From b658ea8da20d9f249f332495cf094aa8f4c26432 Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Wed, 16 Aug 2017 14:35:25 +0200
Subject: [PATCH] openssl_csr: Ensure array comparison is deterministic (#28265)

When comparing expected and current value for keyUsage and extendedKeyUsage current behavior is not deterministic. As we compare two arrays, based on the order the value have been specified, False might be returned when the two arrays actually matches. In order to have a deterministic comparison we compare sets rather than arrays.
---
 lib/ansible/modules/crypto/openssl_csr.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index 376a9c0e250..4fd3e331dd4 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -354,7 +354,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
 else:
 current = [usage.strip() for usage in str(usages_ext[0]).split(',')]
 expected = [long[usage] if usage in long else usage for usage in expected]
- return current == expected and usages_ext[0].get_critical() == critical
+ return set(current) == set(expected) and usages_ext[0].get_critical() == critical

 def _check_keyUsage(extensions):
 return _check_keyUsage_(extensions, b'keyUsage', self.keyUsage, self.keyUsage_critical, crypto_utils.keyUsageLong)
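Review bot: The new `return set(current) == set(expected) and usages_ext[0].get_critical() == critical` line has no comment saying why sets are used, so a later cleanup could quietly restore the order-sensitive list comparison. I would add `# usages are unordered: compare as sets, not lists` directly above it. The set comparison also collapses duplicate entries, which looks harmless here because repeating a usage should not change the extension's meaning, but it is worth stating in that comment. This check presumably feeds the module's decision on whether an existing CSR still matches the requested usages, so a regression test that passes the usages in a different order from the one the extension renders would pin the fix. The enclosing `_check_keyUsage_` starts above the hunk, so how `usages_ext` is selected cannot be reviewed from here.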