ACME: use Cryptography (if a new enough version is available) instead of OpenSSL (#42170)

* Collecting PEM -> DER conversions.

* Using cryptography instead of OpenSSL binary in some situations.

* Moving key-to-disk writing for key content to parse_account_key.

* Rename parse_account_key -> parse_key.

* Move OpenSSL specific code for key parsing and request signing into global functions.

* Also using cryptography for key parsing and request signing.

* Remove assert statements.

* Fixing handling of key contents for cryptography code path.

* Allow disabling the use of cryptography.

* Updating documentation.

* 1.5 seems to work as well (earlier versions don't have EC sign function). Making Python 2.x adjustments.

* Changing option to select_crypto_backend.

* Python 2.6 compatibility.

* Trying to test both backends separately for acme_account.

* Also testing both backends separately for acme_certificate and acme_certificate_revoke.

* Adding changelog entry which informs about the select_crypto_backend option in case autodetect fails.

* Fixing YAML.
Felix Fontein 2018-08-12 19:12:01 +02:00 committed by René Moser
commit aef16ee195
13 changed files with 1031 additions and 671 deletions


@ -8,9 +8,18 @@ class ModuleDocFragment(object):
# Standard files documentation fragment
DOCUMENTATION = """
description:
- "Note that if a new enough version of the C(cryptography) library
is available (see Requirements for details), it will be used
instead of the C(openssl) binary. This can be explicitly disabled
or enabled with the C(select_crypto_backend) option. Note that using
the C(openssl) binary will be slower and less secure, as private key
contents always have to be stored on disk (see
C(account_key_content))."
requirements:
- "python >= 2.6"
- openssl
- "either openssl, ..."
- "... or L(cryptography,https://cryptography.io/) >= 1.5"
options:
account_key_src:
description:
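Review bot: the requirements list now splits one requirement across two entries ("either openssl, ..." and "... or L(cryptography,https://cryptography.io/) >= 1.5"), which the doc generator renders as two unrelated bullets; a single entry such as `- "either openssl or L(cryptography,https://cryptography.io/) >= 1.5"` reads correctly. The new description paragraph could also give the minimum version (cryptography >= 1.5) inline instead of only "see Requirements for details", so the reader does not have to cross-reference to learn why autodetection picked the openssl binary.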
@ -32,6 +41,10 @@ options:
important private key it can be used to change the account key,
or to revoke your certificates without knowing their private keys
, this might not be acceptable."
- "In case C(cryptography) is used, the content is not written into a
temporary file. It can still happen that it is written to disk by
Ansible in the process of moving the module with its argument to
the node where it is executed."
version_added: "2.5"
acme_version:
description:
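Review bot: the added caveat in account_key_content is the right thing to document but is vague about where the key can end up; "written to disk by Ansible in the process of moving the module with its argument to the node" should say plainly that the key content is part of the module arguments copied to the target host and may therefore land in the remote temporary directory even with the cryptography backend. It would help to point readers who find that unacceptable to the account_key_src option above as the alternative that keeps the key out of the module arguments.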
@ -64,5 +77,20 @@ options:
for example when testing against a local Pebble server."
type: bool
default: 'yes'
version_added: 2.5
version_added: "2.5"
select_crypto_backend:
description:
- "Determines which crypto backend to use. The default choice is C(auto),
which tries to use C(cryptography) if available, and falls back to
C(openssl)."
- "If set to C(openssl), will try to use the C(openssl) binary."
- "If set to C(cryptography), will try to use the
L(cryptography,https://cryptography.io/) library."
type: str
default: 'auto'
choices:
- auto
- cryptography
- openssl
version_added: "2.7"
"""