Add openssl_signature module #63
Conversation
|
And so it begins... FreeBSD apparently uses LibreSSL which doesn't support OpenSSL in their eternal wisdom decided that |
|
Out of curiosity: why add a pyOpenSSL backend at all, if you plan to remove it "soon"? |
|
It would be the only one without pyopenssl and it wouldn't run at all on Ubuntu Xenial for example (https://packages.ubuntu.com/de/xenial-updates/python-cryptography). The integration tests only pass there, because they don't actually do anything. Since this is part of the way we create certificates and we also manage some Xenial hosts, there are just a few options, and all of them are ugly. Running pyOpenSSL is maybe the least bad solution in that case. |
|
Urgh, |
|
Otoh OpenSSL in OSX seems to return 0, even if you ask for help for a command it doesn't understand and where it also prints out "openssl:Error: 'pkeyutl' is an invalid command."... |
|
The x509_crl and x509_crl_info modules only have a cryptography backend, so it definitely wouldn't be the only one. But if pyOpenSSL is the way to get it to work on a platform you need to support, feel free to support it :) |
|
The bigger pain point at the moment is anyways OpenSSL itself... I'm close to writing some feature detection for that whole mess, but I'm afraid that that would again mean a lot of edge cases. There aren't even that many distros tested in shippable! :-/ |
|
Hm, pyopenssl (and OpenSSL too) seems to have issues in general with Ed25519 and Ed448 signatures. |
MarkusTeufelberger
force-pushed
the
openssl_signature
branch
from
df9977c to
fd1618f
Compare
|
FreeBSD 11 manages to die quite spectacularly when signing with |
MarkusTeufelberger
changed the title
|
Alright, this is now ready for review. I'll squash down my commits before merging. |
plugins/modules/openssl_signature.py
Outdated
| DOCUMENTATION = r''' | ||
| --- | ||
| module: openssl_signature | ||
| short_description: Sign and verify data with openssl |
There was a problem hiding this comment.
| short_description: Sign and verify data with openssl | |
| short_description: Sign and verify data with openssl | |
| version_added: 1.1.0 |
There was a problem hiding this comment.
Should be 1.1.0 now :)
plugins/modules/openssl_signature.py
Outdated
| - The module can use the cryptography Python library, or the pyOpenSSL Python | ||
| library. By default, it tries to detect which one is available. This can be | ||
| overridden with the I(select_crypto_backend) option. Please note that the PyOpenSSL backend | ||
| was deprecated in Ansible 2.9 and will be removed in Ansible 2.13. |
There was a problem hiding this comment.
| was deprecated in Ansible 2.9 and will be removed in Ansible 2.13. | |
| was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0. |
plugins/modules/openssl_signature.py
Outdated
| - Markus Teufelberger (@MarkusTeufelberger) | ||
| options: | ||
| action: | ||
| description: Action to be executed |
There was a problem hiding this comment.
| description: Action to be executed | |
| description: Action to be executed. |
plugins/modules/openssl_signature.py
Outdated
| module: openssl_signature | ||
| short_description: Sign and verify data with openssl | ||
| description: | ||
| - This module allows one to sign and verify data via a certificate and a private key |
There was a problem hiding this comment.
| - This module allows one to sign and verify data via a certificate and a private key | |
| - This module allows one to sign and verify data via a certificate and a private key. |
plugins/modules/openssl_signature.py
Outdated
| choices: [ sign, verify ] | ||
| privatekey_path: | ||
| description: | ||
| - The path to the private key to use when signing |
There was a problem hiding this comment.
| - The path to the private key to use when signing | |
| - The path to the private key to use when signing. |
plugins/modules/openssl_signature.py
Outdated
| RETURN = r''' | ||
| signature: | ||
| description: Base64 encoded signature | ||
| returned: changed or success |
There was a problem hiding this comment.
| returned: changed or success | |
| returned: success |
Changed is part of success :)
plugins/modules/openssl_signature.py
Outdated
| module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)), | ||
| exception=PYOPENSSL_IMP_ERR) | ||
| module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated', | ||
| version='2.13') |
There was a problem hiding this comment.
| version='2.13') | |
| version='2.0.0', collection_name='community.crypto') |
plugins/modules/openssl_signature.py
Outdated
|
|
||
| EXAMPLES = r''' | ||
| - name: Sign example file | ||
| openssl_signature: |
There was a problem hiding this comment.
| openssl_signature: | |
| community.crypto.openssl_signature: |
plugins/modules/openssl_signature.py
Outdated
| register: sig | ||
|
|
||
| - name: Verify signature of example file | ||
| openssl_signature: |
There was a problem hiding this comment.
| openssl_signature: | |
| community.crypto.openssl_signature: |
plugins/modules/openssl_signature.py
Outdated
| description: Action to be executed | ||
| type: str | ||
| required: true | ||
| choices: [ sign, verify ] |
There was a problem hiding this comment.
Conceptually, I think it would be better to have two modules, one for signing, the other for verifying. I think the idea of having modules which do different actions depending on a module option is nowadays discouraged in Ansible.
How about having something like openssl_signature_sign and openssl_signature_verify?
There was a problem hiding this comment.
I'm not opposed, though the content to boilerplate/docs ratio there would be even higher.
Instead of openssl_signature_verify there could also be an openssl_signature_info module that tells you if a signature is valid/verified? That would follow the current pattern here maybe even more...
There was a problem hiding this comment.
Yep, it definitely would increase the content/boilerplate ratio.
_info is probably better. I first thought about that too, and was wondering whether it is a good fit and first decided against it, but now (after thinking some more about it) I guess it's better.
There was a problem hiding this comment.
Alright, I'll go the openssl_signature/openssl_signature_info route. Time to train those Ctrl + c / Ctrl + v skills! :-D
MarkusTeufelberger
force-pushed
the
openssl_signature
branch
from
c2294d7 to
d2f60d2
Compare
|
rebased + rewrote to 2 different modules. The tests are identical for now, not sure if there's much point in separating them? Things that would be nice, but could be implemented later as additional features:
|
No; I would only keep one copy, and add the other module in |
|
|
||
| - name: Create statement to be signed | ||
| copy: | ||
| content: "Erst wenn der Subwoofer die Katze inhaliert, fickt der Bass richtig übel. -- W.A. Mozart" |
There was a problem hiding this comment.
| content: "Erst wenn der Subwoofer die Katze inhaliert, fickt der Bass richtig übel. -- W.A. Mozart" | |
| content: "Erst wenn der Subwoofer die Katze inhaliert, fickt der Bass richtig übel. -- W.A. Mozart" |
:D
|
Still needs a squash, hoped to do it this weekend, but alas... I'm still on it though and will merge then. |
|
@MarkusTeufelberger the GitHub merge configured for this repo will already squash all commits :) |
|
Yeah, but it will likely preserve all these ugly commit messages... |
|
True :) |
* Use module_utils from collection, clean up code a bit * add DSA keys, because why not... * sign/verify was added in pyOpenSSL 0.11 apparently * Add signing capability detection to module_utils.crypto.basic * Rework feature detection of signature types. * Rename parameters to match other modules * Add initial version of integration tests * fix whitespace in tests * More whitespace fixes * small fixes for issues in testing * Organize integration tests as test matrix * another indentation fix to make pep8 happy * use openssl pkeyutl when possible, otherwise fall back to openssl dgst * More linter fixes * openssl pkeyutl -help can apparently return 1 * ignore errors on openssl call and another try at formatting * Remove the OpenSSL calls in tests * Add collection name to deprecation notice and deprecate at version 2.0.0 * Exclude Ed448/25519 tests on pyopenssl * revert the collection name in the deprecation notice (breaks 2.9) * limit test platforms even more * disable FreeBSD DSA and ECC tests * Add module name to README * rewrite and split into 2 modules instead * add module to README and fix whitespace issue * remove duplicated tests * address review remarks * resolve another comment
felixfontein
force-pushed
the
openssl_signature
branch
from
fd7f12f to
0153eab
Compare
|
I've squashed the commits into two commits (one per author). I'll rebase-merge once the tests pass. |
|
Gna. Why does GitHub always changes the merge button selection when reloading?! This is exactly what I wanted to prevent... |
* Use module_utils from collection, clean up code a bit * add DSA keys, because why not... * sign/verify was added in pyOpenSSL 0.11 apparently * Add signing capability detection to module_utils.crypto.basic * Rework feature detection of signature types. * Rename parameters to match other modules * Add initial version of integration tests * fix whitespace in tests * More whitespace fixes * small fixes for issues in testing * Organize integration tests as test matrix * another indentation fix to make pep8 happy * use openssl pkeyutl when possible, otherwise fall back to openssl dgst * More linter fixes * openssl pkeyutl -help can apparently return 1 * ignore errors on openssl call and another try at formatting * Remove the OpenSSL calls in tests * Add collection name to deprecation notice and deprecate at version 2.0.0 * Exclude Ed448/25519 tests on pyopenssl * revert the collection name in the deprecation notice (breaks 2.9) * limit test platforms even more * disable FreeBSD DSA and ECC tests * Add module name to README * rewrite and split into 2 modules instead * add module to README and fix whitespace issue * remove duplicated tests * address review remarks * resolve another comment
|
With @gundalow's help I purged the commit from |
|
@MarkusTeufelberger and Patrick Pichler, thanks a lot for contributing these new modules! :) |
SUMMARY
Adds a new module to create or verify a Base64 encoded signature of a file.
ISSUE TYPE
COMPONENT NAME
openssl_signature
ADDITIONAL INFORMATION
Originally written by @aveexy, his version is the initial commit in this PR.
Changes + tests (+ bugs/errors) are by me.
Currently still working a bit on making tests a bit more exhaustive, maybe also adding a few more features (choosing padding and hashing algorithms, allowing private keys to be used as content not only paths, allowing to verify with public keys only and not certificates, signing strings instead of files...) if they seem useful. The current state is the one that we used internally at https://mgit.at/ as part of a larger project and it seemed useful and general enough to release in this format.
Main focus of reviews should probably be also how it adheres to in-collection "standards" (parameter names, code structure), functionality wise it is not that complex fortunately.