def write(self, module, content, mode=None):
"""Write the PKCS#12 file."""
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(module, content, mode)
if self.return_content:
self.pkcs12_bytes = content
def generate(self, module):
"""Generate the public key."""
if self.privatekey_content is None and not os.path.exists(
self.privatekey_path):
raise PublicKeyError('The private key %s does not exist' %
self.privatekey_path)
if not self.check(module, perms_required=False) or self.force:
try:
publickey_content = self._create_publickey(module)
if self.return_content:
self.publickey_bytes = publickey_content
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(module, publickey_content)
self.changed = True
except OpenSSLBadPassphraseError as exc:
raise PublicKeyError(exc)
except (IOError, OSError) as exc:
raise PublicKeyError(exc)
self.fingerprint = get_fingerprint(
path=self.privatekey_path,
content=self.privatekey_content,
passphrase=self.privatekey_passphrase,
backend=self.backend,
)
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self, module):
"""Generate a keypair."""
if self.module_backend.needs_regeneration():
# Regenerate
if not self.check_mode:
if self.backup:
self.backup_file = module.backup_local(self.path)
self.module_backend.generate_private_key()
privatekey_data = self.module_backend.get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
write_file(module, privatekey_data, 0o600)
self.changed = True
elif self.module_backend.needs_conversion():
# Convert
if not self.check_mode:
if self.backup:
self.backup_file = module.backup_local(self.path)
self.module_backend.convert_private_key()
privatekey_data = self.module_backend.get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
write_file(module, privatekey_data, 0o600)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
self.changed = module.set_fs_attributes_if_different(
file_args, self.changed)
def generate(self, module):
"""Generate a keypair."""
if not self.check(module, perms_required=False, ignore_conversion=True) or self.force:
# Regenerate
if self.backup:
self.backup_file = module.backup_local(self.path)
self._generate_private_key()
privatekey_data = self._get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
write_file(module, privatekey_data, 0o600)
self.changed = True
elif not self.check(module, perms_required=False, ignore_conversion=False):
# Convert
if self.backup:
self.backup_file = module.backup_local(self.path)
self._ensure_private_key_loaded()
privatekey_data = self._get_private_key_data()
if self.return_content:
self.privatekey_bytes = privatekey_data
write_file(module, privatekey_data, 0o600)
self.changed = True
self.fingerprint = self._get_fingerprint()
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self):
result = None
if not self.check(perms_required=False,
ignore_conversion=True) or self.force:
result = self._generate_crl()
elif not self.check(perms_required=False,
ignore_conversion=False) and self.crl:
if self.format == 'pem':
result = self.crl.public_bytes(Encoding.PEM)
else:
result = self.crl.public_bytes(Encoding.DER)
if result is not None:
if self.return_content:
if self.format == 'pem':
self.crl_content = result
else:
self.crl_content = base64.b64encode(result)
if self.backup:
self.backup_file = self.module.backup_local(self.path)
write_file(self.module, result)
self.changed = True
file_args = self.module.load_file_common_arguments(self.module.params)
if self.module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self, module):
if self.module_backend.needs_regeneration():
if not self.check_mode:
self.module_backend.generate_certificate()
result = self.module_backend.get_certificate_data()
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(module, result)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
self.changed = module.set_fs_attributes_if_different(file_args, self.changed)
def generate(self, module):
'''Generate the certificate signing request.'''
if self.force or self.module_backend.needs_regeneration():
if not self.check_mode:
self.module_backend.generate_csr()
result = self.module_backend.get_csr_data()
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(module, result)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
if module.check_file_absent_if_check_mode(file_args['path']):
self.changed = True
else:
self.changed = module.set_fs_attributes_if_different(
file_args, self.changed)
def _do_generate(self, module):
"""Actually generate the DH params."""
# Generate parameters
params = cryptography.hazmat.primitives.asymmetric.dh.generate_parameters(
generator=2,
key_size=self.size,
backend=self.crypto_backend,
)
# Serialize parameters
result = params.parameter_bytes(
encoding=cryptography.hazmat.primitives.serialization.Encoding.PEM,
format=cryptography.hazmat.primitives.serialization.
ParameterFormat.PKCS3,
)
# Write result
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(module, result)
def request_cert(self, module):
if not self.check(module) or self.force:
body = {}
# Read the CSR contents
if self.csr and os.path.exists(self.csr):
with open(self.csr, 'r') as csr_file:
body['csr'] = csr_file.read()
# Check if the path is already a cert
# tracking_id may be set as a parameter or by get_cert_details if an entrust cert is in 'path'. If tracking ID is null
# We will be performing a reissue operation.
if self.request_type != 'new' and not self.tracking_id:
module.warn(
'No existing Entrust certificate found in path={0} and no tracking_id was provided, setting request_type to "new" for this task'
'run. Future playbook runs that point to the pathination file in {1} will use request_type={2}'
.format(self.path, self.path, self.request_type))
self.request_type = 'new'
elif self.request_type == 'new' and self.tracking_id:
module.warn(
'Existing certificate being acted upon, but request_type is "new", so will be a new certificate issuance rather than a'
'reissue or renew')
# Use cases where request type is new and no existing certificate, or where request type is reissue/renew and a valid
# existing certificate is found, do not need warnings.
body.update(self.convert_tracking_params(module))
body.update(self.convert_cert_subject_params(module))
body.update(self.convert_general_params(module))
body.update(self.convert_expiry_params(module))
if not module.check_mode:
try:
if self.request_type == 'validate_only':
body['validateOnly'] = 'true'
result = self.ecs_client.NewCertRequest(Body=body)
if self.request_type == 'new':
result = self.ecs_client.NewCertRequest(Body=body)
elif self.request_type == 'renew':
result = self.ecs_client.RenewCertRequest(
trackingId=self.tracking_id, Body=body)
elif self.request_type == 'reissue':
result = self.ecs_client.ReissueCertRequest(
trackingId=self.tracking_id, Body=body)
self.tracking_id = result.get('trackingId')
self.set_cert_details(module)
except RestOperationException as e:
module.fail_json(
msg=
'Failed to request new certificate from Entrust (ECS) {0}'
.format(e.message))
if self.request_type != 'validate_only':
if self.backup:
self.backup_file = module.backup_local(self.path)
write_file(
module,
to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path and self.cert_details.get(
'chainCerts'):
if self.backup:
self.backup_full_chain_file = module.backup_local(
self.full_chain_path)
chain_string = '\n'.join(
self.cert_details.get('chainCerts')) + '\n'
write_file(module,
to_bytes(chain_string),
path=self.full_chain_path)
self.changed = True
# If there is no certificate present in path but a tracking ID was specified, save it to disk
elif not os.path.exists(self.path) and self.tracking_id:
if not module.check_mode:
write_file(module,
to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path and self.cert_details.get(
'chainCerts'):
chain_string = '\n'.join(
self.cert_details.get('chainCerts')) + '\n'
write_file(module,
to_bytes(chain_string),
path=self.full_chain_path)
self.changed = True
def request_cert(self, module):
if self.force:
body = {}
# Read the CSR contents
if self.csr and os.path.exists(self.csr):
with open(self.csr, 'r') as csr_file:
body['certificate_request'] = csr_file.read()
# Check if the path is already a cert
# set details by get_cert_details if an ejbca cert is in 'path'.
if self.request_type != 'new':
module.warn('No existing certificate found in path={0}, setting request_type to "new" for this task'
'run. Future playbook runs that point to the pathination file in {1} will use request_type={2}'
.format(self.path, self.path, self.request_type))
self.request_type = 'new'
elif self.request_type == 'new':
module.warn('Existing certificate being acted upon, but request_type is "new", so will be a new certificate issuance rather than a '
'reissue or renew')
# Use cases where request type is new and no existing certificate, or where request type is reissue/renew and a valid
# existing certificate is found, do not need warnings.
#body['certificate_profile_name'] = 'Client';
body['certificate_profile_name'] = self.certificate_profile;
#body['end_entity_profile_name'] = 'User';
body['end_entity_profile_name'] = self.end_entity_profile;
#body['certificate_authority_name'] = 'ManagementCA';
body['certificate_authority_name'] = self.certificate_authority;
body['include_chain'] = 'true';
# TODO: random username and password
body['username'] = '******';
body['password'] = '******';
if not module.check_mode:
try:
if self.request_type == 'validate_only':
body['validateOnly'] = 'true'
result = self.ejbca_client.NewCertRequest(Body=body) #TODO
if self.request_type == 'new':
result = self.ejbca_client.Pkcs10Enroll(Body=body)
elif self.request_type == 'renew':
result = self.ejbca_client.RenewCertRequest(trackingId=self.tracking_id, Body=body)#TODO
elif self.request_type == 'reissue':
result = self.ejbca_client.ReissueCertRequest(trackingId=self.tracking_id, Body=body)#TODO
self.serial_number = result.get('serial_number')
except RestOperationException as e:
module.fail_json(msg='Failed to request new certificate from EJBCA {0}'.format(e.message))
if self.request_type != 'validate_only':
if self.backup:
self.backup_file = module.backup_local(self.path)
# We get certbytes just base64 encoded, but without PEM headers
certbytes = base64.b64decode(result.get('certificate'))
cert_PEM = ssl.DER_cert_to_PEM_cert(certbytes);
write_file(module, to_bytes(cert_PEM))
if self.full_chain_path and result.get('certificate_chain'):
if self.backup:
self.backup_full_chain_file = module.backup_local(self.full_chain_path)
chain_string = '\n'.join(result.get('certificate_chain')) + '\n'
write_file(module, to_bytes(chain_string), path=self.full_chain_path)
self.changed = True
