Allow multiple values per key in name fields in openssl_certificate/csr (#30338)

* allow multiple values per key in name fields in openssl_certificate * check correct side of comparison * trigger only on lists * add subject parameter to openssl_csr * fix key: value mapping not skipping None elements * temporary fix for undefined "subject" field * fix iteration over subject entries * fix docs * quote sample string * allow csr with only subject defined * fix integration test * look up NIDs before comparing, add hidden _strict params * deal with empty issuer/subject fields * adapt integration tests * also normalize output from pyopenssl * fix issue with _sanitize_inputs * don't convert empty lists * workaround for pyopenssl limitations * properly encode the input to the txt2nid function * another to_bytes fix * make subject, commonname and subjecAltName completely optional * don't compare hashes of keys in openssl_csr integration tests * add integration test for old API in openssl_csr * compare keys directly in certificate and publickey integration tests * fix typo
2025-10-22 20:13:59 -07:00 · 2017-12-12 13:35:22 +01:00 · 2017-12-12 13:35:22 +01:00 · 9ea1b18ff7
commit 9ea1b18ff7
parent 7dac82e2e2
8 changed files with 141 additions and 63 deletions
--- a/test/integration/targets/openssl_certificate/tasks/main.yml
+++ b/test/integration/targets/openssl_certificate/tasks/main.yml
@ -7,7 +7,8 @@
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        commonName: 'www.ansible.com'
+        subject:
+          commonName: www.example.com

    - name: Generate selfsigned certificate
      openssl_certificate:
@ -27,6 +28,8 @@
        signature_algorithms:
          - sha256WithRSAEncryption
          - sha256WithECDSAEncryption
+        subject:
+          commonName: www.example.com

    - name: Generate selfsigned v2 certificate
      openssl_certificate:
@ -43,14 +46,17 @@

    - name: Generate CSR2
      openssl_csr:
-        C: US
-        ST: California
-        L: Los Angeles
-        O: ACME Inc.
-        OU: Roadrunner pest control
+        subject:
+          CN: www.example.com
+          C: US
+          ST: California
+          L: Los Angeles
+          O: ACME Inc.
+          OU:
+            - Roadrunner pest control
+            - Pyrotechnics
        path: '{{ output_dir }}/csr2.csr'
        privatekey_path: '{{ output_dir }}/privatekey2.pem'
-        CN: 'www.example.com'
        keyUsage:
          - digitalSignature
        extendedKeyUsage:
@ -76,12 +82,14 @@
          - sha256WithRSAEncryption
          - sha256WithECDSAEncryption
        subject:
-          CN: www.example.com
+          commonName: www.example.com
          C: US
          ST: California
          L: Los Angeles
          O: ACME Inc.
-          OU: Roadrunner pest control
+          OU:
+            - Roadrunner pest control
+            - Pyrotechnics
        keyUsage:
          - digitalSignature
        extendedKeyUsage:
--- a/test/integration/targets/openssl_certificate/tests/validate.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate.yml
@ -1,9 +1,9 @@
 - name: Validate certificate (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey_modulus

 - name: Validate certificate (test - certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem | openssl md5'
+  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem'
  register: cert_modulus

 - name: Validate certificate (test - certficate version == default == 3)
@ -26,11 +26,11 @@
      - cert_v2_version.stdout == '2'

 - name: Validate certificate2 (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
  register: privatekey2_modulus

 - name: Validate certificate2 (test - certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem | openssl md5'
+  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
  register: cert2_modulus

 - name: Validate certificate2 (assert)
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@ -7,7 +7,8 @@
      openssl_csr:
        path: '{{ output_dir }}/csr.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        commonName: 'www.ansible.com'
+        subject:
+          commonName: www.ansible.com

    # keyUsage longname and shortname should be able to be used
    # interchangeably. Hence the long name is specified here
@ -17,7 +18,8 @@
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        commonName: 'www.ansible.com'
+        subject:
+          CN: www.ansible.com
        keyUsage:
          - digitalSignature
          - keyAgreement
@ -31,7 +33,8 @@
      openssl_csr:
        path: '{{ output_dir }}/csr_ku_xku.csr'
        privatekey_path: '{{ output_dir }}/privatekey.pem'
-        commonName: 'www.ansible.com'
+        subject:
+          commonName: 'www.ansible.com'
        keyUsage:
          - digitalSignature
          - keyAgreement
@ -42,6 +45,12 @@
          - Biometric Info
      register: csr_ku_xku

+    - name: Generate CSR with old API
+      openssl_csr:
+        path: '{{ output_dir }}/csr_oldapi.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        commonName: www.ansible.com
+
    - import_tasks: ../tests/validate.yml

  when: pyopenssl_version.stdout is version('0.15', '>=')
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@ -1,5 +1,5 @@
 - name: Validate CSR (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey_modulus

 - name: Validate CSR (test - Common Name)
@ -7,7 +7,7 @@
  register: csr_cn

 - name: Validate CSR (test - csr modulus)
-  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr | openssl md5'
+  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
  register: csr_modulus

 - name: Validate CSR (assert)
@ -20,3 +20,17 @@
  assert:
    that:
      - csr_ku_xku.changed == False
+
+- name: Validate old_API CSR (test - Common Name)
+  shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
+  register: csr_oldapi_cn
+
+- name: Validate old_API CSR (test - csr modulus)
+  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
+  register: csr_oldapi_modulus
+
+- name: Validate old_API CSR (assert)
+  assert:
+    that:
+      - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
+      - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
--- a/test/integration/targets/openssl_publickey/tests/validate.yml
+++ b/test/integration/targets/openssl_publickey/tests/validate.yml
@ -1,9 +1,9 @@
 - name: Validate public key (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey_modulus

 - name: Validate public key (test - publickey modulus)
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub  | openssl md5'
+  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
  register: publickey_modulus

 - name: Validate public key (assert)
@ -46,12 +46,12 @@


 - name: Validate publickey3 (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
  register: privatekey3_modulus
  when: openssl_version.stdout is version('0.9.8zh', '>=')

 - name: Validate publickey3 (test - publickey modulus)
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub  | openssl md5'
+  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
  register: publickey3_modulus
  when: openssl_version.stdout is version('0.9.8zh', '>=')

@ -67,12 +67,12 @@
      - publickey3_idempotence is not changed

 - name: Validate publickey4 (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5'
+  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
  register: privatekey4_modulus
  when: openssl_version.stdout is version('0.9.8zh', '>=')

 - name: Validate publickey4 (test - publickey modulus)
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub  | openssl md5'
+  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
  register: publickey4_modulus
  when: openssl_version.stdout is version('0.9.8zh', '>=')