openssl_certificate, openssl_csr: refactoring / cleanup (#54287)
* Move common cryptography-related code to module_utils/crypto.py. * Fix typo / linting.
This commit is contained in:
parent
5d460ae865
commit
9c355e5c52
3 changed files with 205 additions and 323 deletions
|
@ -659,7 +659,7 @@ class Certificate(crypto_utils.OpenSSLObject):
|
|||
csr_ext = csr_exts.get_extension_for_oid(cert_ext.oid)
|
||||
if cert_ext != csr_ext:
|
||||
return False
|
||||
except cryptography.x509.ExtensionNotFound as e:
|
||||
except cryptography.x509.ExtensionNotFound as dummy:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
@ -1097,156 +1097,6 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
self.valid_in = module.params['valid_in'],
|
||||
self.message = []
|
||||
|
||||
def _get_name_oid(self, id):
|
||||
if id in ('CN', 'commonName'):
|
||||
return cryptography.x509.oid.NameOID.COMMON_NAME
|
||||
if id in ('C', 'countryName'):
|
||||
return cryptography.x509.oid.NameOID.COUNTRY_NAME
|
||||
if id in ('L', 'localityName'):
|
||||
return cryptography.x509.oid.NameOID.LOCALITY_NAME
|
||||
if id in ('ST', 'stateOrProvinceName'):
|
||||
return cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME
|
||||
if id in ('street', 'streetAddress'):
|
||||
return cryptography.x509.oid.NameOID.STREET_ADDRESS
|
||||
if id in ('O', 'organizationName'):
|
||||
return cryptography.x509.oid.NameOID.ORGANIZATION_NAME
|
||||
if id in ('OU', 'organizationalUnitName'):
|
||||
return cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME
|
||||
if id in ('serialNumber', ):
|
||||
return cryptography.x509.oid.NameOID.SERIAL_NUMBER
|
||||
if id in ('SN', 'surname'):
|
||||
return cryptography.x509.oid.NameOID.SURNAME
|
||||
if id in ('GN', 'givenName'):
|
||||
return cryptography.x509.oid.NameOID.GIVEN_NAME
|
||||
if id in ('title', ):
|
||||
return cryptography.x509.oid.NameOID.TITLE
|
||||
if id in ('generationQualifier', ):
|
||||
return cryptography.x509.oid.NameOID.GENERATION_QUALIFIER
|
||||
if id in ('x500UniqueIdentifier', ):
|
||||
return cryptography.x509.oid.NameOID.X500_UNIQUE_IDENTIFIER
|
||||
if id in ('dnQualifier', ):
|
||||
return cryptography.x509.oid.NameOID.DN_QUALIFIER
|
||||
if id in ('pseudonym', ):
|
||||
return cryptography.x509.oid.NameOID.PSEUDONYM
|
||||
if id in ('UID', 'userId'):
|
||||
return cryptography.x509.oid.NameOID.USER_ID
|
||||
if id in ('DC', 'domainComponent'):
|
||||
return cryptography.x509.oid.NameOID.DOMAIN_COMPONENT
|
||||
if id in ('emailAddress', ):
|
||||
return cryptography.x509.oid.NameOID.EMAIL_ADDRESS
|
||||
if id in ('jurisdictionC', 'jurisdictionCountryName'):
|
||||
return cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME
|
||||
if id in ('jurisdictionL', 'jurisdictionLocalityName'):
|
||||
return cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME
|
||||
if id in ('jurisdictionST', 'jurisdictionStateOrProvinceName'):
|
||||
return cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME
|
||||
if id in ('businessCategory', ):
|
||||
return cryptography.x509.oid.NameOID.BUSINESS_CATEGORY
|
||||
if id in ('postalAddress', ):
|
||||
return cryptography.x509.oid.NameOID.POSTAL_ADDRESS
|
||||
if id in ('postalCode', ):
|
||||
return cryptography.x509.oid.NameOID.POSTAL_CODE
|
||||
|
||||
def _get_san(self, name):
|
||||
if name.startswith('DNS:'):
|
||||
return cryptography.x509.DNSName(to_native(name[4:]))
|
||||
if name.startswith('IP:'):
|
||||
return cryptography.x509.IPAddress(to_native(name[3:]))
|
||||
if name.startswith('email:'):
|
||||
return cryptography.x509.RFC822Name(to_native(name[6:]))
|
||||
if name.startswith('URI:'):
|
||||
return cryptography.x509.UniformResourceIdentifier(to_native(name[4:]))
|
||||
if name.startswith('DirName:'):
|
||||
return cryptography.x509.DirectoryName(to_native(name[8:]))
|
||||
if ':' not in name:
|
||||
raise CertificateError('Cannot parse Subject Alternative Name "{0}" (forgot "DNS:" prefix?)'.format(name))
|
||||
raise CertificateError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))
|
||||
|
||||
def _get_keyusage(self, usage):
|
||||
if usage in ('Digital Signature', 'digitalSignature'):
|
||||
return 'digital_signature'
|
||||
if usage in ('Non Repudiation', 'nonRepudiation'):
|
||||
return 'content_commitment'
|
||||
if usage in ('Key Encipherment', 'keyEncipherment'):
|
||||
return 'key_encipherment'
|
||||
if usage in ('Data Encipherment', 'dataEncipherment'):
|
||||
return 'data_encipherment'
|
||||
if usage in ('Key Agreement', 'keyAgreement'):
|
||||
return 'key_agreement'
|
||||
if usage in ('Certificate Sign', 'keyCertSign'):
|
||||
return 'key_cert_sign'
|
||||
if usage in ('CRL Sign', 'cRLSign'):
|
||||
return 'crl_sign'
|
||||
if usage in ('Encipher Only', 'encipherOnly'):
|
||||
return 'encipher_only'
|
||||
if usage in ('Decipher Only', 'decipherOnly'):
|
||||
return 'decipher_only'
|
||||
raise CertificateError('Unknown key usage "{0}"'.format(usage))
|
||||
|
||||
def _get_ext_keyusage(self, usage):
|
||||
if usage in ('serverAuth', 'TLS Web Server Authentication'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH
|
||||
if usage in ('clientAuth', 'TLS Web Client Authentication'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH
|
||||
if usage in ('codeSigning', 'Code Signing'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.CODE_SIGNING
|
||||
if usage in ('emailProtection', 'E-mail Protection'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION
|
||||
if usage in ('timeStamping', 'Time Stamping'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.TIME_STAMPING
|
||||
if usage in ('OCSPSigning', 'OCSP Signing'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING
|
||||
if usage in ('anyExtendedKeyUsage', 'Any Extended Key Usage'):
|
||||
return cryptography.x509.oid.ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE
|
||||
if usage in ('qcStatements', ):
|
||||
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.3")
|
||||
if usage in ('DVCS', ):
|
||||
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.10")
|
||||
if usage in ('IPSec User', 'ipsecUser'):
|
||||
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.7")
|
||||
if usage in ('Biometric Info', 'biometricInfo'):
|
||||
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.2")
|
||||
# FIXME need some more, probably all from https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.3
|
||||
raise CertificateError('Unknown extended key usage "{0}"'.format(usage))
|
||||
|
||||
def _get_basic_constraints(self, constraints):
|
||||
ca = False
|
||||
path_length = None
|
||||
if constraints:
|
||||
for constraint in constraints:
|
||||
if constraint.startswith('CA:'):
|
||||
if constraint == 'CA:TRUE':
|
||||
ca = True
|
||||
elif constraint == 'CA:FALSE':
|
||||
ca = False
|
||||
else:
|
||||
raise CertificateError('Unknown basic constraint value "{0}" for CA'.format(constraint[3:]))
|
||||
elif constraint.startswith('pathlen:'):
|
||||
v = constraint[len('pathlen:'):]
|
||||
try:
|
||||
path_length = int(v)
|
||||
except Exception as e:
|
||||
raise CertificateError('Cannot parse path length constraint "{0}" ({1})'.format(v, e))
|
||||
else:
|
||||
raise CertificateError('Unknown basic constraint "{0}"'.format(constraint))
|
||||
return ca, path_length
|
||||
|
||||
def _parse_key_usage(self):
|
||||
params = dict(
|
||||
digital_signature=False,
|
||||
content_commitment=False,
|
||||
key_encipherment=False,
|
||||
data_encipherment=False,
|
||||
key_agreement=False,
|
||||
key_cert_sign=False,
|
||||
crl_sign=False,
|
||||
encipher_only=False,
|
||||
decipher_only=False,
|
||||
)
|
||||
for usage in self.keyUsage:
|
||||
params[self._get_keyusage(usage)] = True
|
||||
return params
|
||||
|
||||
def assertonly(self):
|
||||
self.cert = crypto_utils.load_certificate(self.path, backend=self.backend)
|
||||
|
||||
|
@ -1260,7 +1110,7 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
|
||||
def _validate_subject():
|
||||
if self.subject:
|
||||
expected_subject = Name([NameAttribute(oid=self._get_name_oid(sub[0]), value=to_text(sub[1]))
|
||||
expected_subject = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(sub[0]), value=to_text(sub[1]))
|
||||
for sub in self.subject])
|
||||
cert_subject = self.cert.subject
|
||||
if (not self.subject_strict and not all(x in cert_subject for x in expected_subject)) or \
|
||||
|
@ -1272,7 +1122,7 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
|
||||
def _validate_issuer():
|
||||
if self.issuer:
|
||||
expected_issuer = Name([NameAttribute(oid=self._get_name_oid(iss[0]), value=to_text(iss[1]))
|
||||
expected_issuer = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(iss[0]), value=to_text(iss[1]))
|
||||
for iss in self.issuer])
|
||||
cert_issuer = self.cert.issuer
|
||||
if (not self.issuer_strict and not all(x in cert_issuer for x in expected_issuer)) or \
|
||||
|
@ -1303,7 +1153,7 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
if self.keyUsage:
|
||||
try:
|
||||
current_keyusage = self.cert.extensions.get_extension_for_class(x509.KeyUsage).value
|
||||
expected_keyusage = x509.KeyUsage(**self._parse_key_usage())
|
||||
expected_keyusage = x509.KeyUsage(**crypto_utils.cryptography_parse_key_usage_params(self.keyUsage))
|
||||
test_keyusage = dict(
|
||||
digital_signature=current_keyusage.digital_signature,
|
||||
content_commitment=current_keyusage.content_commitment,
|
||||
|
@ -1324,7 +1174,8 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
decipher_only=False
|
||||
))
|
||||
|
||||
if (not self.keyUsage_strict and not all(self._parse_key_usage()[x] == test_keyusage[x] for x in self._parse_key_usage())) or \
|
||||
key_usages = crypto_utils.cryptography_parse_key_usage_params(self.keyUsage)
|
||||
if (not self.keyUsage_strict and not all(key_usages[x] == test_keyusage[x] for x in key_usages)) or \
|
||||
(self.keyUsage_strict and current_keyusage != expected_keyusage):
|
||||
self.message.append(
|
||||
'Invalid keyUsage components (got %s, expected all of %s to be present)' %
|
||||
|
@ -1338,7 +1189,7 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
if self.extendedKeyUsage:
|
||||
try:
|
||||
current_ext_keyusage = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
|
||||
usages = [self._get_ext_keyusage(usage) for usage in self.extendedKeyUsage]
|
||||
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extendedKeyUsage]
|
||||
expected_ext_keyusage = x509.ExtendedKeyUsage(usages)
|
||||
if (not self.extendedKeyUsage_strict and not all(x in expected_ext_keyusage for x in current_ext_keyusage)) or \
|
||||
(self.extendedKeyUsage_strict and not current_ext_keyusage == expected_ext_keyusage):
|
||||
|
@ -1354,7 +1205,7 @@ class AssertOnlyCertificateCryptography(Certificate):
|
|||
if self.subjectAltName:
|
||||
try:
|
||||
current_san = self.cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
|
||||
expected_san = [self._get_san(san) for san in self.subjectAltName]
|
||||
expected_san = [crypto_utils.cryptography_get_name(san) for san in self.subjectAltName]
|
||||
if (not self.subjectAltName_strict and not all(x in current_san for x in expected_san)) or \
|
||||
(self.subjectAltName_strict and not set(current_san) == set(expected_san)):
|
||||
self.message.append(
|
||||
|
|