Make Dirname (de)serialization conformant to RFC 4514 (#274)

* Adjust dirName serialization to RFC 4514. * Adjust deserialization to RFC 4514. * Add changelog fragment. * Use Unicode strings, and work around Python 2 and Python 3 differences and problems with old cryptography versions. * Work with bytes, not Unicode strings, to handle escaping of Unicode endpoints correctly.
2026-05-07 22:03:01 +00:00 · 2021-09-28 18:15:38 +02:00
parent f644db3c79
commit 838bdd711b
5 changed files with 161 additions and 44 deletions
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -590,8 +590,8 @@
      - "RID:1.2.3.4"
      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
      - "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
-      - "dirName:O = Example Net, CN = example.net"
-      - "dirName:/O=Example Com/CN=example.com"
+      - "dirName:CN = example.net, O = Example Net"
+      - "dirName:CN=example.com,O=Example Com"
    value_for_name_constraints_permitted:
      - "DNS:www.example.com"
      - "IP:1.2.3.0/24"
@@ -675,8 +675,8 @@
      - "RID:1.2.3.4"
      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
      - "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
-      - "dirName:O=Example Net,CN=example.net"
-      - "dirName:/O = Example Com/CN = example.com"
+      - "dirName:CN=example.net,O=Example Net"
+      - "dirName:CN = example.com,O = Example Com"
    value_for_name_constraints_permitted:
      - "DNS:www.example.com"
      - "IP:1.2.3.0/255.255.255.0"
@@ -761,8 +761,8 @@
      - "RID:1.2.3.4"
      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
      - "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
-      - "dirName:O  =Example Net,    CN= example.net"
-      - "dirName:/O  =Example Com/CN=  example.com"
+      - "dirName:CN= example.net,    O  =Example Net"
+      - "dirName:/CN=  example.com/O  =Example Com"
    value_for_name_constraints_permitted:
      - "DNS:www.example.com"
      - "IP:1.2.3.0/255.255.255.0"
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -258,8 +258,8 @@
            "RID:1.2.3.4",
            "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71",
            "otherName:1.3.6.1.4.1.311.20.2.3;0c:0d:62:6f:62:40:6c:6f:63:61:6c:68:6f:73:74",
-            "dirName:/O=Example Net/CN=example.net",
-            "dirName:/O=Example Com/CN=example.com"
+            "dirName:CN=example.net,O=Example Net",
+            "dirName:CN=example.com,O=Example Com"
        ]
      - everything_info.subject_key_identifier == "00:11:22:33"
      - everything_info.extended_key_usage == [
--- a/tests/unit/plugins/module_utils/crypto/test_cryptography_support.py
+++ b/tests/unit/plugins/module_utils/crypto/test_cryptography_support.py
@@ -6,6 +6,12 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type

+import re
+import sys
+
+from distutils.version import LooseVersion
+
+import cryptography
 import pytest

 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
@@ -14,11 +20,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
    cryptography_get_name,
+    _parse_dn_component,
+    _parse_dn,
 )

+from cryptography.x509 import NameAttribute, oid
+

 def test_cryptography_get_name_invalid_prefix():
-    with pytest.raises(OpenSSLObjectError, match="Cannot parse Subject Alternative Name"):
+    with pytest.raises(OpenSSLObjectError, match="^Cannot parse Subject Alternative Name"):
        cryptography_get_name('fake:value')


@@ -31,3 +41,69 @@ def test_cryptography_get_name_other_name_utfstring():
    actual = cryptography_get_name('otherName:1.3.6.1.4.1.311.20.2.3;UTF8:Hello World')
    assert actual.type_id.dotted_string == '1.3.6.1.4.1.311.20.2.3'
    assert actual.value == b'\x0c\x0bHello World'
+
+
+@pytest.mark.parametrize('name, options, expected', [
+    (b'CN=x ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'x '), b'')),
+    (b'CN=\\ ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u' '), b'')),
+    (b'CN=\\#', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'#'), b'')),
+    (b'CN=#402032', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'@ 2'), b'')),
+    (b'CN = x ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'x '), b'')),
+    (b'CN = x\\, ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'x, '), b'')),
+    (b'CN = x\\40 ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'x@ '), b'')),
+    (b'CN  =  \\  , / ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'  '), b', / ')),
+    (b'CN  =  \\  , / ', {'sep': b'/'}, (NameAttribute(oid.NameOID.COMMON_NAME, u'  , '), b'/ ')),
+    (b'CN  =  \\  , / ', {'decode_remainder': False}, (NameAttribute(oid.NameOID.COMMON_NAME, u'\\  , / '), b'')),
+    # Some examples from https://datatracker.ietf.org/doc/html/rfc4514#section-4:
+    (b'CN=James \\"Jim\\" Smith\\, III', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'James "Jim" Smith, III'), b'')),
+    (b'CN=Before\\0dAfter', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'Before\x0dAfter'), b'')),
+    (b'1.3.6.1.4.1.1466.0=#04024869', {}, (NameAttribute(oid.ObjectIdentifier(u'1.3.6.1.4.1.1466.0'), u'\x04\x02Hi'), b'')),
+    (b'CN=Lu\\C4\\8Di\\C4\\87', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u'Lučić'), b'')),
+])
+def test_parse_dn_component(name, options, expected):
+    result = _parse_dn_component(name, **options)
+    print(result, expected)
+    assert result == expected
+
+
+# Cryptography < 2.9 does not allow empty strings
+# (https://github.com/pyca/cryptography/commit/87b2749c52e688c809f1861e55d958c64147493c)
+if LooseVersion(cryptography.__version__) >= LooseVersion('2.9'):
+    @pytest.mark.parametrize('name, options, expected', [
+        (b'CN=', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u''), b'')),
+        (b'CN= ', {}, (NameAttribute(oid.NameOID.COMMON_NAME, u''), b'')),
+    ])
+    def test_parse_dn_component_not_py26(name, options, expected):
+        result = _parse_dn_component(name, **options)
+        print(result, expected)
+        assert result == expected
+
+
+@pytest.mark.parametrize('name, options, message', [
+    (b'CN=\\0', {}, u'Hex escape sequence "\\0" incomplete at end of string'),
+    (b'CN=\\0,', {}, u'Hex escape sequence "\\0," has invalid second letter'),
+    (b'CN=#0,', {}, u'Invalid hex sequence entry "0,"'),
+])
+def test_parse_dn_component_failure(name, options, message):
+    with pytest.raises(OpenSSLObjectError, match=u'^%s$' % re.escape(message)):
+        result = _parse_dn_component(name, **options)
+
+
+@pytest.mark.parametrize('name, expected', [
+    (b'CN=foo', [NameAttribute(oid.NameOID.COMMON_NAME, u'foo')]),
+    (b'CN=foo,CN=bar', [NameAttribute(oid.NameOID.COMMON_NAME, u'foo'), NameAttribute(oid.NameOID.COMMON_NAME, u'bar')]),
+    (b'CN  =  foo ,  CN  =  bar', [NameAttribute(oid.NameOID.COMMON_NAME, u'foo '), NameAttribute(oid.NameOID.COMMON_NAME, u'bar')]),
+])
+def test_parse_dn(name, expected):
+    result = _parse_dn(name)
+    print(result, expected)
+    assert result == expected
+
+
+@pytest.mark.parametrize('name, message', [
+    (b'CN=\\0', u'Error while parsing distinguished name "CN=\\0": Hex escape sequence "\\0" incomplete at end of string'),
+    (b'CN=x,', u'Error while parsing distinguished name "CN=x,": unexpected end of string'),
+])
+def test_parse_dn_failure(name, message):
+    with pytest.raises(OpenSSLObjectError, match=u'^%s$' % re.escape(message)):
+        result = _parse_dn(name)