[PR #331/3f40795a backport][stable-1] Extension parsing: add new fallback code which uses the new cryptography API (#345)

* Extension parsing: add new fallback code which uses the new cryptography API (#331) * Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API. * Forgot Base64 encoding. * Add extension by OID tests. * There's one value which is different with the new code. * Differences in CI. * Working around older Jinjas. * Value depends on which SAN was included. * Force complete CI run now since cryptography 36.0.0 is out. ci_complete (cherry picked from commit 3f40795a98) * Adjust tests. Co-authored-by: Felix Fontein <felix@fontein.de>
2026-05-08 14:22:56 +00:00 · 2021-11-22 08:54:08 +01:00
parent cb08f56066
commit 3e6815d73f
4 changed files with 167 additions and 72 deletions
--- a/tests/integration/targets/openssl_csr_info/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr_info/tasks/impl.yml
@@ -8,7 +8,7 @@
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result

- name: "({{ select_crypto_backend }}) Check whether subject behaves as expected"
+- name: "({{ select_crypto_backend }}) Check whether subject and extensions behaves as expected"
  assert:
    that:
      - result.subject.organizationalUnitName == 'ACME Department'
@@ -16,6 +16,21 @@
      - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
      - result.public_key_type == 'RSA'
      - result.public_key_data.size == default_rsa_key_size
+      # TLS Feature
+      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].critical == false
+      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].value == 'MAMCAQU='
+      # Key Usage
+      - result.extensions_by_oid['2.5.29.15'].critical == true
+      - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
+      # Subject Alternative Names
+      - result.extensions_by_oid['2.5.29.17'].critical == false
+      - result.extensions_by_oid['2.5.29.17'].value == 'MGCCD3d3dy5hbnNpYmxlLmNvbYcEAQIDBIcQAAAAAAAAAAAAAAAAAAAAAYEQdGVzdEBleGFtcGxlLm9yZ4YjaHR0cHM6Ly9leGFtcGxlLm9yZy90ZXN0L2luZGV4Lmh0bWw='
+      # Basic Constraints
+      - result.extensions_by_oid['2.5.29.19'].critical == true
+      - result.extensions_by_oid['2.5.29.19'].value == 'MAYBAf8CARc='
+      # Extended Key Usage
+      - result.extensions_by_oid['2.5.29.37'].critical == false
+      - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='

 - name: "({{ select_crypto_backend }}) Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
  assert:
@@ -24,6 +39,10 @@
      - result.authority_key_identifier == "44:55:66:77"
      - result.authority_cert_issuer == expected_authority_cert_issuer
      - result.authority_cert_serial_number == 12345
+      # Subject Key Identifier
+      - result.extensions_by_oid['2.5.29.14'].critical == false
+      # Authority Key Identifier
+      - result.extensions_by_oid['2.5.29.35'].critical == false
  vars:
    expected_authority_cert_issuer:
      - "DNS:ca.example.org"