openssl_csr: allow to specify CRL distribution endpoints (#167)

* Improve error messages for name decoding (not all names appear in SANs). * Refactor DN parsing, add relative DN parsing code. * Allow to specify CRL distribution points. * Add changelog fragment. * Fix typo. * Make sure value argument to x509.NameAttribute is a text. * Update changelogs/fragments/167-openssl_csr-crl-distribution-points.yml Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Add example. Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2026-05-08 14:22:56 +00:00 · 2021-01-26 09:57:40 +01:00
parent a7c06b2ec4
commit d8ccebce60
8 changed files with 306 additions and 43 deletions
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -902,3 +902,96 @@
          ignore_errors: yes

  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
+
+- name: "({{ select_crypto_backend }}) CRL distribution endpoints (for cryptography >= 1.6)"
+  block:
+    - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
+      openssl_csr:
+        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          commonName: www.ansible.com
+        crl_distribution_points:
+          - full_name:
+              - "URI:https://ca.example.com/revocations.crl"
+            crl_issuer:
+              - "URI:https://ca.example.com/"
+            reasons:
+              - key_compromise
+              - ca_compromise
+              - cessation_of_operation
+          - relative_name:
+              - CN=ca.example.com
+            reasons:
+              - certificate_hold
+          - {}
+        select_crypto_backend: '{{ select_crypto_backend }}'
+      register: crl_distribution_endpoints_1
+
+    - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (idempotence)"
+      openssl_csr:
+        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          commonName: www.ansible.com
+        crl_distribution_points:
+          - full_name:
+              - "URI:https://ca.example.com/revocations.crl"
+            crl_issuer:
+              - "URI:https://ca.example.com/"
+            reasons:
+              - key_compromise
+              - ca_compromise
+              - cessation_of_operation
+          - relative_name:
+              - CN=ca.example.com
+            reasons:
+              - certificate_hold
+          - {}
+        select_crypto_backend: '{{ select_crypto_backend }}'
+      register: crl_distribution_endpoints_2
+
+    - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (change)"
+      openssl_csr:
+        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          commonName: www.ansible.com
+        crl_distribution_points:
+          - full_name:
+              - "URI:https://ca.example.com/revocations.crl"
+            crl_issuer:
+              - "URI:https://ca.example.com/"
+            reasons:
+              - key_compromise
+              - ca_compromise
+              - cessation_of_operation
+          - relative_name:
+              - CN=ca.example.com
+            reasons:
+              - certificate_hold
+        select_crypto_backend: '{{ select_crypto_backend }}'
+      register: crl_distribution_endpoints_3
+
+    - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (no endpoints)"
+      openssl_csr:
+        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          commonName: www.ansible.com
+        select_crypto_backend: '{{ select_crypto_backend }}'
+      register: crl_distribution_endpoints_4
+
+    - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
+      openssl_csr:
+        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          commonName: www.ansible.com
+        crl_distribution_points:
+          - full_name:
+              - "URI:https://ca.example.com/revocations.crl"
+        select_crypto_backend: '{{ select_crypto_backend }}'
+      register: crl_distribution_endpoints_5
+
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.6', '>=')
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -334,3 +334,13 @@
      - generate_csr_ed25519_ed448_idempotent.results[0] is not changed
      - generate_csr_ed25519_ed448_idempotent.results[1] is not changed
  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed
+
+- name: "({{ select_crypto_backend }}) Verify CRL distribution endpoints (for cryptography >= 1.6)"
+  assert:
+    that:
+      - crl_distribution_endpoints_1 is changed
+      - crl_distribution_endpoints_2 is not changed
+      - crl_distribution_endpoints_3 is changed
+      - crl_distribution_endpoints_4 is changed
+      - crl_distribution_endpoints_5 is changed
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.6', '>=')