cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Support basicConstraints in openssl_csr (#32632)

Browse source
This commit is contained in:
Thom Wiggers 2017-11-30 14:50:45 +01:00 committed by Abhijeet Kasurde
parent 1ca7929f96
commit 04877f4969
1 changed files with 31 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
lib/ansible/modules/crypto/openssl_csr.py
View file

@ -131,6 +131,18 @@ options:
aliases: [ 'extKeyUsage_critical', 'extendedKeyUsage_critical' ]
description:
- Should the extkeyUsage extension be considered as critical
basic_constraints:
required: false
aliases: ['basicConstraints']
description:
- Indicates basic constraints, such as if the certificate is a CA.
version_added: 2.5
basic_constraints_critical:
required: false
aliases: [ 'basicConstraints_critical' ]
description:
- Should the basicConstraints extension be considered as critical
version_added: 2.5
extends_documentation_fragment: files
notes:
@ -221,6 +233,11 @@ extendedKeyUsage:
returned: changed or success
type: list
sample: [ 'clientAuth' ]
basicConstraints:
description: Indicates if the certificate belongs to a CA
returned: changed or success
type: list
sample: ['CA:TRUE', 'pathLenConstraint:0']
'''
import os
@ -261,6 +278,8 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
self.keyUsage_critical = module.params['keyUsage_critical']
self.extendedKeyUsage = module.params['extendedKeyUsage']
self.extendedKeyUsage_critical = module.params['extendedKeyUsage_critical']
self.basicConstraints = module.params['basicConstraints']
self.basicConstraints_critical = module.params['basicConstraints_critical']
self.request = None
self.privatekey = None
@ -301,6 +320,10 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
usages = ', '.join(self.extendedKeyUsage)
extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
req.add_extensions(extensions)
req.set_pubkey(self.privatekey)
@ -366,9 +389,13 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
def _check_extenededKeyUsage(extensions):
return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
def _check_basicConstraints(extensions):
return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
def _check_extensions(csr):
extensions = csr.get_extensions()
return _check_subjectAltName(extensions) and _check_keyUsage(extensions) and _check_extenededKeyUsage(extensions)
return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and
_check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions))
def _check_signature(csr):
try:
@ -393,6 +420,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
'subjectAltName': self.subjectAltName,
'keyUsage': self.keyUsage,
'extendedKeyUsage': self.extendedKeyUsage,
'basicConstraints': self.basicConstraints,
'changed': self.changed
}
@ -422,6 +450,8 @@ def main():
keyUsage_critical=dict(aliases=['key_usage_critical'], default=False, type='bool'),
extendedKeyUsage=dict(aliases=['extKeyUsage', 'extended_key_usage'], type='list'),
extendedKeyUsage_critical=dict(aliases=['extKeyUsage_critical', 'extended_key_usage_critical'], default=False, type='bool'),
basicConstraints=dict(aliases=['basic_constraints'], type='list'),
basicConstraints_critical=dict(aliases=['basic_constraints_critical'], default=False, type='bool'),
),
add_file_common_args=True,
supports_check_mode=True,