openssl_csr: idempotency doesn't work correctly for keyUsage (#50361)

* Fix key usage idempotency bug. * Extend tests. * Add changelog. (cherry picked from commit a5bf71ac6a)
2019-01-03 12:34:24 +01:00 · 2019-01-03 12:34:24 +01:00 · 7ced444af8
commit 7ced444af8
parent 755761e3a4
4 changed files with 82 additions and 3 deletions
--- a/changelogs/fragments/50361-openssl_csr-idempotency.yml
+++ b/changelogs/fragments/50361-openssl_csr-idempotency.yml
@ -0,0 +1,2 @@
 bugfixes:
 - "openssl_csr - fix problem with idempotency of keyUsage option."
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@ -456,7 +456,18 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
                return set(current) == set(expected) and usages_ext[0].get_critical() == critical
        def _check_keyUsage(extensions):
-            return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical)
+            usages_ext = [ext for ext in extensions if ext.get_short_name() == b'keyUsage']
            if (not usages_ext and self.keyUsage) or (usages_ext and not self.keyUsage):
                return False
            elif not usages_ext and not self.keyUsage:
                return True
            else:
                # OpenSSL._util.lib.OBJ_txt2nid() always returns 0 for all keyUsage values
                # (since keyUsage has a fixed bitfield for these values and is not extensible).
                # Therefore, we create an extension for the wanted values, and compare the
                # data of the extensions (which is the serialized bitfield).
                expected_ext = crypto.X509Extension(b"keyUsage", False, ', '.join(self.keyUsage).encode('ascii'))
                return usages_ext[0].get_data() == expected_ext.get_data() and usages_ext[0].get_critical() == self.keyUsage_critical
        def _check_extenededKeyUsage(extensions):
            return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@ -3,12 +3,39 @@
      openssl_privatekey:
        path: '{{ output_dir }}/privatekey.pem'
    - name: Generate CSR (check mode)
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: www.ansible.com
      check_mode: yes
      register: generate_csr_check
    - name: Generate CSR
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: www.ansible.com
      register: generate_csr
    - name: Generate CSR (idempotent)
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: www.ansible.com
      register: generate_csr_check_idempotent
    - name: Generate CSR (idempotent, check mode)
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: www.ansible.com
      check_mode: yes
      register: generate_csr_check_idempotent_check
    # keyUsage longname and shortname should be able to be used
    # interchangeably. Hence the long name is specified here
@ -36,8 +63,8 @@
        subject:
          commonName: 'www.ansible.com'
        keyUsage:
          - Key Agreement
          - digitalSignature
          - keyAgreement
        extendedKeyUsage:
          - ipsecUser
          - qcStatements
@ -45,6 +72,35 @@
          - Biometric Info
      register: csr_ku_xku
    - name: Generate CSR with KU and XKU (test XKU change)
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: 'www.ansible.com'
        keyUsage:
          - digitalSignature
          - keyAgreement
        extendedKeyUsage:
          - ipsecUser
          - qcStatements
          - Biometric Info
      register: csr_ku_xku_change
    - name: Generate CSR with KU and XKU (test KU change)
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
        subject:
          commonName: 'www.ansible.com'
        keyUsage:
          - digitalSignature
        extendedKeyUsage:
          - ipsecUser
          - qcStatements
          - Biometric Info
      register: csr_ku_xku_change_2
    - name: Generate CSR with old API
      openssl_csr:
        path: '{{ output_dir }}/csr_oldapi.csr'
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@ -16,10 +16,20 @@
      - csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_modulus.stdout == privatekey_modulus.stdout
- name: Validate CSR_KU_XKU (assert idempotency)
+- name: Validate CSR (check mode, idempotency)
  assert:
    that:
      - generate_csr_check is changed
      - generate_csr is changed
      - generate_csr_check_idempotent is not changed
      - generate_csr_check_idempotent_check is not changed
 - name: Validate CSR_KU_XKU (assert idempotency, change)
  assert:
    that:
      - csr_ku_xku is not changed
      - csr_ku_xku_change is changed
      - csr_ku_xku_change_2 is changed
 - name: Validate old_API CSR (test - Common Name)
  shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
		`@ -0,0 +1,2 @@`
							`bugfixes:`
							`- "openssl_csr - fix problem with idempotency of keyUsage option."`