openssl: remove static dict for keyUsage (#30339)

keyUsage and extendedKeyUsage are currently statically limited via a static dict defined in modules_utils/crypto.py. If one specify a value that isn't in there, idempotency won't work. Instead of having static dict, we uses keyUsage and extendedKyeUsage values OpenSSL NID and compare those rather than comparing strings. Fixes: https://github.com/ansible/ansible/issues/30316
2025-10-10 18:34:03 -07:00 · 2017-09-14 18:03:00 +02:00 · 2017-09-14 18:03:00 +02:00 · 0648e339a7
commit 0648e339a7
parent 1950bcc14e
6 changed files with 63 additions and 40 deletions
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@ -538,9 +538,10 @@ class AssertOnlyCertificate(Certificate):
                for extension_idx in range(0, self.cert.get_extension_count()):
                    extension = self.cert.get_extension(extension_idx)
                    if extension.get_short_name() == 'keyUsage':
-                        keyUsage = [crypto_utils.keyUsageLong.get(keyUsage, keyUsage) for keyUsage in self.keyUsage]
-                        if (not self.keyUsage_strict and not all(x in str(extension).split(', ') for x in keyUsage)) or \
-                           (self.keyUsage_strict and not set(keyUsage) == set(str(extension).split(', '))):
+                        keyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.keyUsage]
+                        current_ku = [OpenSSL._util.lib.OBJ_txt2nid(usage.strip()) for usage in str(extension).split(',')]
+                        if (not self.keyUsage_strict and not all(x in current_ku for x in keyUsage)) or \
+                           (self.keyUsage_strict and not set(keyUsage) == set(current_ku)):
                            self.message.append(
                                'Invalid keyUsage component (got %s, expected all of %s to be present)' % (str(extension).split(', '), keyUsage)
                            )
@ -550,9 +551,10 @@ class AssertOnlyCertificate(Certificate):
                for extension_idx in range(0, self.cert.get_extension_count()):
                    extension = self.cert.get_extension(extension_idx)
                    if extension.get_short_name() == 'extendedKeyUsage':
-                        extKeyUsage = [crypto_utils.extendedKeyUsageLong.get(keyUsage, keyUsage) for keyUsage in self.extendedKeyUsage]
-                        if (not self.extendedKeyUsage_strict and not all(x in str(extension).split(', ') for x in extKeyUsage)) or \
-                           (self.extendedKeyUsage_strict and not set(extKeyUsage) == set(str(extension).split(', '))):
+                        extKeyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.extendedKeyUsage]
+                        current_xku = [OpenSSL._util.lib.OBJ_txt2nid(usage.strip()) for usage in str(extension).split(',')]
+                        if (not self.extendedKeyUsage_strict and not all(x in current_xku for x in extKeyUsage)) or \
+                           (self.extendedKeyUsage_strict and not set(extKeyUsage) == set(current_xku)):
                            self.message.append(
                                'Invalid extendedKeyUsage component (got %s, expected all of %s to be present)' % (str(extension).split(', '), extKeyUsage)
                            )