openssl_certificate: make sure extensions are present when they are queried by assertonly (#53207)
* Make sure extensions are present when they are queried by the assertonly provider. * Add changelog.
This commit is contained in:
parent
aba4bed803
commit
6249bb8ea4
4 changed files with 72 additions and 0 deletions
|
@ -886,9 +886,11 @@ class AssertOnlyCertificate(Certificate):
|
|||
|
||||
def _validate_keyUsage():
|
||||
if self.keyUsage:
|
||||
found = False
|
||||
for extension_idx in range(0, self.cert.get_extension_count()):
|
||||
extension = self.cert.get_extension(extension_idx)
|
||||
if extension.get_short_name() == b'keyUsage':
|
||||
found = True
|
||||
keyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.keyUsage]
|
||||
current_ku = [OpenSSL._util.lib.OBJ_txt2nid(usage.strip()) for usage in
|
||||
to_bytes(extension, errors='surrogate_or_strict').split(b',')]
|
||||
|
@ -897,12 +899,16 @@ class AssertOnlyCertificate(Certificate):
|
|||
self.message.append(
|
||||
'Invalid keyUsage component (got %s, expected all of %s to be present)' % (str(extension).split(', '), self.keyUsage)
|
||||
)
|
||||
if not found:
|
||||
self.message.append('Found no keyUsage extension')
|
||||
|
||||
def _validate_extendedKeyUsage():
|
||||
if self.extendedKeyUsage:
|
||||
found = False
|
||||
for extension_idx in range(0, self.cert.get_extension_count()):
|
||||
extension = self.cert.get_extension(extension_idx)
|
||||
if extension.get_short_name() == b'extendedKeyUsage':
|
||||
found = True
|
||||
extKeyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.extendedKeyUsage]
|
||||
current_xku = [OpenSSL._util.lib.OBJ_txt2nid(usage.strip()) for usage in
|
||||
to_bytes(extension, errors='surrogate_or_strict').split(b',')]
|
||||
|
@ -912,12 +918,16 @@ class AssertOnlyCertificate(Certificate):
|
|||
'Invalid extendedKeyUsage component (got %s, expected all of %s to be present)' % (str(extension).split(', '),
|
||||
self.extendedKeyUsage)
|
||||
)
|
||||
if not found:
|
||||
self.message.append('Found no extendedKeyUsage extension')
|
||||
|
||||
def _validate_subjectAltName():
|
||||
if self.subjectAltName:
|
||||
found = False
|
||||
for extension_idx in range(0, self.cert.get_extension_count()):
|
||||
extension = self.cert.get_extension(extension_idx)
|
||||
if extension.get_short_name() == b'subjectAltName':
|
||||
found = True
|
||||
l_altnames = [altname.replace(b'IP Address', b'IP') for altname in
|
||||
to_bytes(extension, errors='surrogate_or_strict').split(b', ')]
|
||||
if (not self.subjectAltName_strict and not all(x in l_altnames for x in self.subjectAltName)) or \
|
||||
|
@ -925,6 +935,8 @@ class AssertOnlyCertificate(Certificate):
|
|||
self.message.append(
|
||||
'Invalid subjectAltName component (got %s, expected all of %s to be present)' % (l_altnames, self.subjectAltName)
|
||||
)
|
||||
if not found:
|
||||
self.message.append('Found no subjectAltName extension')
|
||||
|
||||
def _validate_notBefore():
|
||||
if self.notBefore:
|
||||
|
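Review bot: The same find-the-extension loop is now written out three times (keyUsage in the first hunk, extendedKeyUsage in the second, subjectAltName in the third), each with its own `found` flag set inside the loop and tested after it; a small closure helper that returns the matching extension or None would remove the flag and the triplicated loop. Each validator then becomes `extension = _find_extension(b'keyUsage')` followed by `if extension is None: self.message.append('Found no keyUsage extension')` and the existing comparison after an early return. Returning the first match is equivalent to the current behaviour for well-formed certificates, since RFC 5280 §4.2 allows at most one instance of each extension in a certificate. The nested `_validate_*` functions read `self.cert` and `self.message` from an enclosing method that starts before the first hunk and ends after the last, so the helper belongs beside them in that method.
```python
        def _find_extension(short_name):
            # Return the first extension whose short name matches, or None.
            for extension_idx in range(0, self.cert.get_extension_count()):
                extension = self.cert.get_extension(extension_idx)
                if extension.get_short_name() == short_name:
                    return extension
            return None

        def _validate_keyUsage():
            if self.keyUsage:
                extension = _find_extension(b'keyUsage')
                if extension is None:
                    self.message.append('Found no keyUsage extension')
                    return
                keyUsage = [OpenSSL._util.lib.OBJ_txt2nid(keyUsage) for keyUsage in self.keyUsage]
                # … unchanged: current_ku comparison and message …

        # … unchanged: _validate_extendedKeyUsage and _validate_subjectAltName take the same shape …
```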
|