From c4748fd011d14dbdde83fb3a7556e5186de26635 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 7 Mar 2019 16:29:35 +0100 Subject: [PATCH] openssl_csr: improve subject validation (#53198) * Improve subject field validation. * Add country name idempotency test. * Add failed country name test. * Add changelog. (cherry picked from commit b2e992cecd93fbedc260d86fcb25bc39191e0b5b)
---
 .../53198-openssl_csr-subject-validation.yml | 2 ++
 lib/ansible/modules/crypto/openssl_csr.py | 6 +++-
 .../targets/openssl_csr/tasks/main.yml | 31 +++++++++++++++++++
 .../targets/openssl_csr/tests/validate.yml | 8 +++++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/53198-openssl_csr-subject-validation.yml
diff --git a/changelogs/fragments/53198-openssl_csr-subject-validation.yml b/changelogs/fragments/53198-openssl_csr-subject-validation.yml
new file mode 100644
index 00000000000..b5f92e7517a
--- /dev/null
+++ b/changelogs/fragments/53198-openssl_csr-subject-validation.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - improve ``subject`` validation."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index f354ea43be6..5223851f081 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -374,7 +374,11 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
 if entry[1] is not None:
 # Workaround for https://github.com/pyca/pyopenssl/issues/165
 nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
- OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+ if nid == 0:
+ raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0]))
+ res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+ if res == 0:
+ raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1]))
 extensions = []
 if self.subjectAltName:
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index 23197b1e3eb..fcbf03b22cb 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
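Review bot: The `res == 0` branch tells the user only that the value was rejected, not why, even though OpenSSL leaves the reason on its error queue (for `C`, a value like the test's `dex` fails the attribute's fixed two-character X.520 length limit); a short comment on the return convention would help, e.g. `# X509_NAME_add_entry_by_NID returns 1 on success and 0 on failure (e.g. a value outside the attribute's length limits); the detail stays on OpenSSL's error queue.` Neither new `raise` drains that queue, so a later pyOpenSSL call that consults it could attribute a stale error; probably harmless because the module fails straight away, but worth a word in the same comment. If I read `OBJ_txt2nid` right, the `nid == 0` check also rejects dotted OIDs that OpenSSL has no NID for, which seems intended but deserves a mention in the module's `subject` documentation. The enclosing loop and method continue outside the hunk.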
@@ -156,6 +156,37 @@
 ocsp_must_staple: true
 register: csr_ocsp_idempotency
+ - name: Generate CSR with country name
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ country_name: de
+ register: country_idempotent_1
+
+ - name: Generate CSR with country name (idempotent)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ country_name: de
+ register: country_idempotent_2
+
+ - name: Generate CSR with country name (idempotent 2)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ subject:
+ C: de
+ register: country_idempotent_3
+
+ - name: Generate CSR with country name (bad country name)
+ openssl_csr:
+ path: '{{ output_dir }}/csr4.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ subject:
+ C: dex
+ register: country_fail_4
+ ignore_errors: yes
+
 - import_tasks: ../tests/validate.yml
 when: pyopenssl_version.stdout is version('0.15', '>=')
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index 89074d2b8d6..e7d379f23ea 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -73,3 +73,11 @@
 assert:
 that:
 - csr_ocsp_idempotency is not changed
+
+- name: Validate country name idempotency and validation
+ assert:
+ that:
+ - country_idempotent_1 is changed
+ - country_idempotent_2 is not changed
+ - country_idempotent_3 is not changed
+ - country_fail_4 is failed
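Review bot: The new `country_fail_4 is failed` assertion in validate.yml would also pass if the task failed for an unrelated reason (a missing private key, an import error), so it does not pin the subject-validation path this commit adds. Adding `- "Invalid value for subject field identifier" in country_fail_4.msg` ties the assertion to the new error, assuming the module surfaces the exception text as `msg` as Ansible modules usually do. The three idempotency assertions are fine as written.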