openssl_pkcs12: add cryptography backend #234

Merged
Changes from 15 commits
4 changes: 4 additions & 0 deletions changelogs/fragments/234-openssl_pkcs12-cryptography.yml
@@ -0,0 +1,4 @@
minor_changes:
- "openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` backend.
This requires cryptography 3.0 or newer, and does not support the ``iter_size`` and ``maciter_size`` options
(https://github.com/ansible-collections/community.crypto/pull/234)."
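Review bot: the fragment says the ``cryptography`` backend does not support ``iter_size`` and ``maciter_size``, but not what the module does when a user sets them together with that backend (fail with an error, or silently ignore them); one clause stating that behaviour, mirrored in the option documentation, would spare users a surprise when they switch backends.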
27 changes: 27 additions & 0 deletions plugins/module_utils/crypto/cryptography_support.py
@@ -35,6 +35,15 @@
# Error handled in the calling module.
pass

try:
# This is a separate try/except since this is only present in cryptography 2.5 or newer
from cryptography.hazmat.primitives.serialization.pkcs12 import (
load_key_and_certificates as _load_key_and_certificates,
)
except ImportError:
# Error handled in the calling module.
_load_key_and_certificates = None

from .basic import (
CRYPTOGRAPHY_HAS_ED25519,
CRYPTOGRAPHY_HAS_ED448,
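Review bot: the comment on the new import says the PKCS#12 loader is only present in cryptography 2.5 or newer, while the changelog fragment in this PR states the backend requires cryptography 3.0 or newer; the two version claims should agree, or the comment should say why the import guard and the module's minimum version differ, so the next reader does not lower the minimum based on this comment alone.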
@@ -428,3 +437,21 @@ def cryptography_serial_number_of_cert(cert):
except AttributeError:
# The property was called "serial" before cryptography 1.4
return cert.serial


def parse_pkcs12(pkcs12_bytes, passphrase=None):
'''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
'''
if _load_key_and_certificates is None:
raise ValueError('load_key_and_certificates() not present in the current cryptography version')
private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)

friendly_name = None
if certificate:
# See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
maybe_name = certificate._backend._lib.X509_alias_get0(
certificate._x509, certificate._backend._ffi.NULL)
if maybe_name != certificate._backend._ffi.NULL:
friendly_name = certificate._backend._ffi.string(maybe_name)

return private_key, certificate, additional_certificates, friendly_name
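Review bot: parse_pkcs12() reaches into cryptography's private attributes (`certificate._backend._lib.X509_alias_get0`, `certificate._x509`, `certificate._backend._ffi`) to read the friendly name; these internals carry no compatibility guarantee, so a later cryptography release can break the lookup with an AttributeError even when load_key_and_certificates() itself still works. Suggest wrapping the lookup in `try: ... except AttributeError: friendly_name = None` so callers that do not need the name keep working, and stating in the docstring that friendly_name is returned as bytes (the value of `_ffi.string()`), not str, and is None when the certificate carries no alias.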