path: root/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
blob: 19ab61988e916f12f5570db856f0aae29394c321 (plain)
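---
# Validation tasks for the `ownca` provider of openssl_certificate.
#
# This task list is included by the integration test after the certificates have
# been generated; it only inspects the produced files and the results registered
# by the earlier tasks. Everything it reads is expected to be defined by the
# caller (not visible in this file):
#   - variables: output_dir, select_crypto_backend, cryptography_version
#   - registered results: privatekey_modulus, privatekey2_modulus,
#     privatekey_ecc_pubkey, ownca_certificate, ownca_certificate_idempotence,
#     ownca_v2_certificate, passphrase_error_1..3, ownca_broken, ownca_backup_1..5,
#     ownca_subject_key_identifier_1..5, ownca_authority_key_identifier_1..5,
#     ownca_certificate_ed25519_ed448*, ownca_certificate_ed25519_ed448_privatekey
#
# Wherever output_dir is interpolated into a `shell` command line it is passed
# through the `quote` filter, so a directory containing whitespace or shell
# metacharacters cannot break or alter the command. For ordinary paths the
# rendered command is unchanged.

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - verify CA)
  # `openssl verify` prints "<path>: OK" on success; sed keeps only the verdict.
  shell: 'openssl verify -CAfile {{ output_dir | quote }}/ca_cert.pem {{ output_dir | quote }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
  register: ownca_verify_ca

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
  # Compared below against the modulus of the private key the certificate was issued for.
  shell: 'openssl x509 -noout -modulus -in {{ output_dir | quote }}/ownca_cert.pem'
  register: ownca_cert_modulus

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
  # Extracts the text after "Issuer: " from the human-readable certificate dump.
  shell: 'openssl x509 -noout  -in {{ output_dir | quote }}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
  register: ownca_cert_issuer

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate version == default == 3)
  # The "Version: 3 (0x2)" line is reduced to the decimal version number.
  shell: 'openssl x509 -noout  -in {{ output_dir | quote }}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
  register: ownca_cert_version

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (assert)
  assert:
    that:
      - ownca_verify_ca.stdout == 'OK'
      - ownca_cert_modulus.stdout == privatekey_modulus.stdout
      - ownca_cert_version.stdout == '3'
      # openssl 1.1.x adds a space between the output
      - ownca_cert_issuer.stdout in ['CN=Example CA', 'CN = Example CA']

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate idempotence
  # A second run with identical parameters must not have re-issued the certificate.
  assert:
    that:
      - ownca_certificate.serial_number == ownca_certificate_idempotence.serial_number
      - ownca_certificate.notBefore == ownca_certificate_idempotence.notBefore
      - ownca_certificate.notAfter == ownca_certificate_idempotence.notAfter

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca data return
  # The returned `certificate` value must be the exact on-disk PEM (trailing newline included).
  assert:
    that:
      - ownca_certificate.certificate == lookup('file', output_dir ~ '/ownca_cert.pem', rstrip=False)
      - ownca_certificate.certificate == ownca_certificate_idempotence.certificate

# v2 certificates: only the non-cryptography backends can issue them.
- block:
  - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
    shell: 'openssl x509 -noout  -in {{ output_dir | quote }}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
    register: ownca_cert_v2_version

  - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert)
    assert:
      that:
        - ownca_cert_v2_version.stdout == '2'
  when: "select_crypto_backend != 'cryptography'"

# The cryptography backend must reject the v2 request with a clear message instead.
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
  assert:
    that:
      - ownca_v2_certificate is failed
      - "'The cryptography backend does not support v2 certificates' in ownca_v2_certificate.msg"
  when: "select_crypto_backend == 'cryptography'"


- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
  shell: 'openssl x509 -noout -modulus -in {{ output_dir | quote }}/ownca_cert2.pem'
  register: ownca_cert2_modulus

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
  assert:
    that:
      - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notBefore)
  # Strips the "Not Before: " prefix and the trailing timezone token from the dump.
  shell: 'openssl x509 -noout -in {{ output_dir | quote }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
  register: ownca_cert3_notBefore

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notAfter)
  shell: 'openssl x509 -noout -in {{ output_dir | quote }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
  register: ownca_cert3_notAfter

# The expected timestamps below presumably mirror the fixed validity period the
# caller requested for certificate3 — keep them in sync with that task.
- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notBefore)
  assert:
    that:
      - ownca_cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notAfter)
  assert:
    that:
      - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
  # EC keys have no modulus; the PEM public key is compared instead.
  shell: 'openssl x509 -noout -pubkey -in {{ output_dir | quote }}/ownca_cert_ecc.pem'
  register: ownca_cert_ecc_pubkey

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)
  shell: 'openssl x509 -noout  -in {{ output_dir | quote }}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
  register: ownca_cert_ecc_issuer

- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (assert)
  assert:
    that:
      - ownca_cert_ecc_pubkey.stdout == privatekey_ecc_pubkey.stdout
      # openssl 1.1.x adds a space between the output
      - ownca_cert_ecc_issuer.stdout in ['CN=Example CA', 'CN = Example CA']

- name: (OwnCA validation, {{select_crypto_backend}}) Verify passphrase error handling
  # A wrong or missing CA key passphrase must fail with a message that names the
  # problem; the substrings are case-insensitive fragments of "passphrase",
  # "password" and "serialization" so that differing backend wording is accepted.
  assert:
    that:
      - passphrase_error_1 is failed
      - "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
      - passphrase_error_2 is failed
      - "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
      - passphrase_error_3 is failed
      - "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"

- name: (OwnCA validation, {{select_crypto_backend}}) Verify that broken certificate will be regenerated
  assert:
    that:
      - ownca_broken is changed

- name: (OwnCA validation, {{select_crypto_backend}}) Check backup
  # backup_file is only reported when a run actually changed an existing file.
  assert:
    that:
      - ownca_backup_1 is changed
      - ownca_backup_1.backup_file is undefined
      - ownca_backup_2 is not changed
      - ownca_backup_2.backup_file is undefined
      - ownca_backup_3 is changed
      - ownca_backup_3.backup_file is string
      - ownca_backup_4 is changed
      - ownca_backup_4.backup_file is string
      - ownca_backup_5 is changed
      - ownca_backup_5.backup_file is undefined

- name: (OwnCA validation, {{select_crypto_backend}}) Check create subject key identifier
  assert:
    that:
      - ownca_subject_key_identifier_1 is changed
      - ownca_subject_key_identifier_2 is not changed
      - ownca_subject_key_identifier_3 is changed
      - ownca_subject_key_identifier_4 is not changed
      - ownca_subject_key_identifier_5 is changed
  when: select_crypto_backend != 'pyopenssl'

- name: (OwnCA validation, {{select_crypto_backend}}) Check create authority key identifier
  assert:
    that:
      - ownca_authority_key_identifier_1 is changed
      - ownca_authority_key_identifier_2 is not changed
      - ownca_authority_key_identifier_3 is changed
      - ownca_authority_key_identifier_4 is not changed
      - ownca_authority_key_identifier_5 is changed
  when: select_crypto_backend != 'pyopenssl'

# Ed25519/Ed448 support depends on the installed cryptography version: the
# expectations are split into the range that is expected to fail and the range
# that is expected to succeed.
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
  assert:
    that:
      - ownca_certificate_ed25519_ed448.results[0] is failed
      - ownca_certificate_ed25519_ed448.results[1] is failed
      - ownca_certificate_ed25519_ed448_idempotence.results[0] is failed
      - ownca_certificate_ed25519_ed448_idempotence.results[1] is failed
      - ownca_certificate_ed25519_ed448_2.results[0] is failed
      - ownca_certificate_ed25519_ed448_2.results[1] is failed
      - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed
      - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed
  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed

- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
  assert:
    that:
      - ownca_certificate_ed25519_ed448 is succeeded
      - ownca_certificate_ed25519_ed448.results[0] is changed
      - ownca_certificate_ed25519_ed448.results[1] is changed
      - ownca_certificate_ed25519_ed448_idempotence is succeeded
      - ownca_certificate_ed25519_ed448_idempotence.results[0] is not changed
      - ownca_certificate_ed25519_ed448_idempotence.results[1] is not changed
      - ownca_certificate_ed25519_ed448_2 is succeeded
      - ownca_certificate_ed25519_ed448_2.results[0] is changed
      - ownca_certificate_ed25519_ed448_2.results[1] is changed
      - ownca_certificate_ed25519_ed448_2_idempotence is succeeded
      - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed
      - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed
  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed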