diff --git a/changelogs/fragments/pkcs12.yml b/changelogs/fragments/pkcs12.yml
new file mode 100644
index 000000000..b3424ece2
--- /dev/null
+++ b/changelogs/fragments/pkcs12.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which removed PKCS#12 support (https://github.com/ansible-collections/community.crypto/pull/666)."
diff --git a/plugins/modules/openssl_pkcs12.py b/plugins/modules/openssl_pkcs12.py
index 1d3c22ea1..e3b993083 100644
--- a/plugins/modules/openssl_pkcs12.py
+++ b/plugins/modules/openssl_pkcs12.py
@@ -24,7 +24,7 @@
 # Please note that the C(pyopenssl) backend has been deprecated in community.crypto x.y.0,
 # and will be removed in community.crypto (x+1).0.0.
 requirements:
-  - PyOpenSSL >= 0.15 or cryptography >= 3.0
+  - PyOpenSSL >= 0.15, < 23.3.0 or cryptography >= 3.0
 extends_documentation_fragment:
   - ansible.builtin.files
   - community.crypto.attributes
@@ -302,11 +302,13 @@
 
 MINIMAL_CRYPTOGRAPHY_VERSION = '3.0'
 MINIMAL_PYOPENSSL_VERSION = '0.15'
+MAXIMAL_PYOPENSSL_VERSION = '23.3.0'
 
 PYOPENSSL_IMP_ERR = None
 try:
     import OpenSSL
     from OpenSSL import crypto
+    from OpenSSL.crypto import load_pkcs12 as _load_pkcs12  # this got removed in pyOpenSSL 23.3.0
     PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
 except (ImportError, AttributeError):
     PYOPENSSL_IMP_ERR = traceback.format_exc()
@@ -711,7 +713,11 @@ def select_backend(module, backend):
     if backend == 'auto':
         # Detection what is possible
         can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
+        can_use_pyopenssl = (
+            PYOPENSSL_FOUND and
+            PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION) and
+            PYOPENSSL_VERSION < LooseVersion(MAXIMAL_PYOPENSSL_VERSION)
+        )
 
         # If no restrictions are provided, first try cryptography, then pyOpenSSL
         if (
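Review bot: The probe import `from OpenSSL.crypto import load_pkcs12 as _load_pkcs12` binds a name that is never read afterwards, so if the collection's sanity run includes an unused-import check (pylint W0611 / flake8 F401) it will flag this line; make the intent explicit with `from OpenSSL.crypto import load_pkcs12 as _load_pkcs12  # noqa: F401  # pylint: disable=unused-import` or follow it with `del _load_pkcs12`. The trailing comment should also say what the import is for, since it is the real detection, not just a note about history: `# probe: pyOpenSSL 23.3.0 removed PKCS#12 support entirely; the failed import lands us in the except branch below`. Because the probe sits before `PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)`, on pyOpenSSL >= 23.3.0 the version is never recorded, which means later error paths cannot name the installed version; assigning PYOPENSSL_VERSION before the probe would keep that information available. Worth a sentence in the changelog or docs that the pyOpenSSL PKCS#12 code path was removed upstream rather than maintained, so users should migrate to the cryptography backend rather than pin an old pyOpenSSL.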
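Review bot: The new upper-bound clause in `can_use_pyopenssl` overlaps the `load_pkcs12` probe import added higher in the same file: on pyOpenSSL >= 23.3.0 the probe already raises ImportError and, assuming PYOPENSSL_FOUND is derived from that try block (its definition is not in this hunk), the version comparison is never reached, while a pre-23.3.0 build that had the function stripped is caught only by the probe. Keeping both is reasonable defence in depth, but a reader will wonder which one is authoritative, so say so: `# PKCS#12 support was removed in pyOpenSSL 23.3.0; the load_pkcs12 import probe is the primary check, the version bound is a second line of defence`. LooseVersion orders a pre-release such as '23.3.0.dev1' after '23.3.0', so development builds are excluded as well, which is the safe direction. select_backend starts before this hunk and continues after it.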
@@ -728,14 +734,17 @@ def select_backend(module, backend):
     # Success?
     if backend == 'auto':
         module.fail_json(msg=("Cannot detect any of the required Python libraries "
-                              "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
+                              "cryptography (>= {0}) or PyOpenSSL (>= {1}, < {2})").format(
                                   MINIMAL_CRYPTOGRAPHY_VERSION,
-                                  MINIMAL_PYOPENSSL_VERSION))
+                                  MINIMAL_PYOPENSSL_VERSION,
+                                  MAXIMAL_PYOPENSSL_VERSION))
 
     if backend == 'pyopenssl':
         if not PYOPENSSL_FOUND:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
-                             exception=PYOPENSSL_IMP_ERR)
+            msg = missing_required_lib(
+                'pyOpenSSL >= {0}, < {1}'.format(MINIMAL_PYOPENSSL_VERSION, MAXIMAL_PYOPENSSL_VERSION)
+            )
+            module.fail_json(msg=msg, exception=PYOPENSSL_IMP_ERR)
         # module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
         #                  version='x.0.0', collection_name='community.crypto')
         return backend, PkcsPyOpenSSL(module)
diff --git a/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/tests/integration/targets/openssl_pkcs12/tasks/main.yml
index 7116c8674..cad051c6c 100644
--- a/tests/integration/targets/openssl_pkcs12/tasks/main.yml
+++ b/tests/integration/targets/openssl_pkcs12/tasks/main.yml
@@ -69,7 +69,10 @@
 
       vars:
         select_crypto_backend: pyopenssl
-    when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+    when: >-
+      (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+      and
+      (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
 
   - block:
       - name: Running tests with cryptography backend
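Review bot: With pyOpenSSL >= 23.3.0 installed, the explicit `pyopenssl` branch now fails with the "missing required library" wording plus a traceback ending in `cannot import name 'load_pkcs12'`, which reads as "pyOpenSSL is not installed" to an operator who can see that it is; the branch also only tests `PYOPENSSL_FOUND`, not the version range the message advertises, so the lower bound is never enforced on the explicit path. Reuse the bounded test from the auto branch here, e.g. `if not PYOPENSSL_FOUND or not (LooseVersion(MINIMAL_PYOPENSSL_VERSION) <= PYOPENSSL_VERSION < LooseVersion(MAXIMAL_PYOPENSSL_VERSION)):`, and in the message distinguish "not importable" from "importable but without PKCS#12 support" so the user is steered to the cryptography backend rather than to reinstalling pyOpenSSL. That second message can only name the installed version if PYOPENSSL_VERSION is assigned before the probe import in the try block at the top of the file; as committed, the probe fails first and the version is never recorded. select_backend starts before this hunk and, judging by the indentation of the final `return`, continues after it.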
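Review bot: The test change only skips the pyOpenSSL backend on >= 23.3.0, so nothing exercises the behaviour this commit introduces: that `select_crypto_backend: pyopenssl` (and auto-detection with no usable cryptography) fails cleanly on such a version instead of tripping over the missing `load_pkcs12`. Add a small negative block gated on `(pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '>=')` that runs one openssl_pkcs12 task with the pyopenssl backend under `ignore_errors: true`, registers the result, and asserts `result is failed` and `"'< 23.3.0' in result.msg"`, so a future regression in the probe or the bound is caught by CI rather than by users. The `pyopenssl_version.stdout | default('0.0')` expression is now written twice in this condition and twice more in the outer `when:` further down; a single `set_fact` computing a `pyopenssl_usable` boolean would keep the two sites from drifting. The block whose `when:` is rewritten here starts before the hunk.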
@@ -79,4 +82,11 @@
     when: cryptography_version.stdout is version('3.0', '>=')
 
 
-  when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') or cryptography_version.stdout is version('3.0', '>=')
+  when: >-
+    (
+      (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+      and
+      (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
+    )
+    or
+    cryptography_version.stdout is version('3.0', '>=')
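Review bot: The rewritten outer condition guards its two halves differently: the pyOpenSSL side is wrapped in `default('0.0')` while the cryptography side, also rewritten on the last added line, still reads `cryptography_version.stdout` bare, so if the task that registers `cryptography_version` is ever skipped or changed to not fail on a missing library this expression raises an undefined-attribute error instead of evaluating to false. Use `(cryptography_version.stdout | default('0.0')) is version('3.0', '>=')` for symmetry. The three-part pyOpenSSL test is now duplicated verbatim from the inner block's `when:`; computing `pyopenssl_usable` and `cryptography_usable` once with `set_fact` and reducing this line to `when: pyopenssl_usable or cryptography_usable` would keep the bounds in one place when the next version cutoff arrives. The outer block this `when:` belongs to starts well before the hunk.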