ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-07-22 21:00:22 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

openssl_csr: idempotency doesn't work correctly for keyUsage (#50361)

Browse source 
* Fix key usage idempotency bug.

* Extend tests.

* Add changelog.
This commit is contained in:
Felix Fontein 2019-01-03 12:34:24 +01:00 committed by Abhijit Menon-Sen
commit a5bf71ac6a
4 changed files with 82 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
lib/ansible/modules/crypto/openssl_csr.py
View file

@ -456,7 +456,18 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
return set(current) == set(expected) and usages_ext[0].get_critical() == critical
def _check_keyUsage(extensions):
return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical)
usages_ext = [ext for ext in extensions if ext.get_short_name() == b'keyUsage']
if (not usages_ext and self.keyUsage) or (usages_ext and not self.keyUsage):
return False
elif not usages_ext and not self.keyUsage:
return True
else:
# OpenSSL._util.lib.OBJ_txt2nid() always returns 0 for all keyUsage values
# (since keyUsage has a fixed bitfield for these values and is not extensible).
# Therefore, we create an extension for the wanted values, and compare the
# data of the extensions (which is the serialized bitfield).
expected_ext = crypto.X509Extension(b"keyUsage", False, ', '.join(self.keyUsage).encode('ascii'))
return usages_ext[0].get_data() == expected_ext.get_data() and usages_ext[0].get_critical() == self.keyUsage_critical
def _check_extenededKeyUsage(extensions):
return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)