

fix(private-key): Fixes an issue with csr origin service and private …
…key types

Fixes an issue whereby setting csr_origin to SERVICE ignored the requested private key type and size/curve, so every service-generated CSR fell back to the service default key type, RSA 2048.
rvelaVenafi committed Nov 9, 2023
1 parent fd17f64 commit 86a3f1f
Showing 2 changed files with 28 additions and 12 deletions.
7 changes: 7 additions & 0 deletions Makefile
Expand Up @@ -83,3 +83,10 @@ ansible-molecule:

unit-test:
PYTHONPATH=./:$PYTHONPATH pytest ./tests/certificate/test_venafi_certificate.py

install:
ansible-galaxy collection build --force
ansible-galaxy collection install venafi-machine_identity-1.0.1.tar.gz --force

uninstall:
rm -rf ~/.ansible/collections/ansible_collections/venafi
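Review bot: The `install` target hard-codes the artifact name `venafi-machine_identity-1.0.1.tar.gz`, so the recipe will stop working the moment the collection version in galaxy.yml is bumped, even though the preceding `collection build --force` keeps producing a tarball under the new name. A glob or a variable read from galaxy.yml keeps the two lines in step, e.g. `ansible-galaxy collection install venafi-machine_identity-*.tar.gz --force`. The `uninstall` target removes the whole `~/.ansible/collections/ansible_collections/venafi` namespace directory rather than just this collection; that is presumably the only collection under that namespace on a dev box, but a comment saying so would save the next reader a question. Whether the recipe lines are tab-indented cannot be told from the rendered page.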
33 changes: 21 additions & 12 deletions plugins/modules/venafi_certificate.py
Expand Up @@ -450,6 +450,8 @@ def enroll(self):
self.module.fail_json(msg="Missing parameter for Service Generated CSR: %s" % F_PK_PASSPHRASE)
request.include_private_key = True
self.serialize_private_key = True
if self.privatekey_type is not None:
request.key_type = self._get_key_type()

elif self.csr_origin == CSR_ORIGIN_PROVIDED:
if not self.csr_path:
Expand All @@ -465,17 +467,7 @@ def enroll(self):
private_key = to_text(open(self.privatekey_filename, "rb").read())
request.private_key = private_key
elif self.privatekey_type:
key_type = {"RSA": "rsa", "ECDSA": "ec", "EC": "ec"}.get(self.privatekey_type)
if not key_type:
self.module.fail_json(msg=("Failed to determine key type: %s. Must be RSA or ECDSA"
% self.privatekey_type))
if key_type == "rsa":
request.key_type = KeyType(KeyType.RSA, self.privatekey_size)
elif key_type == "ecdsa" or key_type == "ec":
request.key_type = KeyType(KeyType.ECDSA, self.privatekey_curve)
else:
self.module.fail_json(msg=("Failed to determine key type: %s. Must be RSA or ECDSA"
% self.privatekey_type))
request.key_type = self._get_key_type()
self.serialize_private_key = True
else:
self.module.fail_json(msg="Failed to determine %s: %s" % (F_CSR_ORIGIN, self.csr_origin))
Expand Down Expand Up @@ -506,6 +498,23 @@ def enroll(self):
if self.serialize_private_key and cert.key is not None:
self._atomic_write(self.privatekey_filename, cert.key)

def _get_key_type(self):
"""
:rtype: KeyType
"""
key_type = {"RSA": "rsa", "ECDSA": "ec", "EC": "ec"}.get(self.privatekey_type)
if not key_type:
self.module.fail_json(msg=("Failed to determine key type: %s. Must be RSA or ECDSA"
% self.privatekey_type))
if key_type == "rsa":
return KeyType(KeyType.RSA, self.privatekey_size)
elif key_type == "ecdsa" or key_type == "ec":
return KeyType(KeyType.ECDSA, self.privatekey_curve)
else:
self.module.fail_json(msg=("Failed to determine key type: %s. Must be RSA or ECDSA"
% self.privatekey_type))

def _get_pkcs12_cert_path(self):
"""
Expand Down Expand Up @@ -783,7 +792,7 @@ def main():
module.exit_json(**change_dump)

if not vcert.check_dirs_existed():
module.fail_json(msg="Dirs not existed")
module.fail_json(msg="directories do not exist")
if change_dump['changed']:
# TODO: Cover it by tests
"""
Expand Down
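Review bot: In the new `_get_key_type` helper the trailing `else` with its second `fail_json` call, and the `key_type == "ecdsa"` comparison beside it, are unreachable: the lookup table only ever yields `"rsa"` or `"ec"`, and any other `privatekey_type` (including lowercase `"rsa"`, since the match is case-sensitive) has already been rejected by the `if not key_type` guard, so the body can shrink to `if key_type == "rsa": return KeyType(KeyType.RSA, self.privatekey_size)` followed by `return KeyType(KeyType.ECDSA, self.privatekey_curve)`. The helper also leans on `fail_json` never returning; where it does (a stubbed module in unit tests), the function falls through to `None` and the `request.key_type = self._get_key_type()` assignment in both `enroll` branches would silently hand key selection back to the service — whose default, per the commit description, is RSA 2048 — so the docstring should state that the method fails the module rather than returning on an unknown type. Neither `privatekey_size` nor `privatekey_curve` is checked here before being passed to `KeyType`; whether `KeyType` rejects `None` or an undersized RSA key cannot be seen from this hunk. The enclosing class and `enroll` both start outside the hunk.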
