openssl_csr: ignore empty strings in altnames (#51473)
* Ignore empty strings in altnames.
* Add changelog.
* Add idempotence check without SAN.
* Fix bug in cryptography backend.
(cherry picked from commit 9b1cbcf3a4)
This commit is contained in:
Felix Fontein
Toshio Kuratomi
parent
e7e47ca1fc
commit
0093b69935
4 changed files with 37 additions and 1 deletions
2
changelogs/fragments/51473-openssl_csr-idempotence.yaml
Normal file
2
changelogs/fragments/51473-openssl_csr-idempotence.yaml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
bugfixes:
|
||||
- "openssl_csr - fixes idempotence problem with PyOpenSSL backend when no Subject Alternative Names were specified."
|
||||
|
|
@ -431,7 +431,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
|
|||
|
||||
def _check_subjectAltName(extensions):
|
||||
altnames_ext = next((ext for ext in extensions if ext.get_short_name() == b'subjectAltName'), '')
|
||||
altnames = [altname.strip() for altname in str(altnames_ext).split(',')]
|
||||
altnames = [altname.strip() for altname in str(altnames_ext).split(',') if altname.strip() if altname.strip()]
|
||||
# apperently openssl returns 'IP address' not 'IP' as specifier when converting the subjectAltName to string
|
||||
# although it won't accept this specifier when generating the CSR. (https://github.com/openssl/openssl/issues/4004)
|
||||
altnames = [name if not name.startswith('IP Address:') else "IP:" + name.split(':', 1)[1] for name in altnames]
|
||||
|
|
|
|||
|
|
@ -37,6 +37,32 @@
|
|||
check_mode: yes
|
||||
register: generate_csr_check_idempotent_check
|
||||
|
||||
- name: Generate CSR without SAN (check mode)
|
||||
openssl_csr:
|
||||
path: '{{ output_dir }}/csr-nosan.csr'
|
||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||
check_mode: yes
|
||||
register: generate_csr_nosan_check
|
||||
|
||||
- name: Generate CSR without SAN
|
||||
openssl_csr:
|
||||
path: '{{ output_dir }}/csr-nosan.csr'
|
||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||
register: generate_csr_nosan
|
||||
|
||||
- name: Generate CSR without SAN (idempotent)
|
||||
openssl_csr:
|
||||
path: '{{ output_dir }}/csr-nosan.csr'
|
||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||
register: generate_csr_nosan_check_idempotent
|
||||
|
||||
- name: Generate CSR without SAN (idempotent, check mode)
|
||||
openssl_csr:
|
||||
path: '{{ output_dir }}/csr-nosan.csr'
|
||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||
check_mode: yes
|
||||
register: generate_csr_nosan_check_idempotent_check
|
||||
|
||||
# keyUsage longname and shortname should be able to be used
|
||||
# interchangeably. Hence the long name is specified here
|
||||
# but the short name is used to test idempotency for ipsecuser
|
||||
|
|
|
|||
|
|
@ -24,6 +24,14 @@
|
|||
- generate_csr_check_idempotent is not changed
|
||||
- generate_csr_check_idempotent_check is not changed
|
||||
|
||||
- name: Validate CSR without SAN (check mode, idempotency)
|
||||
assert:
|
||||
that:
|
||||
- generate_csr_nosan_check is changed
|
||||
- generate_csr_nosan is changed
|
||||
- generate_csr_nosan_check_idempotent is not changed
|
||||
- generate_csr_nosan_check_idempotent_check is not changed
|
||||
|
||||
- name: Validate CSR_KU_XKU (assert idempotency, change)
|
||||
assert:
|
||||
that:
|
||||
|
|
|
|||
Loading…
Reference in a new issue