Add support for PKCS#11 tokens to openssh_cert. #95

Merged (1 commit), Aug 4, 2020
2 changes: 2 additions & 0 deletions changelogs/fragments/openssh_cert-pkcs11.yml
@@ -0,0 +1,2 @@
minor_changes:
- "openssh_cert - add support for PKCS#11 tokens (https:/ansible-collections/community.crypto/pull/95)."
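Review bot: the link in the changelog fragment, `https:/ansible-collections/community.crypto/pull/95`, has a single slash after the scheme and no host, so it will not resolve when the changelog is rendered; use the full PR URL (scheme, `github.com`, then the repository path) for this entry.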
23 changes: 23 additions & 0 deletions plugins/modules/openssh_cert.py
@@ -43,8 +43,16 @@
signing_key:
description:
- The path to the private openssh key that is used for signing the public key in order to generate the certificate.
- If the private key is on a PKCS#11 token (I(pkcs11_provider)), set this to the path to the public key instead.
- Required if I(state) is C(present).
type: path
pkcs11_provider:
description:
- To use a signing key that resides on a PKCS#11 token, set this to the name (or full path) of the shared library to use with the token.
Usually C(libpkcs11.so).
- If this is set, I(signing_key) needs to point to a file containing the public key of the CA.
type: str
version_added: 1.1.0
public_key:
description:
- The path to the public key that will be signed with the signing key in order to generate the certificate.
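Review bot: in the `pkcs11_provider` description, `Usually C(libpkcs11.so)` reads like a default, but the module sets none and the library name depends on which PKCS#11 module the token vendor ships; phrase it as an example (for instance `e.g. C(/usr/lib/libpkcs11.so)`) and say that the value is passed to C(ssh-keygen -D), which expects a PKCS#11 shared library, so readers know how a bare name is resolved. The same paragraph makes it the user's job to point I(signing_key) at the CA public key, yet nothing in the hunk enforces or checks that; either state what happens when a private key is given by mistake or add a check, so the documented invariant is not the only guard.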
@@ -170,6 +178,16 @@
- "clear"
- "force-command=/tmp/bla/foo"

- name: Generate an OpenSSH user certificate using a PKCS#11 token
community.crypto.openssh_cert:
type: user
signing_key: /path/to/ca_public_key.pub
pkcs11_provider: libpkcs11.so
public_key: /path/to/public_key.pub
path: /path/to/certificate
valid_from: always
valid_to: forever

'''

RETURN = '''
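Review bot: the new example passes a bare `libpkcs11.so` as `pkcs11_provider`, so the library is located through the dynamic loader's search path on the managed host and the example only works where a module by that exact name is installed; the description's "full path" form (an absolute path) makes the example reproducible. A short comment on the `signing_key: /path/to/ca_public_key.pub` line would also help, since this is the one case where `signing_key` names the CA public key rather than the private key the option is otherwise documented for.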
@@ -217,6 +235,7 @@ def __init__(self, module):
self.force = module.params['force']
self.type = module.params['type']
self.signing_key = module.params['signing_key']
self.pkcs11_provider = module.params['pkcs11_provider']
self.public_key = module.params['public_key']
self.path = module.params['path']
self.identifier = module.params['identifier']
@@ -251,6 +270,9 @@ def generate(self, module):
'-s', self.signing_key
]

if self.pkcs11_provider:
args.extend(['-D', self.pkcs11_provider])

validity = ""

if not (self.valid_from == "always" and self.valid_to == "forever"):
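Review bot: `args.extend(['-D', self.pkcs11_provider])` is appended whenever the option is set, but nothing checks that `self.signing_key` is a public key in that case, which the documentation makes the user's responsibility; a small guard here (or in `main()`) that calls `module.fail_json` when `pkcs11_provider` is set and `signing_key` does not look like an OpenSSH public key file would turn an opaque `ssh-keygen` failure into a clear module error. Building `args` as a list, so the provider path never goes through a shell, is the right choice for a user-supplied path and should stay that way.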
@@ -525,6 +547,7 @@ def main():
force=dict(type='bool', default=False),
type=dict(type='str', choices=['host', 'user']),
signing_key=dict(type='path'),
pkcs11_provider=dict(type='str'),
public_key=dict(type='path'),
path=dict(type='path', required=True),
identifier=dict(type='str'),