Vh3ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlmZmZddlmZmZddlmZmZdd lmZdd lmZdd lmZmZmZdd l m!Z!m"Z"dd l#m$Z$dZ%dZ&dZ'dZ( ddl)Z)ddl)m*Z*ddl+m,Z-e$e)j\Z/dZ0dZ4 ddl5Z5ddl6m7Z7ddl8m9Z9e$e5j\Z:dZ;dZ< ddl6m=Z=ddl8m>Z>e7j~jjje>jje=jdZFdZHGddeZIGddeZJGddeJZKGd d!eJZLd"ZMd#ZNeOd$k(reNyy#e1e2f$rejfZ(dZ0YwxYw#e1$rejfZ4dZ;YwxYw#eG$rejfZ= 0.15, < 23.3.0 or cryptography >= 3.0 extends_documentation_fragment: - ansible.builtin.files - community.crypto.attributes - community.crypto.attributes.files attributes: check_mode: support: full diff_mode: support: none safe_file_operations: support: full idempotent: support: partial details: - The module is not idempotent if O(force=true). options: action: description: - V(export) or V(parse) a PKCS#12. type: str default: export choices: [export, parse] other_certificates: description: - List of other certificates to include. Pre Ansible 2.8 this parameter was called O(ca_certificates). - Assumes there is one PEM-encoded certificate per file. If a file contains multiple PEM certificates, set O(other_certificates_parse_all) to V(true). - Mutually exclusive with O(other_certificates_content). type: list elements: path aliases: [ca_certificates] other_certificates_content: description: - List of other certificates to include. - Assumes there is one PEM-encoded certificate per item. If an item contains multiple PEM certificates, set O(other_certificates_parse_all) - Mutually exclusive with O(other_certificates). type: list elements: str version_added: "2.26.0" other_certificates_parse_all: description: - If set to V(true), assumes that the files mentioned in O(other_certificates)/O(other_certificates_content) can contain more than one certificate per file/item (or even none per file/item). type: bool default: false version_added: 1.4.0 certificate_path: description: - The path to read certificates and private keys from. - Must be in PEM format. - Mutually exclusive with O(certificate_content). type: path certificate_content: description: - Content of the certificate file in PEM format. - Mutually exclusive with O(certificate_path). type: str version_added: "2.26.0" force: description: - Should the file be regenerated even if it already exists. type: bool default: false friendly_name: description: - Specifies the friendly name for the certificate and private key. type: str aliases: [name] iter_size: description: - Number of times to repeat the encryption step. - This is B(not considered during idempotency checks). - This is only used by the C(pyopenssl) backend, or when O(encryption_level=compatibility2022). - When using it, the default is V(2048) for C(pyopenssl) and V(50000) for C(cryptography). type: int maciter_size: description: - Number of times to repeat the MAC step. - This is B(not considered during idempotency checks). - This is only used by the C(pyopenssl) backend. When using it, the default is V(1). type: int encryption_level: description: - Determines the encryption level used. - V(auto) uses the default of the selected backend. For C(cryptography), this is what the cryptography library's specific version considers the best available encryption. - V(compatibility2022) uses compatibility settings for older software in 2022. This is only supported by the C(cryptography) backend if cryptography >= 38.0.0 is available. - B(Note) that this option is B(not used for idempotency). choices: - auto - compatibility2022 default: auto type: str version_added: 2.8.0 passphrase: description: - The PKCS#12 password. - B(Note:) PKCS12 encryption is typically not secure and should not be used as a security mechanism. If you need to store or send a PKCS12 file safely, you should additionally encrypt it with something else. (L(Source, https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates)). type: str path: description: - Filename to write the PKCS#12 file to. type: path required: true privatekey_passphrase: description: - Passphrase source to decrypt any input private keys with. type: str privatekey_path: description: - File to read private key from. - Mutually exclusive with O(privatekey_content). type: path privatekey_content: description: - Content of the private key file. - Mutually exclusive with O(privatekey_path). type: str version_added: "2.3.0" state: description: - Whether the file should exist or not. All parameters except O(path) are ignored when state is V(absent). choices: [absent, present] default: present type: str src: description: - PKCS#12 file path to parse. type: path backup: description: - Create a backup file including a timestamp so you can get the original output file back if you overwrote it with a new one by accident. type: bool default: false return_content: description: - If set to V(true), will return the (current or generated) PKCS#12's content as RV(pkcs12). type: bool default: false version_added: "1.0.0" select_crypto_backend: description: - Determines which crypto backend to use. - The default choice is V(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl). If O(iter_size) is used together with O(encryption_level) is not V(compatibility2022), or if O(maciter_size) is used, V(auto) will always result in C(pyopenssl) to be chosen for backwards compatibility. - If set to V(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library. - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. - B(Note) that the V(pyopenssl) backend is deprecated and will be removed from community.crypto 3.0.0. type: str default: auto choices: [auto, cryptography, pyopenssl] version_added: 1.7.0 seealso: - module: community.crypto.x509_certificate - module: community.crypto.openssl_csr - module: community.crypto.openssl_dhparam - module: community.crypto.openssl_privatekey - module: community.crypto.openssl_publickey a --- - name: Generate PKCS#12 file community.crypto.openssl_pkcs12: action: export path: /opt/certs/ansible.p12 friendly_name: raclette privatekey_path: /opt/certs/keys/key.pem certificate_path: /opt/certs/cert.pem other_certificates: /opt/certs/ca.pem # Note that if /opt/certs/ca.pem contains multiple certificates, # only the first one will be used. See the other_certificates_parse_all # option for changing this behavior. state: present - name: Generate PKCS#12 file community.crypto.openssl_pkcs12: action: export path: /opt/certs/ansible.p12 friendly_name: raclette privatekey_content: '{{ private_key_contents }}' certificate_path: /opt/certs/cert.pem other_certificates_parse_all: true other_certificates: - /opt/certs/ca_bundle.pem # Since we set other_certificates_parse_all to true, all # certificates in the CA bundle are included and not just # the first one. - /opt/certs/intermediate.pem # In case this file has multiple certificates in it, # all will be included as well. state: present - name: Change PKCS#12 file permission community.crypto.openssl_pkcs12: action: export path: /opt/certs/ansible.p12 friendly_name: raclette privatekey_path: /opt/certs/keys/key.pem certificate_path: /opt/certs/cert.pem other_certificates: /opt/certs/ca.pem state: present mode: '0600' - name: Regen PKCS#12 file community.crypto.openssl_pkcs12: action: export src: /opt/certs/ansible.p12 path: /opt/certs/ansible.p12 friendly_name: raclette privatekey_path: /opt/certs/keys/key.pem certificate_path: /opt/certs/cert.pem other_certificates: /opt/certs/ca.pem state: present mode: '0600' force: true - name: Dump/Parse PKCS#12 file community.crypto.openssl_pkcs12: action: parse src: /opt/certs/ansible.p12 path: /opt/certs/ansible.pem state: present - name: Remove PKCS#12 file community.crypto.openssl_pkcs12: path: /opt/certs/ansible.p12 state: absent a filename: description: Path to the generate PKCS#12 file. returned: changed or success type: str sample: /opt/certs/ansible.p12 privatekey: description: Path to the TLS/SSL private key the public key was generated from. returned: changed or success type: str sample: /etc/ssl/private/ansible.com.pem backup_file: description: Name of backup file created. returned: changed and if O(backup) is V(true) type: str sample: /path/to/ansible.com.pem.2019-03-09@11:22~ pkcs12: description: The (current or generated) PKCS#12's content Base64 encoded. returned: if O(state) is V(present) and O(return_content) is V(true) type: str version_added: "1.0.0" N) AnsibleModulemissing_required_lib)to_bytes to_native)OpenSSLBadPassphraseErrorOpenSSLObjectError) parse_pkcs12split_pem_list) OpenSSLObjectload_certificateload_privatekey)load_file_if_exists write_file) LooseVersionz3.0z0.15z23.3.0)crypto) load_pkcs12TF) serialization)serialize_key_and_certificates)hashes)PBESc t|d5}|jjd}dddtDcgc]}t d|j d|!c}S#1swY=xYwcc}w)zX Load list of concatenated PEM files, and return a list of parsed certificates. rbzutf-8Ncontentbackend)openreaddecoderrencode)filenamerfdatacerts s/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/crypto/plugins/modules/openssl_pkcs12.pyload_certificate_setr)osq h (vvxw'(#4(   t{{7';WM (( s A)$A5)A2c eZdZy) PkcsErrorN)__name__ __module__ __qualname__r(r+r+{sr0r+c(eZdZdfd Zej dZej dZej dZej dZ ej dZ ej dZ dfd Z d Z fd Zd Zd Zdd ZxZS)Pkcsc tt| |jd|jd|jd|j||_|jd|_|jd|_|jd|_|jd|_ |jd|_ |jd |_ |jd |_ |jd xs||_ |jd xsd |_|jd|_|jd|_d|_|jd|_|jd|_|jd|_d|_|jd|_|jd|_|jdd|jd<|jd|_d|_|j6 t5|jd5}|j7|_ dddn&|jt?|j|_ |j&6 t5|j&d5}|j7|_dddn&|j(t?|j(|_|jr|jrStA|j}g|_|D]1}|jjCtE||j 3y|jDcgc]}tG||j c}|_y|jr||j} |jr/tAtHjJjMd| D} | Dcgc]#}tGdt?||j %c}|_yy#1swYxYw#t8t:f$r}t=|d}~wwxYw#1swYxYw#t8t:f$r}t=|d}~wwxYwcc}wcc}w)Npathstateforceactionother_certificatesother_certificates_parse_allother_certificates_contentcertificate_pathcertificate_content friendly_name iter_size maciter_sizeencryption_level passphraseprivatekey_passphraseprivatekey_pathprivatekey_contentreturn_contentsrcmode0400backupr)rc32K|]}t|ywNr ).0rs r( z Pkcs.__init__..s24;w/2sr)'superr2__init__params check_moderr7r8r9r:r;r<r=r>r?rArBpkcs12rCrDrE pkcs12_bytesrFrGrJ backup_filer r!IOErrorOSErrorr+rlistextendr)r itertoolschain from_iterable) selfmoduleriter_size_defaultfhexc filenamesother_cert_bundle other_certcerts __class__s r(rPz Pkcs.__init__s dD" MM& ! MM' " MM' "      mmH- "(--0D"E,2MM *- )+1--8T*U' & .@ A#)==1F#G #]]?;{3H7H"MM.9>Q & .@ A -- 5 %+]]3J%K"%}}->?"(--0D"E $mm,<===' == ($*FMM& !mmH-   , %$//69"/1wwyD,9 % % 1'/0H0H'ID $    + %$..58.0ggiD+8 $ $ 0&.t/F/F&GD #  " "00 !8!89 *,')2%++22,-> M'+&=&=+"%ZF+' , ,33E00OO112?D2#( '!(:"6 'D #-;99W% %n$ %88W% %n$ %+'sl,O%OO%P*PP(P6&(P;O"O%%P4 O??PP PP3# P..P3cy)Generate PKCS#12 file archive.Nr/)r]r^s r(generate_byteszPkcs.generate_bytess r0cyrLr/)r]pkcs12_contents r( parse_byteszPkcs.parse_bytes r0cyrLr/r]rSs r(_dump_privatekeyzPkcs._dump_privatekeyrmr0cyrLr/ros r(_dump_certificatezPkcs._dump_certificatermr0cyrLr/ros r(_dump_other_certificateszPkcs._dump_other_certificatesrmr0cyrLr/ros r(_get_friendly_namezPkcs._get_friendly_namermr0c tt ||}fd}|s|Stjj jr|j ddk(rj|j_ j\}}}}|-j!jj} || k7r#yt|tjk7ry|-j!j!j} || k7r#yt|tjk7ry|?j"3j%j} t'|t'| k7r#yt|tj"k7ry|r=j)j} | || |k7ryt| t|k7ry|S|j ddk(rtjj jrtjj jrr j\} }}} t+dj-| |g|zDcgc]}| t/|c}}t1jd}||k7ry|Sy#t$rYywxYw#t$rYywxYwcc}w) z,Ensure the resource is in its desired state.cjr/ tdjjjyy#t$rYywxYw)NrrBrFT)rCrrErr r]sr(_check_pkey_passphrasez*Pkcs.check.._check_pkey_passphrasesN))!# $ 7 7#'#=#= $ *! !s-> A  A r7exportFparseT ignore_errors)rOr2checkosr4existsrQrirGr}r rErprSboolr<rrr8rtsetrvrjoinr r)r]r^perms_requiredstate_and_permsr{pkcs12_privatekeypkcs12_certificatepkcs12_other_certificatespkcs12_friendly_name expected_pkey expected_certexpected_other_certsr=pkeyr' other_certspemexpected_contentdumped_contentrfs` r(rz Pkcs.checks d1&.I " " 77>>$)) $x)@H)L    'yyDH  JJL %&-("-''3 $ 5 5dkk B $ 5 '(D1H1H,II".((4 $ 6 6t{{ C %6 ()T$2J2J-KK)5''3'+'D'DT[['Q$01S9M5NN /0D9P9P4QQ !% 7 7 D !-4H4T$(<<$-(D1E,FF 2&''/ MM( #w .txx(tyy) 9=6dK (%)$<+#=?"#  1$ON>1&''y&  Z&  s*J7K3K 7 KK KKcVd|ji}|jr|j|d<|jr|j|d<|jrX|jt |jd|_|jrt j|jnd|d<|S)z'Serialize the object into a dictionary.r$rDrUNTrrS)r4rDrUrFrTrbase64 b64encode)r]results r(dumpz Pkcs.dumpIs      (,(<(r?)r]r^ras r(rizPkcsPyOpenSSL.generate_bytessmmo  " " KK + +D,C,C D  # # KK ' ' $":":DLL     KK ( ($2D2D)E F  " " % **# $ 7 7#'#=#= $ {{!!$//4>>4CTCTUU- %n$ %sAE E3# E..E3c@ tj||j}|j}|$tjtj |}|j }|$tjtj |}g}|j?|jDcgc]&}tjtj |(}}|j}||||fScc}w#tj$r}t|d}~wwxYwrL) rrrBget_privatekeydump_privatekey FILETYPE_PEMget_certificatedump_certificateget_ca_certificatesget_friendlynameErrorr+) r]rkp12rcrtrrdr=ras r(rlzPkcsPyOpenSSL.parse_bytess !$$^T__EC%%'D--f.A.A4H%%'C--f.A.A3GK&&(4'*&=&=&?"++F,?,?L   002M#{M: :|| !C.  !s*B0C:2+C5C:5C::D DDcr|j}|r$tjtj|SdSrL)rrrr)r]rSpks r(rpzPkcsPyOpenSSL._dump_privatekeys0  " " $BDv%%f&9&92>N$Nr0cr|j}|r$tjtj|SdSrL)rrrr)r]rSr's r(rrzPkcsPyOpenSSL._dump_certificates0%%'EIv&&v':':DAStSr0c|jgS|jDcgc]&}tjtj|(c}Scc}wrL)rrrrr]rSrds r(rtz&PkcsPyOpenSSL._dump_other_certificatessT  % % ' /I%88:   # #F$7$7 D   s+Ac"|jSrL)rros r(rvz PkcsPyOpenSSL._get_friendly_names&&((r0 r,r-r.rPrirlrprrrtrvrrs@r(rrws*V@!,OT )r0rcBeZdZfdZdZdZdZdZdZdZ xZ S)PkcsCryptographyctt| |dd|jdk(rts|j dt yyy)N cryptographyiP)r_compatibility2022zThe installed cryptography version does not support encryption_level = compatibility2022. You need cryptography >= 38.0.0 and support for SHA1r exception)rOrrPrA"CRYPTOGRAPHY_HAS_COMPATIBILITY2022r"CRYPTOGRAPHY_COMPATIBILITY2022_ERRrs r(rPzPkcsCryptography.__init__sY . Ne /   ! !%8 86   H<  7 9r0cd}|jr. td|j|j|j}d}|j r"td|j |j}|jt|jnd}|||j|f|_ |jstj}n|jdk(rtj j"j%j'|j(j+t,j.j1t3j4j7t|j}n(tj8t|j}t;||||j|S#t$r}t |d}~wwxYw)rhNryrr)rErrCrr r+r<rr=rr8rSrBr NoEncryptionrA PrivateFormatrencryption_builder kdf_roundsr>key_cert_algorithmrPBESv1SHA1And3KeyTripleDESCBC hmac_hashrSHA1buildBestAvailableEncryptionr)r]r^rrar'r= encryptions r(rizPkcsCryptography.generate_bytess  " " %& 33#99 LL   # ##d66 D -1,>,>,JHT'' (PT  T4#:#:MJ &335J  " "&9 9++22EEGDNN+##D$F$FG6;;=)x01 '>>)J.     # #    ?- %n$ %s-F88 G G  Gc  t||j\}}}}d}|V|jtjj tj jtj}d}|)|jtjj }g}|6|D cgc]+} | jtjj -}} ||||fScc} w#t$r} t| d} ~ wwxYw)Nencodingformatencryption_algorithm) r rB private_bytesrEncodingPEMrTraditionalOpenSSLr public_bytes ValueErrorr+) r]rk private_key certificateadditional_certificatesr=rrrrdras r(rlzPkcsCryptography.parse_bytes s  !^T__= MK&=}D&"00*3377(66II)6)C)C)E1 C&!..}/E/E/I/IJK&2'>"++M,B,B,F,FG  #{M: :   !C.  !s*B*C),0C$C)$C)) D2 C==Dc|drY|djtjjtjj tj SdS)Nrr)rrrrrrrros r(rpz!PkcsCryptography._dump_privatekey+s]ay 1I # #&//33$22EE%2%?%?%A $   r0ch|dr,|djtjjSdS)Nr@rrrrros r(rrz"PkcsCryptography._dump_certificate6s/EKAYvay%%m&<&<&@&@AXTXXr0c|dDcgc]+}|jtjj-c}Scc}w)Nrrs r(rtz)PkcsCryptography._dump_other_certificates9s?%Qi   # #M$:$:$>$> ?   s0;c |dS)Nr/ros r(rvz#PkcsCryptography._get_friendly_name?s ayr0rrs@r(rrs) 0 d!B  Y r0rc*|dk(rtxrtttk\}txr.t tt k\xrt ttk}|jd|jddk7s|jdd}n |rd}n|rd}|dk(r/|jdjtt t |dk(rats:td jt t}|j|t |jd d d|t|fS|dk(rFts3|jtdjtt |t!|fSt#dj|)Nrr>rArr?rrzeCannot detect any of the required Python libraries cryptography (>= {0}) or PyOpenSSL (>= {1}, < {2})rzpyOpenSSL >= {0}, < {1}rzKThe module is using the PyOpenSSL backend. This backend has been deprecatedz3.0.0zcommunity.crypto)versioncollection_namezcryptography >= {0}z"Unsupported value for backend: {0})CRYPTOGRAPHY_FOUNDCRYPTOGRAPHY_VERSIONrMINIMAL_CRYPTOGRAPHY_VERSIONPYOPENSSL_FOUNDPYOPENSSL_VERSIONMINIMAL_PYOPENSSL_VERSIONMAXIMAL_PYOPENSSL_VERSIONrQrrrPYOPENSSL_IMP_ERR deprecaterCRYPTOGRAPHY_IMP_ERRrr)r^rcan_use_cryptographycan_use_pyopensslrs r(select_backendrCs&  S$ 5Q(RR   L!\2K%LL L!L1J$KK  MM+ & 2 015HH ]]> * 6!G !$G !G f    I&0--  +&)00-/HC   0A  B Y.   f--- N "!   ()001MN/   (000=DDWMNNr0c  td:idtddddgdtddd g d td d dtdddtddtddtd d dtddgdtdddgddtddtddtdd !dtdd "d#tdd !d$tdd%tdd !d&tdd'd(d'gd)tdd*td d d+td d d,tddgd-}ddd)ggg}d$d%gddgddgg}td |||d .}t||jd,\}}tj j |jdxsd/}tj j|s|j|d0|z1 d }|jd&d'k(rx|jrH|j}|jdxs|j| |d2<|jd:i||j|d 3r|jdr|jddk(rH|jds|jd45|j|} |j|| d6d }na|j\} } } } d7j!| | g| zDcgc]}| t#|c}}|j|t%|d }|j'|j}|j)|drd }n|j+||rd }n|jrQ|j}tj j-|jd|d2<|jd:i|tj j-|jdr|j/|d }|j}||d2<tj j-|jdrGd8t1j2t j0|jdj4z}||d9<|jd:i|ycc}w#t6$r%}|jt#|5Yd}~yd}~wwxYw);Nr7strr|r})typedefaultchoicesr8rXr4ca_certificates)relementsaliasesr9rF)rrr:)rrr;)rr<r6r=name)rr rArr)rrrr>intr?rBT)rno_log)rrequiredrCrDrEr5presentabsentrGrJrFselect_crypto_backend)rrr)add_file_common_args argument_spec required_ifmutually_exclusivesupports_check_mode.z@The directory '%s' does not exist or the path is not a directory)r rchanged)rzFriendly_name is requiredrir~z%04orHr/)dictrrrQrr4dirnameisdirrrRrr exit_jsonrirr}rr rload_file_common_argumentscheck_file_absent_if_check_modeset_fs_attributes_if_differentrrstatS_IMODEst_moder )rrrr^rrSbase_dirrrrkrr'rr=r dump_content file_args file_moderas r(mainr&s8W:MN&3D2E  &*vu%E  $(Ve#D 6*!e,.x8)< =v E"u% U40!"v -#$#d;%&&)'( U48)*y8Y:OP+, f -.//0712#0U 3M> 7UG$K 01 23 ;< !#- F%VV]];R-STOGVwwv}}V45<H 77== "R  3- == !Y .  $*MM'$:$V&,,vBV>Vy!   *6*<<u<=wAW==*h6!==9((-H(I%+%:%:6%BNLL?"G=C\\^:D$ ]#%77)-d|k'A #"&cN$LLL,)?@"G99&--HI55i6GH66y'J  $&GGNN6==3H$Iy!   *6*ww~~fmmF34 f%#y 77>>&--/ 0bggfmmF6K.L.T.T!UUI&F6N"6"=> -Ys^,,-s,DR&+R!?F!R&!R&& S/SS__main__)P __future__rrrr __metaclass__ DOCUMENTATIONEXAMPLESRETURNrrrZrr tracebackansible.module_utils.basicrr+ansible.module_utils.common.text.convertersrr Fansible_collections.community.crypto.plugins.module_utils.crypto.basicr r Uansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_supportr Dansible_collections.community.crypto.plugins.module_utils.crypto.pemrHansible_collections.community.crypto.plugins.module_utils.crypto.supportrrrr@sA@ o bD L .  JK  %"$ %W%8%89 O <( (@(@A %)" .5H&&99;NN **i   *.&  " u(=u(pO)DO)dwtwt>OBn-b zFW ^$, ,,.O/9//1/)=)=)=)?&).&/s70"E*"F >A'F(*FF F%$F%(GG