a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openssl_csr: fix bad tests, avoid accepting invalid crl_distribution_points records (#560) 

* Improve error handling.

* Remove invalid tests.

* Add changelog fragment.

* Fix tests.

* Improve exception catching.

Co-authored-by: Kristian Heljas <11139388+kristianheljas@users.noreply.github.com>

* Prevent empty full_name.

* Fix condition. Make sure errors are caught.

* Add more checks.

Co-authored-by: Kristian Heljas <11139388+kristianheljas@users.noreply.github.com>
pull/562/head
Felix Fontein 2023-01-02 15:52:59 +01:00 committed by GitHub
parent 095434a4c1
commit ddfb18b609
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changelogs/fragments/560-openssl_csr-crl_distribution_points.yml Normal file
View File

@ -0,0 +1,2 @@
bugfixes:
- "openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points`` that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer`` (https://github.com/ansible-collections/community.crypto/pull/560)."

11
plugins/module_utils/crypto/module_backends/csr.py
View File

@ -270,8 +270,12 @@ def parse_crl_distribution_points(module, crl_distribution_points):
reasons=None, reasons=None,
) )
if parse_crl_distribution_point['full_name'] is not None: if parse_crl_distribution_point['full_name'] is not None:
if not parse_crl_distribution_point['full_name']:
raise OpenSSLObjectError('full_name must not be empty')
params['full_name'] = [cryptography_get_name(name, 'full name') for name in parse_crl_distribution_point['full_name']] params['full_name'] = [cryptography_get_name(name, 'full name') for name in parse_crl_distribution_point['full_name']]
if parse_crl_distribution_point['relative_name'] is not None: if parse_crl_distribution_point['relative_name'] is not None:
if not parse_crl_distribution_point['relative_name']:
raise OpenSSLObjectError('relative_name must not be empty')
try: try:
params['relative_name'] = cryptography_parse_relative_distinguished_name(parse_crl_distribution_point['relative_name']) params['relative_name'] = cryptography_parse_relative_distinguished_name(parse_crl_distribution_point['relative_name'])
except Exception: except Exception:
@ -280,6 +284,8 @@ def parse_crl_distribution_points(module, crl_distribution_points):
raise OpenSSLObjectError('Cannot specify relative_name for cryptography < 1.6') raise OpenSSLObjectError('Cannot specify relative_name for cryptography < 1.6')
raise raise
if parse_crl_distribution_point['crl_issuer'] is not None: if parse_crl_distribution_point['crl_issuer'] is not None:
if not parse_crl_distribution_point['crl_issuer']:
raise OpenSSLObjectError('crl_issuer must not be empty')
params['crl_issuer'] = [cryptography_get_name(name, 'CRL issuer') for name in parse_crl_distribution_point['crl_issuer']] params['crl_issuer'] = [cryptography_get_name(name, 'CRL issuer') for name in parse_crl_distribution_point['crl_issuer']]
if parse_crl_distribution_point['reasons'] is not None: if parse_crl_distribution_point['reasons'] is not None:
reasons = [] reasons = []
@ -287,7 +293,7 @@ def parse_crl_distribution_points(module, crl_distribution_points):
reasons.append(REVOCATION_REASON_MAP[reason]) reasons.append(REVOCATION_REASON_MAP[reason])
params['reasons'] = frozenset(reasons) params['reasons'] = frozenset(reasons)
result.append(cryptography.x509.DistributionPoint(**params)) result.append(cryptography.x509.DistributionPoint(**params))
except OpenSSLObjectError as e: except (OpenSSLObjectError, ValueError) as e:
raise OpenSSLObjectError('Error while parsing CRL distribution point #{index}: {error}'.format(index=index, error=e)) raise OpenSSLObjectError('Error while parsing CRL distribution point #{index}: {error}'.format(index=index, error=e))
return result return result
@ -651,7 +657,8 @@ def get_csr_argument_spec():
'aa_compromise', 'aa_compromise',
]), ]),
), ),
mutually_exclusive=[('full_name', 'relative_name')] mutually_exclusive=[('full_name', 'relative_name')],
required_one_of=[('full_name', 'relative_name', 'crl_issuer')],
), ),
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography']), select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography']),
), ),

5
plugins/modules/openssl_csr.py
View File

@ -339,9 +339,10 @@ def main():
if not os.path.isdir(base_dir): if not os.path.isdir(base_dir):
module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir) module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir)
backend = module.params['select_crypto_backend']
backend, module_backend = select_backend(module, backend)
try: try:
backend = module.params['select_crypto_backend']
backend, module_backend = select_backend(module, backend)
csr = CertificateSigningRequestModule(module, module_backend) csr = CertificateSigningRequestModule(module, module_backend)
if module.params['state'] == 'present': if module.params['state'] == 'present':
csr.generate(module) csr.generate(module)

5
plugins/modules/openssl_csr_pipe.py
View File

@ -167,9 +167,10 @@ def main():
supports_check_mode=True, supports_check_mode=True,
) )
backend = module.params['select_crypto_backend']
backend, module_backend = select_backend(module, backend)
try: try:
backend = module.params['select_crypto_backend']
backend, module_backend = select_backend(module, backend)
csr = CertificateSigningRequestModule(module, module_backend) csr = CertificateSigningRequestModule(module, module_backend)
csr.generate(module) csr.generate(module)
result = csr.dump() result = csr.dump()

6
tests/integration/targets/openssl_csr/tasks/impl.yml
View File

@ -950,7 +950,6 @@
- CN=ca.example.com - CN=ca.example.com
reasons: reasons:
- certificate_hold - certificate_hold
- {}
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
register: crl_distribution_endpoints_1 register: crl_distribution_endpoints_1
@ -973,7 +972,6 @@
- CN=ca.example.com - CN=ca.example.com
reasons: reasons:
- certificate_hold - certificate_hold
- {}
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
register: crl_distribution_endpoints_2 register: crl_distribution_endpoints_2
@ -984,9 +982,7 @@
subject: subject:
commonName: www.ansible.com commonName: www.ansible.com
crl_distribution_points: crl_distribution_points:
- full_name: - crl_issuer:
- "URI:https://ca.example.com/revocations.crl"
crl_issuer:
- "URI:https://ca.example.com/" - "URI:https://ca.example.com/"
reasons: reasons:
- key_compromise - key_compromise