openssl_csr: catch errors on bad SANs (#106)

* Catch errors on bad SANs. * Add changelog fragment. * Adjust cryptography version and error message.
2026-05-08 06:13:03 +00:00 · 2020-09-08 06:24:30 +02:00
parent ccc9e4dab2
commit a2f36f426a
4 changed files with 40 additions and 2 deletions
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -162,7 +162,7 @@
    commonName: www.ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'

- name: Generate CSR with invalid SAN
+- name: Generate CSR with invalid SAN (1/2)
  openssl_csr:
    path: '{{ output_dir }}/csrinvsan.csr'
    privatekey_path: '{{ output_dir }}/privatekey.pem'
@@ -171,6 +171,15 @@
  register: generate_csr_invalid_san
  ignore_errors: yes

+- name: Generate CSR with invalid SAN (2/2)
+  openssl_csr:
+    path: '{{ output_dir }}/csrinvsan2.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject_alt_name: "DNS:system:kube-controller-manager"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: generate_csr_invalid_san_2
+  ignore_errors: yes
+
 - name: Generate CSR with OCSP Must Staple
  openssl_csr:
    path: '{{ output_dir }}/csr_ocsp.csr'
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -62,12 +62,21 @@
      - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_oldapi_modulus.stdout == privatekey_modulus.stdout

- name: Validate invalid SAN
+- name: Validate invalid SAN (1/2)
  assert:
    that:
      - generate_csr_invalid_san is failed
      - "'Subject Alternative Name' in generate_csr_invalid_san.msg"

+- name: Validate invalid SAN (2/2)
+  # Note that pyOpenSSL simply accepts this name, and modern cryptography versions do so as well.
+  # The error has been observed with cryptography 1.7.2 and 1.9, but not with 2.3 and newer.
+  assert:
+    that:
+      - generate_csr_invalid_san_2 is failed
+      - "'The label system:kube-controller-manager is not a valid A-label' in generate_csr_invalid_san_2.msg"
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
+
 - name: Validate OCSP Must Staple CSR (test - everything)
  shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
  register: csr_ocsp