Refactor module_utils/crypto.py

plugins/module_utils/crypto/__init__.py

@@ -0,0 +1,99 @@
+# -*- coding: utf-8 -*-
+#
+# (c) 2016, Yanis Guenane <[email protected]>
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+# THIS FILE IS FOR COMPATIBILITY ONLY! YOU SHALL NOT IMPORT IT!
+#
+# This fill will be removed eventually, so if you're using it,
+# please stop doing so.
+
+from .basic import (
+    HAS_PYOPENSSL,
+    CRYPTOGRAPHY_HAS_X25519,
+    CRYPTOGRAPHY_HAS_X25519_FULL,
+    CRYPTOGRAPHY_HAS_X448,
+    CRYPTOGRAPHY_HAS_ED25519,
+    CRYPTOGRAPHY_HAS_ED448,
+    HAS_CRYPTOGRAPHY,
+    OpenSSLObjectError,
+    OpenSSLBadPassphraseError,
+)
+
+from .cryptography_crl import (
+    REVOCATION_REASON_MAP,
+    REVOCATION_REASON_MAP_INVERSE,
+    cryptography_decode_revoked_certificate,
+)
+
+from .cryptography_support import (
+    cryptography_get_extensions_from_cert,
+    cryptography_get_extensions_from_csr,
+    cryptography_name_to_oid,
+    cryptography_oid_to_name,
+    cryptography_get_name,
+    cryptography_decode_name,
+    cryptography_parse_key_usage_params,
+    cryptography_get_basic_constraints,
+    cryptography_key_needs_digest_for_signing,
+    cryptography_compare_public_keys,
+)
+
+from .identify import (
+    identify_private_key_format,
+)
+
+from .math import (
+    binary_exp_mod,
+    simple_gcd,
+    quick_is_not_prime,
+    count_bits,
+)
+
+from ._obj2txt import obj2txt as _obj2txt
+
+from ._objects_data import OID_MAP as _OID_MAP
+
+from ._objects import OID_LOOKUP as _OID_LOOKUP
+from ._objects import NORMALIZE_NAMES as _NORMALIZE_NAMES
+from ._objects import NORMALIZE_NAMES_SHORT as _NORMALIZE_NAMES_SHORT
+
+from .pyopenssl_support import (
+    pyopenssl_normalize_name,
+    pyopenssl_get_extensions_from_cert,
+    pyopenssl_get_extensions_from_csr,
+)
+
+from .support import (
+    get_fingerprint_of_bytes,
+    get_fingerprint,
+    load_privatekey,
+    load_certificate,
+    load_certificate_request,
+    parse_name_field,
+    convert_relative_to_datetime,
+    get_relative_time_option,
+    select_message_digest,
+    OpenSSLObject,
+)
+
+from ..io import (
+    load_file_if_exists,
+    write_file,
+)

plugins/module_utils/crypto/_obj2txt.py

@@ -0,0 +1,43 @@
+# This excerpt is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file at
+# https://github.com/pyca/cryptography/blob/master/LICENSE for complete details.
+#
+# Adapted from cryptography's hazmat/backends/openssl/decode_asn1.py
+#
+# Copyright (c) 2015, 2016 Paul Kehrer (@reaperhulk)
+# Copyright (c) 2017 Fraser Tweedale (@frasertweedale)
+
+# Relevant commits from cryptography project (https://github.com/pyca/cryptography):
+#    pyca/cryptography@719d536dd691e84e208534798f2eb4f82aaa2e07
+#    pyca/cryptography@5ab6d6a5c05572bd1c75f05baf264a2d0001894a
+#    pyca/cryptography@2e776e20eb60378e0af9b7439000d0e80da7c7e3
+#    pyca/cryptography@fb309ed24647d1be9e319b61b1f2aa8ebb87b90b
+#    pyca/cryptography@2917e460993c475c72d7146c50dc3bbc2414280d
+#    pyca/cryptography@3057f91ea9a05fb593825006d87a391286a4d828
+#    pyca/cryptography@d607dd7e5bc5c08854ec0c9baff70ba4a35be36f
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+def obj2txt(openssl_lib, openssl_ffi, obj):
+    # Set to 80 on the recommendation of
+    # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values
+    #
+    # But OIDs longer than this occur in real life (e.g. Active
+    # Directory makes some very long OIDs).  So we need to detect
+    # and properly handle the case where the default buffer is not
+    # big enough.
+    #
+    buf_len = 80
+    buf = openssl_ffi.new("char[]", buf_len)
+
+    # 'res' is the number of bytes that *would* be written if the
+    # buffer is large enough.  If 'res' > buf_len - 1, we need to
+    # alloc a big-enough buffer and go again.
+    res = openssl_lib.OBJ_obj2txt(buf, buf_len, obj, 1)
+    if res > buf_len - 1:  # account for terminating null byte
+        buf_len = res + 1
+        buf = openssl_ffi.new("char[]", buf_len)
+        res = openssl_lib.OBJ_obj2txt(buf, buf_len, obj, 1)
+    return openssl_ffi.buffer(buf, res)[:].decode()

plugins/module_utils/crypto/_objects.py

@@ -0,0 +1,46 @@
+# -*- coding: utf-8 -*-
+#
+# (c) 2019, Felix Fontein <[email protected]>
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+from ._objects_data import OID_MAP
+
+OID_LOOKUP = dict()
+NORMALIZE_NAMES = dict()
+NORMALIZE_NAMES_SHORT = dict()
+
+for dotted, names in OID_MAP.items():
+    for name in names:
+        if name in NORMALIZE_NAMES and OID_LOOKUP[name] != dotted:
+            raise AssertionError(
+                'Name collision during setup: "{0}" for OIDs {1} and {2}'
+                .format(name, dotted, OID_LOOKUP[name])
+            )
+        NORMALIZE_NAMES[name] = names[0]
+        NORMALIZE_NAMES_SHORT[name] = names[-1]
+        OID_LOOKUP[name] = dotted
+for alias, original in [('userID', 'userId')]:
+    if alias in NORMALIZE_NAMES:
+        raise AssertionError(
+            'Name collision during adding aliases: "{0}" (alias for "{1}") is already mapped to OID {2}'
+            .format(alias, original, OID_LOOKUP[alias])
+        )
+    NORMALIZE_NAMES[alias] = original
+    NORMALIZE_NAMES_SHORT[alias] = NORMALIZE_NAMES_SHORT[original]
+    OID_LOOKUP[alias] = OID_LOOKUP[original]