Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ECC key creation support #95

Merged
merged 15 commits into from
Jul 22, 2024
Merged

Add ECC key creation support #95

merged 15 commits into from
Jul 22, 2024

Conversation

avalor1
Copy link
Collaborator

@avalor1 avalor1 commented May 31, 2023

Defaults for key size and curve are oriented on recomendations from https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_privatekey_module.html#parameter-curve
and https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8.

If a type is used which does not use curves the openssl modul seems to ignore the value thus does not affect the creation of other key types. I tested it with RSA.

@avalor1 avalor1 linked an issue May 31, 2023 that may be closed by this pull request
[Enhancement] Support creating ECC Keys #87
Closed
Andreas Hering added 3 commits May 31, 2023 15:43
Linting: var-naming[no-role-prefix]
fa79c8d 
- Prefix variable names with role_name

- Make registered variables naming more clear with the result suffix
Adjust challenge variable naming for every challenge provider
3978364
Add key curve variable to documentation
813c79a
@avalor1 avalor1 marked this pull request as ready for review May 31, 2023 14:00
@rndmh3ro
Copy link
Collaborator

rndmh3ro commented Jun 2, 2023

LGTM!

However this would be a breaking change, right? Existing keys will be recreated..

As per docs from community.crypto.openssl_privatekey:

By default, the key will be regenerated when it does not match the module's options, except when the key cannot be read or the passphrase does not match.

@schurzi schurzi changed the title Add Ecc creation support Add ECC creation support Jun 2, 2023
schurzi
schurzi reviewed Jun 2, 2023
View reviewed changes
Copy link
Collaborator

@schurzi schurzi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from reviewing the code of community.crypto I think that the parameters for size and curve are mutually exclusive. Not in a way that generates an error, but when we use ECC keys, we only need to specify the curve, and when wie use RSA we need to specify the keysize. Specifying both is not expected and not needed.

see: https://github.com/ansible-collections/community.crypto/blob/0d30a3793ad03fd4a920c2236cceb679a756372d/plugins/module_utils/crypto/module_backends/privatekey.py#L322-L350

@schurzi schurzi changed the title Add ECC creation support Add ECC key creation support Jun 2, 2023
rndmh3ro
rndmh3ro reviewed Jun 15, 2023
View reviewed changes
docs/role-acme.md Outdated Show resolved Hide resolved
docs/role-acme.md Outdated Show resolved Hide resolved
@rndmh3ro rndmh3ro added major breaking Breaking change: old configurations will not work anymore labels Jun 15, 2023
schurzi
schurzi reviewed Jun 15, 2023
View reviewed changes
roles/acme/defaults/main.yml Outdated Show resolved Hide resolved
roles/acme/defaults/main.yml Outdated Show resolved Hide resolved
@avalor1 @rndmh3ro @schurzi
Apply suggestions from code review
59c377e 
Set 4096bit default keysize in case RSA is used

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
schurzi
schurzi approved these changes Jul 9, 2023
View reviewed changes
Copy link
Collaborator

@schurzi schurzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nitpick: please correct spaces in readme

@darkspadez
Copy link

Is this something that will be merged soon? or if we need we should just cherry-pick it?

@avalor1
Copy link
Collaborator Author

avalor1 commented Jul 22, 2024

Hi, @darkspadez i will resolve conflicts and merge this PR today or in the next days. Sorry for the wait

@avalor1 avalor1 requested a review from a team as a code owner July 22, 2024 06:46
schurzi
schurzi reviewed Jul 22, 2024
View reviewed changes
docs/role-acme.md Outdated Show resolved Hide resolved
roles/acme/tasks/challenge/dns-01/autodns.yml Outdated Show resolved Hide resolved
roles/acme/tasks/challenge/dns-01/hetzner.yml Outdated Show resolved Hide resolved
roles/acme/tasks/challenge/dns-01/hetzner.yml Outdated Show resolved Hide resolved
@avalor1 avalor1 merged commit 4e8095f into main Jul 22, 2024
17 checks passed
@avalor1 avalor1 deleted the ecc_creation_support branch July 22, 2024 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rndmh3ro rndmh3ro rndmh3ro left review comments

@z-bsod z-bsod z-bsod left review comments

@schurzi schurzi schurzi approved these changes

@beechesII beechesII Awaiting requested review from beechesII

Assignees
No one assigned
Labels
breaking Breaking change: old configurations will not work anymore major
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Enhancement] Support creating ECC Keys
5 participants
@avalor1 @rndmh3ro @darkspadez @schurzi @z-bsod