openssl_csr*: fix crash for key_usage idempotency check (#935)

* Fix crash for key_usage idempotency check.

* Add test.
This commit is contained in:
Felix Fontein
2025-07-17 19:37:46 +02:00
committed by GitHub
parent e294890a5e
commit 55ae448036
4 changed files with 27 additions and 1 deletions


@@ -0,0 +1,3 @@
bugfixes:
- "openssl_csr and openssl_csr_pipe - the idempotency check for ``key_usage`` resulted in a crash if ``Key Agreement``/``keyAgreement`` was not set
(https://github.com/ansible-collections/community.crypto/issues/934, https://github.com/ansible-collections/community.crypto/pull/935)."


@@ -546,7 +546,14 @@ class CertificateSigningRequestBackend:
return False return False
params = cryptography_parse_key_usage_params(self.key_usage) params = cryptography_parse_key_usage_params(self.key_usage)
for param, value in params.items(): for param, value in params.items():
if getattr(current_keyusage_ext.value, param) != value: try:
# param in ('encipher_only', 'decipher_only') can result in ValueError()
# being raised if key_agreement == False.
current_value = getattr(current_keyusage_ext.value, param)
except ValueError:
# In that case, assume that the value is False.
current_value = False
if current_value != value:
return False return False
return current_keyusage_ext.critical == self.key_usage_critical return current_keyusage_ext.critical == self.key_usage_critical
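Review bot: The new `except ValueError` around `getattr(current_keyusage_ext.value, param)` applies to every key-usage attribute, not only the `encipher_only`/`decipher_only` case the comment describes, so an unrelated ValueError raised while reading the existing extension would be silently read as False and the idempotency check could report the CSR as unchanged instead of surfacing the error. Keeping the fallback limited to the documented case makes the fix targeted: in the except branch add `if param not in ('encipher_only', 'decipher_only'): raise` before `current_value = False`. Alternatively, checking `current_keyusage_ext.value.key_agreement` up front and only then reading those two attributes avoids relying on the exception at all. The enclosing method begins before this hunk.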


@@ -165,6 +165,21 @@
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ku_xku_change_2 register: csr_ku_xku_change_2
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (idempotency 2)"
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: 'www.ansible.com'
keyUsage:
- digitalSignature
extendedKeyUsage:
- ipsecUser
- qcStatements
- Biometric Info
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_ku_xku_change_2_idempotency
- name: "({{ select_crypto_backend }}) Generate CSR with old API" - name: "({{ select_crypto_backend }}) Generate CSR with old API"
community.crypto.openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_oldapi.csr' path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
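Review bot: The new `csr_ku_xku_change_2_idempotency` task only covers a CSR whose keyUsage lacks keyAgreement, which is the crash case from the issue; no task sets keyAgreement together with an encipher-only or decipher-only usage, so the branch where the attribute is readable and compared against the requested value is not exercised by an idempotency rerun. A second task pair with keyAgreement plus one of those usages and a matching `is not changed` assertion would pin both paths. The task appears to repeat the parameters of `csr_ku_xku_change_2`, whose body lies before this hunk, so the two parameter blocks need to stay in sync for the assertion to mean what it says.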


@@ -56,6 +56,7 @@
- csr_ku_xku is not changed - csr_ku_xku is not changed
- csr_ku_xku_change is changed - csr_ku_xku_change is changed
- csr_ku_xku_change_2 is changed - csr_ku_xku_change_2 is changed
- csr_ku_xku_change_2_idempotency is not changed
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)" - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq" ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"