def _check_pkey_passphrase(): if self.privatekey_passphrase: try: crypto_utils.load_privatekey(self.privatekey_path, self.privatekey_passphrase) except crypto.Error: return False except crypto_utils.OpenSSLBadPassphraseError: return False return True
def _ensure_private_key_loaded(self): """Make sure that the private key has been loaded.""" if self.privatekey is None: try: self.privatekey = privatekey = crypto_utils.load_privatekey(self.path, self.passphrase) except crypto_utils.OpenSSLBadPassphraseError as exc: raise PrivateKeyError(exc)
def generate(self, module): """Generate PKCS#12 file archive.""" self.pkcs12 = crypto.PKCS12() if self.other_certificates: other_certs = [ crypto_utils.load_certificate(other_cert) for other_cert in self.other_certificates ] self.pkcs12.set_ca_certificates(other_certs) if self.certificate_path: self.pkcs12.set_certificate( crypto_utils.load_certificate(self.certificate_path)) if self.friendly_name: self.pkcs12.set_friendlyname(to_bytes(self.friendly_name)) if self.privatekey_path: try: self.pkcs12.set_privatekey( crypto_utils.load_privatekey(self.privatekey_path, self.privatekey_passphrase)) except crypto_utils.OpenSSLBadPassphraseError as exc: raise PkcsError(exc) return self.pkcs12.export(self.passphrase, self.iter_size, self.maciter_size)
def get_info(self): result = dict( can_load_key=False, can_parse_key=False, key_is_consistent=None, ) if self.content is not None: priv_key_detail = self.content.encode('utf-8') result['can_load_key'] = True else: try: with open(self.path, 'rb') as b_priv_key_fh: priv_key_detail = b_priv_key_fh.read() result['can_load_key'] = True except (IOError, OSError) as exc: self.module.fail_json(msg=to_native(exc), **result) try: self.key = crypto_utils.load_privatekey( path=None, content=priv_key_detail, passphrase=to_bytes(self.passphrase) if self.passphrase is not None else self.passphrase, backend=self.backend) result['can_parse_key'] = True except crypto_utils.OpenSSLObjectError as exc: self.module.fail_json(msg=to_native(exc), **result) result['public_key'] = self._get_public_key(binary=False) pk = self._get_public_key(binary=True) result[ 'public_key_fingerprints'] = crypto_utils.get_fingerprint_of_bytes( pk) if pk is not None else dict() key_type, key_public_data, key_private_data = self._get_key_info() result['type'] = key_type result['public_data'] = key_public_data if self.return_private_key_data: result['private_data'] = key_private_data result['key_is_consistent'] = self._is_key_consistent( key_public_data, key_private_data) if result['key_is_consistent'] is False: # Only fail when it is False, to avoid to fail on None (which means "we don't know") result['key_is_consistent'] = False self.module.fail_json( msg="Private key is not consistent! (See " "https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html)", **result) return result
def _create_publickey(self, module): self.privatekey = crypto_utils.load_privatekey( path=self.privatekey_path, content=self.privatekey_content, passphrase=self.privatekey_passphrase, backend=self.backend) if self.backend == 'cryptography': if self.format == 'OpenSSH': return self.privatekey.public_key().public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) else: return self.privatekey.public_key().public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat.SubjectPublicKeyInfo) else: try: return crypto.dump_publickey(crypto.FILETYPE_PEM, self.privatekey) except AttributeError as dummy: raise PublicKeyError( 'You need to have PyOpenSSL>=16.0.0 to generate public keys' )
def __init__(self, module): super(CRL, self).__init__( module.params['path'], module.params['state'], module.params['force'], module.check_mode ) self.update = module.params['mode'] == 'update' self.ignore_timestamps = module.params['ignore_timestamps'] self.return_content = module.params['return_content'] self.crl_content = None self.privatekey_path = module.params['privatekey_path'] self.privatekey_content = module.params['privatekey_content'] if self.privatekey_content is not None: self.privatekey_content = self.privatekey_content.encode('utf-8') self.privatekey_passphrase = module.params['privatekey_passphrase'] self.issuer = crypto_utils.parse_name_field(module.params['issuer']) self.issuer = [(entry[0], entry[1]) for entry in self.issuer if entry[1]] self.last_update = crypto_utils.get_relative_time_option(module.params['last_update'], 'last_update') self.next_update = crypto_utils.get_relative_time_option(module.params['next_update'], 'next_update') self.digest = crypto_utils.select_message_digest(module.params['digest']) if self.digest is None: raise CRLError('The digest "{0}" is not supported'.format(module.params['digest'])) self.revoked_certificates = [] for i, rc in enumerate(module.params['revoked_certificates']): result = { 'serial_number': None, 'revocation_date': None, 'issuer': None, 'issuer_critical': False, 'reason': None, 'reason_critical': False, 'invalidity_date': None, 'invalidity_date_critical': False, } path_prefix = 'revoked_certificates[{0}].'.format(i) if rc['path'] is not None or rc['content'] is not None: # Load certificate from file or content try: if rc['content'] is not None: rc['content'] = rc['content'].encode('utf-8') cert = crypto_utils.load_certificate(rc['path'], content=rc['content'], backend='cryptography') try: result['serial_number'] = cert.serial_number except AttributeError: # The property was called "serial" before cryptography 1.4 result['serial_number'] = cert.serial except crypto_utils.OpenSSLObjectError as e: if rc['content'] is not None: module.fail_json( msg='Cannot parse certificate from {0}content: {1}'.format(path_prefix, to_native(e)) ) else: module.fail_json( msg='Cannot read certificate "{1}" from {0}path: {2}'.format(path_prefix, rc['path'], to_native(e)) ) else: # Specify serial_number (and potentially issuer) directly result['serial_number'] = rc['serial_number'] # All other options if rc['issuer']: result['issuer'] = [crypto_utils.cryptography_get_name(issuer) for issuer in rc['issuer']] result['issuer_critical'] = rc['issuer_critical'] result['revocation_date'] = crypto_utils.get_relative_time_option( rc['revocation_date'], path_prefix + 'revocation_date' ) if rc['reason']: result['reason'] = crypto_utils.REVOCATION_REASON_MAP[rc['reason']] result['reason_critical'] = rc['reason_critical'] if rc['invalidity_date']: result['invalidity_date'] = crypto_utils.get_relative_time_option( rc['invalidity_date'], path_prefix + 'invalidity_date' ) result['invalidity_date_critical'] = rc['invalidity_date_critical'] self.revoked_certificates.append(result) self.module = module self.backup = module.params['backup'] self.backup_file = None try: self.privatekey = crypto_utils.load_privatekey( path=self.privatekey_path, content=self.privatekey_content, passphrase=self.privatekey_passphrase, backend='cryptography' ) except crypto_utils.OpenSSLBadPassphraseError as exc: raise CRLError(exc) self.crl = None try: with open(self.path, 'rb') as f: data = f.read() self.crl = x509.load_pem_x509_crl(data, default_backend()) if self.return_content: self.crl_content = data except Exception as dummy: self.crl_content = None
def _check_passphrase(self): try: crypto_utils.load_privatekey(self.path, self.passphrase) return True except Exception as dummy: return False