cryptography backend: parse dirName, RID and otherName names (#9)

2026-05-06 13:22:58 +00:00 · 2020-06-21 22:47:48 +02:00
parent 8651a6af6c
commit cb384443e4
9 changed files with 276 additions and 79 deletions
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -563,12 +563,7 @@
      - DVCS
      - IPSec User
      - biometricInfo
-    subject_alt_name:
-      - "DNS:www.ansible.com"
-      - "IP:1.2.3.4"
-      - "IP:::1"
-      - "email:test@example.org"
-      - "URI:https://example.org/test/index.html"
+    subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:23"
@@ -583,6 +578,23 @@
    value_for_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"
+    value_for_san_pyopenssl:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+    value_for_san:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
+      - "dirName:O = Example Net, CN = example.net"
+      - "dirName:/O=Example Com/CN=example.com"
  register: everything_1

 - name: Generate CSR with everything (idempotent, check mode)
@@ -631,12 +643,7 @@
      - DVCS
      - IPSec User
      - biometricInfo
-    subject_alt_name:
-      - "DNS:www.ansible.com"
-      - "IP:1.2.3.4"
-      - "IP:::1"
-      - "email:test@example.org"
-      - "URI:https://example.org/test/index.html"
+    subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:23"
@@ -651,6 +658,23 @@
    value_for_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"
+    value_for_san_pyopenssl:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+    value_for_san:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
+      - "dirName:O=Example Net,CN=example.net"
+      - "dirName:/O = Example Com/CN = example.com"
  check_mode: yes
  register: everything_2

@@ -700,12 +724,7 @@
      - DVCS
      - IPSec User
      - biometricInfo
-    subject_alt_name:
-      - "DNS:www.ansible.com"
-      - "IP:1.2.3.4"
-      - "IP:::1"
-      - "email:test@example.org"
-      - "URI:https://example.org/test/index.html"
+    subject_alt_name: '{{ value_for_san if select_crypto_backend != "pyopenssl" else value_for_san_pyopenssl }}'
    basic_constraints:
      - "CA:TRUE"
      - "pathlen:23"
@@ -720,8 +739,31 @@
    value_for_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"
+    value_for_san_pyopenssl:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+    value_for_san:
+      - "DNS:www.ansible.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+      - "RID:1.2.3.4"
+      - "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71"
+      - "dirName:O  =Example Net,    CN= example.net"
+      - "dirName:/O  =Example Com/CN=  example.com"
  register: everything_3

+- name: Get info from CSR with everything
+  community.crypto.openssl_csr_info:
+    path: '{{ output_dir }}/csr_everything.csr'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: everything_info
+
 - name: Ed25519 and Ed448 tests (for cryptography >= 2.6)
  block:
    - name: Generate privatekeys
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -184,6 +184,95 @@
      - everything_1 is changed
      - everything_2 is not changed
      - everything_3 is not changed
+      - everything_info.basic_constraints == [
+          "CA:TRUE",
+          "pathlen:23",
+        ]
+      - everything_info.basic_constraints_critical == true
+      - everything_info.extended_key_usage == [
+            "Any Extended Key Usage",
+            "Biometric Info",
+            "Code Signing",
+            "E-mail Protection",
+            "IPSec User",
+            "OCSP Signing",
+            "TLS Web Client Authentication",
+            "TLS Web Server Authentication",
+            "TLS Web Server Authentication",
+            "Time Stamping",
+            "dvcs",
+            "qcStatements",
+        ]
+      - everything_info.extended_key_usage_critical == false
+      - everything_info.key_usage == [
+            "CRL Sign",
+            "Certificate Sign",
+            "Data Encipherment",
+            "Decipher Only",
+            "Digital Signature",
+            "Encipher Only",
+            "Key Agreement",
+            "Key Encipherment",
+            "Non Repudiation"
+        ],
+      - everything_info.key_usage_critical == true
+      - everything_info.ocsp_must_staple == true
+      - everything_info.ocsp_must_staple_critical == false
+      - everything_info.signature_valid == true
+      - everything_info.subject.commonName == "www.example.com"
+      - everything_info.subject.countryName == "de"
+      - everything_info.subject.emailAddress == "test@example.com"
+      - everything_info.subject.givenName == "First Name"
+      - everything_info.subject.localityName == "Somewhere"
+      - everything_info.subject.organizationName == "Ansible"
+      - everything_info.subject.organizationalUnitName == "Crypto Department"
+      - everything_info.subject.postalAddress == "1234 Somewhere"
+      - everything_info.subject.postalCode == "1234"
+      - everything_info.subject.pseudonym == "test"
+      - everything_info.subject.serialNumber == "1234"
+      - everything_info.subject.stateOrProvinceName == "Zurich"
+      - everything_info.subject.streetAddress == "Welcome Street"
+      - everything_info.subject.surname == "Last Name"
+      - everything_info.subject.title == "Chief"
+      - everything_info.subject.userId == "asdf"
+      - everything_info.subject | length == 16
+      - everything_info.subject_alt_name_critical == false
+
+- name: Check CSR with everything (pyOpenSSL specific)
+  assert:
+    that:
+      - everything_info.subject_alt_name == [
+            "DNS:www.ansible.com",
+            "IP:1.2.3.4",
+            "IP:::1",
+            "email:test@example.org",
+            "URI:https://example.org/test/index.html",
+            "RID:1.2.3.4",
+        ]
+  when: select_crypto_backend == 'pyopenssl'
+
+- name: Check CSR with everything (non-pyOpenSSL specific)
+  assert:
+    that:
+      - everything_info.authority_cert_issuer == [
+            "DNS:ca.example.org",
+            "IP:1.2.3.4"
+        ]
+      - everything_info.authority_cert_serial_number == 12345
+      - everything_info.authority_key_identifier == "44:55:66:77"
+      - everything_info.subject_alt_name == [
+            "DNS:www.ansible.com",
+            "IP:1.2.3.4",
+            "IP:::1",
+            "email:test@example.org",
+            "URI:https://example.org/test/index.html",
+            "RID:1.2.3.4",
+            "otherName:1.2.3.4;0c:07:63:65:72:74:72:65:71",
+            "dirName:/O=Example Net/CN=example.net",
+            "dirName:/O=Example Com/CN=example.com"
+        ]
+      - everything_info.subject_key_identifier == "00:11:22:33"
+  when: select_crypto_backend != 'pyopenssl'

 - name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
  assert: