
openssl_pkcs12 files can't be imported on some older systems #521

Closed
zoredache opened this issue Oct 24, 2022 · 2 comments · Fixed by #523
Labels
bug (Something isn't working), enhancement (New feature or request)

Comments

@zoredache

SUMMARY

The community.crypto.openssl_pkcs12 module seems to generate files that can't be imported on some older systems. Specifically, it seems to default to using SHA256, which is a good idea generally but doesn't seem to be supported on some older systems.

Not really sure if there is enough demand for this to be worth fixing, but I figured I would add the issue since it might at least document the problem for someone else.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.crypto.openssl_pkcs12

ANSIBLE VERSION
ansible --version
ansible [core 2.13.1]
  config file = None
  configured module search path = [...]
  ansible python module location = ...
  ansible collection location = ...
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
ansible-galaxy collection list community.crypto

# ~/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.7.1  

# /usr/local/ansible/stable/lib/python3.9/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.4.0  
OS / ENVIRONMENT

The task is being executed on localhost, which has ansible installed via pip in an env. The host is running Debian 11.

STEPS TO REPRODUCE

If I have a task like this

- name: Generate pkcs12
  community.crypto.openssl_pkcs12:
    action: export
    path: "{{ cert.name }}.p12"
    friendly_name: "{{ cert.name }}"
    privatekey_path: "{{ cert.name }}.key"
    certificate_path: "{{ cert.name }}.cert"
    ca_certificates: "intermediate.pem"
    state: present
    mode: '0600'

Will give me a file like this

$ openssl pkcs12 -in legacy-host.example.org.p12 -info
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Data
Certificate bag
Bag Attributes

If I want a file that works on my old system I have to run a command like this.

# The extra CA certificate goes in via -certfile; a second -in would only
# override the first one, so the intermediate would not end up in the bundle.
- name: Generate pkcs12
  ansible.builtin.shell: >
    openssl pkcs12 -export -macalg sha1
    -out {{ cert.name }}.p12
    -inkey {{ cert.name }}.key
    -certfile intermediate.pem
    -in {{ cert.name }}.cert
    -name {{ cert.name }}
    -passout pass:

Which gives me this, which can be imported.

$ openssl pkcs12 -in legacy-host.example.org.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
...
@felixfontein
Contributor

This is basically a restriction of cryptography; it is now possible to implement that thanks to pyca/cryptography#7560.

felixfontein added the bug and enhancement labels on Oct 25, 2022
@felixfontein
Contributor

I started implementing this in #523.
