cryptography backend: parse dirName, RID and otherName names (#9)

2026-05-06 13:22:58 +00:00 · 2020-06-21 22:47:48 +02:00
parent 8651a6af6c
commit cb384443e4
9 changed files with 276 additions and 79 deletions
--- a/plugins/module_utils/crypto/cryptography_support.py
+++ b/plugins/module_utils/crypto/cryptography_support.py
@@ -21,6 +21,7 @@ __metaclass__ = type

 import base64
 import binascii
+import re

 from ansible.module_utils._text import to_text

@@ -124,6 +125,66 @@ def cryptography_oid_to_name(oid, short=False):
        return NORMALIZE_NAMES.get(name, name)


+def _get_hex(bytesstr):
+    if bytesstr is None:
+        return bytesstr
+    data = binascii.hexlify(bytesstr)
+    data = to_text(b':'.join(data[i:i + 2] for i in range(0, len(data), 2)))
+    return data
+
+
+def _parse_hex(bytesstr):
+    if bytesstr is None:
+        return bytesstr
+    data = ''.join([('0' * (2 - len(p)) + p) if len(p) < 2 else p for p in to_text(bytesstr).split(':')])
+    data = binascii.unhexlify(data)
+    return data
+
+
+def _parse_dn(name):
+    '''
+    Parse a Distinguished Name.
+
+    Can be of the form ``CN=Test, O = Something`` or ``CN = Test,O= Something``.
+    '''
+    original_name = name
+    name = name.lstrip()
+    sep = ','
+    if name.startswith('/'):
+        sep = '/'
+        name = name[1:]
+    sep_str = sep + '\\'
+    result = []
+    start_re = re.compile(r'^ *([a-zA-z0-9]+) *= *')
+    while name:
+        m = start_re.match(name)
+        if not m:
+            raise OpenSSLObjectError('Error while parsing distinguished name "{0}": cannot start part in "{1}"'.format(original_name, name))
+        oid = cryptography_name_to_oid(m.group(1))
+        idx = len(m.group(0))
+        decoded_name = []
+        length = len(name)
+        while idx < length:
+            i = idx
+            while i < length and name[i] not in sep_str:
+                i += 1
+            if i > idx:
+                decoded_name.append(name[idx:i])
+                idx = i
+            while idx + 1 < length and name[idx] == '\\':
+                decoded_name.append(name[idx + 1])
+                idx += 2
+            if idx < length and name[idx] == sep:
+                break
+        result.append(x509.NameAttribute(oid, ''.join(decoded_name)))
+        name = name[idx:]
+        if name:
+            if name[0] != sep or len(name) < 2:
+                raise OpenSSLObjectError('Error while parsing distinguished name "{0}": unexpected end of string'.format(original_name))
+            name = name[1:]
+    return result
+
+
 def cryptography_get_name(name):
    '''
    Given a name string, returns a cryptography x509.Name object.
@@ -138,6 +199,18 @@ def cryptography_get_name(name):
            return x509.RFC822Name(to_text(name[6:]))
        if name.startswith('URI:'):
            return x509.UniformResourceIdentifier(to_text(name[4:]))
+        if name.startswith('RID:'):
+            m = re.match(r'^([0-9]+(?:\.[0-9]+)*)$', to_text(name[4:]))
+            if not m:
+                raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}"'.format(name))
+            return x509.RegisteredID(x509.oid.ObjectIdentifier(m.group(1)))
+        if name.startswith('otherName:'):
+            m = re.match(r'^([0-9]+(?:\.[0-9]+)*);([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2})*)$', to_text(name[10:]))
+            if not m:
+                raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}"'.format(name))
+            return x509.OtherName(x509.oid.ObjectIdentifier(m.group(1)), _parse_hex(m.group(2)))
+        if name.startswith('dirName:'):
+            return x509.DirectoryName(x509.Name(_parse_dn(to_text(name[8:]))))
    except Exception as e:
        raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}": {1}'.format(name, e))
    if ':' not in name:
@@ -145,12 +218,16 @@ def cryptography_get_name(name):
    raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))


-def _get_hex(bytesstr):
-    if bytesstr is None:
-        return bytesstr
-    data = binascii.hexlify(bytesstr)
-    data = to_text(b':'.join(data[i:i + 2] for i in range(0, len(data), 2)))
-    return data
+def _dn_escape_value(value):
+    '''
+    Escape Distinguished Name's attribute value.
+    '''
+    value = value.replace('\\', '\\\\')
+    for ch in [',', '#', '+', '<', '>', ';', '"', '=', '/']:
+        value = value.replace(ch, '\\%s' % ch)
+    if value.startswith(' '):
+        value = r'\ ' + value[1:]
+    return value


 def cryptography_decode_name(name):
@@ -167,14 +244,14 @@ def cryptography_decode_name(name):
    if isinstance(name, x509.UniformResourceIdentifier):
        return 'URI:{0}'.format(name.value)
    if isinstance(name, x509.DirectoryName):
-        # FIXME: test
-        return 'DirName:' + ''.join(['/{0}:{1}'.format(attribute.oid._name, attribute.value) for attribute in name.value])
+        return 'dirName:' + ''.join([
+            '/{0}={1}'.format(cryptography_oid_to_name(attribute.oid, short=True), _dn_escape_value(attribute.value))
+            for attribute in name.value
+        ])
    if isinstance(name, x509.RegisteredID):
-        # FIXME: test
-        return 'RegisteredID:{0}'.format(name.value)
+        return 'RID:{0}'.format(name.value.dotted_string)
    if isinstance(name, x509.OtherName):
-        # FIXME: test
-        return '{0}:{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
+        return 'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
    raise OpenSSLObjectError('Cannot decode name "{0}"'.format(name))


--- a/plugins/module_utils/crypto/pyopenssl_support.py
+++ b/plugins/module_utils/crypto/pyopenssl_support.py
@@ -23,6 +23,8 @@ import base64

 from ansible.module_utils._text import to_bytes, to_text

+from ansible_collections.community.crypto.plugins.module_utils.compat import ipaddress as compat_ipaddress
+
 try:
    import OpenSSL
 except ImportError:
@@ -48,6 +50,23 @@ def pyopenssl_normalize_name(name, short=False):
        return NORMALIZE_NAMES.get(name, name)


+def pyopenssl_normalize_name_attribute(san):
+    # apparently openssl returns 'IP address' not 'IP' as specifier when converting the subjectAltName to string
+    # although it won't accept this specifier when generating the CSR. (https://github.com/openssl/openssl/issues/4004)
+    if san.startswith('IP Address:'):
+        san = 'IP:' + san[len('IP Address:'):]
+    if san.startswith('IP:'):
+        ip = compat_ipaddress.ip_address(san[3:])
+        san = 'IP:{0}'.format(ip.compressed)
+
+    if san.startswith('Registered ID:'):
+        san = 'RID:' + san[len('Registered ID:'):]
+    # Some versions of OpenSSL apparently forgot the colon. Happens in CI with Ubuntu 16.04 and FreeBSD 11.1
+    if san.startswith('Registered ID'):
+        san = 'RID:' + san[len('Registered ID'):]
+    return san
+
+
 def pyopenssl_get_extensions_from_cert(cert):
    # While pyOpenSSL allows us to get an extension's DER value, it won't
    # give us the dotted string for an OID. So we have to do some magic to