Try SpotterProvide information for OpenSSL private keys
Authors: Felix Fontein (@felixfontein), Yanis Guenane (@Spredzy)
Install with ansible-galaxy collection install community.crypto:==2.18.0
collections:
- name: community.crypto
version: 2.18.0This module allows one to query information on OpenSSL private keys.
In case the key consistency checks fail, the module will fail as this indicates a faked private key. In this case, all return variables are still returned. Note that key consistency checks are not available all key types; if none is available, V(none) is returned for RV(key_is_consistent).
It uses the cryptography python library to interact with OpenSSL.
- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
community.crypto.openssl_privatekey:
path: /etc/ssl/private/ansible.com.pem
- name: Get information on generated key
community.crypto.openssl_privatekey_info:
path: /etc/ssl/private/ansible.com.pem
register: result
- name: Dump information
ansible.builtin.debug:
var: result
path:
description:
- Remote absolute path where the private key file is loaded from.
type: path
content:
description:
- Content of the private key file.
- Either O(path) or O(content) must be specified, but not both.
type: str
version_added: 1.0.0
version_added_collection: community.crypto
passphrase:
description:
- The passphrase for the private key.
type: str
check_consistency:
default: false
description:
- Whether to check consistency of the private key.
- In community.crypto < 2.0.0, consistency was always checked.
- Since community.crypto 2.0.0, the consistency check has been disabled by default
to avoid private key material to be transported around and computed with, and only
do so when requested explicitly. This can potentially prevent L(side-channel attacks,https://en.wikipedia.org/wiki/Side-channel_attack).
- Note that consistency checks only work for certain key types, and might depend on
the version of the cryptography library. For example, with cryptography 42.0.0 and
newer consistency of RSA keys can no longer be checked.
type: bool
version_added: 2.0.0
version_added_collection: community.crypto
select_crypto_backend:
choices:
- auto
- cryptography
default: auto
description:
- Determines which crypto backend to use.
- The default choice is V(auto), which tries to use C(cryptography) if available.
- If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/)
library.
type: str
return_private_key_data:
default: false
description:
- Whether to return private key data.
- Only set this to V(true) when you want private information about this key to leave
the remote machine.
- B(WARNING:) you have to make sure that private key data is not accidentally logged!
type: bool
can_load_key:
description: Whether the module was able to load the private key from disk.
returned: always
type: bool
can_parse_key:
description: Whether the module was able to parse the private key.
returned: always
type: bool
key_is_consistent:
description:
- Whether the key is consistent. Can also return V(none) next to V(true) and V(false),
to indicate that consistency could not be checked.
- In case the check returns V(false), the module will fail.
returned: when O(check_consistency=true)
type: bool
private_data:
description:
- Private key data. Depends on key type.
returned: success and when O(return_private_key_data) is set to V(true)
type: dict
public_data:
contains:
curve:
description:
- The curve's name for ECC.
returned: When RV(type=ECC)
type: str
exponent:
description:
- The RSA key's public exponent.
returned: When RV(type=RSA)
type: int
exponent_size:
description:
- The maximum number of bits of a private key. This is basically the bit size
of the subgroup used.
returned: When RV(type=ECC)
type: int
g:
description:
- The C(g) value for DSA.
- This is the element spanning the subgroup of the multiplicative group of the
prime field used.
returned: When RV(type=DSA)
type: int
modulus:
description:
- The RSA key's modulus.
returned: When RV(type=RSA)
type: int
p:
description:
- The C(p) value for DSA.
- This is the prime modulus upon which arithmetic takes place.
returned: When RV(type=DSA)
type: int
q:
description:
- The C(q) value for DSA.
- This is a prime that divides C(p - 1), and at the same time the order of the
subgroup of the multiplicative group of the prime field used.
returned: When RV(type=DSA)
type: int
size:
description:
- Bit size of modulus (RSA) or prime number (DSA).
returned: When RV(type=RSA) or RV(type=DSA)
type: int
x:
description:
- The C(x) coordinate for the public point on the elliptic curve.
returned: When RV(type=ECC)
type: int
y:
description:
- For RV(type=ECC), this is the C(y) coordinate for the public point on the
elliptic curve.
- For RV(type=DSA), this is the publicly known group element whose discrete
logarithm w.r.t. C(g) is the private key.
returned: When RV(type=DSA) or RV(type=ECC)
type: int
description:
- Public key data. Depends on key type.
returned: success
type: dict
public_key:
description: Private key's public key in PEM format.
returned: success
sample: '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...'
type: str
public_key_fingerprints:
description:
- Fingerprints of private key's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
sample: '{''sha256'': ''d4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63'',
''sha512'': ''f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...'
type: dict
type:
description:
- The key's type.
- One of V(RSA), V(DSA), V(ECC), V(Ed25519), V(X25519), V(Ed448), or V(X448).
- Will start with V(unknown) if the key type cannot be determined.
returned: success
sample: RSA
type: str