Fix idempotency for non-ASCII string comparisons. (#271)

pull/279/head
Felix Fontein 2021-09-14 07:06:35 +02:00 committed by GitHub
parent 170fa40014
commit 03427e35a7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 39 additions and 37 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, https://github.com/ansible-collections/community.crypto/pull/271)."


@ -592,7 +592,7 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
def _check_csr(self): def _check_csr(self):
"""Check whether provided parameters, assuming self.existing_csr and self.privatekey have been populated.""" """Check whether provided parameters, assuming self.existing_csr and self.privatekey have been populated."""
def _check_subject(csr): def _check_subject(csr):
subject = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject] subject = [(cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject]
current_subject = [(sub.oid, sub.value) for sub in csr.subject] current_subject = [(sub.oid, sub.value) for sub in csr.subject]
return set(subject) == set(current_subject) return set(subject) == set(current_subject)
@ -604,8 +604,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
def _check_subjectAltName(extensions): def _check_subjectAltName(extensions):
current_altnames_ext = _find_extension(extensions, cryptography.x509.SubjectAlternativeName) current_altnames_ext = _find_extension(extensions, cryptography.x509.SubjectAlternativeName)
current_altnames = [str(altname) for altname in current_altnames_ext.value] if current_altnames_ext else [] current_altnames = [to_text(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
altnames = [str(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else [] altnames = [to_text(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
if set(altnames) != set(current_altnames): if set(altnames) != set(current_altnames):
return False return False
if altnames: if altnames:
@ -678,10 +678,10 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
def _check_nameConstraints(extensions): def _check_nameConstraints(extensions):
current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints) current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
current_nc_perm = [str(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else [] current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
current_nc_excl = [str(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else [] current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
nc_perm = [str(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted] nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
nc_excl = [str(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded] nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl): if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):
return False return False
if nc_perm or nc_excl: if nc_perm or nc_excl:
@ -710,9 +710,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
aci = None aci = None
csr_aci = None csr_aci = None
if self.authority_cert_issuer is not None: if self.authority_cert_issuer is not None:
aci = [str(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer] aci = [to_text(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer]
if ext.value.authority_cert_issuer is not None: if ext.value.authority_cert_issuer is not None:
csr_aci = [str(n) for n in ext.value.authority_cert_issuer] csr_aci = [to_text(n) for n in ext.value.authority_cert_issuer]
return (ext.value.key_identifier == self.authority_key_identifier return (ext.value.key_identifier == self.authority_key_identifier
and csr_aci == aci and csr_aci == aci
and ext.value.authority_cert_serial_number == self.authority_cert_serial_number) and ext.value.authority_cert_serial_number == self.authority_cert_serial_number)
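Review bot: `_check_subject` in the first hunk still compares the two subjects as `set`s of `(oid, value)` tuples, so repeated attributes collapse and RDN order is ignored; a CSR whose subject carries the same OU twice, or the same attributes in a different order than `self.subject`, is reported as unchanged and the module will not regenerate it. Whether `self.subject` can actually contain duplicates depends on how it is built, which is outside these hunks, but if order is intentionally ignored then `return collections.Counter(subject) == collections.Counter(current_subject)` keeps that behaviour while still catching duplicates, and if order matters the two lists should be compared directly. The same set-based comparison is used for the SAN and name-constraint lists in the later hunks, where the same reasoning applies. The hunks also rely on `to_text` already being imported in this file; the import block is not shown. `_check_csr` begins in the first hunk and continues past the last one.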


@ -536,14 +536,14 @@
commonName: www.example.com commonName: www.example.com
C: de C: de
L: Somewhere L: Somewhere
ST: Zurich ST: Zürich
streetAddress: Welcome Street streetAddress: Welcome Street N° 5
O: Ansible O: Ansiblé
organizationalUnitName: Crypto Department organizationalUnitName: Crÿpto Depârtment ☺
serialNumber: "1234" serialNumber: "1234"
SN: Last Name SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
GN: First Name GN: First Name
title: Chief title: Chïeff
pseudonym: test pseudonym: test
UID: asdf UID: asdf
emailAddress: test@example.com emailAddress: test@example.com
@ -641,17 +641,17 @@
path: '{{ remote_tmp_dir }}/csr_everything.csr' path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject: subject:
commonName: www.example.com CN: www.example.com
C: de countryName: de
L: Somewhere L: Somewhere
ST: Zurich ST: Zürich
streetAddress: Welcome Street streetAddress: Welcome Street N° 5
O: Ansible organizationName: Ansiblé
organizationalUnitName: Crypto Department organizationalUnitName: Crÿpto Depârtment ☺
serialNumber: "1234" serialNumber: "1234"
SN: Last Name SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
GN: First Name GN: First Name
title: Chief title: Chïeff
pseudonym: test pseudonym: test
UID: asdf UID: asdf
emailAddress: test@example.com emailAddress: test@example.com
@ -750,17 +750,17 @@
path: '{{ remote_tmp_dir }}/csr_everything.csr' path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject: subject:
commonName: www.example.com CN: www.example.com
C: de countryName: de
L: Somewhere L: Somewhere
ST: Zurich ST: Zürich
streetAddress: Welcome Street streetAddress: Welcome Street N° 5
O: Ansible organizationName: Ansiblé
organizationalUnitName: Crypto Department organizationalUnitName: Crÿpto Depârtment ☺
serialNumber: "1234" serialNumber: "1234"
SN: Last Name SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
GN: First Name GN: First Name
title: Chief title: Chïeff
pseudonym: test pseudonym: test
UID: asdf UID: asdf
emailAddress: test@example.com emailAddress: test@example.com
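Review bot: The non-ASCII values added here exercise only the subject comparison, while the backend change also switched the subjectAltName, nameConstraints and authority_cert_issuer comparisons to `to_text`; unless those are covered elsewhere in this file (not visible here), a SAN or name-constraint entry with a non-ASCII component would be worth adding so the Python 2 regression cannot return on those paths. The second and third tasks also switch from `commonName`/`C`/`O` to `CN`/`countryName`/`organizationName` without a comment saying why; presumably this checks that attribute aliases are normalised before comparison, and a one-line comment such as `# same subject as above, spelled with the alternative attribute names, to check aliases compare equal` would make the intent clear to the next reader.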


@ -224,16 +224,16 @@
- everything_info.subject.emailAddress == "test@example.com" - everything_info.subject.emailAddress == "test@example.com"
- everything_info.subject.givenName == "First Name" - everything_info.subject.givenName == "First Name"
- everything_info.subject.localityName == "Somewhere" - everything_info.subject.localityName == "Somewhere"
- everything_info.subject.organizationName == "Ansible" - everything_info.subject.organizationName == "Ansiblé"
- everything_info.subject.organizationalUnitName == "Crypto Department" - everything_info.subject.organizationalUnitName == "Crÿpto Depârtment ☺"
- everything_info.subject.postalAddress == "1234 Somewhere" - everything_info.subject.postalAddress == "1234 Somewhere"
- everything_info.subject.postalCode == "1234" - everything_info.subject.postalCode == "1234"
- everything_info.subject.pseudonym == "test" - everything_info.subject.pseudonym == "test"
- everything_info.subject.serialNumber == "1234" - everything_info.subject.serialNumber == "1234"
- everything_info.subject.stateOrProvinceName == "Zurich" - everything_info.subject.stateOrProvinceName == "Zürich"
- everything_info.subject.streetAddress == "Welcome Street" - everything_info.subject.streetAddress == "Welcome Street N° 5"
- everything_info.subject.surname == "Last Name" - everything_info.subject.surname == "Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr."
- everything_info.subject.title == "Chief" - everything_info.subject.title == "Chïeff"
- everything_info.subject.userId == "asdf" - everything_info.subject.userId == "asdf"
- everything_info.subject | length == 16 - everything_info.subject | length == 16
- everything_info.subject_alt_name_critical == false - everything_info.subject_alt_name_critical == false