ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

openssl_csr: improve invalid SAN error messages (#53201)

Browse source 
* Improve invalid SAN error messages.

* Add changelog.
This commit is contained in:
Felix Fontein 2019-03-05 17:07:07 +01:00 committed by John R Barker
parent af6e4cc75b
commit 628326b879
4 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- "openssl_csr - improve error messages for invalid SANs."

9
lib/ansible/modules/crypto/openssl_csr.py
View file

@ -489,7 +489,14 @@ class CertificateSigningRequestPyOpenSSL(CertificateSigningRequestBase):
extensions = [] extensions = []
if self.subjectAltName: if self.subjectAltName:
altnames = ', '.join(self.subjectAltName) altnames = ', '.join(self.subjectAltName)
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) try:
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
except OpenSSL.crypto.Error as e:
raise CertificateSigningRequestError(
'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
)
)
if self.keyUsage: if self.keyUsage:
usages = ', '.join(self.keyUsage) usages = ', '.join(self.keyUsage)

9
test/integration/targets/openssl_csr/tasks/impl.yml
View file

@ -158,6 +158,15 @@
commonName: www.ansible.com commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with invalid SAN
openssl_csr:
path: '{{ output_dir }}/csrinvsan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_invalid_san
ignore_errors: yes
- name: Generate CSR with OCSP Must Staple - name: Generate CSR with OCSP Must Staple
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_ocsp.csr' path: '{{ output_dir }}/csr_ocsp.csr'

6
test/integration/targets/openssl_csr/tests/validate.yml
View file

@ -54,6 +54,12 @@
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name: Validate invalid SAN
assert:
that:
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: Validate OCSP Must Staple CSR (test - everything) - name: Validate OCSP Must Staple CSR (test - everything)
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text" shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
register: csr_ocsp register: csr_ocsp