Linux.yaroslavl.ru

Usage

This is an example playbook:

---

- hosts: all
  roles:
    - weareinteractive.openssl
  vars:
    openssl_keys:
      - name: foobar.com.key
        key: "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhSsYh36iAShzd\nNM0dSxiVXFe3WCZbePTQSNQ0hnFyBF1AfQKzpo9kFP3h+/IxzUNcPREAqOjmIfl4\ndVTXicyqVrqwt1su90+DitRmvYU0e4PDAA9pwQAxdT1qGBnzBFMgs/JpwQNQetCz\nzISDYn0QbaBGLXs6+UkDGyKu8LCX/T0vOLQ/LecDleZrXf6ubqK7H9SGtGsPLlDw\nonAe+KKieDYJlfHX9omaC953fp8aKDA7V5g/3KbkhsERDl6b/++fNjlestgnZMms\nYdDsM6MzBlt+3f0YQQXzVsmO8LGJxLMSMEmmg76e1VegPq+FyjMQp8r+8i2y/Tvz\nadL0bnivAgMBAAECggEBAKhbp4rCx/nu6HkKL0n3x4w+cLJrpmZvEovgEOybl4V7\n62/4u58jFj7VTRCmpcw/t1njrKQQldL8iqBRFjDoIlEc9PCAZRzI5dvIUIfikvuw\nXbvIfLwr5YgQM+/nyOSJU9G5h6st+NsYnIPwjwpb/FfdhItNC6z7g2tVyOpwpZc9\n2WwJadASIew3GOSd3gLoZLiO+r6XdPc//VcAxaNhu1B5RMHpQxeKa7KQ9T3CzCj4\nTBvIxV5LKAiGMlE26WZR7X2xkLzWswCsk8SAv9ulqbuKlSoPMh86BadM5H6SeGuP\ncsTcTGgoAmhbNmUN/j3lOjHJed7oUKEQGVgGIh4W1OkCgYEA+ECUtXl/sQzUiAYz\nKy556wb31v31D+tVftYU5BzwB/YO7T1ApY1/Bzs/KbnXiKu3eb3IyfEVe/CTcyE9\nhTrJJr5b6Nesa4n0PMpxHfZbWloGoewyfVl7Dgu6/KFctKFm17QcFSG7NsGraE6L\nBQ80gWo94Fyt1nXN9+myUeKga5sCgYEA6FLAgUFS7ykFA0bh5MLV1Q9IZav86Hky\nOmgM1ysd/B9ObRAxKaQezvK+4uyaUW55d8pQZJE2YQo84KPX1wFiAPkR5dwm/C1J\nuH9fz5OycXTUS0LJYGFLmeyKSQ4N+V+8Ex5laFqhHXE8Rzpi/QbYuf4V2EDPlY4g\n6kQgtzS/qn0CgYAQfDlj062nFDMI1WCQfYWbFdtfa33akMYcphq9Cy7lWHGlT2v7\nkmndERIgszac3MpSS0gKIPhMQq2H960eK8kvyXRRAgFxIrgVUVwxoSpv1YqbNhQk\nPsztIdpI7G47kHxD1rIGtTa5bCL1ykFxFJFoBqYVQBJLK4eB7wLobSQ6AQKBgEiB\n+z7cCmxGGyBosPvaqy4x9OB2ixprKPf9nXRSKquTgcCcOxvJ8yuXq2fbfFZJ6nMu\nm2SnxZcHwPRDbovWDKZNFf7tdOVjpQyGBHsel6S9V7ydfYgtFZFWt9oRHt9jt6kn\n5XJqRrqPqsZ4PIjH6EA0QtEZeTAuCavT03oaZm9pAoGBAPVuxRWNqfF7fWbLZiHG\nq3ykwooYtbSfixRe2y/h7IHrQyCbAEG/V2FBPKTNhh0zwHpRTS4PFRL3h+ZQNYrr\n/n+zN/OJl/75P53NDlZ5n1m1eYPMbVjDvvTDDdWqkESLUvTRT7JnyiXApRY0EWTA\nArNAJBxDBD66sa5BM9hZV9fG\n-----END PRIVATE KEY-----\n"
    openssl_certs:
      - name: foobar.com.crt
        cert: "-----BEGIN CERTIFICATE-----\nMIIDuTCCAqGgAwIBAgIJAO7EaRwLzPYyMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV\nBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxEDAOBgNV\nBAoMB0ZvbyBCYXIxEzARBgNVBAMMCmZvb2Jhci5jb20xGjAYBgkqhkiG9w0BCQEW\nC2Zvb0BiYXIuY29tMB4XDTE0MDgwMjE1NTMxNloXDTI0MDczMDE1NTMxNlowczEL\nMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEQ\nMA4GA1UECgwHRm9vIEJhcjETMBEGA1UEAwwKZm9vYmFyLmNvbTEaMBgGCSqGSIb3\nDQEJARYLZm9vQGJhci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDhSsYh36iAShzdNM0dSxiVXFe3WCZbePTQSNQ0hnFyBF1AfQKzpo9kFP3h+/Ix\nzUNcPREAqOjmIfl4dVTXicyqVrqwt1su90+DitRmvYU0e4PDAA9pwQAxdT1qGBnz\nBFMgs/JpwQNQetCzzISDYn0QbaBGLXs6+UkDGyKu8LCX/T0vOLQ/LecDleZrXf6u\nbqK7H9SGtGsPLlDwonAe+KKieDYJlfHX9omaC953fp8aKDA7V5g/3KbkhsERDl6b\n/++fNjlestgnZMmsYdDsM6MzBlt+3f0YQQXzVsmO8LGJxLMSMEmmg76e1VegPq+F\nyjMQp8r+8i2y/TvzadL0bnivAgMBAAGjUDBOMB0GA1UdDgQWBBTMI1BoL1dh9tov\nQxJHM6GnZfBhMTAfBgNVHSMEGDAWgBTMI1BoL1dh9tovQxJHM6GnZfBhMTAMBgNV\nHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQALezxaXABZEQE6RDmtfBE7jdGy\nxWJVLxSoH0+YNNVXDYNCwNdDMBbjcH6B//aaGLc6Zqif7+HlRfmr4SVfjIP8UQZR\nSQ2s/tcftR6Wp2aadIdUZZkIvmaWvyFfBrrm8F6Ot22Y8EIgjSl/y4kewM6qD1MY\nxC7qAwze2k0yPqVdAXFYJh/+thRTV4YA9R8OCVVRO4xoEOGsTOsHQYH7+/lR3U+o\nbmBu+k1pPK+LYCoQyIrIB6xHqRYf4nHirxlbu4+aAY1Rc57Okbk68g6ThA27r8Ay\n/14Fu1Ry6NAq/1zeSzX4JrFQOlZDNtqF0UXgph2RehMZjtQG2b4B8gLpwPRe\n-----END CERTIFICATE-----\n"
    openssl_self_signed:
      - name: fooboar.org
        subject:
           C: DE
           ST: Bavaria
           L: Munich
           O: Foo Bar Inc
           CN: foobar.org
           emailAddress: null@foobar.org
    openssl_keys_path: /etc/my-ssl/private
    openssl_certs_path: /etc/my-ssl/certs
    openssl_default_key_owner: root
    openssl_default_key_group: root
    openssl_default_cert_owner: root
    openssl_default_cert_group: root
    openssl_config:
      default_bits: 2048
      countryName_default: DE
      stateOrProvinceName_default: Bavaria
      localityName_default: Munich
      organizationName_default: 'My Organization'
      organizationalUnitName_default: 'My Organization Unit'
      commonName_default: 'foobar.com'
    openssl_cacert_import: yes
    openssl_generate_csr: yes
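
The playbook above passes a private key inline, and each openssl_keys item can also carry mode, owner and group. The following is an added example, not part of the role: a pre-deployment check over such variables that reports plaintext PEM keys and file modes wider than a key needs. The function name audit_openssl_keys and the sample values are hypothetical and constructed; the check treats a value that is not PEM text (for example Ansible Vault ciphertext) as acceptable.

```python
import stat

PEM_MARKER = "PRIVATE KEY-----"
# Group write, or any access for "other", is more than a private key needs.
LOOSE_BITS = stat.S_IWGRP | stat.S_IRWXO


def audit_openssl_keys(role_vars):
    """Return sorted (item name, finding) pairs for the openssl_keys list."""
    findings = []
    for item in role_vars.get("openssl_keys") or []:
        name = item.get("name", "<unnamed>")
        if PEM_MARKER in str(item.get("key", "")):
            findings.append((name, "plaintext private key in vars"))
        mode = item.get("mode")
        if mode is None:
            continue  # the role's default applies; not visible from the vars
        if not isinstance(mode, str):
            # An unquoted YAML number may be read as decimal rather than octal.
            findings.append((name, "mode is not a quoted octal string"))
            continue
        try:
            bits = int(mode, 8)
        except ValueError:
            continue  # symbolic modes such as "u=rw,g=r" are not evaluated here
        if bits & LOOSE_BITS:
            findings.append((name, "mode %04o is wider than owner/group read" % bits))
    return sorted(findings)


# Constructed sample vars; the key bodies are placeholders, not real keys.
SAMPLE_VARS = {
    "openssl_keys": [
        {"name": "foobar.com.key",
         "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"},
        {"name": "myotherkey.key",
         "key": "$ANSIBLE_VAULT;1.1;AES256\n6162636465660a",
         "mode": "0664", "owner": "www-data", "group": "www-data"},
        {"name": "third.key",
         "key": "$ANSIBLE_VAULT;1.1;AES256\n6162636465660a",
         "mode": "0640"},
    ]
}

if __name__ == "__main__":
    for name, finding in audit_openssl_keys(SAMPLE_VARS):
        print(f"{name}: {finding}")
```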

Using the provider

After the provider has been registered, all that is necessary to use it is to get the SSLContext:

The SSLContext can then be used as normal, and should provide a drop-in replacement for JSSE.

Building

The Java side of the project uses Maven and can be built as normal (). The native code should be built
as part of the standard build process.

Windows

To do the Windows build you need to run the build from a Visual Studio native tools command prompt. If you want to build
the 32-bit natives you must use the 32-bit prompt (and have JAVA_HOME pointed to a 32-bit JVM); otherwise both the prompt
and the JVM must be 64-bit.

Configuring Your Environment

    • Install OpenSSL, ideally both 32 and 64 bit versions.
    • Optional: Configure a and permanent environment variable.
  1. Next ensure you have both a 32 and 64 bit JDK installed.

    • It seems to be easiest to download the zips.
  2. Make sure you install the native tools for the command prompt too.

Building 32-bit Natives

Navigate to the executable. Generally you can navigate to this through
the start menu. For Visual Studio 2019 Community the location is
.

Once the command prompt is open make sure you set your to the 32-bit JDK. Then update the
environment variable to include the OpenSSL headers.

Example:

Building 64-bit Natives

Navigate to the executable. Generally you can navigate to this through
the start menu. For Visual Studio 2019 Community the location is
.

Once the command prompt is open make sure you set your to the 64-bit JDK. Then update the
environment variable to include the OpenSSL headers.

Example:

Maven artifact

There are two Maven artifacts to choose between; which one you use will depend on your use case:

The artifact does not contain any native code. To use it you will need to either place the native library
somewhere that it can be found by , or include a maven artifact that has the library packaged (such as one of
the platform specific artifacts built by this project).

The artifact contains binaries for Mac, Linux and Windows (all for x86_64). If no other version of these
native libraries is found then these will be extracted to a temporary directory and loaded. This should allow it to run without
having to worry about how to deal with the native code.

Installing the native library

If you are running on x86_64 Mac, Windows or Linux then you can use the out of the box support provided by the
artifact.

There are two different native libraries that must be loaded, the binary provided by this project, and OpenSSL
itself. is loaded through a standard java.lang.System.loadLibrary() invocation, so should be located somewhere
where it can be discovered by the JVM. Alternatively you can specify the system property
to specify the full path to the library.

OpenSSL is loaded dynamically, and its location can be specified by the system property. If
this property is not present the standard system library search path will be used instead. Because the library is loaded
dynamically it should be possible to use different versions of OpenSSL without needing to recompile.

Variables

Here is a list of all the default variables for this role, which are also available in .

---
# openssl_keys:
#   - name: mykey.key
#     key: "mykeycontents"
#   - name: myotherkey.key
#     key: "myotherkeycontents"
#     mode: "0664"
#     owner: "www-data"
#     group: "www-data"
# openssl_certs:
#   - name: mycert.crt
#     cert: "mycertcontents"
#   - name: myothercert.crt
#     cert: "myothercertcontents"
#     mode: "0664"
#     owner: "www-data"
#     group: "www-data"
# openssl_self_signed:
#   - name: foobar.com
#     subject:
#        C: DE
#        ST: Bavaria
#        L: Munich
#        O: Foo Bar Inc
#        CN: foobar.org
#        emailAddress: null@foobar.org
# openssl_config:
#   default_bits: 2048
#   countryName_default: DE
#   stateOrProvinceName_default: Bavaria
#   localityName_default: Munich
#   organizationName_default: 'My Organization'
#   organizationalUnitName_default: 'My Organization Unit'
#   commonName_default: 'foobar.com'
# openssl_config_template: templates/openssl.cnf.j2

# keys to import
openssl_keys: []
# certificates to import
openssl_certs: []
# path to certificates
openssl_certs_path: /etc/ssl/certs
# path to keys
openssl_keys_path: /etc/ssl/private
# default key owner
openssl_default_key_owner: ssl-cert
# default key group
openssl_default_key_group: root
# default cert owner
openssl_default_cert_owner: root
# default cert group
openssl_default_cert_group: root
# self signed certificates
openssl_self_signed: []
# config variables
openssl_config: {}
# config template to install, relative to the ansible repository root
openssl_config_template:
# generate a CSR for each self signed certificate
openssl_generate_csr: no
# path to certificate signing requests
openssl_csrs_path: /etc/ssl/csrs
# should CAcert certificates be downloaded and added to the keyring?
openssl_cacert_import: no
# overrides for the file checksum when the CACert root certificates are downloaded.
# must be the output of 'sha256sum <name of certificate>'
openssl_cacert_class_one_key_sha256: 'c0e0773a79dceb622ef6410577c19c1e177fb2eb9c623a49340de3c9f1de2560'
openssl_cacert_class_three_key_sha256: 'f5badaa5da1cc05b110a9492455a2c2790d00c7175dcf3a7bcb5441af71bf84f'
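
The two checksum overrides above pin the downloaded CAcert root certificates to a SHA-256 value. The following is an added example, not the role's own code, of that comparison done by hand: it accepts either a bare digest or a full 'sha256sum <file>' output line and rejects a malformed pin instead of comparing against it. The function names and the sample bytes are hypothetical and constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_pin(value):
    """Accept a bare digest or a 'sha256sum' output line; return lowercase hex."""
    fields = value.strip().split()
    digest = fields[0] if fields else ""
    if not HEX64.fullmatch(digest):
        raise ValueError("pin is not a 64-character SHA-256 hex digest")
    return digest.lower()


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large downloads are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, pin):
    """True only if the file's SHA-256 equals the pinned value."""
    return hmac.compare_digest(sha256_file(path), parse_pin(pin))


if __name__ == "__main__":
    # Constructed stand-in for a downloaded certificate file.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed certificate bytes\n")
    os.close(fd)
    pin = sha256_file(path) + "  root.crt"   # shape of 'sha256sum root.crt' output
    print("pin matches:", verify_download(path, pin))
    with open(path, "ab") as fh:
        fh.write(b"tampered")
    print("after modification:", verify_download(path, pin))
    os.remove(path)
```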