crypto/openssl_*: Standardize implementaton and add support keyUsage, extenededKeyUsage (#27281)

* openssl_csr: make subjectAltNames a list * csr module now uses the new standard way to build openssl crypto modules * add check functions for subject and subjectAltNames * added support for keyUsage and extendedKeyUsage * check if CSR signature is correct (aka the privatekey belongs to the CSR) * fixes for first PR review * fixes for second PR review * openssl_csr: there is no need to pass on privatekey as it can be accessed directly * openssl_csr: documentation fixes
2025-06-20 23:30:22 -07:00 · 2017-08-03 13:27:17 +02:00 · 2017-08-03 13:27:17 +02:00 · 1ce2bf56a2
commit 1ce2bf56a2
parent e0f482a8c5
2 changed files with 192 additions and 50 deletions
--- a/lib/ansible/module_utils/crypto.py
+++ b/lib/ansible/module_utils/crypto.py
@ -84,6 +84,39 @@ def load_certificate(path):
        raise OpenSSLObjectError(exc)


+def load_certificate_request(path):
+    """Load the specified certificate signing request."""
+
+    try:
+        csr_content = open(path, 'rb').read()
+        csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
+        return csr
+    except (IOError, OSError) as exc:
+        raise OpenSSLObjectError(exc)
+
+
+keyUsageLong = {
+    "digitalSignature": "Digital Signature",
+    "nonRepudiation": "Non Repudiation",
+    "keyEncipherment": "Key Encipherment",
+    "dataEncipherment": "Data Encipherment",
+    "keyAgreement": "Key Agreement",
+    "keyCertSign": "Certificate Sign",
+    "cRLSign": "CRL Sign",
+    "encipherOnly": "Encipher Only",
+    "decipherOnly": "Decipher Only",
+}
+
+extendedKeyUsageLong = {
+    "serverAuth": "TLS Web Server Authentication",
+    "clientAuth": "TLS Web Client Authentication",
+    "codeSigning": "Code Signing",
+    "emailProtection": "E-mail Protection",
+    "timeStamping": "Time Stamping",
+    "OCSPSigning": "OCSP Signing",
+}
+
+
@six.add_metaclass(abc.ABCMeta)
 class OpenSSLObject(object):