ANS-4: generate a new private key to sign the csr + return the key

AdrienDucourthial · AdrienDucourthial · commit 964d9c77b5dd · 2025-01-22T11:02:57.000+01:00
diff --git a/plugins/action/horizon_renew.py b/plugins/action/horizon_renew.py
@@ -34,24 +34,33 @@ def run(self, tmp=None, task_vars=None):
 
             # In pop renewal, generate empty csr in decentralized mode
             if should_generate_csr:                
-                key_data = client.load_file_or_string(content["private_key"])
-                if isinstance(key_data, str):
-                    key_data = key_data.encode("utf-8")
-                private_key = load_pem_private_key(key_data, None)
-                csr = HorizonCrypto.generate_pckcs10(subject={"cn.1": ""}, private_key=private_key)
-                content["csr"] = csr
+                try:
+                    pem_data = client.load_file_or_string(content["certificate_pem"])
+                    key_type = HorizonCrypto.get_key_type(pem_data)
+                    private_key, public_key = HorizonCrypto.generate_key_pair(key_type)
+                    csr = HorizonCrypto.generate_pckcs10(subject={"cn.1": ""}, private_key=private_key)
+                    content['csr'] = csr
+                except Exception as e:
+                    raise AnsibleError(e)
 
             response = client.renew(**content)
 
             if "certificate" in response:
                 result["certificate"] = response["certificate"]
                 result["chain"] = client.chain(result["certificate"]["certificate"])
 
-            if "pkcs12" in response.keys():
+            if should_generate_csr:
+                result["key"] = HorizonCrypto.get_key_bytes(private_key)
+                p12, p12_password = HorizonCrypto.get_p12_from_key(result["key"], result["certificate"]["certificate"], content["password"])
+                result["p12"] = p12
+                result["p12_password"] = p12_password
+            elif "pkcs12" in response.keys():
                 result["p12"] = response["pkcs12"]["value"]
                 result["p12_password"] = response["password"]["value"]
                 result["key"] = HorizonCrypto.get_key_from_p12(response["pkcs12"]["value"],
                                                                response["password"]["value"])
+            
+            
 
         except HorizonError as e:
             raise AnsibleError(e.full_message)
diff --git a/plugins/module_utils/horizon.py b/plugins/module_utils/horizon.py
@@ -359,7 +359,7 @@ def certificate(self, certificate_pem, fields=None):
         :rtype: dict
         """
         pem = self.load_file_or_string(certificate_pem)
-        pem = urllib.parse.quote(pem, safe='')
+        pem = urllib.parse.quote(str(pem), safe='')
 
         response = self.get(self.CERTIFICATES_SHOW_URL + pem)
 
diff --git a/plugins/module_utils/horizon_crypto.py b/plugins/module_utils/horizon_crypto.py
@@ -172,3 +172,11 @@ def generate_jwt_token(cert, private_key, nonce=""):
 
         return jwt_token
 
+    @staticmethod
+    def get_key_type(pem_data):
+        cert = x509.load_pem_x509_certificate(pem_data.encode('utf-8'))
+        public_key = cert.public_key()
+        if isinstance(public_key, rsa.RSAPublicKey):
+            return "rsa-" + str(public_key.key_size)
+        elif isinstance(public_key, ec.EllipticCurvePublicKey):
+            return "ec-" + str(public_key.curve.name)
