CHANGELOG.rst

Community Crypto Release Notes

Topics

• v1.3.0
  • Release Summary
  • Minor Changes
  • Bugfixes
  • New Modules
• v1.2.0
  • Release Summary
  • Minor Changes
  • Security Fixes
  • Bugfixes
• v1.1.1
  • Release Summary
  • Bugfixes
• v1.1.0
  • Release Summary
  • Minor Changes
  • Bugfixes
  • New Modules
• v1.0.0
  • Release Summary
  • Minor Changes
  • Deprecated Features
  • Removed Features (previously deprecated)
  • Bugfixes
  • New Modules

v1.3.0

Release Summary

Contains new modules openssl_privatekey_pipe, openssl_csr_pipe and x509_certificate_pipe which allow to create or update private keys, CSRs and X.509 certificates without having to write them to disk.

Minor Changes

• openssh_cert - add module parameter use_agent to enable using signing keys stored in ssh-agent (ansible-collections#116).
• openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (ansible-collections#123).
• openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe (ansible-collections#119).
• openssl_privatekey - the elliptic curve secp192r1 now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see here (ansible-collections#132).
• x509_certificate - for the selfsigned provider, a CSR is not required anymore. If no CSR is provided, the module behaves as if a minimal CSR which only contains the public key has been provided (ansible-collections#32, ansible-collections#129).
• x509_certificate - refactor module to allow code re-use by x509_certificate_pipe (ansible-collections#135).

Bugfixes

• openssl_pkcs12 - report the correct state when action is parse (ansible-collections#143).
• support code - improve handling of certificate and certificate signing request (CSR) loading with the cryptography backend when errors occur (ansible-collections#138, ansible-collections#139).
• x509_certificate - fix entrust provider, which was broken since community.crypto 0.1.0 due to a feature added before the collection move (ansible-collections#135).

New Modules

• openssl_csr_pipe - Generate OpenSSL Certificate Signing Request (CSR)
• openssl_privatekey_pipe - Generate OpenSSL private keys without disk access
• x509_certificate_pipe - Generate and/or check OpenSSL certificates

v1.2.0

Release Summary

Please note that this release fixes a security issue (CVE-2020-25646).

Minor Changes

• acme_certificate - allow to pass CSR file as content with new option csr_content (ansible-collections#115).
• x509_certificate_info - add fingerprints return value which returns certificate fingerprints (ansible-collections#121).

Security Fixes

• openssl_csr - the option privatekey_content was not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).
• openssl_privatekey_info - the option content was not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).
• openssl_publickey - the option privatekey_content was not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).
• openssl_signature - the option privatekey_content was not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).
• x509_certificate - the options privatekey_content and ownca_privatekey_content were not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).
• x509_crl - the option privatekey_content was not marked as no_log, resulting in it being dumped into the system log by default, and returned in the registered results in the invocation field (CVE-2020-25646, ansible-collections#125).

Bugfixes

• openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private key and/or no main certificate (ansible-collections#103).

v1.1.1

Release Summary

Bugfixes for Ansible 2.10.0.

Bugfixes

• meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (ansible-collections#108).
• openssl_csr - improve handling of IDNA errors (ansible-collections#105).

v1.1.0

Release Summary

Release for Ansible 2.10.0.

Minor Changes

• acme_account - add external_account_binding option to allow creation of ACME accounts with External Account Binding (ansible-collections#89).
• acme_certificate - allow new selector test_certificates: first for select_chain parameter (ansible-collections#102).
• cryptography backends - support arbitrary dotted OIDs (ansible-collections#39).
• get_certificate - add support for SNI (ansible-collections#69).
• luks_device - add support for encryption options on container creation (ansible-collections#97).
• openssh_cert - add support for PKCS#11 tokens (ansible-collections#95).
• openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (ansible-collections#76).
• openssl_csr - add support for name constraints extension (ansible-collections#46).
• openssl_csr_info - add support for name constraints extension (ansible-collections#46).

Bugfixes

• acme_inspect - fix problem with Python 3.5 that JSON was not decoded (ansible-collections#86).
• get_certificate - fix ca_cert option handling when proxy_host is used (ansible-collections#84).
• openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (ansible-collections#92).

New Modules

• openssl_signature - Sign data with openssl
• openssl_signature_info - Verify signatures with openssl

v1.0.0

Release Summary

This is the first proper release of the community.crypto collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.

Minor Changes

• luks_device - accept passphrase, new_passphrase and remove_passphrase.
• luks_device - add keysize parameter to set key size at LUKS container creation
• luks_device - added support to use UUIDs, and labels with LUKS2 containers
• luks_device - added the type option that allows user explicit define the LUKS container format version
• openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with force=yes.
• openssh_keypair - the regenerate option allows to configure the module's behavior when it should or needs to regenerate private keys.
• openssl_* modules - the cryptography backend now properly supports dirName, otherName and RID (Registered ID) names.
• openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be neccessary.)
• openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
• openssl_certificate - allow to provide content of some input files via the csr_content, privatekey_content, ownca_privatekey_content and ownca_content options.
• openssl_certificate - allow to return the existing/generated certificate directly as certificate by setting return_content to yes.
• openssl_certificate_info - allow to provide certificate content via content option (ansible/ansible#64776).
• openssl_csr - Add support for specifying the SAN otherName value in the OpenSSL ASN.1 UTF8 string format, otherName:<OID>;UTF8:string value.
• openssl_csr - allow to provide private key content via private_key_content option.
• openssl_csr - allow to return the existing/generated CSR directly as csr by setting return_content to yes.
• openssl_csr_info - allow to provide CSR content via content option.
• openssl_dhparam - allow to return the existing/generated DH params directly as dhparams by setting return_content to yes.
• openssl_dhparam - now supports a cryptography-based backend. Auto-detection can be overwritten with the select_crypto_backend option.
• openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as pkcs12 by setting return_content to yes.
• openssl_privatekey - add format and format_mismatch options.
• openssl_privatekey - allow to return the existing/generated private key directly as privatekey by setting return_content to yes.
• openssl_privatekey - the regenerate option allows to configure the module's behavior when it should or needs to regenerate private keys.
• openssl_privatekey_info - allow to provide private key content via content option.
• openssl_publickey - allow to provide private key content via private_key_content option.
• openssl_publickey - allow to return the existing/generated public key directly as publickey by setting return_content to yes.

Deprecated Features

• openssl_csr - all values for the version option except 1 are deprecated. The value 1 denotes the current only standardized CSR version.

Removed Features (previously deprecated)

• The letsencrypt module has been removed. Use acme_certificate instead.

Bugfixes

• ACME modules: fix bug in ACME v1 account update code
• ACME modules: make sure some connection errors are handled properly
• ACME modules: support Buypass' ACME v1 endpoint
• acme_certificate - fix crash when module is used with Python 2.x.
• acme_certificate - fix misbehavior when ACME v1 is used with modify_account set to false.
• ecs_certificate - Always specify header connection: keep-alive for ECS API connections.
• ecs_certificate - Fix formatting of contents of full_chain_path.
• get_certificate - Fix cryptography backend when pyopenssl is unavailable (ansible/ansible#67900)
• openssh_keypair - add logic to avoid breaking password protected keys.
• openssh_keypair - fixes idempotence issue with public key (ansible/ansible#64969).
• openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
• openssl_* modules - prevent crash on fingerprint determination in FIPS mode (ansible/ansible#67213).
• openssl_certificate - When provider is entrust, use a connection: keep-alive header for ECS API connections.
• openssl_certificate - provider option was documented as required, but it was not checked whether it was provided. It is now only required when state is present.
• openssl_certificate - fix assertonly provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors.
• openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for cryptography backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (ansible/ansible#59039, PR ansible/ansible#63984)
• openssl_csr - a warning is issued if an unsupported value for version is used for the cryptography backend.
• openssl_csr - the module will now enforce that privatekey_path is specified when state=present.
• openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (ansible/ansible#67035).

New Modules

• ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
• x509_crl - Generate Certificate Revocation Lists (CRLs)
• x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)