Regenerate certificate on CA's subject change. (#402)

This commit is contained in:
Felix Fontein
2022-02-14 18:04:29 +01:00
committed by GitHub
parent 11a14543c8
commit 3ebc132c03
4 changed files with 68 additions and 4 deletions


@@ -173,6 +173,12 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
if super(OwnCACertificateBackendCryptography, self).needs_regeneration(not_before=self.notBefore, not_after=self.notAfter):
return True
self._ensure_existing_certificate_loaded()
# Check subject
if self.ca_cert.subject != self.existing_certificate.issuer:
return True
# Check AuthorityKeyIdentifier
if self.create_authority_key_identifier:
try:
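Review bot: The new subject check compares `self.ca_cert.subject` with `self.existing_certificate.issuer` using `!=` on `x509.Name`, which is an exact, order-sensitive RDN comparison, so the comment `# Check subject` understates what is being decided; I would write it as `# The existing certificate's issuer must exactly match the CA's current subject (RDN order included); any difference forces regeneration.` so a maintainer does not assume a looser, attribute-set match. It looks like the same `_ensure_existing_certificate_loaded()` call was moved up here from the AuthorityKeyIdentifier branch (second hunk), which is fine, but a one-line comment such as `# Loaded once here: both the subject and the AKI checks below read existing_certificate` would make that ordering dependency explicit. The hunk header announces twelve lines on the new side while fewer are rendered, so some added lines may be hidden in this view. The enclosing `needs_regeneration` method starts before this hunk.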
@@ -185,7 +191,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
except cryptography.x509.ExtensionNotFound:
expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())
self._ensure_existing_certificate_loaded()
try:
ext = self.existing_certificate.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
if ext.value != expected_ext: