openssl_csr: improve invalid SAN error messages (#53201)

* Improve invalid SAN error messages.

* Add changelog.
pull/53342/head
Felix Fontein 6 years ago committed by John R Barker
parent af6e4cc75b
commit 628326b879

@ -0,0 +1,2 @@
bugfixes:
- "openssl_csr - improve error messages for invalid SANs."

@ -489,7 +489,14 @@ class CertificateSigningRequestPyOpenSSL(CertificateSigningRequestBase):
extensions = [] extensions = []
if self.subjectAltName: if self.subjectAltName:
altnames = ', '.join(self.subjectAltName) altnames = ', '.join(self.subjectAltName)
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) try:
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
except OpenSSL.crypto.Error as e:
raise CertificateSigningRequestError(
'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
)
)
if self.keyUsage: if self.keyUsage:
usages = ', '.join(self.keyUsage) usages = ', '.join(self.keyUsage)

@ -158,6 +158,15 @@
commonName: www.ansible.com commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
- name: Generate CSR with invalid SAN
openssl_csr:
path: '{{ output_dir }}/csrinvsan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_invalid_san
ignore_errors: yes
- name: Generate CSR with OCSP Must Staple - name: Generate CSR with OCSP Must Staple
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_ocsp.csr' path: '{{ output_dir }}/csr_ocsp.csr'

@ -54,6 +54,12 @@
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name: Validate invalid SAN
assert:
that:
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: Validate OCSP Must Staple CSR (test - everything) - name: Validate OCSP Must Staple CSR (test - everything)
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text" shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
register: csr_ocsp register: csr_ocsp

Loading…
Cancel
Save