Choosing Cipher In openssl_privatekey Module With Cryptography Back End

With the pyOpenSSL back end of the openssl_privatekey module deprecated in Ansible 2.9, a colleague started looking at the cryptography back end. According to the documentation:

openssl_privatekey – Generate OpenSSL private keys
[https://docs.ansible.com/ansible/latest/modules/openssl_privatekey_module.html]

…the “cipher” parameter must be set to “auto” when using the cryptography back end. There does not seem to be a way, using the cryptography back end, to specify the cipher used to encrypt the private key.

Does anybody know why? I don’t see that as a feature request:

[https://github.com/ansible/ansible/issues?q=is%3Aissue+is%3Aopen+openssl_privatekey]

…so should I file one? Thanks!


the reason is that cryptography (https://cryptography.io/en/latest/)
only supports two states: unencrypted, and encrypted with its own
choice of algorithm ("best available algorithm"):
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types

Cheers,
Felix
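To show the two serialization states Felix describes, here is an added example (not code from the thread or from the Ansible module) that uses pyca/cryptography directly: the only choices are NoEncryption() and BestAvailableEncryption(passphrase), with no parameter for naming a cipher. It assumes the cryptography package is installed; the passphrase is a constructed sample value.

```python
from typing import Optional

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

PASSPHRASE = b"correct horse battery staple"  # constructed sample passphrase


def generate_key(bits: int = 2048) -> rsa.RSAPrivateKey:
    """Generate an RSA private key (same primitive the cryptography back end uses)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits,
                                    backend=default_backend())


def serialize(key: rsa.RSAPrivateKey, passphrase: Optional[bytes]) -> bytes:
    """Serialize to PKCS#8 PEM. These are the only two encryption choices the
    library offers: unencrypted, or encrypted with a cipher the library picks
    itself ("best available"). That is why the module exposes cipher=auto."""
    if passphrase is None:
        enc = serialization.NoEncryption()
    else:
        enc = serialization.BestAvailableEncryption(passphrase)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=enc,
    )


def pem_label(pem: bytes) -> str:
    """First PEM line; 'ENCRYPTED PRIVATE KEY' means the key is protected."""
    return pem.split(b"\n", 1)[0].decode()


def load(pem: bytes, passphrase: Optional[bytes]) -> rsa.RSAPrivateKey:
    """Load the key back; the passphrase must match the one used above."""
    return serialization.load_pem_private_key(pem, password=passphrase,
                                              backend=default_backend())


def same_key(a: rsa.RSAPrivateKey, b: rsa.RSAPrivateKey) -> bool:
    """Compare by public numbers to confirm the round trip kept the same key."""
    return a.public_key().public_numbers() == b.public_key().public_numbers()


def wrong_passphrase_rejected(pem: bytes, wrong: bytes) -> bool:
    """Loading with the wrong passphrase must fail, not silently succeed."""
    try:
        load(pem, wrong)
    except ValueError:
        return True
    return False
```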

Thank you, Felix! I guess I'll have to submit a pull request[1].
Is there a particular reason Ansible is deprecating pyOpenSSL? It seems it has more features and is still an active project[2]. (The last change was not too long ago in November 2019.)

[1][https://github.com/pyca/cryptography/pulls]

[2][https://www.pyopenssl.org/en/stable/changelog.html]


well, there's the big fat note in
https://github.com/pyca/pyopenssl/blob/master/README.rst:

**Note:** The Python Cryptographic Authority **strongly suggests** the
use of pyca/cryptography where possible. If you are using pyOpenSSL for
anything other than making a TLS connection **you should move to
cryptography and drop your pyOpenSSL dependency**.

Besides that, working with pyOpenSSL is really not that much fun. I'd
rather get rid of the pyOpenSSL backends yesterday than sometime in the
future...

Cheers,
Felix

I missed that; thank you. That was super helpful.