[x509_crl] ValueError: Algorithm must be None when signing via ed25519 or ed448 #473

Closed
fhemberger opened this issue Jun 13, 2022 · 2 comments · Fixed by #475
@fhemberger

SUMMARY

Module x509_crl fails to create a certificate revocation list if the key algorithm is ed25519 or ed448.
(Not sure if it's an issue with the x509_crl module itself or an upstream issue with cryptography.)

ISSUE TYPE

  • Bug Report

COMPONENT NAME

x509_crl

ANSIBLE VERSION

ansible [core 2.12.6]
  config file = /home/frederic/.ansible.cfg
  configured module search path = ['/home/frederic/common_roles_ansible/library']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/frederic/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True

COLLECTION VERSION

community.crypto 2.3.2

CONFIGURATION

OS / ENVIRONMENT

  • Ubuntu 20.04 LTS
  • cryptography==37.0.2

STEPS TO REPRODUCE

- name: Create CA key
  delegate_to: localhost
  run_once: true
  become: no
  openssl_privatekey:
    type: Ed25519
    path: "root-ca.key"
    mode: 0600
  register: root_ca_key

- name: Generate a CRL
  delegate_to: localhost
  run_once: true
  become: no
  x509_crl:
    path: "root-ca.crl"
    attributes: 0600
    privatekey_path: "{{ root_ca_key.filename }}"
    issuer:
      CN: My CA
    last_update: "+0s"
    next_update: "+7d"
    revoked_certificates: []

EXPECTED RESULTS

Expecting the file root-ca.crl to be created.

ACTUAL RESULTS

ValueError: Algorithm must be None when signing via ed25519 or ed448
fatal: [localhost]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/frederic/.ansible/tmp/ansible-tmp-1655121256.3966506-50959-200302723393491/AnsiballZ_x509_crl.py", line 107, in <module>
        _ansiballz_main()
      File "/home/frederic/.ansible/tmp/ansible-tmp-1655121256.3966506-50959-200302723393491/AnsiballZ_x509_crl.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/frederic/.ansible/tmp/ansible-tmp-1655121256.3966506-50959-200302723393491/AnsiballZ_x509_crl.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.community.crypto.plugins.modules.x509_crl', init_globals=dict(_module_fqn='ansible_collections.community.crypto.plugins.modules.x509_crl', _modlib_path=modlib_path),
      File "/usr/lib/python3.8/runpy.py", line 207, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_x509_crl_payload_elucupsh/ansible_x509_crl_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_crl.py", line 898, in <module>
      File "/tmp/ansible_x509_crl_payload_elucupsh/ansible_x509_crl_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_crl.py", line 882, in main
      File "/tmp/ansible_x509_crl_payload_elucupsh/ansible_x509_crl_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_crl.py", line 731, in generate
      File "/tmp/ansible_x509_crl_payload_elucupsh/ansible_x509_crl_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_crl.py", line 722, in _generate_crl
      File "/home/frederic/.local/lib/python3.8/site-packages/cryptography/x509/base.py", line 1013, in sign
        return rust_x509.create_x509_crl(self, private_key, algorithm)
    ValueError: Algorithm must be None when signing via ed25519 or ed448
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1
@felixfontein
Contributor

Thanks for reporting this! This is a bug in the collection, and something very easy to fix (since the code for checking that condition already exists for the x509_certificate module...). I'll have a PR ready soon.

@felixfontein
Contributor

#475 should fix this.
