From 67c6a4d1dccb62159b9d9b2dea4e2f487446e276 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 26 Apr 2024 06:05:56 +0200 Subject: Adding upstream version 9.5.1+dfsg. Signed-off-by: Daniel Baumann --- .../crypto/.azure-pipelines/azure-pipelines.yml | 136 ++--- .../crypto/.github/workflows/ansible-test.yml | 19 + .../community/crypto/.github/workflows/reuse.yml | 2 +- ansible_collections/community/crypto/CHANGELOG.md | 620 +++++++++++---------- ansible_collections/community/crypto/CHANGELOG.rst | 29 + ansible_collections/community/crypto/FILES.json | 139 +++-- ansible_collections/community/crypto/MANIFEST.json | 4 +- ansible_collections/community/crypto/README.md | 3 +- .../community/crypto/changelogs/changelog.yaml | 27 + .../community/crypto/docs/docsite/config.yml | 7 + .../module_utils/acme/backend_cryptography.py | 45 +- .../module_utils/acme/backend_openssl_cli.py | 35 +- .../crypto/plugins/module_utils/acme/backends.py | 17 + .../module_utils/crypto/cryptography_crl.py | 45 +- .../module_utils/crypto/cryptography_support.py | 27 + .../crypto/module_backends/certificate.py | 6 +- .../crypto/module_backends/certificate_entrust.py | 8 +- .../crypto/module_backends/certificate_info.py | 11 +- .../crypto/module_backends/certificate_ownca.py | 12 +- .../module_backends/certificate_selfsigned.py | 12 +- .../crypto/plugins/module_utils/crypto/pem.py | 29 + .../crypto/plugins/module_utils/crypto/support.py | 29 +- .../plugins/module_utils/openssh/certificate.py | 26 +- .../crypto/plugins/modules/acme_certificate.py | 2 +- .../plugins/modules/acme_challenge_cert_helper.py | 37 +- .../crypto/plugins/modules/get_certificate.py | 14 +- .../plugins/modules/x509_certificate_convert.py | 280 ++++++++++ .../plugins/modules/x509_certificate_info.py | 6 +- .../community/crypto/plugins/modules/x509_crl.py | 31 +- .../targets/x509_certificate_convert/aliases | 7 + .../targets/x509_certificate_convert/meta/main.yml | 9 + .../x509_certificate_convert/tasks/impl.yml | 212 +++++++ .../x509_certificate_convert/tasks/main.yml | 136 +++++ .../community/crypto/tests/sanity/ignore-2.10.txt | 1 + .../community/crypto/tests/sanity/ignore-2.11.txt | 1 + .../community/crypto/tests/sanity/ignore-2.12.txt | 1 + .../community/crypto/tests/sanity/ignore-2.13.txt | 1 + .../community/crypto/tests/sanity/ignore-2.14.txt | 1 + .../community/crypto/tests/sanity/ignore-2.18.txt | 2 + .../crypto/tests/sanity/ignore-2.18.txt.license | 3 + .../community/crypto/tests/sanity/ignore-2.9.txt | 1 + 41 files changed, 1559 insertions(+), 474 deletions(-) create mode 100644 ansible_collections/community/crypto/docs/docsite/config.yml create mode 100644 ansible_collections/community/crypto/plugins/modules/x509_certificate_convert.py create mode 100644 ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/aliases create mode 100644 ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/meta/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/impl.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt create mode 100644 ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt.license (limited to 'ansible_collections/community/crypto') diff --git a/ansible_collections/community/crypto/.azure-pipelines/azure-pipelines.yml b/ansible_collections/community/crypto/.azure-pipelines/azure-pipelines.yml index 8697acd43..19a36fb46 100644 --- a/ansible_collections/community/crypto/.azure-pipelines/azure-pipelines.yml +++ b/ansible_collections/community/crypto/.azure-pipelines/azure-pipelines.yml @@ -65,6 +65,17 @@ stages: test: 'devel/sanity/extra' - name: Units test: 'devel/units/1' + - stage: Ansible_2_17 + displayName: Sanity & Units 2.17 + dependsOn: [] + jobs: + - template: templates/matrix.yml + parameters: + targets: + - name: Sanity + test: '2.17/sanity/1' + - name: Units + test: '2.17/units/1' - stage: Ansible_2_16 displayName: Sanity & Units 2.16 dependsOn: [] @@ -87,17 +98,6 @@ stages: test: '2.15/sanity/1' - name: Units test: '2.15/units/1' - - stage: Ansible_2_14 - displayName: Sanity & Units 2.14 - dependsOn: [] - jobs: - - template: templates/matrix.yml - parameters: - targets: - - name: Sanity - test: '2.14/sanity/1' - - name: Units - test: '2.14/units/1' ### Docker - stage: Docker_devel displayName: Docker devel @@ -111,8 +111,21 @@ stages: test: fedora39 - name: Ubuntu 22.04 test: ubuntu2204 - - name: Alpine 3 - test: alpine3 + - name: Alpine 3.19 + test: alpine319 + groups: + - 1 + - 2 + - stage: Docker_2_17 + displayName: Docker 2.17 + dependsOn: [] + jobs: + - template: templates/matrix.yml + parameters: + testFormat: 2.17/linux/{0} + targets: + - name: Alpine 3.19 + test: alpine319 groups: - 1 - 2 @@ -128,6 +141,8 @@ stages: test: fedora38 - name: openSUSE 15 test: opensuse15 + - name: Alpine 3 + test: alpine3 groups: - 1 - 2 @@ -146,19 +161,6 @@ stages: groups: - 1 - 2 - - stage: Docker_2_14 - displayName: Docker 2.14 - dependsOn: [] - jobs: - - template: templates/matrix.yml - parameters: - testFormat: 2.14/linux/{0} - targets: - - name: Ubuntu 20.04 - test: ubuntu2004 - groups: - - 1 - - 2 ### Community Docker - stage: Docker_community_devel @@ -188,8 +190,8 @@ stages: parameters: testFormat: devel/{0} targets: - - name: Alpine 3.18 - test: alpine/3.18 + - name: Alpine 3.19 + test: alpine/3.19 - name: Fedora 39 test: fedora/39 - name: Ubuntu 22.04 @@ -204,12 +206,25 @@ stages: parameters: testFormat: devel/{0} targets: - - name: macOS 13.2 - test: macos/13.2 + - name: macOS 14.3 + test: macos/14.3 - name: RHEL 9.3 test: rhel/9.3 - - name: FreeBSD 13.2 - test: freebsd/13.2 + - name: FreeBSD 14.0 + test: freebsd/14.0 + groups: + - 1 + - 2 + - stage: Remote_2_17 + displayName: Remote 2.17 + dependsOn: [] + jobs: + - template: templates/matrix.yml + parameters: + testFormat: 2.17/{0} + targets: + - name: FreeBSD 13.3 + test: freebsd/13.3 groups: - 1 - 2 @@ -221,10 +236,14 @@ stages: parameters: testFormat: 2.16/{0} targets: + - name: macOS 13.2 + test: macos/13.2 - name: RHEL 9.2 test: rhel/9.2 - name: RHEL 8.8 test: rhel/8.8 + - name: FreeBSD 13.2 + test: freebsd/13.2 groups: - 1 - 2 @@ -249,38 +268,34 @@ stages: groups: - 1 - 2 - - stage: Remote_2_14 - displayName: Remote 2.14 +### Generic + - stage: Generic_devel + displayName: Generic devel dependsOn: [] jobs: - template: templates/matrix.yml parameters: - testFormat: 2.14/{0} + nameFormat: Python {0} + testFormat: devel/generic/{0} targets: - #- name: macOS 12.0 - # test: macos/12.0 - - name: RHEL 9.0 - test: rhel/9.0 - #- name: FreeBSD 12.4 - # test: freebsd/12.4 + - test: 3.8 + # - test: 3.9 + # - test: "3.10" + - test: "3.11" + - test: "3.12" groups: - 1 - 2 -### Generic - - stage: Generic_devel - displayName: Generic devel + - stage: Generic_2_17 + displayName: Generic 2.17 dependsOn: [] jobs: - template: templates/matrix.yml parameters: nameFormat: Python {0} - testFormat: devel/generic/{0} + testFormat: 2.17/generic/{0} targets: - - test: 3.7 - # - test: 3.8 - # - test: 3.9 - # - test: "3.10" - - test: "3.11" + - test: "3.7" - test: "3.12" groups: - 1 @@ -314,19 +329,6 @@ stages: groups: - 1 - 2 - - stage: Generic_2_14 - displayName: Generic 2.14 - dependsOn: [] - jobs: - - template: templates/matrix.yml - parameters: - nameFormat: Python {0} - testFormat: 2.14/generic/{0} - targets: - - test: 3.9 - groups: - - 1 - - 2 ## Finally @@ -334,22 +336,22 @@ stages: condition: succeededOrFailed() dependsOn: - Ansible_devel + - Ansible_2_17 - Ansible_2_16 - Ansible_2_15 - - Ansible_2_14 - Remote_devel_extra_vms - Remote_devel + - Remote_2_17 - Remote_2_16 - Remote_2_15 - - Remote_2_14 - Docker_devel + - Docker_2_17 - Docker_2_16 - Docker_2_15 - - Docker_2_14 - Docker_community_devel - Generic_devel + - Generic_2_17 - Generic_2_16 - Generic_2_15 - - Generic_2_14 jobs: - template: templates/coverage.yml diff --git a/ansible_collections/community/crypto/.github/workflows/ansible-test.yml b/ansible_collections/community/crypto/.github/workflows/ansible-test.yml index be831028b..d31e861c4 100644 --- a/ansible_collections/community/crypto/.github/workflows/ansible-test.yml +++ b/ansible_collections/community/crypto/.github/workflows/ansible-test.yml @@ -34,6 +34,7 @@ jobs: - '2.11' - '2.12' - '2.13' + - '2.14' # Ansible-test on various stable branches does not yet work well with cgroups v2. # Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04 # image for these stable branches. The list of branches where this is necessary will @@ -74,6 +75,7 @@ jobs: - '2.11' - '2.12' - '2.13' + - '2.14' steps: - name: >- @@ -253,6 +255,23 @@ jobs: docker: default python: '3.8' target: azp/generic/2/ + # 2.14 + - ansible: '2.14' + docker: ubuntu2004 + python: '' + target: azp/posix/1/ + - ansible: '2.14' + docker: ubuntu2004 + python: '' + target: azp/posix/2/ + - ansible: '2.14' + docker: default + python: '3.9' + target: azp/generic/1/ + - ansible: '2.14' + docker: default + python: '3.9' + target: azp/generic/2/ steps: - name: >- diff --git a/ansible_collections/community/crypto/.github/workflows/reuse.yml b/ansible_collections/community/crypto/.github/workflows/reuse.yml index 29b1f951a..7646c5cfb 100644 --- a/ansible_collections/community/crypto/.github/workflows/reuse.yml +++ b/ansible_collections/community/crypto/.github/workflows/reuse.yml @@ -29,4 +29,4 @@ jobs: rm -f tests/integration/targets/*/files/roots/*.pem - name: REUSE Compliance Check - uses: fsfe/reuse-action@v2 + uses: fsfe/reuse-action@v3 diff --git a/ansible_collections/community/crypto/CHANGELOG.md b/ansible_collections/community/crypto/CHANGELOG.md index f54352a87..1652a3ad2 100644 --- a/ansible_collections/community/crypto/CHANGELOG.md +++ b/ansible_collections/community/crypto/CHANGELOG.md @@ -1,217 +1,224 @@ # Community Crypto Release Notes **Topics** + +- v2\.19\.0 + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes + - New Modules - v2\.18\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Bugfixes - - New Plugins - - Filter + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes + - New Plugins + - Filter - v2\.17\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.17\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.16\.2 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.16\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.16\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.15\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.15\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Bugfixes - - New Plugins - - Filter - - Lookup + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes + - New Plugins + - Filter + - Lookup - v2\.14\.1 - - Release Summary - - Bugfixes - - Known Issues + - Release Summary + - Bugfixes + - Known Issues - v2\.14\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.13\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.13\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Bugfixes + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes - v2\.12\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.11\.1 - - Release Summary + - Release Summary - v2\.11\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.10\.0 - - Release Summary - - Bugfixes - - New Plugins - - Filter + - Release Summary + - Bugfixes + - New Plugins + - Filter - v2\.9\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.8\.1 - - Release Summary + - Release Summary - v2\.8\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.7\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.7\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.6\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.5\.0 - - Release Summary - - Minor Changes + - Release Summary + - Minor Changes - v2\.4\.0 - - Release Summary - - Deprecated Features - - Bugfixes + - Release Summary + - Deprecated Features + - Bugfixes - v2\.3\.4 - - Release Summary + - Release Summary - v2\.3\.3 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.3\.2 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.3\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.3\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.2\.4 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.2\.3 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.2\.2 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.2\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v2\.2\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.1\.0 - - Release Summary - - Minor Changes - - Bugfixes - - New Modules + - Release Summary + - Minor Changes + - Bugfixes + - New Modules - v2\.0\.2 - - Release Summary + - Release Summary - v2\.0\.1 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v2\.0\.0 - - Release Summary - - Minor Changes - - Breaking Changes / Porting Guide - - Deprecated Features - - Removed Features \(previously deprecated\) - - Bugfixes + - Release Summary + - Minor Changes + - Breaking Changes / Porting Guide + - Deprecated Features + - Removed Features \(previously deprecated\) + - Bugfixes - v1\.9\.4 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.9\.3 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.9\.2 - - Release Summary + - Release Summary - v1\.9\.1 - - Release Summary + - Release Summary - v1\.9\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v1\.8\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v1\.7\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.7\.0 - - Release Summary - - Minor Changes - - Bugfixes - - New Modules + - Release Summary + - Minor Changes + - Bugfixes + - New Modules - v1\.6\.2 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.6\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.6\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Bugfixes + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes - v1\.5\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Bugfixes + - Release Summary + - Minor Changes + - Deprecated Features + - Bugfixes - v1\.4\.0 - - Release Summary - - Minor Changes - - Bugfixes + - Release Summary + - Minor Changes + - Bugfixes - v1\.3\.0 - - Release Summary - - Minor Changes - - Bugfixes - - New Modules + - Release Summary + - Minor Changes + - Bugfixes + - New Modules - v1\.2\.0 - - Release Summary - - Minor Changes - - Security Fixes - - Bugfixes + - Release Summary + - Minor Changes + - Security Fixes + - Bugfixes - v1\.1\.1 - - Release Summary - - Bugfixes + - Release Summary + - Bugfixes - v1\.1\.0 - - Release Summary - - Minor Changes - - Bugfixes - - New Modules + - Release Summary + - Minor Changes + - Bugfixes + - New Modules - v1\.0\.0 - - Release Summary - - Minor Changes - - Deprecated Features - - Removed Features \(previously deprecated\) - - Bugfixes - - New Modules + - Release Summary + - Minor Changes + - Deprecated Features + - Removed Features \(previously deprecated\) + - Bugfixes + - New Modules - -## v2\.18\.0 + +## v2\.19\.0 ### Release Summary @@ -221,16 +228,45 @@ Bugfix and feature release\. ### Minor Changes -* x509\_crl \- the new option serial\_numbers allow to configure in which format serial numbers can be provided to revoked\_certificates\[\]\.serial\_number\. The default is as integers \(serial\_numbers\=integer\) for backwards compatibility\; setting serial\_numbers\=hex\-octets allows to specify colon\-separated hex octet strings like 00\:11\:22\:FF \([https\://github\.com/ansible\-collections/community\.crypto/issues/687](https\://github\.com/ansible\-collections/community\.crypto/issues/687)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/715](https\://github\.com/ansible\-collections/community\.crypto/pull/715)\)\. +* When using cryptography \>\= 42\.0\.0\, use offset\-aware datetime\.datetime objects \(with timezone UTC\) instead of offset\-naive UTC timestamps \([https\://github\.com/ansible\-collections/community\.crypto/issues/726](https\://github\.com/ansible\-collections/community\.crypto/issues/726)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/727](https\://github\.com/ansible\-collections/community\.crypto/pull/727)\)\. +* openssh\_cert \- avoid UTC functions deprecated in Python 3\.12 when using Python 3 \([https\://github\.com/ansible\-collections/community\.crypto/pull/727](https\://github\.com/ansible\-collections/community\.crypto/pull/727)\)\. ### Deprecated Features -* openssl\_csr\_pipe\, openssl\_privatekey\_pipe\, x509\_certificate\_pipe \- the current behavior of check mode is deprecated and will change in community\.crypto 3\.0\.0\. The current behavior is similar to the modules without \_pipe\: if the object needs to be \(re\-\)generated\, only the changed status is set\, but the object is not updated\. From community\.crypto 3\.0\.0 on\, the modules will ignore check mode and always act as if check mode is not active\. This behavior can already achieved now by adding check\_mode\: false to the task\. If you think this breaks your use\-case of this module\, please [create an issue in the community\.crypto repository](https\://github\.com/ansible\-collections/community\.crypto/issues/new/choose) \([https\://github\.com/ansible\-collections/community\.crypto/issues/712](https\://github\.com/ansible\-collections/community\.crypto/issues/712)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/714](https\://github\.com/ansible\-collections/community\.crypto/pull/714)\)\. +* acme\.backends module utils \- from community\.crypto on\, all implementations of CryptoBackend must override get\_ordered\_csr\_identifiers\(\)\. The current default implementation\, which simply sorts the result of get\_csr\_identifiers\(\)\, will then be removed \([https\://github\.com/ansible\-collections/community\.crypto/pull/725](https\://github\.com/ansible\-collections/community\.crypto/pull/725)\)\. ### Bugfixes +* acme\_certificate \- respect the order of the CNAME and SAN identifiers that are passed on when creating an ACME order \([https\://github\.com/ansible\-collections/community\.crypto/issues/723](https\://github\.com/ansible\-collections/community\.crypto/issues/723)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/725](https\://github\.com/ansible\-collections/community\.crypto/pull/725)\)\. + + +### New Modules + +* x509\_certificate\_convert \- Convert X\.509 certificates + + +## v2\.18\.0 + + +### Release Summary + +Bugfix and feature release\. + + +### Minor Changes + +* x509\_crl \- the new option serial\_numbers allow to configure in which format serial numbers can be provided to revoked\_certificates\[\]\.serial\_number\. The default is as integers \(serial\_numbers\=integer\) for backwards compatibility\; setting serial\_numbers\=hex\-octets allows to specify colon\-separated hex octet strings like 00\:11\:22\:FF \([https\://github\.com/ansible\-collections/community\.crypto/issues/687](https\://github\.com/ansible\-collections/community\.crypto/issues/687)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/715](https\://github\.com/ansible\-collections/community\.crypto/pull/715)\)\. + + +### Deprecated Features + +* openssl\_csr\_pipe\, openssl\_privatekey\_pipe\, x509\_certificate\_pipe \- the current behavior of check mode is deprecated and will change in community\.crypto 3\.0\.0\. The current behavior is similar to the modules without \_pipe\: if the object needs to be \(re\-\)generated\, only the changed status is set\, but the object is not updated\. From community\.crypto 3\.0\.0 on\, the modules will ignore check mode and always act as if check mode is not active\. This behavior can already achieved now by adding check\_mode\: false to the task\. If you think this breaks your use\-case of this module\, please [create an issue in the community\.crypto repository](https\://github\.com/ansible\-collections/community\.crypto/issues/new/choose) \([https\://github\.com/ansible\-collections/community\.crypto/issues/712](https\://github\.com/ansible\-collections/community\.crypto/issues/712)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/714](https\://github\.com/ansible\-collections/community\.crypto/pull/714)\)\. + + +### Bugfixes + * luks\_device \- fixed module a bug that prevented using remove\_keyslot with the value 0 \([https\://github\.com/ansible\-collections/community\.crypto/pull/710](https\://github\.com/ansible\-collections/community\.crypto/pull/710)\)\. * luks\_device \- fixed module falsely outputting changed\=false when trying to add a new slot with a key that is already present in another slot\. The module now rejects adding keys that are already present in another slot \([https\://github\.com/ansible\-collections/community\.crypto/pull/710](https\://github\.com/ansible\-collections/community\.crypto/pull/710)\)\. * luks\_device \- fixed testing of LUKS passphrases in when specifying a keyslot for cryptsetup version 2\.0\.3\. The output of this cryptsetup version slightly differs from later versions \([https\://github\.com/ansible\-collections/community\.crypto/pull/710](https\://github\.com/ansible\-collections/community\.crypto/pull/710)\)\. @@ -247,12 +283,12 @@ Bugfix and feature release\. ## v2\.17\.1 - + ### Release Summary Bugfix release for compatibility with cryptography 42\.0\.0\. - + ### Bugfixes * openssl\_dhparam \- was using an internal function instead of the public API to load DH param files when using the cryptography backend\. The internal function was removed in cryptography 42\.0\.0\. The module now uses the public API\, which has been available since support for DH params was added to cryptography \([https\://github\.com/ansible\-collections/community\.crypto/pull/698](https\://github\.com/ansible\-collections/community\.crypto/pull/698)\)\. @@ -262,12 +298,12 @@ Bugfix release for compatibility with cryptography 42\.0\.0\. ## v2\.17\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * luks\_device \- add allow discards option \([https\://github\.com/ansible\-collections/community\.crypto/pull/693](https\://github\.com/ansible\-collections/community\.crypto/pull/693)\)\. @@ -275,12 +311,12 @@ Feature release\. ## v2\.16\.2 - + ### Release Summary Bugfix release\. - + ### Bugfixes * acme\_\* modules \- directly react on bad return data for account creation/retrieval/updating requests \([https\://github\.com/ansible\-collections/community\.crypto/pull/682](https\://github\.com/ansible\-collections/community\.crypto/pull/682)\)\. @@ -291,12 +327,12 @@ Bugfix release\. ## v2\.16\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * acme\_\* modules \- also retry requests in case of socket errors\, bad status lines\, and unknown connection errors\; improve error messages in these cases \([https\://github\.com/ansible\-collections/community\.crypto/issues/680](https\://github\.com/ansible\-collections/community\.crypto/issues/680)\)\. @@ -304,17 +340,17 @@ Bugfix release\. ## v2\.16\.0 - + ### Release Summary Bugfix release\. - + ### Minor Changes * luks\_devices \- add new options keyslot\, new\_keyslot\, and remove\_keyslot to allow adding/removing keys to/from specific keyslots \([https\://github\.com/ansible\-collections/community\.crypto/pull/664](https\://github\.com/ansible\-collections/community\.crypto/pull/664)\)\. - + ### Bugfixes * openssl\_pkcs12 \- modify autodetect to not detect pyOpenSSL \>\= 23\.3\.0\, which removed PKCS\#12 support \([https\://github\.com/ansible\-collections/community\.crypto/pull/666](https\://github\.com/ansible\-collections/community\.crypto/pull/666)\)\. @@ -322,12 +358,12 @@ Bugfix release\. ## v2\.15\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * acme\_\* modules \- correctly handle error documents without type \([https\://github\.com/ansible\-collections/community\.crypto/issues/651](https\://github\.com/ansible\-collections/community\.crypto/issues/651)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/652](https\://github\.com/ansible\-collections/community\.crypto/pull/652)\)\. @@ -335,22 +371,22 @@ Bugfix release\. ## v2\.15\.0 - + ### Release Summary Bugfix and feature release\. - + ### Minor Changes * openssh\_keypair \- fail when comment cannot be updated \([https\://github\.com/ansible\-collections/community\.crypto/pull/646](https\://github\.com/ansible\-collections/community\.crypto/pull/646)\)\. - + ### Deprecated Features * get\_certificate \- the default false of the asn1\_base64 option is deprecated and will change to true in community\.crypto 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.crypto/pull/600](https\://github\.com/ansible\-collections/community\.crypto/pull/600)\)\. - + ### Bugfixes * openssh\_cert\, openssh\_keypair \- the modules ignored return codes of ssh and ssh\-keygen in some cases \([https\://github\.com/ansible\-collections/community\.crypto/issues/645](https\://github\.com/ansible\-collections/community\.crypto/issues/645)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/646](https\://github\.com/ansible\-collections/community\.crypto/pull/646)\)\. @@ -372,7 +408,7 @@ Bugfix and feature release\. ## v2\.14\.1 - + ### Release Summary Bugfix and maintenance release with updated documentation\. @@ -385,7 +421,7 @@ ansible\-core 2\.15 or later to see it as it is intended\. Alternatively you can look at [the devel docsite](https\://docs\.ansible\.com/ansible/devel/collections/community/crypto/) for the rendered HTML version of the documentation of the latest release\. - + ### Bugfixes * Fix PEM detection/identification to also accept random other lines before the line starting with \-\-\-\-\-BEGIN \([https\://github\.com/ansible\-collections/community\.crypto/issues/627](https\://github\.com/ansible\-collections/community\.crypto/issues/627)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/628](https\://github\.com/ansible\-collections/community\.crypto/pull/628)\)\. @@ -398,12 +434,12 @@ for the rendered HTML version of the documentation of the latest release\. ## v2\.14\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * acme\_certificate \- allow to use no challenge by providing no challenge for the challenge option\. This is needed for ACME servers where validation is done without challenges \([https\://github\.com/ansible\-collections/community\.crypto/issues/613](https\://github\.com/ansible\-collections/community\.crypto/issues/613)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/615](https\://github\.com/ansible\-collections/community\.crypto/pull/615)\)\. @@ -413,12 +449,12 @@ Feature release\. ## v2\.13\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * execution environment definition \- fix installation of python3\-pyOpenSSL package on CentOS and RHEL \([https\://github\.com/ansible\-collections/community\.crypto/pull/606](https\://github\.com/ansible\-collections/community\.crypto/pull/606)\)\. @@ -427,22 +463,22 @@ Bugfix release\. ## v2\.13\.0 - + ### Release Summary Bugfix and maintenance release\. - + ### Minor Changes * x509\_crl \- the crl\_mode option has been added to replace the existing mode option \([https\://github\.com/ansible\-collections/community\.crypto/issues/596](https\://github\.com/ansible\-collections/community\.crypto/issues/596)\)\. - + ### Deprecated Features * x509\_crl \- the mode option is deprecated\; use crl\_mode instead\. The mode option will change its meaning in community\.crypto 3\.0\.0\, and will refer to the CRL file\'s mode instead \([https\://github\.com/ansible\-collections/community\.crypto/issues/596](https\://github\.com/ansible\-collections/community\.crypto/issues/596)\)\. - + ### Bugfixes * openssh\_keypair \- always generate a new key pair if the private key does not exist\. Previously\, the module would fail when regenerate\=fail without an existing key\, contradicting the documentation \([https\://github\.com/ansible\-collections/community\.crypto/pull/598](https\://github\.com/ansible\-collections/community\.crypto/pull/598)\)\. @@ -451,12 +487,12 @@ Bugfix and maintenance release\. ## v2\.12\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * get\_certificate \- add asn1\_base64 option to control whether the ASN\.1 included in the extensions return value is binary data or Base64 encoded \([https\://github\.com/ansible\-collections/community\.crypto/pull/592](https\://github\.com/ansible\-collections/community\.crypto/pull/592)\)\. @@ -464,7 +500,7 @@ Feature release\. ## v2\.11\.1 - + ### Release Summary Maintenance release with improved documentation\. @@ -472,17 +508,17 @@ Maintenance release with improved documentation\. ## v2\.11\.0 - + ### Release Summary Feature and bugfix release\. - + ### Minor Changes * get\_certificate \- adds ciphers option for custom cipher selection \([https\://github\.com/ansible\-collections/community\.crypto/pull/571](https\://github\.com/ansible\-collections/community\.crypto/pull/571)\)\. - + ### Bugfixes * action plugin helper \- fix handling of deprecations for ansible\-core 2\.14\.2 \([https\://github\.com/ansible\-collections/community\.crypto/pull/572](https\://github\.com/ansible\-collections/community\.crypto/pull/572)\)\. @@ -492,12 +528,12 @@ Feature and bugfix release\. ## v2\.10\.0 - + ### Release Summary Bugfix and feature release\. - + ### Bugfixes * openssl\_csr\, openssl\_csr\_pipe \- prevent invalid values for crl\_distribution\_points that do not have one of full\_name\, relative\_name\, and crl\_issuer \([https\://github\.com/ansible\-collections/community\.crypto/pull/560](https\://github\.com/ansible\-collections/community\.crypto/pull/560)\)\. @@ -519,12 +555,12 @@ Bugfix and feature release\. ## v2\.9\.0 - + ### Release Summary Regular feature release\. - + ### Minor Changes * x509\_certificate\_info \- adds issuer\_uri field in return value based on Authority Information Access data \([https\://github\.com/ansible\-collections/community\.crypto/pull/530](https\://github\.com/ansible\-collections/community\.crypto/pull/530)\)\. @@ -532,7 +568,7 @@ Regular feature release\. ## v2\.8\.1 - + ### Release Summary Maintenance release with improved documentation\. @@ -540,12 +576,12 @@ Maintenance release with improved documentation\. ## v2\.8\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * acme\_\* modules \- handle more gracefully if CA\'s new nonce call does not return a nonce \([https\://github\.com/ansible\-collections/community\.crypto/pull/525](https\://github\.com/ansible\-collections/community\.crypto/pull/525)\)\. @@ -555,12 +591,12 @@ Feature release\. ## v2\.7\.1 - + ### Release Summary Maintenance release\. - + ### Bugfixes * acme\_\* modules \- improve feedback when importing cryptography does not work \([https\://github\.com/ansible\-collections/community\.crypto/issues/518](https\://github\.com/ansible\-collections/community\.crypto/issues/518)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/519](https\://github\.com/ansible\-collections/community\.crypto/pull/519)\)\. @@ -568,17 +604,17 @@ Maintenance release\. ## v2\.7\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * acme\* modules \- also support the HTTP 503 Service Unavailable and 408 Request Timeout response status for automatic retries \([https\://github\.com/ansible\-collections/community\.crypto/pull/513](https\://github\.com/ansible\-collections/community\.crypto/pull/513)\)\. - + ### Bugfixes * openssl\_privatekey\_pipe \- ensure compatibility with newer versions of ansible\-core \([https\://github\.com/ansible\-collections/community\.crypto/pull/515](https\://github\.com/ansible\-collections/community\.crypto/pull/515)\)\. @@ -586,12 +622,12 @@ Feature release\. ## v2\.6\.0 - + ### Release Summary Feature release\. - + ### Minor Changes * acme\* modules \- support the HTTP 429 Too Many Requests response status \([https\://github\.com/ansible\-collections/community\.crypto/pull/508](https\://github\.com/ansible\-collections/community\.crypto/pull/508)\)\. @@ -600,12 +636,12 @@ Feature release\. ## v2\.5\.0 - + ### Release Summary Maintenance release with improved licensing declaration and documentation fixes\. - + ### Minor Changes * All software licenses are now in the LICENSES/ directory of the collection root\. Moreover\, SPDX\-License\-Identifier\: is used to declare the applicable license for every file that is not automatically generated \([https\://github\.com/ansible\-collections/community\.crypto/pull/491](https\://github\.com/ansible\-collections/community\.crypto/pull/491)\)\. @@ -613,17 +649,17 @@ Maintenance release with improved licensing declaration and documentation fixes\ ## v2\.4\.0 - + ### Release Summary Deprecation and bugfix release\. No new features this time\. - + ### Deprecated Features * Support for Ansible 2\.9 and ansible\-base 2\.10 is deprecated\, and will be removed in the next major release \(community\.crypto 3\.0\.0\)\. Some modules might still work with these versions afterwards\, but we will no longer keep compatibility code that was needed to support them \([https\://github\.com/ansible\-collections/community\.crypto/pull/460](https\://github\.com/ansible\-collections/community\.crypto/pull/460)\)\. - + ### Bugfixes * openssl\_pkcs12 \- when using the pyOpenSSL backend\, do not crash when trying to read non\-existing other certificates \([https\://github\.com/ansible\-collections/community\.crypto/issues/486](https\://github\.com/ansible\-collections/community\.crypto/issues/486)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/487](https\://github\.com/ansible\-collections/community\.crypto/pull/487)\)\. @@ -631,7 +667,7 @@ Deprecation and bugfix release\. No new features this time\. ## v2\.3\.4 - + ### Release Summary Re\-release of what was intended to be 2\.3\.3\. @@ -647,12 +683,12 @@ has been added\. ## v2\.3\.3 - + ### Release Summary Bugfix release\. - + ### Bugfixes * Include Apache\-2\.0\.txt file for plugins/module\_utils/crypto/\_obj2txt\.py and plugins/module\_utils/crypto/\_objects\_data\.py\. @@ -662,12 +698,12 @@ Bugfix release\. ## v2\.3\.2 - + ### Release Summary Maintenance and bugfix release\. - + ### Bugfixes * Include simplified\_bsd\.txt license file for the ECS module utils\. @@ -676,12 +712,12 @@ Maintenance and bugfix release\. ## v2\.3\.1 - + ### Release Summary Maintenance release\. - + ### Bugfixes * Include PSF\-license\.txt file for plugins/module\_utils/\_version\.py\. @@ -689,12 +725,12 @@ Maintenance release\. ## v2\.3\.0 - + ### Release Summary Feature and bugfix release\. - + ### Minor Changes * Prepare collection for inclusion in an Execution Environment by declaring its dependencies\. Please note that system packages are used for cryptography and PyOpenSSL\, which can be rather limited\. If you need features from newer cryptography versions\, you will have to manually force a newer version to be installed by pip by specifying something like cryptography \>\= 37\.0\.0 in your Execution Environment\'s Python dependencies file \([https\://github\.com/ansible\-collections/community\.crypto/pull/440](https\://github\.com/ansible\-collections/community\.crypto/pull/440)\)\. @@ -708,7 +744,7 @@ Feature and bugfix release\. * x509\_crl \- add name\_encoding option to control the encoding \(IDNA\, Unicode\) used to return domain names in general names \([https\://github\.com/ansible\-collections/community\.crypto/pull/436](https\://github\.com/ansible\-collections/community\.crypto/pull/436)\)\. * x509\_crl\_info \- add name\_encoding option to control the encoding \(IDNA\, Unicode\) used to return domain names in general names \([https\://github\.com/ansible\-collections/community\.crypto/pull/436](https\://github\.com/ansible\-collections/community\.crypto/pull/436)\)\. - + ### Bugfixes * Make collection more robust when PyOpenSSL is used with an incompatible cryptography version \([https\://github\.com/ansible\-collections/community\.crypto/pull/445](https\://github\.com/ansible\-collections/community\.crypto/pull/445)\)\. @@ -717,12 +753,12 @@ Feature and bugfix release\. ## v2\.2\.4 - + ### Release Summary Regular maintenance release\. - + ### Bugfixes * openssh\_\* modules \- fix exception handling to report traceback to users for enhanced traceability \([https\://github\.com/ansible\-collections/community\.crypto/pull/417](https\://github\.com/ansible\-collections/community\.crypto/pull/417)\)\. @@ -730,12 +766,12 @@ Regular maintenance release\. ## v2\.2\.3 - + ### Release Summary Regular bugfix release\. - + ### Bugfixes * luks\_device \- fix parsing of lsblk output when device name ends with crypt \([https\://github\.com/ansible\-collections/community\.crypto/issues/409](https\://github\.com/ansible\-collections/community\.crypto/issues/409)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/410](https\://github\.com/ansible\-collections/community\.crypto/pull/410)\)\. @@ -743,14 +779,14 @@ Regular bugfix release\. ## v2\.2\.2 - + ### Release Summary Regular bugfix release\. In this release\, we extended the test matrix to include Alpine 3\, ArchLinux\, Debian Bullseye\, and CentOS Stream 8\. CentOS 8 was removed from the test matrix\. - + ### Bugfixes * certificate\_complete\_chain \- allow multiple potential intermediate certificates to have the same subject \([https\://github\.com/ansible\-collections/community\.crypto/issues/399](https\://github\.com/ansible\-collections/community\.crypto/issues/399)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/403](https\://github\.com/ansible\-collections/community\.crypto/pull/403)\)\. @@ -762,12 +798,12 @@ In this release\, we extended the test matrix to include Alpine 3\, ArchLinux\, ## v2\.2\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * openssh\_cert \- fixed false changed status for host certificates when using full\_idempotence \([https\://github\.com/ansible\-collections/community\.crypto/issues/395](https\://github\.com/ansible\-collections/community\.crypto/issues/395)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/396](https\://github\.com/ansible\-collections/community\.crypto/pull/396)\)\. @@ -775,17 +811,17 @@ Bugfix release\. ## v2\.2\.0 - + ### Release Summary Regular bugfix and feature release\. - + ### Minor Changes * openssh\_cert \- added ignore\_timestamps parameter so it can be used semi\-idempotent with relative timestamps in valid\_to/valid\_from \([https\://github\.com/ansible\-collections/community\.crypto/issues/379](https\://github\.com/ansible\-collections/community\.crypto/issues/379)\)\. - + ### Bugfixes * luks\_devices \- set LANG and similar environment variables to avoid translated output\, which can break some of the module\'s functionality like key management \([https\://github\.com/ansible\-collections/community\.crypto/pull/388](https\://github\.com/ansible\-collections/community\.crypto/pull/388)\, [https\://github\.com/ansible\-collections/community\.crypto/issues/385](https\://github\.com/ansible\-collections/community\.crypto/issues/385)\)\. @@ -793,24 +829,24 @@ Regular bugfix and feature release\. ## v2\.1\.0 - + ### Release Summary Feature and bugfix release\. - + ### Minor Changes * Adjust error messages that indicate cryptography is not installed from Can\'t to Cannot \([https\://github\.com/ansible\-collections/community\.crypto/pull/374](https\://github\.com/ansible\-collections/community\.crypto/pull/374)\)\. - + ### Bugfixes * Various modules and plugins \- use vendored version of distutils\.version instead of the deprecated Python standard library distutils \([https\://github\.com/ansible\-collections/community\.crypto/pull/353](https\://github\.com/ansible\-collections/community\.crypto/pull/353)\)\. * certificate\_complete\_chain \- do not append root twice if the chain already ends with a root certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/360](https\://github\.com/ansible\-collections/community\.crypto/pull/360)\)\. * certificate\_complete\_chain \- do not hang when infinite loop is found \([https\://github\.com/ansible\-collections/community\.crypto/issues/355](https\://github\.com/ansible\-collections/community\.crypto/issues/355)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/360](https\://github\.com/ansible\-collections/community\.crypto/pull/360)\)\. - + ### New Modules * crypto\_info \- Retrieve cryptographic capabilities @@ -819,7 +855,7 @@ Feature and bugfix release\. ## v2\.0\.2 - + ### Release Summary Documentation fix release\. No actual code changes\. @@ -827,17 +863,17 @@ Documentation fix release\. No actual code changes\. ## v2\.0\.1 - + ### Release Summary Bugfix release with extra forward compatibility for newer versions of cryptography\. - + ### Minor Changes * acme\_\* modules \- fix usage of fetch\_url with changes in latest ansible\-core devel branch \([https\://github\.com/ansible\-collections/community\.crypto/pull/339](https\://github\.com/ansible\-collections/community\.crypto/pull/339)\)\. - + ### Bugfixes * acme\_certificate \- avoid passing multiple certificates to cryptography\'s X\.509 certificate loader when fullchain\_dest is used \([https\://github\.com/ansible\-collections/community\.crypto/pull/324](https\://github\.com/ansible\-collections/community\.crypto/pull/324)\)\. @@ -848,12 +884,12 @@ Bugfix release with extra forward compatibility for newer versions of cryptograp ## v2\.0\.0 - + ### Release Summary A new major release of the community\.crypto collection\. The main changes are removal of the PyOpenSSL backends for almost all modules \(openssl\_pkcs12 being the only exception\)\, and removal of the assertonly provider in the x509\_certificate provider\. There are also some other breaking changes which should improve the user interface/experience of this collection long\-term\. - + ### Minor Changes * acme\_certificate \- the subject and issuer fields in in the select\_chain entries are now more strictly validated \([https\://github\.com/ansible\-collections/community\.crypto/pull/316](https\://github\.com/ansible\-collections/community\.crypto/pull/316)\)\. @@ -878,7 +914,7 @@ A new major release of the community\.crypto collection\. The main * openssl\_privatekey\_info \- by default consistency checks are not run\; they need to be explicitly requested by passing check\_consistency\=true \([https\://github\.com/ansible\-collections/community\.crypto/pull/309](https\://github\.com/ansible\-collections/community\.crypto/pull/309)\)\. * x509\_crl \- for idempotency checks\, the issuer order is ignored\. If order is important\, use the new issuer\_ordered option \([https\://github\.com/ansible\-collections/community\.crypto/pull/316](https\://github\.com/ansible\-collections/community\.crypto/pull/316)\)\. - + ### Deprecated Features * acme\_\* modules \- ACME version 1 is now deprecated and support for it will be removed in community\.crypto 2\.0\.0 \([https\://github\.com/ansible\-collections/community\.crypto/pull/288](https\://github\.com/ansible\-collections/community\.crypto/pull/288)\)\. @@ -910,7 +946,7 @@ A new major release of the community\.crypto collection\. The main * x509\_certificate\_info \- removed the pyopenssl backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/273](https\://github\.com/ansible\-collections/community\.crypto/pull/273)\)\. * x509\_certificate\_pipe \- removed the pyopenssl backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/273](https\://github\.com/ansible\-collections/community\.crypto/pull/273)\)\. - + ### Bugfixes * cryptography backend \- improve Unicode handling for Python 2 \([https\://github\.com/ansible\-collections/community\.crypto/pull/313](https\://github\.com/ansible\-collections/community\.crypto/pull/313)\)\. @@ -922,12 +958,12 @@ A new major release of the community\.crypto collection\. The main ## v1\.9\.4 - + ### Release Summary Regular bugfix release\. - + ### Bugfixes * acme\_\* modules \- fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use /dev/stdin instead of \-\. This is needed for OpenSSL 1\.0\.1 and 1\.0\.2\, apparently \([https\://github\.com/ansible\-collections/community\.crypto/pull/279](https\://github\.com/ansible\-collections/community\.crypto/pull/279)\)\. @@ -936,12 +972,12 @@ Regular bugfix release\. ## v1\.9\.3 - + ### Release Summary Regular bugfix release\. - + ### Bugfixes * openssl\_csr and openssl\_csr\_pipe \- make sure that Unicode strings are used to compare strings with the cryptography backend\. This fixes idempotency problems with non\-ASCII letters on Python 2 \([https\://github\.com/ansible\-collections/community\.crypto/issues/270](https\://github\.com/ansible\-collections/community\.crypto/issues/270)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/271](https\://github\.com/ansible\-collections/community\.crypto/pull/271)\)\. @@ -949,7 +985,7 @@ Regular bugfix release\. ## v1\.9\.2 - + ### Release Summary Bugfix release to fix the changelog\. No other change compared to 1\.9\.0\. @@ -957,7 +993,7 @@ Bugfix release to fix the changelog\. No other change compared to 1\.9\.0\. ## v1\.9\.1 - + ### Release Summary Accidental 1\.9\.1 release\. Identical to 1\.9\.0\. @@ -965,18 +1001,18 @@ Accidental 1\.9\.1 release\. Identical to 1\.9\.0\. ## v1\.9\.0 - + ### Release Summary Regular feature release\. - + ### Minor Changes * get\_certificate \- added starttls option to retrieve certificates from servers which require clients to request an encrypted connection \([https\://github\.com/ansible\-collections/community\.crypto/pull/264](https\://github\.com/ansible\-collections/community\.crypto/pull/264)\)\. * openssh\_keypair \- added diff support \([https\://github\.com/ansible\-collections/community\.crypto/pull/260](https\://github\.com/ansible\-collections/community\.crypto/pull/260)\)\. - + ### Bugfixes * keypair\_backend module utils \- simplify code to pass sanity tests \([https\://github\.com/ansible\-collections/community\.crypto/pull/263](https\://github\.com/ansible\-collections/community\.crypto/pull/263)\)\. @@ -987,12 +1023,12 @@ Regular feature release\. ## v1\.8\.0 - + ### Release Summary Regular bugfix and feature release\. - + ### Minor Changes * Avoid internal ansible\-core module\_utils in favor of equivalent public API available since at least Ansible 2\.9 \([https\://github\.com/ansible\-collections/community\.crypto/pull/253](https\://github\.com/ansible\-collections/community\.crypto/pull/253)\)\. @@ -1000,7 +1036,7 @@ Regular bugfix and feature release\. * openssh\_cert \- added regenerate option to validate additional certificate parameters which trigger regeneration of an existing certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/256](https\://github\.com/ansible\-collections/community\.crypto/pull/256)\)\. * openssh\_cert \- adding diff support \([https\://github\.com/ansible\-collections/community\.crypto/pull/255](https\://github\.com/ansible\-collections/community\.crypto/pull/255)\)\. - + ### Bugfixes * openssh\_cert \- fixed certificate generation to restore original certificate if an error is encountered \([https\://github\.com/ansible\-collections/community\.crypto/pull/255](https\://github\.com/ansible\-collections/community\.crypto/pull/255)\)\. @@ -1009,12 +1045,12 @@ Regular bugfix and feature release\. ## v1\.7\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * openssl\_pkcs12 \- fix crash when loading passphrase\-protected PKCS\#12 files with cryptography backend \([https\://github\.com/ansible\-collections/community\.crypto/issues/247](https\://github\.com/ansible\-collections/community\.crypto/issues/247)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/248](https\://github\.com/ansible\-collections/community\.crypto/pull/248)\)\. @@ -1022,12 +1058,12 @@ Bugfix release\. ## v1\.7\.0 - + ### Release Summary Regular feature and bugfix release\. - + ### Minor Changes * cryptography\_openssh module utils \- new module\_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs \([https\://github\.com/ansible\-collections/community\.crypto/pull/213](https\://github\.com/ansible\-collections/community\.crypto/pull/213)\)\. @@ -1050,14 +1086,14 @@ Regular feature and bugfix release\. * x509\_crl\_info \- add list\_revoked\_certificates option to avoid enumerating all revoked certificates \([https\://github\.com/ansible\-collections/community\.crypto/pull/232](https\://github\.com/ansible\-collections/community\.crypto/pull/232)\)\. * x509\_crl\_info \- refactor module to allow code reuse for diff mode \([https\://github\.com/ansible\-collections/community\.crypto/pull/203](https\://github\.com/ansible\-collections/community\.crypto/pull/203)\)\. - + ### Bugfixes * openssh\_keypair \- fix check\_mode to populate return values for existing keypairs \([https\://github\.com/ansible\-collections/community\.crypto/issues/113](https\://github\.com/ansible\-collections/community\.crypto/issues/113)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/230](https\://github\.com/ansible\-collections/community\.crypto/pull/230)\)\. * various modules \- prevent crashes when modules try to set attributes on not yet existing files in check mode\. This will be fixed in ansible\-core 2\.12\, but it is not backported to every Ansible version we support \([https\://github\.com/ansible\-collections/community\.crypto/issue/242](https\://github\.com/ansible\-collections/community\.crypto/issue/242)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/243](https\://github\.com/ansible\-collections/community\.crypto/pull/243)\)\. * x509\_certificate \- fix crash when assertonly provider is used and some error conditions should be reported \([https\://github\.com/ansible\-collections/community\.crypto/issues/240](https\://github\.com/ansible\-collections/community\.crypto/issues/240)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/241](https\://github\.com/ansible\-collections/community\.crypto/pull/241)\)\. - + ### New Modules * openssl\_publickey\_info \- Provide information for OpenSSL public keys @@ -1065,12 +1101,12 @@ Regular feature and bugfix release\. ## v1\.6\.2 - + ### Release Summary Bugfix release\. Fixes compatibility issue of ACME modules with step\-ca\. - + ### Bugfixes * acme\_\* modules \- avoid crashing for ACME servers where the meta directory key is not present \([https\://github\.com/ansible\-collections/community\.crypto/issues/220](https\://github\.com/ansible\-collections/community\.crypto/issues/220)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/221](https\://github\.com/ansible\-collections/community\.crypto/pull/221)\)\. @@ -1078,12 +1114,12 @@ Bugfix release\. Fixes compatibility issue of ACME modules with step\-ca\. ## v1\.6\.1 - + ### Release Summary Bugfix release\. - + ### Bugfixes * acme\_\* modules \- fix wrong usages of ACMEProtocolException \([https\://github\.com/ansible\-collections/community\.crypto/pull/216](https\://github\.com/ansible\-collections/community\.crypto/pull/216)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/217](https\://github\.com/ansible\-collections/community\.crypto/pull/217)\)\. @@ -1091,12 +1127,12 @@ Bugfix release\. ## v1\.6\.0 - + ### Release Summary Fixes compatibility issues with the latest ansible\-core 2\.11 beta\, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them\. - + ### Minor Changes * acme module\_utils \- the acme module\_utils has been split up into several Python modules \([https\://github\.com/ansible\-collections/community\.crypto/pull/184](https\://github\.com/ansible\-collections/community\.crypto/pull/184)\)\. @@ -1105,12 +1141,12 @@ Fixes compatibility issues with the latest ansible\-core 2\.11 beta\, and contai * acme\_certificate\_revoke \- support revoking by private keys that are passphrase protected for cryptography backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/207](https\://github\.com/ansible\-collections/community\.crypto/pull/207)\)\. * acme\_challenge\_cert\_helper \- add private\_key\_passphrase parameter \([https\://github\.com/ansible\-collections/community\.crypto/pull/207](https\://github\.com/ansible\-collections/community\.crypto/pull/207)\)\. - + ### Deprecated Features * acme module\_utils \- the acme module\_utils \(ansible\_collections\.community\.crypto\.plugins\.module\_utils\.acme\) is deprecated and will be removed in community\.crypto 2\.0\.0\. Use the new Python modules in the acme package instead \(ansible\_collections\.community\.crypto\.plugins\.module\_utils\.acme\.xxx\) \([https\://github\.com/ansible\-collections/community\.crypto/pull/184](https\://github\.com/ansible\-collections/community\.crypto/pull/184)\)\. - + ### Bugfixes * action\_module plugin helper \- make compatible with latest changes in ansible\-core 2\.11\.0b3 \([https\://github\.com/ansible\-collections/community\.crypto/pull/202](https\://github\.com/ansible\-collections/community\.crypto/pull/202)\)\. @@ -1119,23 +1155,23 @@ Fixes compatibility issues with the latest ansible\-core 2\.11 beta\, and contai ## v1\.5\.0 - + ### Release Summary Regular feature and bugfix release\. Deprecates a return value\. - + ### Minor Changes * acme\_account\_info \- when retrieve\_orders is not ignore and the ACME server allows to query orders\, the new return value order\_uris is always populated with a list of URIs \([https\://github\.com/ansible\-collections/community\.crypto/pull/178](https\://github\.com/ansible\-collections/community\.crypto/pull/178)\)\. * luks\_device \- allow to specify sector size for LUKS2 containers with new sector\_size parameter \([https\://github\.com/ansible\-collections/community\.crypto/pull/193](https\://github\.com/ansible\-collections/community\.crypto/pull/193)\)\. - + ### Deprecated Features * acme\_account\_info \- when retrieve\_orders\=url\_list\, orders will no longer be returned in community\.crypto 2\.0\.0\. Use order\_uris instead \([https\://github\.com/ansible\-collections/community\.crypto/pull/178](https\://github\.com/ansible\-collections/community\.crypto/pull/178)\)\. - + ### Bugfixes * openssl\_csr \- no longer fails when comparing CSR without basic constraint when basic\_constraints is specified \([https\://github\.com/ansible\-collections/community\.crypto/issues/179](https\://github\.com/ansible\-collections/community\.crypto/issues/179)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/180](https\://github\.com/ansible\-collections/community\.crypto/pull/180)\)\. @@ -1143,12 +1179,12 @@ Regular feature and bugfix release\. Deprecates a return value\. ## v1\.4\.0 - + ### Release Summary Release with several new features and bugfixes\. - + ### Minor Changes * The ACME module\_utils has been relicensed back from the Simplified BSD License \([https\://opensource\.org/licenses/BSD\-2\-Clause](https\://opensource\.org/licenses/BSD\-2\-Clause)\) to the GPLv3\+ \(same license used by most other code in this collection\)\. This undoes a licensing change when the original GPLv3\+ licensed code was moved to module\_utils in [https\://github\.com/ansible/ansible/pull/40697](https\://github\.com/ansible/ansible/pull/40697) \([https\://github\.com/ansible\-collections/community\.crypto/pull/165](https\://github\.com/ansible\-collections/community\.crypto/pull/165)\)\. @@ -1158,7 +1194,7 @@ Release with several new features and bugfixes\. * openssl\_csr\, openssl\_csr\_pipe \- allow to specify CRL distribution endpoints with crl\_distribution\_points \([https\://github\.com/ansible\-collections/community\.crypto/issues/147](https\://github\.com/ansible\-collections/community\.crypto/issues/147)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/167](https\://github\.com/ansible\-collections/community\.crypto/pull/167)\)\. * openssl\_pkcs12 \- allow to specify certificate bundles in other\_certificates by using new option other\_certificates\_parse\_all \([https\://github\.com/ansible\-collections/community\.crypto/issues/149](https\://github\.com/ansible\-collections/community\.crypto/issues/149)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/166](https\://github\.com/ansible\-collections/community\.crypto/pull/166)\)\. - + ### Bugfixes * acme\_certificate \- error when requested challenge type is not found for non\-valid challenges\, instead of hanging on step 2 \([https\://github\.com/ansible\-collections/community\.crypto/issues/171](https\://github\.com/ansible\-collections/community\.crypto/issues/171)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/173](https\://github\.com/ansible\-collections/community\.crypto/pull/173)\)\. @@ -1166,12 +1202,12 @@ Release with several new features and bugfixes\. ## v1\.3\.0 - + ### Release Summary Contains new modules openssl\_privatekey\_pipe\, openssl\_csr\_pipe and x509\_certificate\_pipe which allow to create or update private keys\, CSRs and X\.509 certificates without having to write them to disk\. - + ### Minor Changes * openssh\_cert \- add module parameter use\_agent to enable using signing keys stored in ssh\-agent \([https\://github\.com/ansible\-collections/community\.crypto/issues/116](https\://github\.com/ansible\-collections/community\.crypto/issues/116)\)\. @@ -1181,14 +1217,14 @@ Contains new modules openssl\_privatekey\_pipe\, openssl\_csr * x509\_certificate \- for the selfsigned provider\, a CSR is not required anymore\. If no CSR is provided\, the module behaves as if a minimal CSR which only contains the public key has been provided \([https\://github\.com/ansible\-collections/community\.crypto/issues/32](https\://github\.com/ansible\-collections/community\.crypto/issues/32)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/129](https\://github\.com/ansible\-collections/community\.crypto/pull/129)\)\. * x509\_certificate \- refactor module to allow code reuse by x509\_certificate\_pipe \([https\://github\.com/ansible\-collections/community\.crypto/pull/135](https\://github\.com/ansible\-collections/community\.crypto/pull/135)\)\. - + ### Bugfixes * openssl\_pkcs12 \- report the correct state when action is parse \([https\://github\.com/ansible\-collections/community\.crypto/issues/143](https\://github\.com/ansible\-collections/community\.crypto/issues/143)\)\. * support code \- improve handling of certificate and certificate signing request \(CSR\) loading with the cryptography backend when errors occur \([https\://github\.com/ansible\-collections/community\.crypto/issues/138](https\://github\.com/ansible\-collections/community\.crypto/issues/138)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/139](https\://github\.com/ansible\-collections/community\.crypto/pull/139)\)\. * x509\_certificate \- fix entrust provider\, which was broken since community\.crypto 0\.1\.0 due to a feature added before the collection move \([https\://github\.com/ansible\-collections/community\.crypto/pull/135](https\://github\.com/ansible\-collections/community\.crypto/pull/135)\)\. - + ### New Modules * openssl\_csr\_pipe \- Generate OpenSSL Certificate Signing Request \(CSR\) @@ -1198,12 +1234,12 @@ Contains new modules openssl\_privatekey\_pipe\, openssl\_csr ## v1\.2\.0 - + ### Release Summary Please note that this release fixes a security issue \(CVE\-2020\-25646\)\. - + ### Minor Changes * acme\_certificate \- allow to pass CSR file as content with new option csr\_content \([https\://github\.com/ansible\-collections/community\.crypto/pull/115](https\://github\.com/ansible\-collections/community\.crypto/pull/115)\)\. @@ -1219,7 +1255,7 @@ Please note that this release fixes a security issue \(CVE\-2020\-25646\)\. * x509\_certificate \- the options privatekey\_content and ownca\_privatekey\_content were not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * x509\_crl \- the option privatekey\_content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. - + ### Bugfixes * openssl\_pkcs12 \- do not crash when reading PKCS\#12 file which has no private key and/or no main certificate \([https\://github\.com/ansible\-collections/community\.crypto/issues/103](https\://github\.com/ansible\-collections/community\.crypto/issues/103)\)\. @@ -1227,12 +1263,12 @@ Please note that this release fixes a security issue \(CVE\-2020\-25646\)\. ## v1\.1\.1 - + ### Release Summary Bugfixes for Ansible 2\.10\.0\. - + ### Bugfixes * meta/runtime\.yml \- convert Ansible version numbers for old names of modules to collection version numbers \([https\://github\.com/ansible\-collections/community\.crypto/pull/108](https\://github\.com/ansible\-collections/community\.crypto/pull/108)\)\. @@ -1241,12 +1277,12 @@ Bugfixes for Ansible 2\.10\.0\. ## v1\.1\.0 - + ### Release Summary Release for Ansible 2\.10\.0\. - + ### Minor Changes * acme\_account \- add external\_account\_binding option to allow creation of ACME accounts with External Account Binding \([https\://github\.com/ansible\-collections/community\.crypto/issues/89](https\://github\.com/ansible\-collections/community\.crypto/issues/89)\)\. @@ -1259,14 +1295,14 @@ Release for Ansible 2\.10\.0\. * openssl\_csr \- add support for name constraints extension \([https\://github\.com/ansible\-collections/community\.crypto/issues/46](https\://github\.com/ansible\-collections/community\.crypto/issues/46)\)\. * openssl\_csr\_info \- add support for name constraints extension \([https\://github\.com/ansible\-collections/community\.crypto/issues/46](https\://github\.com/ansible\-collections/community\.crypto/issues/46)\)\. - + ### Bugfixes * acme\_inspect \- fix problem with Python 3\.5 that JSON was not decoded \([https\://github\.com/ansible\-collections/community\.crypto/issues/86](https\://github\.com/ansible\-collections/community\.crypto/issues/86)\)\. * get\_certificate \- fix ca\_cert option handling when proxy\_host is used \([https\://github\.com/ansible\-collections/community\.crypto/pull/84](https\://github\.com/ansible\-collections/community\.crypto/pull/84)\)\. * openssl\_\*\, x509\_\* modules \- fix handling of general names which refer to IP networks and not IP addresses \([https\://github\.com/ansible\-collections/community\.crypto/pull/92](https\://github\.com/ansible\-collections/community\.crypto/pull/92)\)\. - + ### New Modules * openssl\_signature \- Sign data with openssl @@ -1275,12 +1311,12 @@ Release for Ansible 2\.10\.0\. ## v1\.0\.0 - + ### Release Summary This is the first proper release of the community\.crypto collection\. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2\.9\.0\. - + ### Minor Changes * luks\_device \- accept passphrase\, new\_passphrase and remove\_passphrase\. @@ -1309,7 +1345,7 @@ This is the first proper release of the community\.crypto collectio * openssl\_publickey \- allow to provide private key content via private\_key\_content option\. * openssl\_publickey \- allow to return the existing/generated public key directly as publickey by setting return\_content to yes\. - + ### Deprecated Features * openssl\_csr \- all values for the version option except 1 are deprecated\. The value 1 denotes the current only standardized CSR version\. @@ -1319,7 +1355,7 @@ This is the first proper release of the community\.crypto collectio * The letsencrypt module has been removed\. Use acme\_certificate instead\. - + ### Bugfixes * ACME modules\: fix bug in ACME v1 account update code @@ -1342,7 +1378,7 @@ This is the first proper release of the community\.crypto collectio * openssl\_csr \- the module will now enforce that privatekey\_path is specified when state\=present\. * openssl\_publickey \- fix a module crash caused when pyOpenSSL is not installed \([https\://github\.com/ansible/ansible/issues/67035](https\://github\.com/ansible/ansible/issues/67035)\)\. - + ### New Modules * ecs\_domain \- Request validation of a domain with the Entrust Certificate Services \(ECS\) API diff --git a/ansible_collections/community/crypto/CHANGELOG.rst b/ansible_collections/community/crypto/CHANGELOG.rst index 320169717..b2dca8e3f 100644 --- a/ansible_collections/community/crypto/CHANGELOG.rst +++ b/ansible_collections/community/crypto/CHANGELOG.rst @@ -4,6 +4,35 @@ Community Crypto Release Notes .. contents:: Topics +v2.19.0 +======= + +Release Summary +--------------- + +Bugfix and feature release. + +Minor Changes +------------- + +- When using cryptography >= 42.0.0, use offset-aware ``datetime.datetime`` objects (with timezone UTC) instead of offset-naive UTC timestamps (https://github.com/ansible-collections/community.crypto/issues/726, https://github.com/ansible-collections/community.crypto/pull/727). +- openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python 3 (https://github.com/ansible-collections/community.crypto/pull/727). + +Deprecated Features +------------------- + +- acme.backends module utils - from community.crypto on, all implementations of ``CryptoBackend`` must override ``get_ordered_csr_identifiers()``. The current default implementation, which simply sorts the result of ``get_csr_identifiers()``, will then be removed (https://github.com/ansible-collections/community.crypto/pull/725). + +Bugfixes +-------- + +- acme_certificate - respect the order of the CNAME and SAN identifiers that are passed on when creating an ACME order (https://github.com/ansible-collections/community.crypto/issues/723, https://github.com/ansible-collections/community.crypto/pull/725). + +New Modules +----------- + +- x509_certificate_convert - Convert X.509 certificates + v2.18.0 ======= diff --git a/ansible_collections/community/crypto/FILES.json b/ansible_collections/community/crypto/FILES.json index 249caaa96..e98f9499c 100644 --- a/ansible_collections/community/crypto/FILES.json +++ b/ansible_collections/community/crypto/FILES.json @@ -109,7 +109,7 @@ "name": ".azure-pipelines/azure-pipelines.yml", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "82056264d02238b30cfe7740554b4dcde7ec173c7a5de5e494f2fad309462455", + "chksum_sha256": "6e277188c1cbc0030cb55f73f6ebde233c77c66e2aa0d19476f9b7bae729d345", "format": 1 }, { @@ -130,7 +130,7 @@ "name": ".github/workflows/ansible-test.yml", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "aac90c499964bd9233fc13565169248e29e9eda7cf97a2d4db56f6fdba9558ed", + "chksum_sha256": "4250c0cd843d1a134c3d806ef9030b55f9a1b949902d1a746ccd19edb9f51a95", "format": 1 }, { @@ -165,7 +165,7 @@ "name": ".github/workflows/reuse.yml", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "907950e209820f04e0122e100c86690cf5ac0f4a15cb950cce4d2af6eaaddb37", + "chksum_sha256": "5d7f877d94901193f7273865244e67010c8196234debbacf6be5f27ec51f417c", "format": 1 }, { @@ -263,7 +263,7 @@ "name": "changelogs/changelog.yaml", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "e03726652f634d6ff4b51599ec42f48c6ff77aaec7d59c186770af2c599b2d3f", + "chksum_sha256": "7dcaea3df82e79d7b11bb628e95889ccfb31077902d6ddaee8655a83f577b418", "format": 1 }, { @@ -315,6 +315,13 @@ "chksum_sha256": "17f1e754f67c08a3c2f873905d3678328bdb9763128ef0f80c63f58f5b3c151e", "format": 1 }, + { + "name": "docs/docsite/config.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "0c5ec9ff76cf4db33b5d3f771419ef50d448e5d510cb7a98fc07dd9ecee69c4e", + "format": 1 + }, { "name": "docs/docsite/extra-docs.yml", "ftype": "file", @@ -564,21 +571,21 @@ "name": "plugins/module_utils/acme/backend_cryptography.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "4b8f578400e6bd0762ba44c0784c6a8e4fc442e436243836ace40317eb936b61", + "chksum_sha256": "5bccf4747fa4ef5853858db1683bfa4d31951fc1da78341c36063617eb4b2719", "format": 1 }, { "name": "plugins/module_utils/acme/backend_openssl_cli.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "5e5e5127e8eb261168dfe60dcd1e1fd63ad1196ca5947a1845c3f7481dcaf431", + "chksum_sha256": "7a722bedddbc63e4d6e66b10659f63531c2675e19740ccc3381b70f6ed3fdba4", "format": 1 }, { "name": "plugins/module_utils/acme/backends.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "cf618865eb9f569e5d775d0539463ce6f7abd3cd593f4528a83f3f1bfb2885e5", + "chksum_sha256": "e2c50aaec5b7404e7a8437d34f8246adcb6a7390dff505ce772d04b9a9530177", "format": 1 }, { @@ -641,7 +648,7 @@ "name": "plugins/module_utils/crypto/module_backends/certificate.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "707b1e0abbd35ffb76d00744ee35b4f5521b7184de04d587f34cc256aa1a7728", + "chksum_sha256": "c8858dddd2447413319f622af45c004f3b64eb6038e3e288454b76418d28d0f2", "format": 1 }, { @@ -655,28 +662,28 @@ "name": "plugins/module_utils/crypto/module_backends/certificate_entrust.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "0046918bf9e870753fb5a24815ada1dcc42077f2ba62e950942f26c36a298b62", + "chksum_sha256": "79486afc80b485e4c4c930b59f44c8320e5ece7eb63408bf5f5ac2bc66c3eeed", "format": 1 }, { "name": "plugins/module_utils/crypto/module_backends/certificate_info.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "20a96ca9b95f652564f49dce0e477a314da3f6cc1e6f51e3ae75992e6f54da5b", + "chksum_sha256": "cd9c993f1c224036eba267820de7e21cec8a06a138d943b776541be214f1d14f", "format": 1 }, { "name": "plugins/module_utils/crypto/module_backends/certificate_ownca.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "8491949f4ed06374834f8ba4cd67edac9bbbeae47247b0e978c92220aaf3cb50", + "chksum_sha256": "6c58c55efbdec1869fc10fe63785242aee81f2dc8fff03397de5b75303ed724d", "format": 1 }, { "name": "plugins/module_utils/crypto/module_backends/certificate_selfsigned.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "c535db42e5267798cb1d12c1329ed3e526ede4afae8dcef10d619e779535ecf6", + "chksum_sha256": "d46e3f53d82fe161efdc94f337126f66fcfb8e49647367c08a68ee2232ca6e8c", "format": 1 }, { @@ -774,14 +781,14 @@ "name": "plugins/module_utils/crypto/cryptography_crl.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "070fbd85edef9007d52574252b31f189dabc6256b828251075d506e6f1186082", + "chksum_sha256": "ad9a5bdd95492d516dc390346b968b0191a8901d7682382e978a7f67e681878a", "format": 1 }, { "name": "plugins/module_utils/crypto/cryptography_support.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "429ae5d529c41a60c0cf15e55b745cbd9adfd569ea315adf693527ba72499451", + "chksum_sha256": "3839218fd95217f9fbb44cb01ac33ec87837021d90fe92dac2ac1509a29f5564", "format": 1 }, { @@ -802,14 +809,14 @@ "name": "plugins/module_utils/crypto/pem.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "9045d933bdb216615500049e5773323f005b2355868f2628c9775cf88e524ae3", + "chksum_sha256": "8a37877e3d15f35f92bb5a28698db59b6c8c605f99d89cf42554418378d7738b", "format": 1 }, { "name": "plugins/module_utils/crypto/support.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "af8b7e736a0383370681a6a9017a9e9f3c9bbcf324c3b6c2bc99e5031bef3183", + "chksum_sha256": "7d27f0bf007ccdb80a8d144381545f6406abad02396dbd39def186147a6efa91", "format": 1 }, { @@ -872,7 +879,7 @@ "name": "plugins/module_utils/openssh/certificate.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "3edc83078c5dee008ccb961123d202b4ea2340772f28137dcef60e945604464c", + "chksum_sha256": "2febea40e9db5c2f560a0e399603812f520b575b00cec33bfae2e536962d24c7", "format": 1 }, { @@ -942,7 +949,7 @@ "name": "plugins/modules/acme_certificate.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "c3f29dfd43f862717692b9ea8a48a186f3bf48f73cbe400ded858aa1286662ac", + "chksum_sha256": "5f0f0039f146654c43e4a2a44e7be9becfc9a1d0566e11bef39ad591b472725d", "format": 1 }, { @@ -956,7 +963,7 @@ "name": "plugins/modules/acme_challenge_cert_helper.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "073bd164227b3dfd709e76288c1d3185474556274257e793e77f7acbd2220904", + "chksum_sha256": "8484e4dc9508cffab80145f63ebabf0e88e6d203a3e466f2c000ca3e465596cb", "format": 1 }, { @@ -998,7 +1005,7 @@ "name": "plugins/modules/get_certificate.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "316e351393face995abc0334f38736f3eb27bd73a9faece5206c061f37122ab0", + "chksum_sha256": "3ea3b665adf3bbc3c2dc8e92cf9efd6c7b273aec0c8f1ef29e6414b0a9c50dd9", "format": 1 }, { @@ -1120,11 +1127,18 @@ "chksum_sha256": "66bb9cda2e07f4bd196b0f309a8ed705668e627ea0d3f9137cf29be408ad73b3", "format": 1 }, + { + "name": "plugins/modules/x509_certificate_convert.py", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "b41327e91bb4111c6b9e4293684a2ad6d4cfa566101303ac4b38507a71c18716", + "format": 1 + }, { "name": "plugins/modules/x509_certificate_info.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "9cdcd6e9d4d11182ff9bf203c1432b0d96d74f31548f8eb34ae5b7beb48d57fc", + "chksum_sha256": "e39c0d16a89cc7cac74d2c81e0406c9e5c1ebe8da0dd9c9c5ef9c26a78d5eae0", "format": 1 }, { @@ -1138,7 +1152,7 @@ "name": "plugins/modules/x509_crl.py", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "bc95c541cd09e5d61f437b7c701e3c3370821618a271f98d4746de8480e9084f", + "chksum_sha256": "eb2dfed3b7ec2739444923eb22812533901e9f6e7b6f19e127db7d34b3f6c6aa", "format": 1 }, { @@ -4578,6 +4592,55 @@ "chksum_sha256": "efd331a62ed0b05469a451ee76dfab1231fee154835999a0cda0473e9bfe30f8", "format": 1 }, + { + "name": "tests/integration/targets/x509_certificate_convert", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/meta", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/meta/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "e550791b9b9cf709c4dbec99b2fd8603263883e7eab8c8d99805c2aa4bcaa8a2", + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/tasks", + "ftype": "dir", + "chksum_type": null, + "chksum_sha256": null, + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/tasks/impl.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "c41118537236b6020f57408e488caac150d7f68d5e5c2a1a5b576441d467d710", + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/tasks/main.yml", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "89871cb736941b87c796ec88bd5bb119dc7adf62b9379ecebd1ae620156f939a", + "format": 1 + }, + { + "name": "tests/integration/targets/x509_certificate_convert/aliases", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "efd331a62ed0b05469a451ee76dfab1231fee154835999a0cda0473e9bfe30f8", + "format": 1 + }, { "name": "tests/integration/targets/x509_certificate_info", "ftype": "dir", @@ -4848,7 +4911,7 @@ "name": "tests/sanity/ignore-2.10.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "9c564907d4db67b2eab6b7387740cbf6146bb2f236db4eac52fc320fa2e0eefb", + "chksum_sha256": "0cfffbe82096f8efdba1b354fad867dd681faac5a4029419261c228ca128c97f", "format": 1 }, { @@ -4862,7 +4925,7 @@ "name": "tests/sanity/ignore-2.11.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "1b44914e1e87736a09ebfdabf48dae543323720b6864fb9064052e874d96847d", + "chksum_sha256": "409ff4ad0805b8ac9d20d7c7ae2e76f35ac8ed6c14ea124d75f768e4299af964", "format": 1 }, { @@ -4876,7 +4939,7 @@ "name": "tests/sanity/ignore-2.12.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "a4c87a60391639fdf51e7be2088785d7d1950580d27cbc348d45c2bad0887a4a", + "chksum_sha256": "69653fb8464973ead8ebbdadf67ec37adc5222978de6033fa8c76fe90292fb54", "format": 1 }, { @@ -4890,7 +4953,7 @@ "name": "tests/sanity/ignore-2.13.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "38df4b447aa4f0fa4b168df195dff78362f955ed3c4117266c320045be6d00a7", + "chksum_sha256": "9d1eec057555e6cfcd9757bead5d91d32069ecdb786eebca25c253e85e5e9f47", "format": 1 }, { @@ -4904,7 +4967,7 @@ "name": "tests/sanity/ignore-2.14.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "38df4b447aa4f0fa4b168df195dff78362f955ed3c4117266c320045be6d00a7", + "chksum_sha256": "9d1eec057555e6cfcd9757bead5d91d32069ecdb786eebca25c253e85e5e9f47", "format": 1 }, { @@ -4956,11 +5019,25 @@ "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1", "format": 1 }, + { + "name": "tests/sanity/ignore-2.18.txt", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "88f167104e425a472b8fd111b8b2e9d7b2e1135ace2d5130cef81ca38aeba161", + "format": 1 + }, + { + "name": "tests/sanity/ignore-2.18.txt.license", + "ftype": "file", + "chksum_type": "sha256", + "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1", + "format": 1 + }, { "name": "tests/sanity/ignore-2.9.txt", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "dad1b754c46149195a1a26af8e56bb1aa449d4acec41532bfaf45a8254b11050", + "chksum_sha256": "0ebc63c03bea984b7363e6e7ac6b1cf2ef1a866637ab8564cbad5061a62dc1e8", "format": 1 }, { @@ -5429,7 +5506,7 @@ "name": "CHANGELOG.md", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "5430eaa014f0f010ed69848fea7d36d8dbb9fe9a8d7612887dd52c73389dfef1", + "chksum_sha256": "ca2c6e6efdcfdb7ee6ee1b3bbb095989678081d32fa9aca67b65f57e96a37026", "format": 1 }, { @@ -5443,7 +5520,7 @@ "name": "CHANGELOG.rst", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "124c1a02abb35f4b3e98c6449bd07d7a606a80e34f297b60be1ed43673955bba", + "chksum_sha256": "6ba9093a33e39e50b4a9436cbfdb36c2591a15c0aeadc8e7072b980df760ee6d", "format": 1 }, { @@ -5464,7 +5541,7 @@ "name": "README.md", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "dd847490669a8106ad134aa8c1d21e9620891badee9173763ca0643187e7e735", + "chksum_sha256": "704b9171377cd1c819ac83f7603438188432dfc6296bb7c6bfa7291c85d3b8b6", "format": 1 } ], diff --git a/ansible_collections/community/crypto/MANIFEST.json b/ansible_collections/community/crypto/MANIFEST.json index 2e16020a1..40dbbd275 100644 --- a/ansible_collections/community/crypto/MANIFEST.json +++ b/ansible_collections/community/crypto/MANIFEST.json @@ -2,7 +2,7 @@ "collection_info": { "namespace": "community", "name": "crypto", - "version": "2.18.0", + "version": "2.19.0", "authors": [ "Ansible (github.com/ansible)" ], @@ -41,7 +41,7 @@ "name": "FILES.json", "ftype": "file", "chksum_type": "sha256", - "chksum_sha256": "fc4c33abc854162fe45421f98db891d66b0d614f3c5ddfcb8d14f308db7e9df2", + "chksum_sha256": "b8a70c677576d6f7bda75b45d97af355a4f371b9269a791bdef8976361b39f75", "format": 1 }, "format": 1 diff --git a/ansible_collections/community/crypto/README.md b/ansible_collections/community/crypto/README.md index 64ffd4eae..99c6a4f62 100644 --- a/ansible_collections/community/crypto/README.md +++ b/ansible_collections/community/crypto/README.md @@ -18,7 +18,7 @@ Please note that this collection does **not** support Windows targets. ## Tested with Ansible -Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, and ansible-core-2.16 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported. +Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, and ansible-core-2.17 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported. ## External requirements @@ -54,6 +54,7 @@ If you use the Ansible package and do not update collections independently, use - openssl_signature_info module - openssl_signature module - split_pem filter + - x509_certificate_convert module - x509_certificate_info module and filter - x509_certificate_pipe module - x509_certificate module diff --git a/ansible_collections/community/crypto/changelogs/changelog.yaml b/ansible_collections/community/crypto/changelogs/changelog.yaml index 044bd81a8..856a965ec 100644 --- a/ansible_collections/community/crypto/changelogs/changelog.yaml +++ b/ansible_collections/community/crypto/changelogs/changelog.yaml @@ -1052,6 +1052,33 @@ releases: name: to_serial namespace: null release_date: '2024-02-25' + 2.19.0: + changes: + bugfixes: + - acme_certificate - respect the order of the CNAME and SAN identifiers that + are passed on when creating an ACME order (https://github.com/ansible-collections/community.crypto/issues/723, + https://github.com/ansible-collections/community.crypto/pull/725). + deprecated_features: + - acme.backends module utils - from community.crypto on, all implementations + of ``CryptoBackend`` must override ``get_ordered_csr_identifiers()``. The + current default implementation, which simply sorts the result of ``get_csr_identifiers()``, + will then be removed (https://github.com/ansible-collections/community.crypto/pull/725). + minor_changes: + - When using cryptography >= 42.0.0, use offset-aware ``datetime.datetime`` + objects (with timezone UTC) instead of offset-naive UTC timestamps (https://github.com/ansible-collections/community.crypto/issues/726, + https://github.com/ansible-collections/community.crypto/pull/727). + - openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python + 3 (https://github.com/ansible-collections/community.crypto/pull/727). + release_summary: Bugfix and feature release. + fragments: + - 2.19.0.yml + - 725-acme_certificate-order.yml + - 727-cryptography-utc.yml + modules: + - description: Convert X.509 certificates + name: x509_certificate_convert + namespace: '' + release_date: '2024-04-20' 2.2.0: changes: bugfixes: diff --git a/ansible_collections/community/crypto/docs/docsite/config.yml b/ansible_collections/community/crypto/docs/docsite/config.yml new file mode 100644 index 000000000..1d6cf8554 --- /dev/null +++ b/ansible_collections/community/crypto/docs/docsite/config.yml @@ -0,0 +1,7 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +changelog: + write_changelog: true diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py index 2e388980a..0722c1f99 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_cryptography.py @@ -11,7 +11,6 @@ __metaclass__ = type import base64 import binascii -import datetime import os import traceback @@ -42,11 +41,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.math impor ) from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, + ensure_utc_timezone, parse_name_field, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_name_to_oid, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( @@ -298,31 +301,51 @@ class CryptographyBackend(CryptoBackend): }, } - def get_csr_identifiers(self, csr_filename=None, csr_content=None): + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): ''' - Return a set of requested identifiers (CN and SANs) for the CSR. + Return a list of requested identifiers (CN and SANs) for the CSR. Each identifier is a pair (type, identifier), where type is either 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. ''' - identifiers = set([]) if csr_content is None: csr_content = read_file(csr_filename) else: csr_content = to_bytes(csr_content) csr = cryptography.x509.load_pem_x509_csr(csr_content, _cryptography_backend) + + identifiers = set() + result = [] + + def add_identifier(identifier): + if identifier in identifiers: + return + identifiers.add(identifier) + result.append(identifier) + for sub in csr.subject: if sub.oid == cryptography.x509.oid.NameOID.COMMON_NAME: - identifiers.add(('dns', sub.value)) + add_identifier(('dns', sub.value)) for extension in csr.extensions: if extension.oid == cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME: for name in extension.value: if isinstance(name, cryptography.x509.DNSName): - identifiers.add(('dns', name.value)) + add_identifier(('dns', name.value)) elif isinstance(name, cryptography.x509.IPAddress): - identifiers.add(('ip', name.value.compressed)) + add_identifier(('ip', name.value.compressed)) else: raise BackendException('Found unsupported SAN identifier {0}'.format(name)) - return identifiers + return result + + def get_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a set of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + ''' + return set(self.get_ordered_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) def get_cert_days(self, cert_filename=None, cert_content=None, now=None): ''' @@ -353,8 +376,10 @@ class CryptographyBackend(CryptoBackend): raise BackendException('Cannot parse certificate {0}: {1}'.format(cert_filename, e)) if now is None: - now = datetime.datetime.now() - return (cert.not_valid_after - now).days + now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) + elif CRYPTOGRAPHY_TIMEZONE: + now = ensure_utc_timezone(now) + return (get_not_valid_after(cert) - now).days def create_chain_matcher(self, criterium): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py index dabcbdb3b..9a1ed1f5a 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backend_openssl_cli.py @@ -225,11 +225,14 @@ class OpenSSLCLIBackend(CryptoBackend): # We do not want to error out on something IPAddress() cannot parse return ip - def get_csr_identifiers(self, csr_filename=None, csr_content=None): + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): ''' - Return a set of requested identifiers (CN and SANs) for the CSR. + Return a list of requested identifiers (CN and SANs) for the CSR. Each identifier is a pair (type, identifier), where type is either 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. ''' filename = csr_filename data = None @@ -241,24 +244,40 @@ class OpenSSLCLIBackend(CryptoBackend): dummy, out, dummy = self.module.run_command( openssl_csr_cmd, data=data, check_rc=True, binary_data=True, environ_update=_OPENSSL_ENVIRONMENT_UPDATE) - identifiers = set([]) + identifiers = set() + result = [] + + def add_identifier(identifier): + if identifier in identifiers: + return + identifiers.add(identifier) + result.append(identifier) + common_name = re.search(r"Subject:.* CN\s?=\s?([^\s,;/]+)", to_text(out, errors='surrogate_or_strict')) if common_name is not None: - identifiers.add(('dns', common_name.group(1))) + add_identifier(('dns', common_name.group(1))) subject_alt_names = re.search( r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n", to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL) if subject_alt_names is not None: for san in subject_alt_names.group(1).split(", "): if san.lower().startswith("dns:"): - identifiers.add(('dns', san[4:])) + add_identifier(('dns', san[4:])) elif san.lower().startswith("ip:"): - identifiers.add(('ip', self._normalize_ip(san[3:]))) + add_identifier(('ip', self._normalize_ip(san[3:]))) elif san.lower().startswith("ip address:"): - identifiers.add(('ip', self._normalize_ip(san[11:]))) + add_identifier(('ip', self._normalize_ip(san[11:]))) else: raise BackendException('Found unsupported SAN identifier "{0}"'.format(san)) - return identifiers + return result + + def get_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a set of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + ''' + return set(self.get_ordered_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) def get_cert_days(self, cert_filename=None, cert_content=None, now=None): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py b/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py index 5c48e1a74..2d95a3ee3 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py +++ b/ansible_collections/community/crypto/plugins/module_utils/acme/backends.py @@ -34,6 +34,23 @@ class CryptoBackend(object): def create_mac_key(self, alg, key): '''Create a MAC key.''' + def get_ordered_csr_identifiers(self, csr_filename=None, csr_content=None): + ''' + Return a list of requested identifiers (CN and SANs) for the CSR. + Each identifier is a pair (type, identifier), where type is either + 'dns' or 'ip'. + + The list is deduplicated, and if a CNAME is present, it will be returned + as the first element in the result. + ''' + self.module.deprecate( + "Every backend must override the get_ordered_csr_identifiers() method." + " The default implementation will be removed in 3.0.0 and this method will be marked as `abstractmethod` by then.", + version='3.0.0', + collection_name='community.crypto', + ) + return sorted(self.get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content)) + @abc.abstractmethod def get_csr_identifiers(self, csr_filename=None, csr_content=None): ''' diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py index 62499e08b..8ef0d65da 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_crl.py @@ -19,6 +19,7 @@ from .basic import ( ) from .cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, ) @@ -27,6 +28,11 @@ from ._obj2txt import ( ) +# TODO: once cryptography has a _utc variant of InvalidityDate.invalidity_date, set this +# to True and adjust get_invalidity_date() accordingly. +# (https://github.com/pyca/cryptography/issues/10818) +CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = False + TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ" @@ -55,7 +61,7 @@ else: def cryptography_decode_revoked_certificate(cert): result = { 'serial_number': cert.serial_number, - 'revocation_date': cert.revocation_date, + 'revocation_date': get_revocation_date(cert), 'issuer': None, 'issuer_critical': False, 'reason': None, @@ -77,7 +83,7 @@ def cryptography_decode_revoked_certificate(cert): pass try: ext = cert.extensions.get_extension_for_class(x509.InvalidityDate) - result['invalidity_date'] = ext.value.invalidity_date + result['invalidity_date'] = get_invalidity_date(ext.value) result['invalidity_date_critical'] = ext.critical except x509.ExtensionNotFound: pass @@ -112,3 +118,38 @@ def cryptography_get_signature_algorithm_oid_from_crl(crl): crl._x509_crl.sig_alg.algorithm ) return x509.oid.ObjectIdentifier(dotted) + + +def get_next_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.next_update_utc + return obj.next_update + + +def get_last_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.last_update_utc + return obj.last_update + + +def get_revocation_date(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.revocation_date_utc + return obj.revocation_date + + +def get_invalidity_date(obj): + # TODO: special handling if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE is True + return obj.invalidity_date + + +def set_next_update(builder, value): + return builder.next_update(value) + + +def set_last_update(builder, value): + return builder.last_update(value) + + +def set_revocation_date(builder, value): + return builder.revocation_date(value) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py index b767d3417..3d07b35b1 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/cryptography_support.py @@ -29,7 +29,9 @@ try: from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import padding import ipaddress + _HAS_CRYPTOGRAPHY = True except ImportError: + _HAS_CRYPTOGRAPHY = False # Error handled in the calling module. pass @@ -106,6 +108,11 @@ from ._objects import ( from ._obj2txt import obj2txt +CRYPTOGRAPHY_TIMEZONE = False +if _HAS_CRYPTOGRAPHY: + CRYPTOGRAPHY_TIMEZONE = LooseVersion(cryptography.__version__) >= LooseVersion('42.0.0') + + DOTTED_OID = re.compile(r'^\d+(?:\.\d+)+$') @@ -807,3 +814,23 @@ def cryptography_verify_certificate_signature(certificate, signer_public_key): certificate.signature_hash_algorithm, signer_public_key ) + + +def get_not_valid_after(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_after_utc + return obj.not_valid_after + + +def get_not_valid_before(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_before_utc + return obj.not_valid_before + + +def set_not_valid_after(builder, value): + return builder.not_valid_after(value) + + +def set_not_valid_before(builder, value): + return builder.not_valid_before(value) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py index 7a56d7e9d..7bc93d934 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py @@ -32,6 +32,8 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( cryptography_compare_public_keys, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import ( @@ -251,12 +253,12 @@ class CertificateBackend(object): # Check not before if not_before is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_before != not_before: + if get_not_valid_before(self.existing_certificate) != not_before: return True # Check not after if not_after is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_after != not_after: + if get_not_valid_after(self.existing_certificate) != not_after: return True return False diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py index baf53f5de..7dc4641e1 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_entrust.py @@ -10,7 +10,6 @@ __metaclass__ = type import datetime -import time import os from ansible.module_utils.common.text.converters import to_native, to_bytes @@ -19,11 +18,14 @@ from ansible_collections.community.crypto.plugins.module_utils.ecs.api import EC from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, + get_now_datetime, get_relative_time_option, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_serial_number_of_cert, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -99,7 +101,7 @@ class EntrustCertificateBackend(CertificateBackend): # Handle expiration (30 days if not specified) expiry = self.notAfter if not expiry: - gmt_now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime())) + gmt_now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) expiry = gmt_now + datetime.timedelta(days=365) expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") @@ -154,7 +156,7 @@ class EntrustCertificateBackend(CertificateBackend): expiry = None if self.backend == 'cryptography': serial_number = "{0:X}".format(cryptography_serial_number_of_cert(self.existing_certificate)) - expiry = self.existing_certificate.not_valid_after + expiry = get_not_valid_after(self.existing_certificate) # get some information about the expiry of this certificate expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py index b10733ceb..5db6c3586 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -12,7 +12,6 @@ __metaclass__ = type import abc import binascii -import datetime import traceback from ansible.module_utils import six @@ -24,13 +23,17 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, get_fingerprint_of_bytes, + get_now_datetime, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, cryptography_get_extensions_from_cert, cryptography_oid_to_name, cryptography_serial_number_of_cert, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import ( @@ -169,7 +172,7 @@ class CertificateInfoRetrieval(object): not_after = self.get_not_after() result['not_before'] = not_before.strftime(TIMESTAMP_FORMAT) result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT) - result['expired'] = not_after < datetime.datetime.utcnow() + result['expired'] = not_after < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) result['public_key'] = to_native(self._get_public_key_pem()) @@ -322,10 +325,10 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval): return None, False def get_not_before(self): - return self.cert.not_valid_before + return get_not_valid_before(self.cert) def get_not_after(self): - return self.cert.not_valid_after + return get_not_valid_after(self.cert) def _get_public_key_pem(self): return self.cert.public_key().public_bytes( diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py index ac1cf845a..4d312e6b7 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py @@ -31,6 +31,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -120,8 +124,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.ca_cert.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.csr.public_key()) has_ski = False for extension in self.csr.extensions: @@ -220,8 +224,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py index 8695d43ee..edd8d8d77 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py @@ -22,6 +22,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -95,8 +99,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.csr.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.privatekey.public_key()) has_ski = False for extension in self.csr.extensions: @@ -154,8 +158,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py index da46548c7..5e6571fe0 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/pem.py @@ -9,6 +9,7 @@ __metaclass__ = type PEM_START = '-----BEGIN ' +PEM_END_START = '-----END ' PEM_END = '-----' PKCS8_PRIVATEKEY_NAMES = ('PRIVATE KEY', 'ENCRYPTED PRIVATE KEY') PKCS1_PRIVATEKEY_SUFFIX = ' PRIVATE KEY' @@ -77,3 +78,31 @@ def extract_first_pem(text): if not all_pems: return None return all_pems[0] + + +def _extract_type(line, start=PEM_START): + if not line.startswith(start): + return None + if not line.endswith(PEM_END): + return None + return line[len(start):-len(PEM_END)] + + +def extract_pem(content, strict=False): + lines = content.splitlines() + if len(lines) < 3: + raise ValueError('PEM must have at least 3 lines, have only {count}'.format(count=len(lines))) + header_type = _extract_type(lines[0]) + if header_type is None: + raise ValueError('First line is not of format {start}...{end}: {line!r}'.format(start=PEM_START, end=PEM_END, line=lines[0])) + footer_type = _extract_type(lines[-1], start=PEM_END_START) + if strict: + if header_type != footer_type: + raise ValueError('Header type ({header}) is different from footer type ({footer})'.format(header=header_type, footer=footer_type)) + for idx, line in enumerate(lines[1:-2]): + if len(line) != 64: + raise ValueError('Line {idx} has length {len} instead of 64'.format(idx=idx, len=len(line))) + if not (0 < len(lines[-2]) <= 64): + raise ValueError('Last line has length {len}, should be in (0, 64]'.format(len=len(lines[-2]))) + content = lines[1:-1] + return header_type, ''.join(content) diff --git a/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py b/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py index 473246b1b..8b59a3b70 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py +++ b/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py @@ -279,7 +279,19 @@ def parse_ordered_name_field(input_list, name_field_name): return result -def convert_relative_to_datetime(relative_time_string): +def get_now_datetime(with_timezone): + if with_timezone: + return datetime.datetime.now(tz=datetime.timezone.utc) + return datetime.datetime.utcnow() + + +def ensure_utc_timezone(timestamp): + if timestamp.tzinfo is not None: + return timestamp + return timestamp.astimezone(datetime.timezone.utc) + + +def convert_relative_to_datetime(relative_time_string, with_timezone=False): """Get a datetime.datetime or None from a string in the time format described in sshd_config(5)""" parsed_result = re.match( @@ -304,13 +316,14 @@ def convert_relative_to_datetime(relative_time_string): offset += datetime.timedelta( seconds=int(parsed_result.group("seconds"))) + now = get_now_datetime(with_timezone=with_timezone) if parsed_result.group("prefix") == "+": - return datetime.datetime.utcnow() + offset + return now + offset else: - return datetime.datetime.utcnow() - offset + return now - offset -def get_relative_time_option(input_string, input_name, backend='cryptography'): +def get_relative_time_option(input_string, input_name, backend='cryptography', with_timezone=False): """Return an absolute timespec if a relative timespec or an ASN1 formatted string is provided. @@ -323,7 +336,7 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): input_string, input_name) # Relative time if result.startswith("+") or result.startswith("-"): - result_datetime = convert_relative_to_datetime(result) + result_datetime = convert_relative_to_datetime(result, with_timezone=with_timezone) if backend == 'pyopenssl': return result_datetime.strftime("%Y%m%d%H%M%SZ") elif backend == 'cryptography': @@ -332,9 +345,13 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): if backend == 'cryptography': for date_fmt in ['%Y%m%d%H%M%SZ', '%Y%m%d%H%MZ', '%Y%m%d%H%M%S%z', '%Y%m%d%H%M%z']: try: - return datetime.datetime.strptime(result, date_fmt) + res = datetime.datetime.strptime(result, date_fmt) except ValueError: pass + else: + if with_timezone: + res = res.astimezone(datetime.timezone.utc) + return res raise OpenSSLObjectError( 'The time spec "%s" for %s is invalid' % diff --git a/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py b/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py index 54d1b1ec5..f59766651 100644 --- a/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py +++ b/ansible_collections/community/crypto/plugins/module_utils/openssh/certificate.py @@ -22,7 +22,9 @@ __metaclass__ = type import abc import binascii +import datetime as _datetime import os +import sys from base64 import b64encode from datetime import datetime from hashlib import sha256 @@ -61,8 +63,17 @@ _ECDSA_CURVE_IDENTIFIERS_LOOKUP = { b'nistp521': 'ecdsa-nistp521', } -_ALWAYS = datetime(1970, 1, 1) -_FOREVER = datetime.max +_USE_TIMEZONE = sys.version_info >= (3, 6) + + +def _ensure_utc_timezone_if_use_timezone(value): + if not _USE_TIMEZONE or value.tzinfo is not None: + return value + return value.astimezone(_datetime.timezone.utc) + + +_ALWAYS = _ensure_utc_timezone_if_use_timezone(datetime(1970, 1, 1)) +_FOREVER = datetime(9999, 12, 31, 23, 59, 59, 999999, _datetime.timezone.utc) if _USE_TIMEZONE else datetime.max _CRITICAL_OPTIONS = ( 'force-command', @@ -136,7 +147,7 @@ class OpensshCertificateTimeParameters(object): elif dt == _FOREVER: result = 'forever' else: - result = dt.isoformat() if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") + result = dt.isoformat().replace('+00:00', '') if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") elif date_format == 'timestamp': td = dt - _ALWAYS result = int((td.microseconds + (td.seconds + td.days * 24 * 3600) * 10 ** 6) / 10 ** 6) @@ -167,7 +178,10 @@ class OpensshCertificateTimeParameters(object): result = _FOREVER else: try: - result = datetime.utcfromtimestamp(timestamp) + if _USE_TIMEZONE: + result = datetime.fromtimestamp(timestamp, tz=_datetime.timezone.utc) + else: + result = datetime.utcfromtimestamp(timestamp) except OverflowError as e: raise ValueError return result @@ -180,11 +194,11 @@ class OpensshCertificateTimeParameters(object): elif time_string == 'forever': result = _FOREVER elif is_relative_time_string(time_string): - result = convert_relative_to_datetime(time_string) + result = convert_relative_to_datetime(time_string, with_timezone=_USE_TIMEZONE) else: for time_format in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"): try: - result = datetime.strptime(time_string, time_format) + result = _ensure_utc_timezone_if_use_timezone(datetime.strptime(time_string, time_format)) except ValueError: pass if result is None: diff --git a/ansible_collections/community/crypto/plugins/modules/acme_certificate.py b/ansible_collections/community/crypto/plugins/modules/acme_certificate.py index 9c0b349c4..21a6d6ae9 100644 --- a/ansible_collections/community/crypto/plugins/modules/acme_certificate.py +++ b/ansible_collections/community/crypto/plugins/modules/acme_certificate.py @@ -661,7 +661,7 @@ class ACMECertificateClient(object): raise ModuleFailException("CSR %s not found" % (self.csr)) # Extract list of identifiers from CSR - self.identifiers = self.client.backend.get_csr_identifiers(csr_filename=self.csr, csr_content=self.csr_content) + self.identifiers = self.client.backend.get_ordered_csr_identifiers(csr_filename=self.csr, csr_content=self.csr_content) def is_first_step(self): ''' diff --git a/ansible_collections/community/crypto/plugins/modules/acme_challenge_cert_helper.py b/ansible_collections/community/crypto/plugins/modules/acme_challenge_cert_helper.py index 9740cd16d..48b65f998 100644 --- a/ansible_collections/community/crypto/plugins/modules/acme_challenge_cert_helper.py +++ b/ansible_collections/community/crypto/plugins/modules/acme_challenge_cert_helper.py @@ -165,6 +165,16 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.io import ( read_file, ) +from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, + set_not_valid_after, + set_not_valid_before, +) + CRYPTOGRAPHY_IMP_ERR = None try: import cryptography @@ -244,8 +254,9 @@ def main(): domain = to_text(challenge_data['resource']) identifier_type, identifier = to_text(challenge_data.get('resource_original', 'dns:' + challenge_data['resource'])).split(':', 1) subject = issuer = cryptography.x509.Name([]) - not_valid_before = datetime.datetime.utcnow() - not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=10) + now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) + not_valid_before = now + not_valid_after = now + datetime.timedelta(days=10) if identifier_type == 'dns': san = cryptography.x509.DNSName(identifier) elif identifier_type == 'ip': @@ -254,7 +265,7 @@ def main(): raise ModuleFailException('Unsupported identifier type "{0}"'.format(identifier_type)) # Generate regular self-signed certificate - regular_certificate = cryptography.x509.CertificateBuilder().subject_name( + cert_builder = cryptography.x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer @@ -262,14 +273,13 @@ def main(): private_key.public_key() ).serial_number( cryptography.x509.random_serial_number() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after ).add_extension( cryptography.x509.SubjectAlternativeName([san]), critical=False, - ).sign( + ) + cert_builder = set_not_valid_before(cert_builder, not_valid_before) + cert_builder = set_not_valid_after(cert_builder, not_valid_after) + regular_certificate = cert_builder.sign( private_key, cryptography.hazmat.primitives.hashes.SHA256(), _cryptography_backend @@ -278,7 +288,7 @@ def main(): # Process challenge if challenge == 'tls-alpn-01': value = base64.b64decode(challenge_data['resource_value']) - challenge_certificate = cryptography.x509.CertificateBuilder().subject_name( + cert_builder = cryptography.x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer @@ -286,10 +296,6 @@ def main(): private_key.public_key() ).serial_number( cryptography.x509.random_serial_number() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after ).add_extension( cryptography.x509.SubjectAlternativeName([san]), critical=False, @@ -299,7 +305,10 @@ def main(): encode_octet_string(value), ), critical=True, - ).sign( + ) + cert_builder = set_not_valid_before(cert_builder, not_valid_before) + cert_builder = set_not_valid_after(cert_builder, not_valid_after) + challenge_certificate = cert_builder.sign( private_key, cryptography.hazmat.primitives.hashes.SHA256(), _cryptography_backend diff --git a/ansible_collections/community/crypto/plugins/modules/get_certificate.py b/ansible_collections/community/crypto/plugins/modules/get_certificate.py index 0f8abc90a..6ae9439d3 100644 --- a/ansible_collections/community/crypto/plugins/modules/get_certificate.py +++ b/ansible_collections/community/crypto/plugins/modules/get_certificate.py @@ -209,7 +209,6 @@ EXAMPLES = ''' import atexit import base64 -import datetime import traceback from os.path import isfile @@ -221,9 +220,16 @@ from ansible.module_utils.common.text.converters import to_bytes from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion +from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, +) + from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_oid_to_name, cryptography_get_extensions_from_cert, + get_not_valid_after, + get_not_valid_before, ) MINIMAL_CRYPTOGRAPHY_VERSION = '1.6' @@ -392,7 +398,7 @@ def main(): for attribute in x509.subject: result['subject'][cryptography_oid_to_name(attribute.oid, short=True)] = attribute.value - result['expired'] = x509.not_valid_after < datetime.datetime.utcnow() + result['expired'] = get_not_valid_after(x509) < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) result['extensions'] = [] for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items(): @@ -410,8 +416,8 @@ def main(): for attribute in x509.issuer: result['issuer'][cryptography_oid_to_name(attribute.oid, short=True)] = attribute.value - result['not_after'] = x509.not_valid_after.strftime('%Y%m%d%H%M%SZ') - result['not_before'] = x509.not_valid_before.strftime('%Y%m%d%H%M%SZ') + result['not_after'] = get_not_valid_after(x509).strftime('%Y%m%d%H%M%SZ') + result['not_before'] = get_not_valid_before(x509).strftime('%Y%m%d%H%M%SZ') result['serial_number'] = x509.serial_number result['signature_algorithm'] = cryptography_oid_to_name(x509.signature_algorithm_oid) diff --git a/ansible_collections/community/crypto/plugins/modules/x509_certificate_convert.py b/ansible_collections/community/crypto/plugins/modules/x509_certificate_convert.py new file mode 100644 index 000000000..d3e39dc11 --- /dev/null +++ b/ansible_collections/community/crypto/plugins/modules/x509_certificate_convert.py @@ -0,0 +1,280 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright (c) 2024, Felix Fontein +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +DOCUMENTATION = r''' +--- +module: x509_certificate_convert +short_description: Convert X.509 certificates +version_added: 2.19.0 +description: + - This module allows to convert X.509 certificates between different formats. +author: + - Felix Fontein (@felixfontein) +extends_documentation_fragment: + - ansible.builtin.files + - community.crypto.attributes + - community.crypto.attributes.files +attributes: + check_mode: + support: full + diff_mode: + support: none + safe_file_operations: + support: full +options: + src_path: + description: + - Name of the file containing the X.509 certificate to convert. + - Exactly one of O(src_path) or O(src_content) must be specified. + type: path + src_content: + description: + - The content of the file containing the X.509 certificate to convert. + - This must be text. If you are not sure that the input file is PEM, you must Base64 encode + the value and set O(src_content_base64=true). You can use the + P(ansible.builtin.b64encode#filter) filter plugin for this. + - Exactly one of O(src_path) or O(src_content) must be specified. + type: str + src_content_base64: + description: + - If set to V(true) when O(src_content) is provided, the module assumes that the value + of O(src_content) is Base64 encoded. + type: bool + default: false + format: + description: + - Determines which format the destination X.509 certificate should be written in. + - Please note that not every key can be exported in any format, and that not every + format supports encryption. + type: str + choices: + - pem + - der + required: true + strict: + description: + - If the input is a PEM file, ensure that it contains a single PEM object, that + the header and footer match, and are of type C(CERTIFICATE) or C(X509 CERTIFICATE). + type: bool + default: false + dest_path: + description: + - Name of the file in which the generated TLS/SSL X.509 certificate will be written. + type: path + required: true + backup: + description: + - Create a backup file including a timestamp so you can get + the original X.509 certificate back if you overwrote it with a new one by accident. + type: bool + default: false +seealso: + - plugin: ansible.builtin.b64encode + plugin_type: filter + - module: community.crypto.x509_certificate + - module: community.crypto.x509_certificate_pipe + - module: community.crypto.x509_certificate_info +''' + +EXAMPLES = r''' +- name: Convert PEM X.509 certificate to DER format + community.crypto.x509_certificate_convert: + src_path: /etc/ssl/cert/ansible.com.pem + dest_path: /etc/ssl/cert/ansible.com.der + format: der +''' + +RETURN = r''' +backup_file: + description: Name of backup file created. + returned: changed and if O(backup) is V(true) + type: str + sample: /path/to/cert.pem.2019-03-09@11:22~ +''' + +import base64 +import os + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text + +from ansible_collections.community.crypto.plugins.module_utils.io import ( + load_file_if_exists, + write_file, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import ( + OpenSSLObjectError, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( + PEM_START, + PEM_END_START, + PEM_END, + identify_pem_format, + split_pem_list, + extract_pem, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + OpenSSLObject, +) + + +def parse_certificate(input, strict=False): + input_format = 'pem' if identify_pem_format(input) else 'der' + if input_format == 'pem': + pems = split_pem_list(to_text(input)) + if len(pems) > 1 and strict: + raise ValueError('The input contains {count} PEM objects, expecting only one since strict=true'.format(count=len(pems))) + pem_header_type, content = extract_pem(pems[0], strict=strict) + if strict and pem_header_type not in ('CERTIFICATE', 'X509 CERTIFICATE'): + raise ValueError('type is {type!r}, expecting CERTIFICATE or X509 CERTIFICATE'.format(type=pem_header_type)) + input = base64.b64decode(content) + else: + pem_header_type = None + return input, input_format, pem_header_type + + +class X509CertificateConvertModule(OpenSSLObject): + def __init__(self, module): + super(X509CertificateConvertModule, self).__init__( + module.params['dest_path'], + 'present', + False, + module.check_mode, + ) + + self.src_path = module.params['src_path'] + self.src_content = module.params['src_content'] + self.src_content_base64 = module.params['src_content_base64'] + if self.src_content is not None: + self.input = to_bytes(self.src_content) + if self.src_content_base64: + try: + self.input = base64.b64decode(self.input) + except Exception as exc: + module.fail_json(msg='Cannot Base64 decode src_content: {exc}'.format(exc=exc)) + else: + try: + with open(self.src_path, 'rb') as f: + self.input = f.read() + except Exception as exc: + module.fail_json(msg='Failure while reading file {fn}: {exc}'.format(fn=self.src_path, exc=exc)) + + self.format = module.params['format'] + self.strict = module.params['strict'] + self.wanted_pem_type = 'CERTIFICATE' + + try: + self.input, self.input_format, dummy = parse_certificate(self.input, strict=self.strict) + except Exception as exc: + module.fail_json(msg='Error while parsing PEM: {exc}'.format(exc=exc)) + + self.backup = module.params['backup'] + self.backup_file = None + + module.params['path'] = self.path + + self.dest_content = load_file_if_exists(self.path, module) + self.dest_content_format = None + self.dest_content_pem_type = None + if self.dest_content is not None: + try: + self.dest_content, self.dest_content_format, self.dest_content_pem_type = parse_certificate( + self.dest_content, strict=True) + except Exception: + pass + + def needs_conversion(self): + if self.dest_content is None or self.dest_content_format is None: + return True + if self.dest_content_format != self.format: + return True + if self.input != self.dest_content: + return True + if self.format == 'pem' and self.dest_content_pem_type != self.wanted_pem_type: + return True + return False + + def get_dest_certificate(self): + if self.format == 'der': + return self.input + data = to_bytes(base64.b64encode(self.input)) + lines = [to_bytes('{0}{1}{2}'.format(PEM_START, self.wanted_pem_type, PEM_END))] + lines += [data[i:i + 64] for i in range(0, len(data), 64)] + lines.append(to_bytes('{0}{1}{2}\n'.format(PEM_END_START, self.wanted_pem_type, PEM_END))) + return b'\n'.join(lines) + + def generate(self, module): + """Do conversion.""" + if self.needs_conversion(): + # Convert + cert_data = self.get_dest_certificate() + if not self.check_mode: + if self.backup: + self.backup_file = module.backup_local(self.path) + write_file(module, cert_data) + self.changed = True + + file_args = module.load_file_common_arguments(module.params) + if module.check_file_absent_if_check_mode(file_args['path']): + self.changed = True + else: + self.changed = module.set_fs_attributes_if_different(file_args, self.changed) + + def dump(self): + """Serialize the object into a dictionary.""" + result = dict( + changed=self.changed, + ) + if self.backup_file: + result['backup_file'] = self.backup_file + + return result + + +def main(): + argument_spec = dict( + src_path=dict(type='path'), + src_content=dict(type='str'), + src_content_base64=dict(type='bool', default=False), + format=dict(type='str', required=True, choices=['pem', 'der']), + strict=dict(type='bool', default=False), + dest_path=dict(type='path', required=True), + backup=dict(type='bool', default=False), + ) + module = AnsibleModule( + argument_spec, + supports_check_mode=True, + add_file_common_args=True, + required_one_of=[('src_path', 'src_content')], + mutually_exclusive=[('src_path', 'src_content')], + ) + + base_dir = os.path.dirname(module.params['dest_path']) or '.' + if not os.path.isdir(base_dir): + module.fail_json( + name=base_dir, + msg='The directory %s does not exist or the file is not a directory' % base_dir + ) + + try: + cert = X509CertificateConvertModule(module) + cert.generate(module) + result = cert.dump() + module.exit_json(**result) + except OpenSSLObjectError as exc: + module.fail_json(msg=to_native(exc)) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py b/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py index d89f610c5..8379937f7 100644 --- a/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py +++ b/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py @@ -410,6 +410,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_relative_time_option, ) +from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, +) + from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import ( select_backend, ) @@ -451,7 +455,7 @@ def main(): module.fail_json( msg='The value for valid_at.{0} must be of type string (got {1})'.format(k, type(v)) ) - valid_at[k] = get_relative_time_option(v, 'valid_at.{0}'.format(k)) + valid_at[k] = get_relative_time_option(v, 'valid_at.{0}'.format(k), with_timezone=CRYPTOGRAPHY_TIMEZONE) try: result = module_backend.get_info(der_support_enabled=module.params['content'] is None) diff --git a/ansible_collections/community/crypto/plugins/modules/x509_crl.py b/ansible_collections/community/crypto/plugins/modules/x509_crl.py index 1ac97005a..527975b88 100644 --- a/ansible_collections/community/crypto/plugins/modules/x509_crl.py +++ b/ansible_collections/community/crypto/plugins/modules/x509_crl.py @@ -475,6 +475,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, cryptography_get_name, cryptography_key_needs_digest_for_signing, @@ -484,11 +485,17 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_crl import ( + CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE, REVOCATION_REASON_MAP, TIMESTAMP_FORMAT, cryptography_decode_revoked_certificate, cryptography_dump_revoked, cryptography_get_signature_algorithm_oid_from_crl, + get_next_update, + get_last_update, + set_next_update, + set_last_update, + set_revocation_date, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( @@ -560,8 +567,8 @@ class CRL(OpenSSLObject): except (TypeError, ValueError) as exc: module.fail_json(msg=to_native(exc)) - self.last_update = get_relative_time_option(module.params['last_update'], 'last_update') - self.next_update = get_relative_time_option(module.params['next_update'], 'next_update') + self.last_update = get_relative_time_option(module.params['last_update'], 'last_update', with_timezone=CRYPTOGRAPHY_TIMEZONE) + self.next_update = get_relative_time_option(module.params['next_update'], 'next_update', with_timezone=CRYPTOGRAPHY_TIMEZONE) self.digest = select_message_digest(module.params['digest']) if self.digest is None: @@ -607,7 +614,8 @@ class CRL(OpenSSLObject): result['issuer_critical'] = rc['issuer_critical'] result['revocation_date'] = get_relative_time_option( rc['revocation_date'], - path_prefix + 'revocation_date' + path_prefix + 'revocation_date', + with_timezone=CRYPTOGRAPHY_TIMEZONE, ) if rc['reason']: result['reason'] = REVOCATION_REASON_MAP[rc['reason']] @@ -615,7 +623,8 @@ class CRL(OpenSSLObject): if rc['invalidity_date']: result['invalidity_date'] = get_relative_time_option( rc['invalidity_date'], - path_prefix + 'invalidity_date' + path_prefix + 'invalidity_date', + with_timezone=CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE, ) result['invalidity_date_critical'] = rc['invalidity_date_critical'] self.revoked_certificates.append(result) @@ -731,9 +740,9 @@ class CRL(OpenSSLObject): if self.crl is None: return False - if self.last_update != self.crl.last_update and not self.ignore_timestamps: + if self.last_update != get_last_update(self.crl) and not self.ignore_timestamps: return False - if self.next_update != self.crl.next_update and not self.ignore_timestamps: + if self.next_update != get_next_update(self.crl) and not self.ignore_timestamps: return False if cryptography_key_needs_digest_for_signing(self.privatekey): if self.crl.signature_hash_algorithm is None or self.digest.name != self.crl.signature_hash_algorithm.name: @@ -780,8 +789,8 @@ class CRL(OpenSSLObject): except ValueError as e: raise CRLError(e) - crl = crl.last_update(self.last_update) - crl = crl.next_update(self.next_update) + crl = set_last_update(crl, self.last_update) + crl = set_next_update(crl, self.next_update) if self.update and self.crl: new_entries = set([self._compress_entry(entry) for entry in self.revoked_certificates]) @@ -792,7 +801,7 @@ class CRL(OpenSSLObject): for entry in self.revoked_certificates: revoked_cert = RevokedCertificateBuilder() revoked_cert = revoked_cert.serial_number(entry['serial_number']) - revoked_cert = revoked_cert.revocation_date(entry['revocation_date']) + revoked_cert = set_revocation_date(revoked_cert, entry['revocation_date']) if entry['issuer'] is not None: revoked_cert = revoked_cert.add_extension( x509.CertificateIssuer(entry['issuer']), @@ -876,8 +885,8 @@ class CRL(OpenSSLObject): for entry in self.revoked_certificates: result['revoked_certificates'].append(cryptography_dump_revoked(entry, idn_rewrite=self.name_encoding)) elif self.crl: - result['last_update'] = self.crl.last_update.strftime(TIMESTAMP_FORMAT) - result['next_update'] = self.crl.next_update.strftime(TIMESTAMP_FORMAT) + result['last_update'] = get_last_update(self.crl).strftime(TIMESTAMP_FORMAT) + result['next_update'] = get_next_update(self.crl).strftime(TIMESTAMP_FORMAT) result['digest'] = cryptography_oid_to_name(cryptography_get_signature_algorithm_oid_from_crl(self.crl)) issuer = [] for attribute in self.crl.issuer: diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/aliases b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/aliases new file mode 100644 index 000000000..4602f1185 --- /dev/null +++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/aliases @@ -0,0 +1,7 @@ +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +azp/generic/2 +azp/posix/2 +destructive diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/meta/main.yml new file mode 100644 index 000000000..7c2b42405 --- /dev/null +++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/meta/main.yml @@ -0,0 +1,9 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +dependencies: + - setup_openssl + - setup_remote_tmp_dir + - prepare_jinja2_compat diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/impl.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/impl.yml new file mode 100644 index 000000000..e0c438937 --- /dev/null +++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/impl.yml @@ -0,0 +1,212 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Read PEM cert + slurp: + src: '{{ remote_tmp_dir }}/cert_2.pem' + register: slurp_pem + +- name: Read DER cert + slurp: + src: '{{ remote_tmp_dir }}/cert_2.der' + register: slurp_der + +- name: Convert PEM cert (check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_1 + check_mode: true + +- name: Convert PEM cert + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_2 + +- name: Convert PEM cert (idempotent, check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_3 + check_mode: true + +- name: Convert PEM cert (idempotent) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_4 + +- name: Convert PEM cert (overwrite, check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_5 + check_mode: true + +- name: Convert PEM cert (overwrite) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.pem' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_6 + +- name: Convert PEM cert (idempotent, content) + x509_certificate_convert: + src_content: '{{ slurp_pem.content | b64decode }}' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_7 + +- name: Convert PEM cert (idempotent, content, base64) + x509_certificate_convert: + src_content: '{{ slurp_pem.content }}' + src_content_base64: true + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_8 + +- name: Convert PEM cert (idempotent, content, base64, from DER) + x509_certificate_convert: + src_content: '{{ slurp_der.content }}' + src_content_base64: true + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_9 + +- name: Convert PEM cert (idempotent, from DER) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.der' + format: pem + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.pem' + register: result_10 + +- name: Check conditions + assert: + that: + - result_1 is changed + - result_2 is changed + - result_3 is not changed + - result_4 is not changed + - result_5 is changed + - result_6 is changed + - result_7 is not changed + - result_8 is not changed + - result_9 is not changed + - result_10 is not changed + +- name: Convert DER cert (check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_1 + check_mode: true + +- name: Convert DER cert + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_2 + +- name: Convert DER cert (idempotent, check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_3 + check_mode: true + +- name: Convert DER cert (idempotent) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_1.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_4 + +- name: Convert DER cert (overwrite, check mode) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_5 + check_mode: true + +- name: Convert DER cert (overwrite) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.der' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_6 + +- name: Convert DER cert (idempotent, content, base64) + x509_certificate_convert: + src_content: '{{ slurp_der.content }}' + src_content_base64: true + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_7 + +- name: Convert DER cert (idempotent, content, from PEM) + x509_certificate_convert: + src_content: '{{ slurp_pem.content | b64decode }}' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_8 + +- name: Convert DER cert (idempotent, content, base64, from PEM) + x509_certificate_convert: + src_content: '{{ slurp_pem.content }}' + src_content_base64: true + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_9 + +- name: Convert DER cert (idempotent, from PEM) + x509_certificate_convert: + src_path: '{{ remote_tmp_dir }}/cert_2.pem' + format: der + strict: true + dest_path: '{{ remote_tmp_dir }}/out_1.der' + register: result_10 + +- name: Check conditions + assert: + that: + - result_1 is changed + - result_2 is changed + - result_3 is not changed + - result_4 is not changed + - result_5 is changed + - result_6 is changed + - result_7 is not changed + - result_8 is not changed + - result_9 is not changed + - result_10 is not changed diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/main.yml new file mode 100644 index 000000000..291572f1d --- /dev/null +++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate_convert/tasks/main.yml @@ -0,0 +1,136 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +#################################################################### +# WARNING: These are designed specifically for Ansible tests # +# and should not be used as examples of how to write Ansible roles # +#################################################################### + +- name: Generate privatekey + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey.pem' + size: '{{ default_rsa_key_size_certifiates }}' + +- name: Generate CSR 1 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_1.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + subject: + commonName: www.example.com + C: de + L: Somewhere + ST: Zurich + streetAddress: Welcome Street + O: Ansible + organizationalUnitName: + - Crypto Department + - ACME Department + serialNumber: "1234" + SN: Last Name + GN: First Name + title: Chief + pseudonym: test + UID: asdf + emailAddress: test@example.com + postalAddress: 1234 Somewhere + postalCode: "1234" + useCommonNameForSAN: false + key_usage: + - digitalSignature + - keyAgreement + - Non Repudiation + - Key Encipherment + - dataEncipherment + - Certificate Sign + - cRLSign + - Encipher Only + - decipherOnly + key_usage_critical: true + extended_key_usage: + - serverAuth # the same as "TLS Web Server Authentication" + - TLS Web Server Authentication + - TLS Web Client Authentication + - Code Signing + - E-mail Protection + - timeStamping + - OCSPSigning + - Any Extended Key Usage + - qcStatements + - DVCS + - IPSec User + - biometricInfo + subject_alt_name: + - "DNS:www.ansible.com" + - "DNS:öç.com" + # cryptography < 2.1 cannot handle certain Unicode characters + - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com" + - "IP:1.2.3.4" + - "IP:::1" + - "email:test@example.org" + - "URI:https://example.org/test/index.html" + basic_constraints: + - "CA:TRUE" + - "pathlen:23" + basic_constraints_critical: true + ocsp_must_staple: true + subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}' + vars: + value_for_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + +- name: Generate CSR 2 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_2.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + useCommonNameForSAN: false + basic_constraints: + - "CA:TRUE" + +- name: Generate CSR 3 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_3.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + useCommonNameForSAN: false + subject_alt_name: + - "DNS:*.ansible.com" + - "DNS:*.example.org" + - "IP:DEAD:BEEF::1" + basic_constraints: + - "CA:FALSE" + authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}' + vars: + value_for_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + +- name: Generate selfsigned certificates + x509_certificate: + path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' + csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+10d" + selfsigned_not_before: "-3d" + loop: + - 1 + - 2 + - 3 + +- name: Convert PEM files to DER + command: + cmd: openssl x509 -inform PEM -outform DER -in {{ remote_tmp_dir }}/cert_{{ item }}.pem -out {{ remote_tmp_dir }}/cert_{{ item }}.der + loop: + - 1 + - 2 + - 3 + +- name: Running tests + include_tasks: impl.yml diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.10.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.10.txt index 81d34f186..a2980b921 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.10.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.10.txt @@ -15,6 +15,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:return-syntax-error diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.11.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.11.txt index 2677551db..07a994f88 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.11.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.11.txt @@ -14,6 +14,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:return-syntax-error diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.12.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.12.txt index 26e5b6864..54b6198ba 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.12.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.12.txt @@ -9,6 +9,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:return-syntax-error diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.13.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.13.txt index 74ca94712..389b3f533 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.13.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.13.txt @@ -8,6 +8,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl_info.py validate-modules:invalid-documentation diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.14.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.14.txt index 74ca94712..389b3f533 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.14.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.14.txt @@ -8,6 +8,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl_info.py validate-modules:invalid-documentation diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt new file mode 100644 index 000000000..9ffe1e998 --- /dev/null +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt @@ -0,0 +1,2 @@ +tests/ee/roles/smoke/library/smoke_ipaddress.py shebang +tests/ee/roles/smoke/library/smoke_pyyaml.py shebang diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt.license b/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt.license new file mode 100644 index 000000000..edff8c768 --- /dev/null +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.18.txt.license @@ -0,0 +1,3 @@ +GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +SPDX-License-Identifier: GPL-3.0-or-later +SPDX-FileCopyrightText: Ansible Project diff --git a/ansible_collections/community/crypto/tests/sanity/ignore-2.9.txt b/ansible_collections/community/crypto/tests/sanity/ignore-2.9.txt index e20c4e5f3..c5b2bb0bf 100644 --- a/ansible_collections/community/crypto/tests/sanity/ignore-2.9.txt +++ b/ansible_collections/community/crypto/tests/sanity/ignore-2.9.txt @@ -14,6 +14,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation +plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:invalid-documentation plugins/modules/x509_crl.py validate-modules:return-syntax-error -- cgit v1.2.3