not provided, a certificate # without any information (Subject, Subject Alternative Names, Key Usage, etc.) is # created. # csr_content: # description: - # - This is optional for the C(selfsigned) provider. If not provided, a certificate + # - This is optional for the V(selfsigned) provider. If not provided, a certificate # without any information (Subject, Subject Alternative Names, Key Usage, etc.) is # created. selfsigned_version: description: - - Version of the C(selfsigned) certificate. - - Nowadays it should almost always be C(3). - - This is only used by the C(selfsigned) provider. + - Version of the V(selfsigned) certificate. + - Nowadays it should almost always be V(3). + - This is only used by the V(selfsigned) provider. type: int default: 3 selfsigned_digest: description: - Digest algorithm to be used when self-signing the certificate. - - This is only used by the C(selfsigned) provider. + - This is only used by the V(selfsigned) provider. type: str default: sha256 @@ -360,12 +360,12 @@ options: - Time can be specified either as relative time or as absolute timestamp. - Time will always be interpreted as UTC. - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer - + C([w | d | h | m | s]) (for example C(+32w1d2h)). + + C([w | d | h | m | s]) (for example V(+32w1d2h)). - If this value is not specified, the certificate will start being valid from now. - Note that this value is B(not used to determine whether an existing certificate should be regenerated). - This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should - avoid relative timestamps when setting I(ignore_timestamps=false). - - This is only used by the C(selfsigned) provider. + This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should + avoid relative timestamps when setting O(ignore_timestamps=false). + - This is only used by the V(selfsigned) provider. type: str default: +0s aliases: [ selfsigned_notBefore ] @@ -376,12 +376,12 @@ options: - Time can be specified either as relative time or as absolute timestamp. - Time will always be interpreted as UTC. - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer - + C([w | d | h | m | s]) (for example C(+32w1d2h)). + + C([w | d | h | m | s]) (for example V(+32w1d2h)). - If this value is not specified, the certificate will stop being valid 10 years from now. - Note that this value is B(not used to determine whether an existing certificate should be regenerated). - This can be changed by setting the I(ignore_timestamps) option to C(false). Please note that you should - avoid relative timestamps when setting I(ignore_timestamps=false). - - This is only used by the C(selfsigned) provider. + This can be changed by setting the O(ignore_timestamps) option to V(false). Please note that you should + avoid relative timestamps when setting O(ignore_timestamps=false). + - This is only used by the V(selfsigned) provider. - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see U(https://support.apple.com/en-us/HT210176) for more details. type: str @@ -391,12 +391,12 @@ options: selfsigned_create_subject_key_identifier: description: - Whether to create the Subject Key Identifier (SKI) from the public key. - - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not + - A value of V(create_if_not_provided) (default) only creates a SKI when the CSR does not provide one. - - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is + - A value of V(always_create) always creates a SKI. If the CSR provides one, that one is ignored. - - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used. - - This is only used by the C(selfsigned) provider. + - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used. + - This is only used by the V(selfsigned) provider. - Note that this is only supported if the C(cryptography) backend is used! type: str choices: [create_if_not_provided, always_create, never_create] diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py index 81c4318a4..e2a0bdd94 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_csr.py @@ -27,12 +27,12 @@ options: privatekey_path: description: - The path to the private key to use when signing the certificate signing request. - - Either I(privatekey_path) or I(privatekey_content) must be specified if I(state) is C(present), but not both. + - Either O(privatekey_path) or O(privatekey_content) must be specified if O(state) is V(present), but not both. type: path privatekey_content: description: - The content of the private key to use when signing the certificate signing request. - - Either I(privatekey_path) or I(privatekey_content) must be specified if I(state) is C(present), but not both. + - Either O(privatekey_path) or O(privatekey_content) must be specified if O(state) is V(present), but not both. type: str privatekey_passphrase: description: @@ -53,17 +53,17 @@ options: description: - Key/value pairs that will be present in the subject name field of the certificate signing request. - If you need to specify more than one value with the same key, use a list as value. - - If the order of the components is important, use I(subject_ordered). - - Mutually exclusive with I(subject_ordered). + - If the order of the components is important, use O(subject_ordered). + - Mutually exclusive with O(subject_ordered). type: dict subject_ordered: description: - A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair will be present in the subject name field of the certificate signing request. - If you want to specify more than one value with the same key in a row, you can use a list as value. - - Mutually exclusive with I(subject), and any other subject field option, such as I(country_name), - I(state_or_province_name), I(locality_name), I(organization_name), I(organizational_unit_name), - I(common_name), or I(email_address). + - Mutually exclusive with O(subject), and any other subject field option, such as O(country_name), + O(state_or_province_name), O(locality_name), O(organization_name), O(organizational_unit_name), + O(common_name), or O(email_address). type: list elements: dict version_added: 2.0.0 @@ -108,8 +108,8 @@ options: - Values must be prefixed by their options. (These are C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), C(otherName), and the ones specific to your CA). - Note that if no SAN is specified, but a common name, the common - name will be added as a SAN except if C(useCommonNameForSAN) is - set to I(false). + name will be added as a SAN except if O(use_common_name_for_san) is + set to V(false). - More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6). type: list elements: str @@ -122,8 +122,8 @@ options: aliases: [ subjectAltName_critical ] use_common_name_for_san: description: - - If set to C(true), the module will fill the common name in for - C(subject_alt_name) with C(DNS:) prefix if no SAN is specified. + - If set to V(true), the module will fill the common name in for + O(subject_alt_name) with C(DNS:) prefix if no SAN is specified. type: bool default: true aliases: [ useCommonNameForSAN ] @@ -186,16 +186,16 @@ options: description: - For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed to issue certificates for. - - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), - C(otherName) and the ones specific to your CA). + - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), + C(otherName), and the ones specific to your CA). type: list elements: str name_constraints_excluded: description: - For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is B(not) allowed to issue certificates for. - - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), - C(otherName) and the ones specific to your CA). + - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), + C(otherName), and the ones specific to your CA). type: list elements: str name_constraints_critical: @@ -206,8 +206,8 @@ options: select_crypto_backend: description: - Determines which crypto backend to use. - - The default choice is C(auto), which tries to use C(cryptography) if available. - - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. + - The default choice is V(auto), which tries to use C(cryptography) if available. + - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str default: auto choices: [ auto, cryptography ] @@ -223,49 +223,51 @@ options: subject_key_identifier: description: - The subject key identifier as a hex string, where two bytes are separated by colons. - - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)" + - "Example: V(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)" - "Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs." - - Note that this option can only be used if I(create_subject_key_identifier) is C(false). + - Note that this option can only be used if O(create_subject_key_identifier) is V(false). - Note that this is only supported if the C(cryptography) backend is used! type: str authority_key_identifier: description: - The authority key identifier as a hex string, where two bytes are separated by colons. - - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)" + - "Example: V(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)" - "Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs." - Note that this is only supported if the C(cryptography) backend is used! - - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier), - I(authority_cert_issuer) and I(authority_cert_serial_number) is specified. + - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), + O(authority_cert_issuer) and O(authority_cert_serial_number) is specified. type: str authority_cert_issuer: description: - Names that will be present in the authority cert issuer field of the certificate signing request. - - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), - C(otherName) and the ones specific to your CA) - - "Example: C(DNS:ca.example.org)" - - If specified, I(authority_cert_serial_number) must also be specified. + - Values must be prefixed by their options. (That is, C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName), + C(otherName), and the ones specific to your CA) + - "Example: V(DNS:ca.example.org)" + - If specified, O(authority_cert_serial_number) must also be specified. - "Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs." - Note that this is only supported if the C(cryptography) backend is used! - - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier), - I(authority_cert_issuer) and I(authority_cert_serial_number) is specified. + - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), + O(authority_cert_issuer) and O(authority_cert_serial_number) is specified. type: list elements: str authority_cert_serial_number: description: - The authority cert serial number. - - If specified, I(authority_cert_issuer) must also be specified. + - If specified, O(authority_cert_issuer) must also be specified. - Note that this is only supported if the C(cryptography) backend is used! - "Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs." - - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier), - I(authority_cert_issuer) and I(authority_cert_serial_number) is specified. + - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), + O(authority_cert_issuer) and O(authority_cert_serial_number) is specified. + - This option accepts an B(integer). If you want to provide serial numbers as colon-separated hex strings, + such as C(11:22:33), you need to convert them to an integer with P(community.crypto.parse_serial#filter). type: int crl_distribution_points: description: @@ -277,15 +279,15 @@ options: full_name: description: - Describes how the CRL can be retrieved. - - Mutually exclusive with I(relative_name). - - "Example: C(URI:https://ca.example.com/revocations.crl)." + - Mutually exclusive with O(crl_distribution_points[].relative_name). + - "Example: V(URI:https://ca.example.com/revocations.crl)." type: list elements: str relative_name: description: - Describes how the CRL can be retrieved relative to the CRL issuer. - - Mutually exclusive with I(full_name). - - "Example: C(/CN=example.com)." + - Mutually exclusive with O(crl_distribution_points[].full_name). + - "Example: V(/CN=example.com)." - Can only be used when cryptography >= 1.6 is installed. type: list elements: str @@ -322,4 +324,6 @@ seealso: - module: community.crypto.openssl_privatekey_pipe - module: community.crypto.openssl_publickey - module: community.crypto.openssl_csr_info +- plugin: community.crypto.parse_serial + plugin_type: filter ''' diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py index a27b26c7d..d039cf1c0 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey.py @@ -18,11 +18,6 @@ description: L(ECC,https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) or L(EdDSA,https://en.wikipedia.org/wiki/EdDSA) private keys. - Keys are generated in PEM format. - - "Please note that the module regenerates private keys if they do not match - the module's options. In particular, if you provide another passphrase - (or specify none), change the keysize, etc., the private key will be - regenerated. If you are concerned that this could B(overwrite your private key), - consider using the I(backup) option." requirements: - cryptography >= 1.2.3 (older versions might work as well) options: @@ -34,20 +29,20 @@ options: type: description: - The algorithm used to generate the TLS/SSL private key. - - Note that C(ECC), C(X25519), C(X448), C(Ed25519) and C(Ed448) require the C(cryptography) backend. - C(X25519) needs cryptography 2.5 or newer, while C(X448), C(Ed25519) and C(Ed448) require - cryptography 2.6 or newer. For C(ECC), the minimal cryptography version required depends on the - I(curve) option. + - Note that V(ECC), V(X25519), V(X448), V(Ed25519), and V(Ed448) require the C(cryptography) backend. + V(X25519) needs cryptography 2.5 or newer, while V(X448), V(Ed25519), and V(Ed448) require + cryptography 2.6 or newer. For V(ECC), the minimal cryptography version required depends on the + O(curve) option. type: str default: RSA choices: [ DSA, ECC, Ed25519, Ed448, RSA, X25519, X448 ] curve: description: - Note that not all curves are supported by all versions of C(cryptography). - - For maximal interoperability, C(secp384r1) or C(secp256r1) should be used. + - For maximal interoperability, V(secp384r1) or V(secp256r1) should be used. - We use the curve names as defined in the L(IANA registry for TLS,https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). - - Please note that all curves except C(secp224r1), C(secp256k1), C(secp256r1), C(secp384r1) and C(secp521r1) + - Please note that all curves except V(secp224r1), V(secp256k1), V(secp256r1), V(secp384r1), and V(secp521r1) are discouraged for new private keys. type: str choices: @@ -76,13 +71,13 @@ options: type: str cipher: description: - - The cipher to encrypt the private key. Must be C(auto). + - The cipher to encrypt the private key. Must be V(auto). type: str select_crypto_backend: description: - Determines which crypto backend to use. - - The default choice is C(auto), which tries to use C(cryptography) if available. - - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. + - The default choice is V(auto), which tries to use C(cryptography) if available. + - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str default: auto choices: [ auto, cryptography ] @@ -90,11 +85,11 @@ options: description: - Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format) is used for all keys which support it. Please note that not every key can be exported in any format. - - The value C(auto) selects a format based on the key format. The value C(auto_ignore) does the same, + - The value V(auto) selects a format based on the key format. The value V(auto_ignore) does the same, but for existing private key files, it will not force a regenerate when its format is not the automatically selected one for generation. - Note that if the format for an existing private key mismatches, the key is B(regenerated) by default. - To change this behavior, use the I(format_mismatch) option. + To change this behavior, use the O(format_mismatch) option. type: str default: auto_ignore choices: [ pkcs1, pkcs8, raw, auto, auto_ignore ] @@ -102,8 +97,8 @@ options: description: - Determines behavior of the module if the format of a private key does not match the expected format, but all other parameters are as expected. - - If set to C(regenerate) (default), generates a new private key. - - If set to C(convert), the key will be converted to the new format instead. + - If set to V(regenerate) (default), generates a new private key. + - If set to V(convert), the key will be converted to the new format instead. - Only supported by the C(cryptography) backend. type: str default: regenerate @@ -114,24 +109,24 @@ options: The module will always generate a new key if the destination file does not exist. - By default, the key will be regenerated when it does not match the module's options, except when the key cannot be read or the passphrase does not match. Please note that - this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if C(full_idempotence) + this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if V(full_idempotence) is specified. - - If set to C(never), the module will fail if the key cannot be read or the passphrase + - If set to V(never), the module will fail if the key cannot be read or the passphrase is not matching, and will never regenerate an existing key. - - If set to C(fail), the module will fail if the key does not correspond to the module's + - If set to V(fail), the module will fail if the key does not correspond to the module's options. - - If set to C(partial_idempotence), the key will be regenerated if it does not conform to + - If set to V(partial_idempotence), the key will be regenerated if it does not conform to the module's options. The key is B(not) regenerated if it cannot be read (broken file), the key is protected by an unknown passphrase, or when they key is not protected by a passphrase, but a passphrase is specified. - - If set to C(full_idempotence), the key will be regenerated if it does not conform to the + - If set to V(full_idempotence), the key will be regenerated if it does not conform to the module's options. This is also the case if the key cannot be read (broken file), the key is protected by an unknown passphrase, or when they key is not protected by a passphrase, but a passphrase is specified. Make sure you have a B(backup) when using this option! - - If set to C(always), the module will always regenerate the key. This is equivalent to - setting I(force) to C(true). - - Note that if I(format_mismatch) is set to C(convert) and everything matches except the - format, the key will always be converted, except if I(regenerate) is set to C(always). + - If set to V(always), the module will always regenerate the key. This is equivalent to + setting O(force) to V(true). + - Note that if O(format_mismatch) is set to V(convert) and everything matches except the + format, the key will always be converted, except if O(regenerate) is set to V(always). type: str choices: - never diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py index f1c6f70ec..973d1fe00 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/module_privatekey_convert.py @@ -18,12 +18,12 @@ options: src_path: description: - Name of the file containing the OpenSSL private key to convert. - - Exactly one of I(src_path) or I(src_content) must be specified. + - Exactly one of O(src_path) or O(src_content) must be specified. type: path src_content: description: - The content of the file containing the OpenSSL private key to convert. - - Exactly one of I(src_path) or I(src_content) must be specified. + - Exactly one of O(src_path) or O(src_content) must be specified. type: str src_passphrase: description: diff --git a/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py b/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py index fec94380d..b51408530 100644 --- a/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py +++ b/ansible_collections/community/crypto/plugins/doc_fragments/name_encoding.py @@ -14,12 +14,12 @@ options: name_encoding: description: - How to encode names (DNS names, URIs, email addresses) in return values. - - C(ignore) will use the encoding returned by the backend. - - C(idna) will convert all labels of domain names to IDNA encoding. + - V(ignore) will use the encoding returned by the backend. + - V(idna) will convert all labels of domain names to IDNA encoding. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 encoding fails. - - C(unicode) will convert all labels of domain names to Unicode. + - V(unicode) will convert all labels of domain names to Unicode. IDNA2008 will be preferred, and IDNA2003 will be used if IDNA2008 decoding fails. - - B(Note) that C(idna) and C(unicode) require the L(idna Python library,https://pypi.org/project/idna/) to be installed. + - B(Note) that V(idna) and V(unicode) require the L(idna Python library,https://pypi.org/project/idna/) to be installed. type: str default: ignore choices: @@ -27,5 +27,5 @@ options: - idna - unicode requirements: - - If I(name_encoding) is set to another value than C(ignore), the L(idna Python library,https://pypi.org/project/idna/) needs to be installed. + - If O(name_encoding) is set to another value than V(ignore), the L(idna Python library,https://pypi.org/project/idna/) needs to be installed. ''' -- cgit v1.2.3