From 0846bb85d38e12208aec99b05ae586b5c5b1aae4 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 12 Nov 2019 02:23:54 +0100 Subject: [PATCH] Backportable subset of: openssl_csr: deprecate version option (#63432) (#63675) Cherry-picked from ba686154b98194de04a0c37970a3b997394ab7be. --- changelogs/fragments/63432-openssl_csr-version.yml | 2 ++ lib/ansible/modules/crypto/openssl_csr.py | 4 ++++ 2 files changed, 6 insertions(+) create mode 100644 changelogs/fragments/63432-openssl_csr-version.yml diff --git a/changelogs/fragments/63432-openssl_csr-version.yml b/changelogs/fragments/63432-openssl_csr-version.yml new file mode 100644 index 00000000000..4b8858df762 --- /dev/null +++ b/changelogs/fragments/63432-openssl_csr-version.yml @@ -0,0 +1,2 @@ +bugfixes: +- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend." diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py index f9fd162f7e7..ba7c7d79cbe 100644 --- a/lib/ansible/modules/crypto/openssl_csr.py +++ b/lib/ansible/modules/crypto/openssl_csr.py @@ -54,6 +54,8 @@ options: version: description: - The version of the certificate signing request. + - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1) + is 1." type: int default: 1 force: @@ -653,6 +655,8 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase): def __init__(self, module): super(CertificateSigningRequestCryptography, self).__init__(module) self.cryptography_backend = cryptography.hazmat.backends.default_backend() + if self.version != 1: + module.warn('The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)') def _generate_csr(self): csr = cryptography.x509.CertificateSigningRequestBuilder()