Fix crash in x509_crl when certificate issuer is specified (#441) (#442)

* Fix x509_crl certificate issuer issue. * Add tests. * Add changelog fragment. (cherry picked from commit 9d03178b00)
2026-05-06 21:33:00 +00:00 · 2022-04-18 10:19:27 +02:00
parent 03df636e5e
commit 096262b6f1
4 changed files with 33 additions and 3 deletions
--- a/changelogs/fragments/441-x509-crl-cert-issuer.yml
+++ b/changelogs/fragments/441-x509-crl-cert-issuer.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "x509_crl - fix crash when ``issuer`` for a revoked certificate is specified (https://github.com/ansible-collections/community.crypto/pull/441)."
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -664,9 +664,7 @@ class CRL(OpenSSLObject):
            revoked_cert = revoked_cert.revocation_date(entry['revocation_date'])
            if entry['issuer'] is not None:
                revoked_cert = revoked_cert.add_extension(
-                    x509.CertificateIssuer([
-                        cryptography_get_name(name, 'issuer') for name in entry['issuer']
-                    ]),
+                    x509.CertificateIssuer(entry['issuer']),
                    entry['issuer_critical']
                )
            if entry['reason'] is not None:
--- a/tests/integration/targets/x509_crl/tasks/impl.yml
+++ b/tests/integration/targets/x509_crl/tasks/impl.yml
@@ -456,3 +456,25 @@
    path: '{{ remote_tmp_dir }}/ca-crl2.crl'
    list_revoked_certificates: false
  register: crl_2_info_1
+
+- name: Create CRL 3
+  x509_crl:
+    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+    privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+    issuer:
+      CN: Ansible
+    last_update: +0d
+    next_update: +0d
+    revoked_certificates:
+      - serial_number: 1234
+        revocation_date: 20191001000000Z
+        issuer:
+          - "DNS:ca.example.org"
+        issuer_critical: true
+  register: crl_3
+
+- name: Retrieve CRL 3 infos
+  x509_crl_info:
+    path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+    list_revoked_certificates: true
+  register: crl_3_info
--- a/tests/integration/targets/x509_crl/tests/validate.yml
+++ b/tests/integration/targets/x509_crl/tests/validate.yml
@@ -90,3 +90,11 @@
  assert:
    that:
      - "'revoked_certificates' not in crl_2_info_1"
+
+- name: Validate CRL 3 info
+  assert:
+    that:
+      - crl_3.revoked_certificates == crl_3_info.revoked_certificates
+      - crl_3.revoked_certificates[0].issuer == [
+          "DNS:ca.example.org",
+        ]