From e1218ca10f7ecb6a163a59fe18201bc2598a1215 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 23 Dec 2018 10:23:31 +0100
Subject: [PATCH] Elliptic curve tests for crypto modules (#50109)

* Add openssl_csr ECC test.

* Add openssl_publickey ECC test.

* Add openssl_certificate ECC test.
---
 .../openssl_certificate/tasks/main.yml | 1 +
 .../openssl_certificate/tasks/ownca.yml | 14 ++++++++++-
 .../openssl_certificate/tasks/selfsigned.yml | 25 ++++++++++++++++++-
 .../tests/validate_ownca.yml | 16 ++++++++++++
 .../tests/validate_selfsigned.yml | 14 +++++++++++
 .../targets/openssl_csr/tasks/main.yml | 14 +++++++++++
 .../targets/openssl_csr/tests/validate.yml | 19 ++++++++++++
 .../targets/openssl_publickey/tasks/main.yml | 12 +++++++++
 .../openssl_publickey/tests/validate.yml | 15 +++++++++++
 9 files changed, 128 insertions(+), 2 deletions(-)

diff --git a/test/integration/targets/openssl_certificate/tasks/main.yml b/test/integration/targets/openssl_certificate/tasks/main.yml
index a452f23495..8f846746c9 100644
--- a/test/integration/targets/openssl_certificate/tasks/main.yml
+++ b/test/integration/targets/openssl_certificate/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - block:
 - import_tasks: selfsigned.yml
diff --git a/test/integration/targets/openssl_certificate/tasks/ownca.yml b/test/integration/targets/openssl_certificate/tasks/ownca.yml
index 63edbd2610..db98d118d7 100644
--- a/test/integration/targets/openssl_certificate/tasks/ownca.yml
+++ b/test/integration/targets/openssl_certificate/tasks/ownca.yml
@@ -1,3 +1,4 @@
+---
 - name: Generate CA privatekey
 openssl_privatekey:
 path: '{{ output_dir }}/ca_privatekey.pem'
@@ -126,5 +127,16 @@
 privatekey_path: "{{ output_dir }}/privatekey3.pem"
 ownca_path: '{{ output_dir }}/ca_cert.pem'
 ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
-
+
+- name: Generate ownca ECC certificate
+ openssl_certificate:
+ path: '{{ output_dir }}/ownca_cert_ecc.pem'
+ csr_path: '{{ output_dir }}/csr_ecc.csr'
+ privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+ ownca_path: '{{ output_dir }}/ca_cert.pem'
+ ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
+ provider: ownca
+ ownca_digest: sha256
+ register: ownca_certificate_ecc
+
 - import_tasks: ../tests/validate_ownca.yml
diff --git a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
index b57a11f196..24dbe7737a 100644
--- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -1,3 +1,4 @@
+---
 - name: Generate privatekey
 openssl_privatekey:
 path: '{{ output_dir }}/privatekey.pem'
@@ -133,5 +134,27 @@
 path: "{{ output_dir }}/cert3.pem"
 csr_path: "{{ output_dir }}/csr3.pem"
 privatekey_path: "{{ output_dir }}/privatekey3.pem"
-
+
+- name: Generate privatekey
+ openssl_privatekey:
+ path: '{{ output_dir }}/privatekey_ecc.pem'
+ type: ECC
+ curve: secp256k1
+
+- name: Generate CSR
+ openssl_csr:
+ path: '{{ output_dir }}/csr_ecc.csr'
+ privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+ subject:
+ commonName: www.example.com
+
+- name: Generate selfsigned certificate
+ openssl_certificate:
+ path: '{{ output_dir }}/cert_ecc.pem'
+ csr_path: '{{ output_dir }}/csr_ecc.csr'
+ privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+ provider: selfsigned
+ selfsigned_digest: sha256
+ register: selfsigned_certificate_ecc
+
 - import_tasks: ../tests/validate_selfsigned.yml
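Review bot: The new `Generate privatekey` task in selfsigned.yml pins `curve: secp256k1`, which is not the curve X.509/TLS deployments actually use and which, as far as I know, is missing from some distribution OpenSSL builds that ship only the NIST curves, so on those CI images the ECC path may fail at key generation instead of exercising the certificate module. `secp256r1` (P-256) is the ECDSA curve TLS 1.3 mandates and public CAs accept, so it is the more representative choice for a certificate test: `curve: secp256r1`. The openssl_csr and openssl_publickey targets in this patch use the same value and should change in lock-step; if secp256k1 coverage is wanted on purpose, generating a second key with P-256 would cover both without dropping the existing case.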
diff --git a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
index d54287ecd9..05b6b2e57f 100644
--- a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
@@ -1,3 +1,4 @@
+---
 - name: Validate ownca certificate (test - verify CA)
 shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
 register: ownca_verify_ca
@@ -65,3 +66,18 @@
 assert:
 that:
 - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
+
+- name: Validate ownca ECC certificate (test - ownca certificate pubkey)
+ shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
+ register: ownca_cert_ecc_pubkey
+
+- name: Validate ownca ECC certificate (test - ownca issuer value)
+ shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
+ register: ownca_cert_ecc_issuer
+
+- name: Validate ownca ECC certificate (assert)
+ assert:
+ that:
+ - ownca_cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout
+ # openssl 1.1.x adds a space between the output
+ - ownca_cert_ecc_issuer.stdout in ['CN=Example CA', 'CN = Example CA']
diff --git a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
index f98d6f191e..25cef100d9 100644
--- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
@@ -1,3 +1,4 @@
+---
 - name: Validate certificate (test - privatekey modulus)
 shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
 register: privatekey_modulus
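Review bot: The new ECC assertions in validate_ownca.yml only compare the SPKI and the issuer string; unlike the RSA case at the top of this file, nothing runs `openssl verify` against the CA, so a certificate whose signature does not actually validate under `ca_cert.pem` would still pass. The issuer grep is also satisfied by any certificate that merely names the CA in its Issuer field, which is exactly the thing a signature check is meant to back up. Separately, `privatekey_ecc_pubkey` is not registered anywhere in this file; as far as the patch shows it comes from validate_selfsigned.yml, so this assert silently depends on selfsigned.yml running first, and a comment such as `# registered in validate_selfsigned.yml, which main.yml imports first` on that line would make the coupling visible. I would add a verify task mirroring the existing RSA one and assert on it:

```yaml
- name: Validate ownca ECC certificate (test - verify CA)
  shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert_ecc.pem | sed "s/.*: \(.*\)/\1/g"'
  register: ownca_ecc_verify_ca

# … unchanged: pubkey and issuer tasks …

- name: Validate ownca ECC certificate (assert)
  assert:
    that:
      - ownca_ecc_verify_ca.stdout == 'OK'
      # … unchanged: pubkey and issuer assertions …
```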
@@ -68,3 +69,16 @@
 assert:
 that:
 - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
+
+- name: Validate ECC certificate (test - privatekey's pubkey)
+ shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
+ register: privatekey_ecc_pubkey
+
+- name: Validate ECC certificate (test - certificate pubkey)
+ shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
+ register: cert_ecc_pubkey
+
+- name: Validate ECC certificate (assert)
+ assert:
+ that:
+ - cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index 1476467cfd..2347ab1eb8 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - block:
 - name: Generate privatekey
 openssl_privatekey:
@@ -66,6 +67,19 @@
 ocsp_must_staple: true
 register: csr_ocsp_idempotency
+ - name: Generate ECC privatekey
+ openssl_privatekey:
+ path: '{{ output_dir }}/privatekey2.pem'
+ type: ECC
+ curve: secp256k1
+
+ - name: Generate CSR with ECC privatekey
+ openssl_csr:
+ path: '{{ output_dir }}/csr2.csr'
+ privatekey_path: '{{ output_dir }}/privatekey2.pem'
+ subject:
+ commonName: www.ansible.com
+
 - import_tasks: ../tests/validate.yml
 when: pyopenssl_version.stdout is version('0.15', '>=')
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index ff205734c3..dc77b0ff6c 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -1,3 +1,4 @@
+---
 - name: Validate CSR (test - privatekey modulus)
 shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
 register: privatekey_modulus
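Review bot: The self-signed ECC assert in validate_selfsigned.yml checks only that the certificate carries the EC public key; it never looks at the signature, so `selfsigned_digest: sha256` from selfsigned.yml is not actually verified and a module regression that signed with a different digest, or failed to produce a valid ECDSA signature at all, would still pass. Since here the signing key is the EC key itself, the expected algorithm string is known and can be pinned. I would add a signature-algorithm task and assert on it (the `head -n 1` is needed because OpenSSL prints the algorithm twice in `-text` output; the exact spelling should be confirmed against the OpenSSL versions CI runs):

```yaml
- name: Validate ECC certificate (test - signature algorithm)
  shell: 'openssl x509 -noout -text -in {{ output_dir }}/cert_ecc.pem | grep "Signature Algorithm" | head -n 1 | sed "s/.*: \(.*\)/\1/g"'
  register: cert_ecc_sigalg

- name: Validate ECC certificate (assert)
  assert:
    that:
      - cert_ecc_sigalg.stdout == 'ecdsa-with-SHA256'
      # … unchanged: pubkey assertion …
```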
@@ -49,3 +50,21 @@
 assert:
 that:
 - csr_ocsp_idempotency is not changed
+
+- name: Validate ECC CSR (test - privatekey's public key)
+ shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
+ register: privatekey_ecc_key
+
+- name: Validate ECC CSR (test - Common Name)
+ shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
+ register: csr_ecc_cn
+
+- name: Validate ECC CSR (test - CSR pubkey)
+ shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
+ register: csr_ecc_pubkey
+
+- name: Validate ECC CSR (assert)
+ assert:
+ that:
+ - csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
+ - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
diff --git a/test/integration/targets/openssl_publickey/tasks/main.yml b/test/integration/targets/openssl_publickey/tasks/main.yml
index 7cb45c7ab8..b8e93933c8 100644
--- a/test/integration/targets/openssl_publickey/tasks/main.yml
+++ b/test/integration/targets/openssl_publickey/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - block:
 - name: Generate privatekey
 openssl_privatekey:
@@ -66,6 +67,17 @@
 path: '{{ output_dir }}/publickey4.pub'
 privatekey_path: '{{ output_dir }}/privatekey.pem'
+ - name: Generate privatekey 5 (ECC)
+ openssl_privatekey:
+ path: '{{ output_dir }}/privatekey5.pem'
+ type: ECC
+ curve: secp256k1
+
+ - name: Generate publickey 5 - PEM format
+ openssl_publickey:
+ path: '{{ output_dir }}/publickey5.pub'
+ privatekey_path: '{{ output_dir }}/privatekey5.pem'
+
 - import_tasks: ../tests/validate.yml
 when: pyopenssl_version.stdout is version('16.0.0', '>=')
diff --git a/test/integration/targets/openssl_publickey/tests/validate.yml b/test/integration/targets/openssl_publickey/tests/validate.yml
index 477a6cb99e..6e42294638 100644
--- a/test/integration/targets/openssl_publickey/tests/validate.yml
+++ b/test/integration/targets/openssl_publickey/tests/validate.yml
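Review bot: The ECC CSR checks in openssl_csr/tests/validate.yml compare the SPKI and the CN but never verify the CSR's own signature, which is the one thing that proves the module signed the request with the EC key rather than just copying its public half into the request. `openssl req -noout -verify` exits non-zero when the self-signature does not check out, and the `command` module fails the play on a non-zero rc, so a single task with no assert is enough: `- name: Validate ECC CSR (test - signature)` followed by `command: 'openssl req -noout -verify -in {{ output_dir }}/csr2.csr'`. Whether "verify OK" lands on stdout or stderr varies between OpenSSL versions, which is why relying on the exit code rather than grepping the output is the safer form here.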
@@ -1,3 +1,4 @@
+---
 - name: Validate public key (test - privatekey modulus)
 shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
 register: privatekey_modulus
@@ -81,3 +82,17 @@
 that:
 - publickey4_modulus.stdout == privatekey4_modulus.stdout
 when: openssl_version.stdout is version('0.9.8zh', '>=')
+
+- name: Validate public key 5 (test - privatekey's pubkey)
+ command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
+ register: privatekey5_pubkey
+
+- name: Validate public key 5 (test - publickey pubkey)
+ # Fancy way of writing "cat {{ output_dir }}/publickey5.pub"
+ command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
+ register: publickey5_pubkey
+
+- name: Validate public key 5 (assert)
+ assert:
+ that:
+ - publickey5_pubkey.stdout == privatekey5_pubkey.stdout
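Review bot: The public key 5 assert proves the two PEM encodings agree but nothing in the new tasks checks which curve the key is on, so a regression in openssl_privatekey that ignored `curve: secp256k1` and fell back to a default would pass this target unnoticed. A third task registering `command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -noout -text'` with an assertion like `- "'ASN1 OID: secp256k1' in publickey5_text.stdout"` would pin the requested curve; the exact label OpenSSL prints for the OID line should be confirmed against the versions CI runs, since it differs slightly between releases. On style, the new tasks use `command` where the rest of this file uses `shell`; that is the better choice for invocations with no pipes, since it avoids shell interpretation of the templated path, and is worth carrying into the older tasks whenever they are next touched.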