openssl_certificate/csr_info: add ordered issuer/subject return value (#60708)

* Add ordered issuer/subject return value.

* Add changelog.

changelogs/fragments/60708-openssl_certificate_csr_info-ordered-issuer-subject.yml

@@ -0,0 +1,3 @@
+minor_changes:
+- "openssl_certificate_info - added ``issuer_ordered`` and ``subject_ordered`` return values."
+- "openssl_csr_info - added ``subject_ordered`` return value."

lib/ansible/modules/crypto/openssl_certificate_info.py

@@ -169,15 +169,31 @@ ocsp_must_staple_critical:
     returned: success
     type: bool
 issuer:
-    description: The certificate's issuer.
+    description:
+        - The certificate's issuer.
+        - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible"}'
+    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+issuer_ordered:
+    description: The certificate's issuer as an ordered list of tuples.
+    returned: success
+    type: list
+    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    version_added: "2.9"
 subject:
-    description: The certificate's subject.
+    description:
+        - The certificate's subject as a dictionary.
+        - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
     sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+subject_ordered:
+    description: The certificate's subject as an ordered list of tuples.
+    returned: success
+    type: list
+    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    version_added: "2.9"
 not_after:
     description: C(notAfter) date as ASN.1 TIME
     returned: success
@@ -333,11 +349,11 @@ class CertificateInfo(crypto_utils.OpenSSLObject):
         pass
 
     @abc.abstractmethod
-    def _get_subject(self):
+    def _get_subject_ordered(self):
         pass
 
     @abc.abstractmethod
-    def _get_issuer(self):
+    def _get_issuer_ordered(self):
         pass
 
     @abc.abstractmethod
@@ -389,8 +405,16 @@ class CertificateInfo(crypto_utils.OpenSSLObject):
         self.cert = crypto_utils.load_certificate(self.path, backend=self.backend)
 
         result['signature_algorithm'] = self._get_signature_algorithm()
-        result['subject'] = self._get_subject()
-        result['issuer'] = self._get_issuer()
+        subject = self._get_subject_ordered()
+        issuer = self._get_issuer_ordered()
+        result['subject'] = dict()
+        for k, v in subject:
+            result['subject'][k] = v
+        result['subject_ordered'] = subject
+        result['issuer'] = dict()
+        for k, v in issuer:
+            result['issuer'][k] = v
+        result['issuer_ordered'] = issuer
         result['version'] = self._get_version()
         result['key_usage'], result['key_usage_critical'] = self._get_key_usage()
         result['extended_key_usage'], result['extended_key_usage_critical'] = self._get_extended_key_usage()
@@ -427,16 +451,16 @@ class CertificateInfoCryptography(CertificateInfo):
     def _get_signature_algorithm(self):
         return crypto_utils.cryptography_oid_to_name(self.cert.signature_algorithm_oid)
 
-    def _get_subject(self):
-        result = dict()
+    def _get_subject_ordered(self):
+        result = []
         for attribute in self.cert.subject:
-            result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
+            result.append([crypto_utils.cryptography_oid_to_name(attribute.oid), attribute.value])
         return result
 
-    def _get_issuer(self):
-        result = dict()
+    def _get_issuer_ordered(self):
+        result = []
         for attribute in self.cert.issuer:
-            result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
+            result.append([crypto_utils.cryptography_oid_to_name(attribute.oid), attribute.value])
         return result
 
     def _get_version(self):
@@ -556,15 +580,15 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
         return to_text(self.cert.get_signature_algorithm())
 
     def __get_name(self, name):
-        result = dict()
+        result = []
         for sub in name.get_components():
-            result[crypto_utils.pyopenssl_normalize_name(sub[0])] = to_text(sub[1])
+            result.append([crypto_utils.pyopenssl_normalize_name(sub[0]), to_text(sub[1])])
         return result
 
-    def _get_subject(self):
+    def _get_subject_ordered(self):
         return self.__get_name(self.cert.get_subject())
 
-    def _get_issuer(self):
+    def _get_issuer_ordered(self):
         return self.__get_name(self.cert.get_issuer())
 
     def _get_version(self):

lib/ansible/modules/crypto/openssl_csr_info.py

@@ -135,10 +135,18 @@ ocsp_must_staple_critical:
     returned: success
     type: bool
 subject:
-    description: The CSR's subject.
+    description:
+        - The CSR's subject as a dictionary.
+        - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
     sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+subject_ordered:
+    description: The CSR's subject as an ordered list of tuples.
+    returned: success
+    type: list
+    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    version_added: "2.9"
 public_key:
     description: CSR's public key in PEM format
     returned: success
@@ -225,7 +233,7 @@ class CertificateSigningRequestInfo(crypto_utils.OpenSSLObject):
         pass
 
     @abc.abstractmethod
-    def _get_subject(self):
+    def _get_subject_ordered(self):
         pass
 
     @abc.abstractmethod
@@ -264,7 +272,11 @@ class CertificateSigningRequestInfo(crypto_utils.OpenSSLObject):
         result = dict()
         self.csr = crypto_utils.load_certificate_request(self.path, backend=self.backend)
 
-        result['subject'] = self._get_subject()
+        subject = self._get_subject_ordered()
+        result['subject'] = dict()
+        for k, v in subject:
+            result['subject'][k] = v
+        result['subject_ordered'] = subject
         result['key_usage'], result['key_usage_critical'] = self._get_key_usage()
         result['extended_key_usage'], result['extended_key_usage_critical'] = self._get_extended_key_usage()
         result['basic_constraints'], result['basic_constraints_critical'] = self._get_basic_constraints()
@@ -291,10 +303,10 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
     def __init__(self, module):
         super(CertificateSigningRequestInfoCryptography, self).__init__(module, 'cryptography')
 
-    def _get_subject(self):
-        result = dict()
+    def _get_subject_ordered(self):
+        result = []
         for attribute in self.csr.subject:
-            result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
+            result.append([crypto_utils.cryptography_oid_to_name(attribute.oid), attribute.value])
         return result
 
     def _get_key_usage(self):
@@ -398,12 +410,12 @@ class CertificateSigningRequestInfoPyOpenSSL(CertificateSigningRequestInfo):
         super(CertificateSigningRequestInfoPyOpenSSL, self).__init__(module, 'pyopenssl')
 
     def __get_name(self, name):
-        result = dict()
+        result = []
         for sub in name.get_components():
-            result[crypto_utils.pyopenssl_normalize_name(sub[0])] = to_text(sub[1])
+            result.append([crypto_utils.pyopenssl_normalize_name(sub[0]), to_text(sub[1])])
         return result
 
-    def _get_subject(self):
+    def _get_subject_ordered(self):
         return self.__get_name(self.csr.get_subject())
 
     def _get_extension(self, short_name):

test/integration/targets/openssl_certificate_info/tasks/impl.yml

@@ -8,6 +8,16 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check whether issuer and subject behave as expected
+  assert:
+    that:
+      - result.issuer.organizationalUnitName == 'ACME Department'
+      - "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
+      - "['organizationalUnitName', 'ACME Department'] in result.issuer_ordered"
+      - result.subject.organizationalUnitName == 'ACME Department'
+      - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
+      - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"

test/integration/targets/openssl_certificate_info/tasks/main.yml

@@ -21,7 +21,9 @@
       ST: Zurich
       streetAddress: Welcome Street
       O: Ansible
-      organizationalUnitName: Crypto Department
+      organizationalUnitName:
+        - Crypto Department
+        - ACME Department
       serialNumber: "1234"
       SN: Last Name
       GN: First Name

test/integration/targets/openssl_csr_info/tasks/impl.yml

@@ -8,6 +8,13 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check whether subject behaves as expected
+  assert:
+    that:
+      - result.subject.organizationalUnitName == 'ACME Department'
+      - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
+      - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"

test/integration/targets/openssl_csr_info/tasks/main.yml

@@ -21,7 +21,9 @@
       ST: Zurich
       streetAddress: Welcome Street
       O: Ansible
-      organizationalUnitName: Crypto Department
+      organizationalUnitName:
+        - Crypto Department
+        - ACME Department
       serialNumber: "1234"
       SN: Last Name
       GN: First Name