openssl_pkcs12: add cryptography backend (#234)

* Began refactoring. * Continue. * Factor PyOpenSSL backend out. * Add basic cryptography backend. * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <[email protected]> * Only run tests when new enough pyOpenSSL or cryptography is around. * Reduce required pyOpenSSL version from 17.1.0 to 0.15. I have no idea why 17.1.0 was there (in the tests), and not something smaller. The module itself did not mention any version. * Linting. * Linting. * Increase compatibility by selecting pyopenssl backend when iter_size or maciter_size is used. * Improve docs, add changelog fragment. * Move hackish code to cryptography_support. * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <[email protected]> * Update plugins/modules/openssl_pkcs12.py Co-authored-by: Ajpantuso <[email protected]> * Streamline cert creation. * Convert range to list. Co-authored-by: Ajpantuso <[email protected]>
ansible-collections · May 20, 2021 · e9bc7c7 · e9bc7c7
1 parent 0a0d0f2
commit e9bc7c7
Show file tree

Hide file tree

Showing 6 changed files with 495 additions and 178 deletions.
diff --git a/changelogs/fragments/234-openssl_pkcs12-cryptography.yml b/changelogs/fragments/234-openssl_pkcs12-cryptography.yml
@@ -0,0 +1,4 @@
+minor_changes:
+- "openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` backend.
+  This requires cryptography 3.0 or newer, and does not support the ``iter_size`` and ``maciter_size`` options
+  (https://github.com/ansible-collections/community.crypto/pull/234)."
diff --git a/plugins/module_utils/crypto/cryptography_support.py b/plugins/module_utils/crypto/cryptography_support.py
@@ -35,6 +35,15 @@
     # Error handled in the calling module.
     pass
 
+try:
+    # This is a separate try/except since this is only present in cryptography 2.5 or newer
+    from cryptography.hazmat.primitives.serialization.pkcs12 import (
+        load_key_and_certificates as _load_key_and_certificates,
+    )
+except ImportError:
+    # Error handled in the calling module.
+    _load_key_and_certificates = None
+
 from .basic import (
     CRYPTOGRAPHY_HAS_ED25519,
     CRYPTOGRAPHY_HAS_ED448,
@@ -428,3 +437,21 @@ def cryptography_serial_number_of_cert(cert):
     except AttributeError:
         # The property was called "serial" before cryptography 1.4
         return cert.serial
+
+
+def parse_pkcs12(pkcs12_bytes, passphrase=None):
+    '''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
+    '''
+    if _load_key_and_certificates is None:
+        raise ValueError('load_key_and_certificates() not present in the current cryptography version')
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
+
+    friendly_name = None
+    if certificate:
+        # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
+        maybe_name = certificate._backend._lib.X509_alias_get0(
+            certificate._x509, certificate._backend._ffi.NULL)
+        if maybe_name != certificate._backend._ffi.NULL:
+            friendly_name = certificate._backend._ffi.string(maybe_name)
+
+    return private_key, certificate, additional_certificates, friendly_name