openssl_csr: Ensure array comparison is deterministic (#28265)

When comparing expected and current value for keyUsage and
extendedKeyUsage current behavior is not deterministic.

As we compare two arrays, depending on the order in which the values have
been specified, False might be returned when the two arrays actually match.
In order to have a deterministic comparison we compare sets rather than
arrays.
Yanis Guenane 2017-08-16 14:35:25 +02:00 committed by René Moser
parent 665257ef18
commit b658ea8da2


@ -354,7 +354,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
else: else:
current = [usage.strip() for usage in str(usages_ext[0]).split(',')] current = [usage.strip() for usage in str(usages_ext[0]).split(',')]
expected = [long[usage] if usage in long else usage for usage in expected] expected = [long[usage] if usage in long else usage for usage in expected]
return current == expected and usages_ext[0].get_critical() == critical return set(current) == set(expected) and usages_ext[0].get_critical() == critical
def _check_keyUsage(extensions): def _check_keyUsage(extensions):
return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical, crypto_utils.keyUsageLong) return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical, crypto_utils.keyUsageLong)
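Review bot: The new return line `set(current) == set(expected) and ...` carries no comment saying that order and duplicates are now deliberately ignored, and this check decides whether an existing CSR is accepted as matching the requested usages. I would add `# keyUsage/extendedKeyUsage values are unordered; compare as sets so argument order alone never reports a mismatch` above it. The two list comprehensions just before it are now built only to be converted, so they could be set comprehensions directly, e.g. `current = {usage.strip() for usage in str(usages_ext[0]).split(',')}`. Names not found in `long` are still passed through unchanged, so a spelling that differs from what OpenSSL prints would presumably still compare unequal; that is worth confirming with a test. The enclosing `_check_keyUsage_` starts outside this hunk, so the branch above the `else:` is not visible here.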