openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489)

* Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
2025-10-04 23:44:00 -07:00 · 2019-03-08 17:21:18 +01:00 · 2019-03-08 17:21:18 +01:00 · caf7fd2245
commit caf7fd2245
parent 1d91e03119
20 changed files with 427 additions and 36 deletions
--- a/lib/ansible/modules/crypto/openssl_privatekey.py
+++ b/lib/ansible/modules/crypto/openssl_privatekey.py
@ -365,6 +365,8 @@ class PrivateKeyPyOpenSSL(PrivateKeyBase):
            return True
        except crypto.Error:
            return False
+        except crypto_utils.OpenSSLBadPassphraseError as exc:
+            return False

    def _check_size_and_type(self):
        def _check_size(privatekey):
@ -373,7 +375,10 @@ class PrivateKeyPyOpenSSL(PrivateKeyBase):
        def _check_type(privatekey):
            return self.type == privatekey.type()

-        privatekey = crypto_utils.load_privatekey(self.path, self.passphrase)
+        try:
+            privatekey = crypto_utils.load_privatekey(self.path, self.passphrase)
+        except crypto_utils.OpenSSLBadPassphraseError as exc:
+            raise PrivateKeyError(exc)

        return _check_size(privatekey) and _check_type(privatekey)

@ -513,10 +518,19 @@ class PrivateKeyCryptography(PrivateKeyBase):

    def _check_passphrase(self):
        try:
-            self._load_privatekey()
+            with open(self.path, 'rb') as f:
+                return cryptography.hazmat.primitives.serialization.load_pem_private_key(
+                    f.read(),
+                    None if self.passphrase is None else to_bytes(self.passphrase),
+                    backend=self.cryptography_backend
+                )
            return True
-        except crypto.Error:
-            return False
+        except TypeError as e:
+            if 'Password' in str(e) and 'encrypted' in str(e):
+                return False
+            raise PrivateKeyError(e)
+        except Exception as e:
+            raise PrivateKeyError(e)

    def _check_size_and_type(self):
        privatekey = self._load_privatekey()