diff --git a/plugins/filter/openssl_csr_info.py b/plugins/filter/openssl_csr_info.py new file mode 100644 index 000000000..851dfe2a4 --- /dev/null +++ b/plugins/filter/openssl_csr_info.py @@ -0,0 +1,313 @@ +# -*- coding: utf-8 -*- + +# Copyright (c) 2022, Felix Fontein +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = ''' +name: openssl_csr_info +short_description: Retrieve information from OpenSSL Certificate Signing Requests (CSR) +version_added: 2.10.0 +author: + - Felix Fontein (@felixfontein) +description: + - Provided an OpenSSL Certificate Signing Requests (CSR), retrieve information. + - This is a filter version of the M(community.crypto.openssl_csr_info) module. +options: + _input: + description: + - The content of the OpenSSL CSR. + type: string + required: true +extends_documentation_fragment: + - community.crypto.name_encoding +seealso: + - module: community.crypto.openssl_csr_info +''' + +EXAMPLES = ''' +- name: Show the Subject Alt Names of the CSR + ansible.builtin.debug: + msg: >- + {{ + ( + lookup('ansible.builtin.file', '/path/to/cert.csr') + | community.crypto.openssl_csr_info + ).subject_alt_name | join(', ') + }} +''' + +RETURN = ''' +_value: + description: + - Information on the certificate. + type: dict + contains: + signature_valid: + description: + - Whether the CSR's signature is valid. + - In case the check returns C(false), the module will fail. + returned: success + type: bool + basic_constraints: + description: Entries in the C(basic_constraints) extension, or C(none) if extension is not present. + returned: success + type: list + elements: str + sample: ['CA:TRUE', 'pathlen:1'] + basic_constraints_critical: + description: Whether the C(basic_constraints) extension is critical. + returned: success + type: bool + extended_key_usage: + description: Entries in the C(extended_key_usage) extension, or C(none) if extension is not present. + returned: success + type: list + elements: str + sample: [Biometric Info, DVCS, Time Stamping] + extended_key_usage_critical: + description: Whether the C(extended_key_usage) extension is critical. + returned: success + type: bool + extensions_by_oid: + description: Returns a dictionary for every extension OID + returned: success + type: dict + contains: + critical: + description: Whether the extension is critical. + returned: success + type: bool + value: + description: + - The Base64 encoded value (in DER format) of the extension. + - B(Note) that depending on the C(cryptography) version used, it is + not possible to extract the ASN.1 content of the extension, but only + to provide the re-encoded content of the extension in case it was + parsed by C(cryptography). This should usually result in exactly the + same value, except if the original extension value was malformed. + returned: success + type: str + sample: "MAMCAQU=" + sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}} + key_usage: + description: Entries in the C(key_usage) extension, or C(none) if extension is not present. + returned: success + type: str + sample: [Key Agreement, Data Encipherment] + key_usage_critical: + description: Whether the C(key_usage) extension is critical. + returned: success + type: bool + subject_alt_name: + description: + - Entries in the C(subject_alt_name) extension, or C(none) if extension is not present. + - See I(name_encoding) for how IDNs are handled. + returned: success + type: list + elements: str + sample: ["DNS:www.ansible.com", "IP:1.2.3.4"] + subject_alt_name_critical: + description: Whether the C(subject_alt_name) extension is critical. + returned: success + type: bool + ocsp_must_staple: + description: C(true) if the OCSP Must Staple extension is present, C(none) otherwise. + returned: success + type: bool + ocsp_must_staple_critical: + description: Whether the C(ocsp_must_staple) extension is critical. + returned: success + type: bool + name_constraints_permitted: + description: List of permitted subtrees to sign certificates for. + returned: success + type: list + elements: str + sample: ['email:.somedomain.com'] + name_constraints_excluded: + description: + - List of excluded subtrees the CA cannot sign certificates for. + - Is C(none) if extension is not present. + - See I(name_encoding) for how IDNs are handled. + returned: success + type: list + elements: str + sample: ['email:.com'] + name_constraints_critical: + description: + - Whether the C(name_constraints) extension is critical. + - Is C(none) if extension is not present. + returned: success + type: bool + subject: + description: + - The CSR's subject as a dictionary. + - Note that for repeated values, only the last one will be returned. + returned: success + type: dict + sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"} + subject_ordered: + description: The CSR's subject as an ordered list of tuples. + returned: success + type: list + elements: list + sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]] + public_key: + description: CSR's public key in PEM format + returned: success + type: str + sample: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..." + public_key_type: + description: + - The CSR's public key's type. + - One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448). + - Will start with C(unknown) if the key type cannot be determined. + returned: success + type: str + sample: RSA + public_key_data: + description: + - Public key data. Depends on the public key's type. + returned: success + type: dict + contains: + size: + description: + - Bit size of modulus (RSA) or prime number (DSA). + type: int + returned: When C(public_key_type=RSA) or C(public_key_type=DSA) + modulus: + description: + - The RSA key's modulus. + type: int + returned: When C(public_key_type=RSA) + exponent: + description: + - The RSA key's public exponent. + type: int + returned: When C(public_key_type=RSA) + p: + description: + - The C(p) value for DSA. + - This is the prime modulus upon which arithmetic takes place. + type: int + returned: When C(public_key_type=DSA) + q: + description: + - The C(q) value for DSA. + - This is a prime that divides C(p - 1), and at the same time the order of the subgroup of the + multiplicative group of the prime field used. + type: int + returned: When C(public_key_type=DSA) + g: + description: + - The C(g) value for DSA. + - This is the element spanning the subgroup of the multiplicative group of the prime field used. + type: int + returned: When C(public_key_type=DSA) + curve: + description: + - The curve's name for ECC. + type: str + returned: When C(public_key_type=ECC) + exponent_size: + description: + - The maximum number of bits of a private key. This is basically the bit size of the subgroup used. + type: int + returned: When C(public_key_type=ECC) + x: + description: + - The C(x) coordinate for the public point on the elliptic curve. + type: int + returned: When C(public_key_type=ECC) + y: + description: + - For C(public_key_type=ECC), this is the C(y) coordinate for the public point on the elliptic curve. + - For C(public_key_type=DSA), this is the publicly known group element whose discrete logarithm w.r.t. C(g) is the private key. + type: int + returned: When C(public_key_type=DSA) or C(public_key_type=ECC) + public_key_fingerprints: + description: + - Fingerprints of CSR's public key. + - For every hash algorithm available, the fingerprint is computed. + returned: success + type: dict + sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', + 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..." + subject_key_identifier: + description: + - The CSR's subject key identifier. + - The identifier is returned in hexadecimal, with C(:) used to separate bytes. + - Is C(none) if the C(SubjectKeyIdentifier) extension is not present. + returned: success + type: str + sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33' + authority_key_identifier: + description: + - The CSR's authority key identifier. + - The identifier is returned in hexadecimal, with C(:) used to separate bytes. + - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present. + returned: success + type: str + sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33' + authority_cert_issuer: + description: + - The CSR's authority cert issuer as a list of general names. + - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present. + - See I(name_encoding) for how IDNs are handled. + returned: success + type: list + elements: str + sample: ["DNS:www.ansible.com", "IP:1.2.3.4"] + authority_cert_serial_number: + description: + - The CSR's authority cert serial number. + - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present. + returned: success + type: int + sample: 12345 +''' + +from ansible.errors import AnsibleFilterError +from ansible.module_utils.six import string_types +from ansible.module_utils.common.text.converters import to_bytes, to_native + +from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import ( + OpenSSLObjectError, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.csr_info import ( + get_csr_info, +) + +from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock + + +def openssl_csr_info_filter(data, name_encoding='ignore'): + '''Extract information from X.509 PEM certificate.''' + if not isinstance(data, string_types): + raise AnsibleFilterError('The community.crypto.openssl_csr_info input must be a text type, not %s' % type(data)) + if not isinstance(name_encoding, string_types): + raise AnsibleFilterError('The name_encoding option must be of a text type, not %s' % type(name_encoding)) + name_encoding = to_native(name_encoding) + if name_encoding not in ('ignore', 'idna', 'unicode'): + raise AnsibleFilterError('The name_encoding option must be one of the values "ignore", "idna", or "unicode", not "%s"' % name_encoding) + + module = FilterModuleMock({'name_encoding': name_encoding}) + try: + return get_csr_info(module, 'cryptography', content=to_bytes(data), validate_signature=True) + except OpenSSLObjectError as exc: + raise AnsibleFilterError(to_native(exc)) + + +class FilterModule(object): + '''Ansible jinja2 filters''' + + def filters(self): + return { + 'openssl_csr_info': openssl_csr_info_filter, + } diff --git a/plugins/module_utils/crypto/module_backends/csr_info.py b/plugins/module_utils/crypto/module_backends/csr_info.py index fa9f95dc7..fc3d0d3dc 100644 --- a/plugins/module_utils/crypto/module_backends/csr_info.py +++ b/plugins/module_utils/crypto/module_backends/csr_info.py @@ -133,7 +133,7 @@ def get_info(self, prefer_one_fingerprint=False): result['name_constraints_critical'], ) = self._get_name_constraints() - result['public_key'] = self._get_public_key_pem() + result['public_key'] = to_native(self._get_public_key_pem()) public_key_info = get_publickey_info( self.module, diff --git a/plugins/modules/openssl_csr_info.py b/plugins/modules/openssl_csr_info.py index 08a28668c..7ed0b1c42 100644 --- a/plugins/modules/openssl_csr_info.py +++ b/plugins/modules/openssl_csr_info.py @@ -50,8 +50,12 @@ choices: [ auto, cryptography ] seealso: -- module: community.crypto.openssl_csr -- module: community.crypto.openssl_csr_pipe + - module: community.crypto.openssl_csr + - module: community.crypto.openssl_csr_pipe + - ref: community.crypto.openssl_csr_info filter + # - plugin: community.crypto.openssl_csr_info + # plugin_type: filter + description: A filter variant of this module. ''' EXAMPLES = r''' diff --git a/tests/integration/targets/filter_openssl_csr_info/aliases b/tests/integration/targets/filter_openssl_csr_info/aliases new file mode 100644 index 000000000..4602f1185 --- /dev/null +++ b/tests/integration/targets/filter_openssl_csr_info/aliases @@ -0,0 +1,7 @@ +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +azp/generic/2 +azp/posix/2 +destructive diff --git a/tests/integration/targets/filter_openssl_csr_info/meta/main.yml b/tests/integration/targets/filter_openssl_csr_info/meta/main.yml new file mode 100644 index 000000000..7c2b42405 --- /dev/null +++ b/tests/integration/targets/filter_openssl_csr_info/meta/main.yml @@ -0,0 +1,9 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +dependencies: + - setup_openssl + - setup_remote_tmp_dir + - prepare_jinja2_compat diff --git a/tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml b/tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml new file mode 100644 index 000000000..0af558932 --- /dev/null +++ b/tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml @@ -0,0 +1,144 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: "Get CSR info" + set_fact: + result: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }} + result_idna: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='idna') }} + result_unicode: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }} + +- name: "Check whether subject and extensions behaves as expected" + assert: + that: + - result.subject.organizationalUnitName == 'ACME Department' + - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered" + - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered" + - result.public_key_type == 'RSA' + - result.public_key_data.size == default_rsa_key_size + # TLS Feature + - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].critical == false + - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].value == 'MAMCAQU=' + # Key Usage + - result.extensions_by_oid['2.5.29.15'].critical == true + - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A='] + # Subject Alternative Names + - result.subject_alt_name[1] == ("DNS:âņsïbłè.com" if cryptography_version.stdout is version('2.1', '<') else "DNS:xn--sb-oia0a7a53bya.com") + - result_unicode.subject_alt_name[1] == "DNS:âņsïbłè.com" + - result_idna.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com" + - result.extensions_by_oid['2.5.29.17'].critical == false + - result.extensions_by_oid['2.5.29.17'].value == 'MHmCD3d3dy5hbnNpYmxlLmNvbYIXeG4tLXNiLW9pYTBhN2E1M2J5YS5jb22HBAECAwSHEAAAAAAAAAAAAAAAAAAAAAGBEHRlc3RAZXhhbXBsZS5vcmeGI2h0dHBzOi8vZXhhbXBsZS5vcmcvdGVzdC9pbmRleC5odG1s' + # Basic Constraints + - result.extensions_by_oid['2.5.29.19'].critical == true + - result.extensions_by_oid['2.5.29.19'].value == 'MAYBAf8CARc=' + # Extended Key Usage + - result.extensions_by_oid['2.5.29.37'].critical == false + - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg==' + +- name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier" + assert: + that: + - result.subject_key_identifier == "00:11:22:33" + - result.authority_key_identifier == "44:55:66:77" + - result.authority_cert_issuer == expected_authority_cert_issuer + - result.authority_cert_serial_number == 12345 + # Subject Key Identifier + - result.extensions_by_oid['2.5.29.14'].critical == false + # Authority Key Identifier + - result.extensions_by_oid['2.5.29.35'].critical == false + vars: + expected_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + when: cryptography_version.stdout is version('1.3', '>=') + +- name: "Get CSR info" + set_fact: + result: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }} + +- name: "Get CSR info" + set_fact: + result: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }} + +- name: "Check AuthorityKeyIdentifier" + assert: + that: + - result.authority_key_identifier is none + - result.authority_cert_issuer == expected_authority_cert_issuer + - result.authority_cert_serial_number == 12345 + vars: + expected_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + when: cryptography_version.stdout is version('1.3', '>=') + +- name: "Get CSR info" + set_fact: + result: >- + {{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }} + +- name: "Check AuthorityKeyIdentifier" + assert: + that: + - result.authority_key_identifier == "44:55:66:77" + - result.authority_cert_issuer is none + - result.authority_cert_serial_number is none + when: cryptography_version.stdout is version('1.3', '>=') + +- name: Get invalid certificate info + set_fact: + result: >- + {{ [] | community.crypto.openssl_csr_info }} + ignore_errors: true + register: output + +- name: Check that task failed and error message is OK + assert: + that: + - output is failed + - output.msg is search("^The community.crypto.openssl_csr_info input must be a text type, not <(?:class|type) 'list'>$") + +- name: Get invalid certificate info + set_fact: + result: >- + {{ 'foo' | community.crypto.openssl_csr_info }} + ignore_errors: true + register: output + +- name: Check that task failed and error message is OK + assert: + that: + - output is failed + - output.msg is search("^Unable to load (?:request|PEM file)(?:\.|$)") + +- name: Get invalid certificate info + set_fact: + result: >- + {{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }} + ignore_errors: true + register: output + +- name: Check that task failed and error message is OK + assert: + that: + - output is failed + - output.msg is search("^The name_encoding option must be of a text type, not <(?:class|type) 'list'>$") + +- name: Get invalid name_encoding parameter + set_fact: + result: >- + {{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }} + ignore_errors: true + register: output + +- name: Check that task failed and error message is OK + assert: + that: + - output is failed + - output.msg is search("^The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$") diff --git a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml new file mode 100644 index 000000000..e68c04103 --- /dev/null +++ b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml @@ -0,0 +1,133 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +#################################################################### +# WARNING: These are designed specifically for Ansible tests # +# and should not be used as examples of how to write Ansible roles # +#################################################################### + +- name: Make sure the Python idna library is installed + pip: + name: idna + state: present + +- name: Generate privatekey + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey.pem' + size: '{{ default_rsa_key_size }}' + +- name: Generate privatekey with password + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekeypw.pem' + passphrase: hunter2 + cipher: auto + size: '{{ default_rsa_key_size }}' + +- name: Generate CSR 1 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_1.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + subject: + commonName: www.example.com + C: de + L: Somewhere + ST: Zurich + streetAddress: Welcome Street + O: Ansible + organizationalUnitName: + - Crypto Department + - ACME Department + serialNumber: "1234" + SN: Last Name + GN: First Name + title: Chief + pseudonym: test + UID: asdf + emailAddress: test@example.com + postalAddress: 1234 Somewhere + postalCode: "1234" + useCommonNameForSAN: no + key_usage: + - digitalSignature + - keyAgreement + - Non Repudiation + - Key Encipherment + - dataEncipherment + - Certificate Sign + - cRLSign + - Encipher Only + - decipherOnly + key_usage_critical: yes + extended_key_usage: + - serverAuth # the same as "TLS Web Server Authentication" + - TLS Web Server Authentication + - TLS Web Client Authentication + - Code Signing + - E-mail Protection + - timeStamping + - OCSPSigning + - Any Extended Key Usage + - qcStatements + - DVCS + - IPSec User + - biometricInfo + subject_alt_name: + - "DNS:www.ansible.com" + - "DNS:âņsïbłè.com" + - "IP:1.2.3.4" + - "IP:::1" + - "email:test@example.org" + - "URI:https://example.org/test/index.html" + basic_constraints: + - "CA:TRUE" + - "pathlen:23" + basic_constraints_critical: yes + ocsp_must_staple: yes + subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}' + vars: + value_for_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + +- name: Generate CSR 2 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_2.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' + privatekey_passphrase: hunter2 + useCommonNameForSAN: no + basic_constraints: + - "CA:TRUE" + +- name: Generate CSR 3 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_3.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + useCommonNameForSAN: no + subject_alt_name: + - "DNS:*.ansible.com" + - "DNS:*.example.org" + - "IP:DEAD:BEEF::1" + basic_constraints: + - "CA:FALSE" + authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}' + authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}' + vars: + value_for_authority_cert_issuer: + - "DNS:ca.example.org" + - "IP:1.2.3.4" + +- name: Generate CSR 4 + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_4.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' + useCommonNameForSAN: no + authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}' + +- name: Running tests + include_tasks: impl.yml + when: cryptography_version.stdout is version('1.3', '>=')