From 8510db4935a27fd190614a2cb7d41628a0f24def Mon Sep 17 00:00:00 2001
From: Matt Martz
Date: Thu, 7 Oct 2021 14:04:48 -0500
Subject: Allow ca_path to point to a bundle (#75894)

* Allow ca_path to point to a bundle. Fixes #75015
---
 lib/ansible/module_utils/urls.py | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
(limited to 'lib/ansible/module_utils/urls.py')
diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
index 5ba945931d..c6b194d680 100644
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@@ -475,6 +475,11 @@ zKPZsZ2miVGclicJHzm5q080b1p/sZtuKIEZk6vZqEg=
 -----END CERTIFICATE-----
 """
 
+b_PEM_CERT_RE = re.compile(
+    br'^-----BEGIN CERTIFICATE-----\n.+?-----END CERTIFICATE-----$',
+    flags=re.M | re.S
+)
+
 #
 # Exceptions
 #
@@ -745,6 +750,11 @@ def generic_urlparse(parts):
     return generic_parts
 
 
+def extract_pem_certs(b_data):
+    for match in b_PEM_CERT_RE.finditer(b_data):
+        yield match.group(0)
+
+
 class RequestWithMethod(urllib_request.Request):
     '''
     Workaround for using DELETE/PUT/etc with urllib2
@@ -918,11 +928,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                 paths_checked = [self.ca_path]
                 with open(to_bytes(self.ca_path, errors='surrogate_or_strict'), 'rb') as f:
                     if HAS_SSLCONTEXT:
-                        cadata.extend(
-                            ssl.PEM_cert_to_DER_cert(
-                                to_native(f.read(), errors='surrogate_or_strict')
+                        for b_pem in extract_pem_certs(f.read()):
+                            cadata.extend(
+                                ssl.PEM_cert_to_DER_cert(
+                                    to_native(b_pem, errors='surrogate_or_strict')
+                                )
                             )
-                        )
                 return self.ca_path, cadata, paths_checked
 
             if not HAS_SSLCONTEXT:
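Review bot: The pattern bound to b_PEM_CERT_RE only matches when a bare `\n` directly follows the BEGIN line and the END line closes the match with nothing after it, so a ca_path file saved with CRLF line endings produces no matches at all. Before this commit such a single-certificate file appears to have been accepted, because ssl.PEM_cert_to_DER_cert strips the string before checking its footer, so this is a small regression for operators who export bundles from Windows tooling. Tolerating the carriage return keeps the splitter behaviour and removes the regression: `br'^-----BEGIN CERTIFICATE-----\r?\n.+?-----END CERTIFICATE-----\r?$'`. It is also worth recording in a comment that the regex is a splitter, not a validator, e.g. `# Splits a PEM bundle into its CERTIFICATE blocks; decoding and validation happen in ssl.PEM_cert_to_DER_cert`.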
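Review bot: extract_pem_certs has no docstring, although its contract is what both call sites in this commit now rely on: bytes in, one bytes object per CERTIFICATE block out, anything between blocks dropped, and nothing yielded for input that contains no matching block. Suggest `"""Yield each PEM '-----BEGIN CERTIFICATE-----' ... '-----END CERTIFICATE-----' block found in the bytes *b_data*, in file order; content outside those blocks is skipped and input with no block yields nothing."""`. Because it is a generator and the regex match is the only check, a caller that requires at least one certificate has to test for that itself.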
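Review bot: With the direct conversion replaced by the loop over extract_pem_certs, a ca_path whose content holds no `-----BEGIN CERTIFICATE-----` block (a DER-encoded file, or a PEM the regex does not match) no longer raises ValueError from ssl.PEM_cert_to_DER_cert; the loop body never runs and the method returns with cadata unchanged, so the misconfiguration surfaces later, if at all, and far from its cause. This branch handles the operator-supplied ca_path rather than the scanned system directories, so it should fail explicitly when nothing was extracted, e.g. track whether the loop yielded anything and raise a ValueError naming self.ca_path after it. The enclosing method and the initialisation of cadata start outside the hunk, so I cannot tell whether `if not cadata:` alone would be a sufficient test. The hunk at `@@ -981,11 +992,12 @@` has the same shape, but there the loop sits inside `except Exception: continue`, so skipping unreadable files is deliberate and the point does not apply.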
@@ -981,11 +992,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                         b_cert = cert_file.read()
                     if HAS_SSLCONTEXT:
                         try:
-                            cadata.extend(
-                                ssl.PEM_cert_to_DER_cert(
-                                    to_native(b_cert, errors='surrogate_or_strict')
+                            for b_pem in extract_pem_certs(b_cert):
+                                cadata.extend(
+                                    ssl.PEM_cert_to_DER_cert(
+                                        to_native(b_pem, errors='surrogate_or_strict')
+                                    )
                                 )
-                            )
                         except Exception:
                             continue
                     else:
--
cgit v1.2.1