openssl: remove static dict for keyUsage (#30339)

keyUsage and extendedKeyUsage are currently statically limited via a
static dict defined in modules_utils/crypto.py. If one specify a value
that isn't in there, idempotency won't work.

Instead of having a static dict, we use the OpenSSL NIDs of the keyUsage and
extendedKeyUsage values and compare those rather than comparing strings.

Fixes: https://github.com/ansible/ansible/issues/30316
This commit is contained in:
Yanis Guenane
2017-09-14 18:03:00 +02:00
committed by Sam Doran
parent 1950bcc14e
commit 0648e339a7
6 changed files with 63 additions and 40 deletions


@@ -227,9 +227,10 @@ import os
from ansible.module_utils import crypto as crypto_utils
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_native
from ansible.module_utils._text import to_native, to_bytes
try:
import OpenSSL
from OpenSSL import crypto
except ImportError:
pyopenssl_found = False
@@ -348,22 +349,22 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
return True
def _check_keyUsage_(extensions, extName, expected, critical, long):
def _check_keyUsage_(extensions, extName, expected, critical):
usages_ext = [ext for ext in extensions if ext.get_short_name() == extName]
if (not usages_ext and expected) or (usages_ext and not expected):
return False
elif not usages_ext and not expected:
return True
else:
current = [usage.strip() for usage in str(usages_ext[0]).split(',')]
expected = [long[usage] if usage in long else usage for usage in expected]
current = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage.strip())) for usage in str(usages_ext[0]).split(',')]
expected = [OpenSSL._util.lib.OBJ_txt2nid(to_bytes(usage)) for usage in expected]
return set(current) == set(expected) and usages_ext[0].get_critical() == critical
def _check_keyUsage(extensions):
return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical, crypto_utils.keyUsageLong)
return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical)
def _check_extenededKeyUsage(extensions):
return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical, crypto_utils.extendedKeyUsageLong)
return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
def _check_extensions(csr):
extensions = csr.get_extensions()