def write(self, module, content, mode=None):
"""Write the PKCS#12 file."""
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, content, mode)
if self.return_content:
self.pkcs12_bytes = content
def generate(self, module):
"""Generate a keypair."""
if not self.check(module, perms_required=False,
ignore_conversion=True) or self.force:
# Regenerate
if self.backup:
self.backup_file = module.backup_local(self.path)
self._generate_private_key()
privatekey_data = self._get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
crypto_utils.write_file(module, privatekey_data, 0o600)
self.changed = True
elif not self.check(
module, perms_required=False, ignore_conversion=False):
# Convert
if self.backup:
self.backup_file = module.backup_local(self.path)
privatekey_data = self._get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
crypto_utils.write_file(module, privatekey_data, 0o600)
self.changed = True
self.fingerprint = self._get_fingerprint()
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self, module):
"""Generate the public key."""
if self.privatekey_content is None and not os.path.exists(
self.privatekey_path):
raise PublicKeyError('The private key %s does not exist' %
self.privatekey_path)
if not self.check(module, perms_required=False) or self.force:
try:
publickey_content = self._create_publickey(module)
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, publickey_content)
self.changed = True
except crypto_utils.OpenSSLBadPassphraseError as exc:
raise PublicKeyError(exc)
except (IOError, OSError) as exc:
raise PublicKeyError(exc)
self.fingerprint = crypto_utils.get_fingerprint(
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase)
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def _do_generate(self, module):
"""Actually generate the DH params."""
# Generate parameters
params = cryptography.hazmat.primitives.asymmetric.dh.generate_parameters(
generator=2,
key_size=self.size,
backend=self.crypto_backend,
)
# Serialize parameters
result = params.parameter_bytes(
encoding=cryptography.hazmat.primitives.serialization.Encoding.PEM,
format=cryptography.hazmat.primitives.serialization.
ParameterFormat.PKCS3,
)
# Write result
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, result)
def request_cert(self, module):
if not self.check(module) or self.force:
body = {}
# Read the CSR contents
if self.csr and os.path.exists(self.csr):
with open(self.csr, 'r') as csr_file:
body['csr'] = csr_file.read()
# Check if the path is already a cert
# tracking_id may be set as a parameter or by get_cert_details if an entrust cert is in 'path'. If tracking ID is null
# We will be performing a reissue operation.
if self.request_type != 'new' and not self.tracking_id:
module.warn(
'No existing Entrust certificate found in path={0} and no tracking_id was provided, setting request_type to "new" for this task'
'run. Future playbook runs that point to the pathination file in {1} will use request_type={2}'
.format(self.path, self.path, self.request_type))
self.request_type = 'new'
elif self.request_type == 'new' and self.tracking_id:
module.warn(
'Existing certificate being acted upon, but request_type is "new", so will be a new certificate issuance rather than a'
'reissue or renew')
# Use cases where request type is new and no existing certificate, or where request type is reissue/renew and a valid
# existing certificate is found, do not need warnings.
body.update(self.convert_tracking_params(module))
body.update(self.convert_cert_subject_params(module))
body.update(self.convert_general_params(module))
body.update(self.convert_expiry_params(module))
if not module.check_mode:
try:
if self.request_type == 'validate_only':
body['validateOnly'] = 'true'
result = self.ecs_client.NewCertRequest(Body=body)
if self.request_type == 'new':
result = self.ecs_client.NewCertRequest(Body=body)
elif self.request_type == 'renew':
result = self.ecs_client.RenewCertRequest(
trackingId=self.tracking_id, Body=body)
elif self.request_type == 'reissue':
result = self.ecs_client.ReissueCertRequest(
trackingId=self.tracking_id, Body=body)
self.tracking_id = result.get('trackingId')
self.set_cert_details(module)
except RestOperationException as e:
module.fail_json(
msg=
'Failed to request new certificate from Entrust (ECS) {0}'
.format(e.message))
if self.request_type != 'validate_only':
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(
module,
to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path and self.cert_details.get(
'chainCerts'):
if self.backup:
self.backup_full_chain_file = module.backup_local(
self.full_chain_path)
chain_string = '\n'.join(
self.cert_details.get('chainCerts')) + '\n'
crypto_utils.write_file(module,
to_bytes(chain_string),
path=self.full_chain_path)
self.changed = True
# If there is no certificate present in path but a tracking ID was specified, save it to disk
elif not os.path.exists(self.path) and self.tracking_id:
if not module.check_mode:
crypto_utils.write_file(
module, to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path and self.cert_details.get(
'chainCerts'):
chain_string = '\n'.join(
self.cert_details.get('chainCerts')) + '\n'
crypto_utils.write_file(module,
to_bytes(chain_string),
path=self.full_chain_path)
self.changed = True