community.crypto.openssl_privatekey_info – Provide information for OpenSSL private keys

Note

This plugin is part of the community.crypto collection (version 2.0.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.crypto.

To use it in a playbook, specify: community.crypto.openssl_privatekey_info.

Synopsis

  • This module allows one to query information on OpenSSL private keys.

  • In case the key consistency checks fail, the module will fail as this indicates a faked private key. In this case, all return variables are still returned. Note that key consistency checks are not available all key types; if none is available, none is returned for key_is_consistent.

  • It uses the cryptography python library to interact with OpenSSL.

Requirements

The below requirements are needed on the host that executes this module.

  • cryptography >= 1.2.3

Parameters

Parameter Choices/Defaults Comments
check_consistency
boolean
added in 2.0.0 of community.crypto
    Choices:
  • no ←
  • yes
Whether to check consistency of the private key.
In community.crypto < 2.0.0, consistency was always checked.
Since community.crypto 2.0.0, the consistency check has been disabled by default to avoid private key material to be transported around and computed with, and only do so when requested explicitly. This can potentially prevent side-channel attacks.
content
string
added in 1.0.0 of community.crypto
Content of the private key file.
Either path or content must be specified, but not both.
passphrase
string
The passphrase for the private key.
path
path
Remote absolute path where the private key file is loaded from.
return_private_key_data
boolean
    Choices:
  • no ←
  • yes
Whether to return private key data.
Only set this to yes when you want private information about this key to leave the remote machine.
WARNING: you have to make sure that private key data isn't accidentally logged!
select_crypto_backend
string
    Choices:
  • auto ←
  • cryptography
Determines which crypto backend to use.
The default choice is auto, which tries to use cryptography if available.
If set to cryptography, will try to use the cryptography library.

Notes

Note

  • Supports check_mode.

See Also

See also

community.crypto.openssl_privatekey

The official documentation on the community.crypto.openssl_privatekey module.

community.crypto.openssl_privatekey_pipe

The official documentation on the community.crypto.openssl_privatekey_pipe module.

Examples

- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
  community.crypto.openssl_privatekey:
    path: /etc/ssl/private/ansible.com.pem

- name: Get information on generated key
  community.crypto.openssl_privatekey_info:
    path: /etc/ssl/private/ansible.com.pem
  register: result

- name: Dump information
  ansible.builtin.debug:
    var: result

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
can_load_key
boolean
always
Whether the module was able to load the private key from disk.

can_parse_key
boolean
always
Whether the module was able to parse the private key.

key_is_consistent
boolean
when check_consistency=true
Whether the key is consistent. Can also return none next to yes and no, to indicate that consistency could not be checked.
In case the check returns no, the module will fail.

private_data
dictionary
success and when return_private_key_data is set to yes
Private key data. Depends on key type.

public_data
dictionary
success
Public key data. Depends on key type.

 
curve
string
When type=ECC
The curve's name for ECC.

 
exponent
integer
When type=RSA
The RSA key's public exponent.

 
exponent_size
integer
When type=ECC
The maximum number of bits of a private key. This is basically the bit size of the subgroup used.

 
g
integer
When type=DSA
The g value for DSA.
This is the element spanning the subgroup of the multiplicative group of the prime field used.

 
modulus
integer
When type=RSA
The RSA key's modulus.

 
p
integer
When type=DSA
The p value for DSA.
This is the prime modulus upon which arithmetic takes place.

 
q
integer
When type=DSA
The q value for DSA.
This is a prime that divides p - 1, and at the same time the order of the subgroup of the multiplicative group of the prime field used.

 
size
integer
When type=RSA or type=DSA
Bit size of modulus (RSA) or prime number (DSA).

 
x
integer
When type=ECC
The x coordinate for the public point on the elliptic curve.

 
y
integer
When type=DSA or type=ECC
For type=ECC, this is the y coordinate for the public point on the elliptic curve.
For type=DSA, this is the publicly known group element whose discrete logarithm w.r.t. g is the private key.

public_key
string
success
Private key's public key in PEM format.

Sample:
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A...
public_key_fingerprints
dictionary
success
Fingerprints of private key's public key.
For every hash algorithm available, the fingerprint is computed.

Sample:
{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63', 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1...
type
string
success
The key's type.
One of RSA, DSA, ECC, Ed25519, X25519, Ed448, or X448.
Will start with unknown if the key type cannot be determined.

Sample:
RSA


Authors

  • Felix Fontein (@felixfontein)

  • Yanis Guenane (@Spredzy)