From 96925a09b6e70c43e15ded0bc057d07237f13750 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 17 Mar 2019 23:03:32 +0100
Subject: [PATCH] openssl_csr: fix SAN handling for cryptography backend (#53927)

* Fix IP address support for openssl_csr.

* Remove DirName support, which doesn't work as this and seems harder to fix. Also, I don't know of an example of how it actually works.
---
 lib/ansible/modules/crypto/openssl_csr.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index 48cb4483e40..6edf48d9612 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -353,6 +353,7 @@ try:
     import cryptography.hazmat.backends
     import cryptography.hazmat.primitives.serialization
     import cryptography.hazmat.primitives.hashes
+    import ipaddress
     CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
 except ImportError:
     CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
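Review bot: The new `import ipaddress` is placed inside the `try` whose `except ImportError` stores the traceback in `CRYPTOGRAPHY_IMP_ERR`, so a failure to import `ipaddress` would be reported to the user as a missing cryptography library rather than as what it is. On Python 3 `ipaddress` is standard library; on Python 2 it is a separate backport package which, as far as I know, cryptography itself declares as a dependency, so the placement is probably safe in practice but the reason is not visible in the code. A one-line comment above the import would make that explicit: `# ipaddress is stdlib on Python 3 and a cryptography dependency on Python 2, so it belongs in this try block`. The `try:` line that opens this block is outside the hunk.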
@@ -673,16 +674,17 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
         raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(id))
 
     def _get_san(self, name):
-        if name.startswith('DNS:'):
-            return cryptography.x509.DNSName(to_text(name[4:]))
-        if name.startswith('IP:'):
-            return cryptography.x509.IPAddress(to_text(name[3:]))
-        if name.startswith('email:'):
-            return cryptography.x509.RFC822Name(to_text(name[6:]))
-        if name.startswith('URI:'):
-            return cryptography.x509.UniformResourceIdentifier(to_text(name[4:]))
-        if name.startswith('DirName:'):
-            return cryptography.x509.DirectoryName(to_text(name[8:]))
+        try:
+            if name.startswith('DNS:'):
+                return cryptography.x509.DNSName(to_text(name[4:]))
+            if name.startswith('IP:'):
+                return cryptography.x509.IPAddress(ipaddress.ip_address(to_text(name[3:])))
+            if name.startswith('email:'):
+                return cryptography.x509.RFC822Name(to_text(name[6:]))
+            if name.startswith('URI:'):
+                return cryptography.x509.UniformResourceIdentifier(to_text(name[4:]))
+        except Exception as e:
+            raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}": {1}'.format(name, e))
         if ':' not in name:
             raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}" (forgot "DNS:" prefix?)'.format(name))
         raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))
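Review bot: The new `except Exception as e` in `_get_san` rewraps every failure raised inside the `try`, including non-input errors such as an `AttributeError` from a cryptography version lacking one of the `x509` classes, as a "Cannot parse Subject Alternative Name" error that blames the user's value. `ipaddress.ip_address` raises `ValueError` on bad input and the cryptography name constructors raise `TypeError` or `ValueError` (IDNA failures surface, as far as I know, as a `UnicodeError`, which is a `ValueError` subclass), so `except (TypeError, ValueError) as e:` would cover the intended cases without masking unrelated bugs. Because the module still runs on Python 2 the cause cannot be chained with `from e`, but formatting it via `to_native(e)` instead of `e` would keep the message well-formed when the exception text is not plain ASCII. Dropping the `DirName:` branch means such names now reach the final "potentially unsupported by cryptography backend" error, which is reasonable, but the option documentation (outside this hunk) should say that `DirName:` is not handled by the cryptography backend so users are not left guessing.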