authorFelix Fontein <felix@fontein.de>2019-03-07 16:29:35 +0100
committerToshio Kuratomi <a.badger@gmail.com>2019-03-11 11:52:43 -0700
commitc4748fd011d14dbdde83fb3a7556e5186de26635 (patch)
tree9a6dc88e5f76f9b169aebf1e5a4a566c257c1799
parent9135dbd820582a98ecc69c1bb87e0b04f0405122 (diff)
openssl_csr: improve subject validation (#53198)
* Improve subject field validation. * Add country name idempotency test. * Add failed country name test. * Add changelog. (cherry picked from commit b2e992cecd93fbedc260d86fcb25bc39191e0b5b)
-rw-r--r--changelogs/fragments/53198-openssl_csr-subject-validation.yml2
-rw-r--r--lib/ansible/modules/crypto/openssl_csr.py6
-rw-r--r--test/integration/targets/openssl_csr/tasks/main.yml31
-rw-r--r--test/integration/targets/openssl_csr/tests/validate.yml8
4 files changed, 46 insertions, 1 deletions
diff --git a/changelogs/fragments/53198-openssl_csr-subject-validation.yml b/changelogs/fragments/53198-openssl_csr-subject-validation.yml
new file mode 100644
index 0000000000..b5f92e7517
--- /dev/null
+++ b/changelogs/fragments/53198-openssl_csr-subject-validation.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - improve ``subject`` validation."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index f354ea43be..5223851f08 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -374,7 +374,11 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
if entry[1] is not None:
# Workaround for https://github.com/pyca/pyopenssl/issues/165
nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
- OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+ if nid == 0:
+ raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0]))
+ res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+ if res == 0:
+ raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1]))
extensions = []
if self.subjectAltName:
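Review bot: The new `res = ...X509_NAME_add_entry_by_NID(...)` call still passes `-1` as the value length, so OpenSSL measures `to_bytes(entry[1])` with strlen and a subject value containing an embedded NUL byte would be silently truncated at that byte instead of tripping the new `res == 0` check. Validating the encoded value before the call closes that gap: `value = to_bytes(entry[1])`, then `if b'\x00' in value: raise CertificateSigningRequestError('Subject field "{0}" must not contain NUL bytes'.format(entry[0]))`, and pass `value` (with `len(value)` in place of `-1`) to the add call. The `nid == 0` guard is correct as written, since OBJ_txt2nid returns NID_undef (0) for an unknown name. The enclosing method begins and ends outside this hunk.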
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index 23197b1e3e..fcbf03b22c 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@@ -156,6 +156,37 @@
ocsp_must_staple: true
register: csr_ocsp_idempotency
+ - name: Generate CSR with country name
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ country_name: de
+ register: country_idempotent_1
+
+ - name: Generate CSR with country name (idempotent)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ country_name: de
+ register: country_idempotent_2
+
+ - name: Generate CSR with country name (idempotent 2)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ subject:
+ C: de
+ register: country_idempotent_3
+
+ - name: Generate CSR with country name (bad country name)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ subject:
+ C: dex
+ register: country_fail_4
+ ignore_errors: yes
+
- import_tasks: ../tests/validate.yml
when: pyopenssl_version.stdout is version('0.15', '>=')
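Review bot: Only the invalid-value branch of the new module check is exercised here (`C: dex` on the "bad country name" task); the new `nid == 0` path for an unknown subject field identifier has no test. A sibling task with an unrecognised key, e.g. `subject:` / `XYZ: foo` registered as `country_fail_5` with `ignore_errors: yes`, would cover it, with a matching `is failed` assertion in validate.yml. The surrounding block list starts and ends outside this hunk.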
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index 89074d2b8d..e7d379f23e 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -73,3 +73,11 @@
assert:
that:
- csr_ocsp_idempotency is not changed
+
+- name: Validate country name idempotency and validation
+ assert:
+ that:
+ - country_idempotent_1 is changed
+ - country_idempotent_2 is not changed
+ - country_idempotent_3 is not changed
+ - country_fail_4 is failed
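Review bot: `country_fail_4 is failed` accepts any failure, including one unrelated to subject validation (a missing private key would also satisfy it), so the assertion does not actually pin the new check. Assuming the module surfaces the exception text via `msg`, add `- "'Invalid value for subject field identifier' in country_fail_4.msg"` alongside the existing line so a regression in the validation message is caught.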