Use c.c modules for key generation, add first passphrase tests.

ansible-collections · Mar 21, 2021 · cf84219 · cf84219
1 parent e0099f7
commit cf84219
Show file tree

Hide file tree

Showing 7 changed files with 131 additions and 52 deletions.
diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml
@@ -1,20 +1,29 @@
-- name: Generate account keys
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem"
-  loop:
-    - accountkey
-    - accountkey2
-    - accountkey3
-    - accountkey4
-    - accountkey5
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      passphrase: "{{ item.pass | default(omit, true) }}"
+      cipher: "{{ 'auto' if item.pass | default() else omit }}"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"
 
-- name: Parse account keys (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/{{ item }}.pem -noout -text"
-  loop:
-    - accountkey
-    - accountkey2
-    - accountkey3
-    - accountkey4
-    - accountkey5
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      passphrase: "{{ item.pass | default(omit, true) }}"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: accountkey
+      - name: accountkey2
+        pass: "{{ 'hunter2' if select_crypto_backend != 'openssl' else '' }}"
+      - name: accountkey3
+      - name: accountkey4
+      - name: accountkey5
 
 - name: Do not try to create account
   acme_account:
@@ -173,6 +182,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
     new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     state: changed_key
     contact:
     - mailto:example@example.com
@@ -188,6 +198,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
     new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     state: changed_key
     contact:
     - mailto:example@example.com
@@ -197,6 +208,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -209,6 +221,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -219,6 +232,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -229,6 +243,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no

diff --git a/tests/integration/targets/acme_account_info/tasks/impl.yml b/tests/integration/targets/acme_account_info/tasks/impl.yml
@@ -1,12 +1,23 @@
 ---
-- name: Generate account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"
 
-- name: Generate second account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem"
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"
 
-- name: Parse account key (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
+  vars:
+    account_keys:
+      - accountkey
+      - accountkey2
 
 - name: Check that account does not exist
   acme_account_info:

diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -1,11 +1,26 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
-- name: Create ECC256 account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
-- name: Create ECC384 account key
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
-- name: Create RSA account key
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa.pem {{ default_rsa_key_size }}"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+      - name: account-ec384
+        type: ECC
+        curve: secp384r1
+      - name: account-rsa
+        type: RSA
+        size: "{{ default_rsa_key_size }}"
 ## SET UP ACCOUNTS ############################################################################
 - name: Make sure ECC256 account hasn't been created yet
   acme_account:

diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
@@ -1,11 +1,26 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
-- name: Create ECC256 account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
-- name: Create ECC384 account key
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
-- name: Create RSA account key
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa.pem {{ default_rsa_key_size }}"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+      - name: account-ec384
+        type: ECC
+        curve: secp384r1
+      - name: account-rsa
+        type: RSA
+        size: "{{ default_rsa_key_size }}"
 ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
 - name: Obtain cert 1
   include_tasks: obtain-cert.yml

diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -5,8 +5,12 @@
 ####################################################################
 
 - block:
-  - name: Create ECC256 account key
-    command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
+  - name: Generate ECC256 accoun keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/account-ec256.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
   - name: Obtain cert 1
     include_tasks: obtain-cert.yml
     vars:

diff --git a/tests/integration/targets/acme_inspect/tasks/impl.yml b/tests/integration/targets/acme_inspect/tasks/impl.yml
@@ -1,9 +1,22 @@
 ---
-- name: Generate account key
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      type: ECC
+      curve: secp256r1
+      force: true
+    loop: "{{ account_keys }}"
 
-- name: Parse account key (to ease debugging some test failures)
-  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
+  - name: Parse account keys (to ease debugging some test failures)
+    openssl_privatekey_info:
+      path: "{{ output_dir }}/{{ item }}.pem"
+      return_private_key_data: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - accountkey
 
 - name: Get directory
   acme_inspect:

diff --git a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -1,22 +1,25 @@
 ---
 ## PRIVATE KEY ################################################################################
-- name: ({{ certgen_title }}) Create cert private key (RSA)
-  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else default_rsa_key_size }}"
-  when: "key_type == 'rsa'"
-- name: ({{ certgen_title }}) Create cert private key (ECC 256)
-  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec256'"
-- name: ({{ certgen_title }}) Create cert private key (ECC 384)
-  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec384'"
-- name: ({{ certgen_title }}) Create cert private key (ECC 512)
-  command: "{{ openssl_binary }} ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
-  when: "key_type == 'ec521'"
+- name: ({{ certgen_title }}) Create cert private key
+  openssl_privatekey:
+    path: "{{ output_dir }}/{{ certificate_name }}.key"
+    type: "{{ 'RSA' if key_type == 'rsa' else 'ECC' }}"
+    size: "{{ rsa_bits if key_type == 'rsa' else omit }}"
+    curve: >-
+      {{ omit if key_type == 'rsa' else
+         'secp256r1' if key_type == 'ec256' else
+         'secp384r1' if key_type == 'ec384' else
+         'secp521r1' if key_type == 'ec521' else
+         'invalid value for key_type!' }}
+    passphrase: "{{ certificate_passphrase | default(omit, true) }}"
+    cipher: "{{ 'auto' if certificate_passphrase | default() else omit }}"
+    force: true
 ## CSR ########################################################################################
 - name: ({{ certgen_title }}) Create cert CSR
   openssl_csr:
     path: "{{ output_dir }}/{{ certificate_name }}.csr"
     privatekey_path: "{{ output_dir }}/{{ certificate_name }}.key"
+    privatekey_passphrase: "{{ certificate_passphrase | default(omit, true) }}"
     subject_alt_name: "{{ subject_alt_name }}"
     subject_alt_name_critical: "{{ subject_alt_name_critical }}"
     return_content: true
@@ -30,6 +33,7 @@
     validate_certs: no
     account_key: "{{ (output_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
     account_key_content: "{{ account_key_content | default(omit) }}"
+    account_key_passphrase: "{{ account_key_passphrase | default(omit, true) }}"
     modify_account: "{{ modify_account }}"
     csr: "{{ omit if use_csr_content | default(false) else output_dir ~ '/' ~ certificate_name ~ '.csr' }}"
     csr_content: "{{ csr_result.csr if use_csr_content | default(false) else omit }}"
@@ -69,6 +73,7 @@
     challenge: tls-alpn-01
     challenge_data: "{{ item.value['tls-alpn-01'] }}"
     private_key_src: "{{ output_dir }}/{{ certificate_name }}.key"
+    private_key_passphrase: "{{ certificate_passphrase | default(omit, true) }}"
   with_dict: "{{ challenge_data.challenge_data }}"
   register: tls_alpn_challenges
   when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
@@ -101,6 +106,7 @@
     validate_certs: no
     account_key: "{{ (output_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
     account_key_content: "{{ account_key_content | default(omit) }}"
+    account_key_passphrase: "{{ account_key_passphrase | default(omit, true) }}"
     account_uri: "{{ challenge_data.account_uri }}"
     modify_account: "{{ modify_account }}"
     csr: "{{ omit if use_csr_content | default(false) else output_dir ~ '/' ~ certificate_name ~ '.csr' }}"