openssl_csr: add support for name constraints extension (#92)

* Add support for name constraints extension to openssl_csr.

* Linting.

* Add tests.

* Fix IP address general name handling.
This commit is contained in:
Felix Fontein
2020-08-18 12:23:37 +02:00
committed by GitHub
parent d03e723fe0
commit 84342fce4e
8 changed files with 242 additions and 9 deletions


@@ -556,6 +556,11 @@
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_excluded:
- "DNS:.example.com"
- "DNS:.org"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
@@ -611,6 +616,13 @@
- "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
- "dirName:O = Example Net, CN = example.net"
- "dirName:/O=Example Com/CN=example.com"
value_for_name_constraints_permitted:
- "DNS:www.example.com"
- "IP:1.2.3.0/24"
- "IP:::1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_1
- name: Generate CSR with everything (idempotent, check mode)
@@ -652,6 +664,11 @@
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
@@ -707,6 +724,13 @@
- "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
- "dirName:O=Example Net,CN=example.net"
- "dirName:/O = Example Com/CN = example.com"
value_for_name_constraints_permitted:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
check_mode: yes
register: everything_2
@@ -749,6 +773,11 @@
- "CA:TRUE"
- "pathlen:23"
basic_constraints_critical: yes
name_constraints_permitted: '{{ value_for_name_constraints_permitted if select_crypto_backend != "pyopenssl" else value_for_name_constraints_permitted_pyopenssl }}'
name_constraints_excluded:
- "DNS:.org"
- "DNS:.example.com"
name_constraints_critical: yes
ocsp_must_staple: yes
subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
@@ -804,6 +833,13 @@
- "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:bob@localhost"
- "dirName:O =Example Net, CN= example.net"
- "dirName:/O =Example Com/CN= example.com"
value_for_name_constraints_permitted:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
- "IP:0::0:1:0:0/112"
value_for_name_constraints_permitted_pyopenssl:
- "DNS:www.example.com"
- "IP:1.2.3.0/255.255.255.0"
register: everything_3
- name: Get info from CSR with everything
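Review bot: The pyOpenSSL variant of `value_for_name_constraints_permitted` (hunk at `@@ -611`) carries only the DNS and IPv4 entries, so IPv6 name constraints are never exercised against that backend; if pyOpenSSL cannot express them, a comment on that variable saying so would help, otherwise an entry such as `- "IP:::1:0:0/112"` next to the IPv4 one would close the gap. The later runs alternate between the `/24` and `/255.255.255.0` spellings of the same IPv4 network and between `::1:0:0` and `0::0:1:0:0`, which presumably is deliberate so the idempotency checks prove the module normalises equivalent forms; a one-line comment like `# same networks, different spelling: must be idempotent` on each later variant would make that intent explicit. The enclosing `openssl_csr` task blocks start before each hunk.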


@@ -200,7 +200,7 @@
"Key Agreement",
"Key Encipherment",
"Non Repudiation"
],
]
- everything_info.key_usage_critical == true
- everything_info.ocsp_must_staple == true
- everything_info.ocsp_must_staple_critical == false
@@ -223,6 +223,11 @@
- everything_info.subject.userId == "asdf"
- everything_info.subject | length == 16
- everything_info.subject_alt_name_critical == false
- everything_info.name_constraints_excluded == [
"DNS:.example.com",
"DNS:.org",
]
- everything_info.name_constraints_critical == true
- name: Check CSR with everything (pyOpenSSL specific)
assert:
@@ -249,6 +254,10 @@
"dvcs",
"qcStatements",
]
- everything_info.name_constraints_permitted == [
"DNS:www.example.com",
"IP:1.2.3.0/24",
]
when: select_crypto_backend == 'pyopenssl'
- name: Check CSR with everything (non-pyOpenSSL specific)
@@ -288,6 +297,11 @@
"dvcs",
"qcStatements",
]
- everything_info.name_constraints_permitted == [
"DNS:www.example.com",
"IP:1.2.3.0/24",
"IP:::1:0:0/112",
]
when: select_crypto_backend != 'pyopenssl'
- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
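Review bot: The new assertions only cover the positive case — `name_constraints_permitted`, `name_constraints_excluded` and `name_constraints_critical` on a CSR that sets all three — and none of the hunks pins what the info module reports for a CSR that carries no name constraints extension at all (absent keys, `None`, or empty lists); if an earlier task in this file already covers that it can be ignored, otherwise an assertion on a constraint-free CSR would fix that contract before callers start relying on it. The `],` → `]` change at `@@ -200` is an unrelated cleanup of the key-usage list; a word in the commit description would make it easier to find later. Each assert task continues outside its hunk.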