From 3eccd83891c2f91baf12ed91a33d677179201b4c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 5 Mar 2019 17:07:07 +0100
Subject: [PATCH] openssl_csr: improve invalid SAN error messages (#53201)

* Improve invalid SAN error messages.

* Add changelog.

(cherry picked from commit 628326b8798e7309e935e9cda70a8cc156c5a8e5)
---
 .../fragments/53201-openssl_csr-improve-invalid-san.yml | 2 ++
 lib/ansible/modules/crypto/openssl_csr.py                | 9 ++++++++-
 test/integration/targets/openssl_csr/tasks/main.yml      | 8 ++++++++
 test/integration/targets/openssl_csr/tests/validate.yml  | 6 ++++++
 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml

diff --git a/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml b/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml
new file mode 100644
index 0000000000..4fa09997a2
--- /dev/null
+++ b/changelogs/fragments/53201-openssl_csr-improve-invalid-san.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - improve error messages for invalid SANs."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index 504f9df098..d1fc7162d9 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -378,7 +378,14 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
         extensions = []
         if self.subjectAltName:
             altnames = ', '.join(self.subjectAltName)
-            extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
+            try:
+                extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
+            except OpenSSL.crypto.Error as e:
+                raise CertificateSigningRequestError(
+                    'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
+                        ', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
+                    )
+                )
 
         if self.keyUsage:
             usages = ', '.join(self.keyUsage)
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index 9cbe27058a..23197b1e3e 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@@ -133,6 +133,14 @@
         privatekey_path: '{{ output_dir }}/privatekey.pem'
         commonName: www.ansible.com
 
+    - name: Generate CSR with invalid SAN
+      openssl_csr:
+        path: '{{ output_dir }}/csrinvsan.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject_alt_name: invalid-san.example.com
+      register: generate_csr_invalid_san
+      ignore_errors: yes
+
     - name: Generate CSR with OCSP Must Staple
       openssl_csr:
         path: '{{ output_dir }}/csr_ocsp.csr'
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index 68293b91e1..89074d2b8d 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
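Review bot: The new `except OpenSSL.crypto.Error` branch does not cover the other failure the guarded line can raise: `altnames.encode('ascii')` throws `UnicodeEncodeError` for a SAN containing non-ASCII characters (for example an internationalized name supplied as a U-label instead of its punycode A-label), so that input still surfaces as a raw traceback rather than the new message. Catching it alongside, `except (OpenSSL.crypto.Error, UnicodeEncodeError) as e:`, keeps the same error path, and the message could add that names must be given in ASCII/punycode form. The list re-joined inside the `format` call is the same string as `altnames` computed two lines above (`"{0}".format(san)` is just `str(san)`), so `altnames` can be passed directly. `OpenSSL.crypto.Error` presumes the module imports the `OpenSSL` package name itself and not only `from OpenSSL import crypto`; if it is the latter, `crypto.Error` is the name that resolves. The enclosing method starts and ends outside the hunk.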
@@ -53,6 +53,12 @@
     - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
     - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
 
+- name: Validate invalid SAN
+  assert:
+    that:
+      - generate_csr_invalid_san is failed
+      - "'Subject Alternative Name' in generate_csr_invalid_san.msg"
+
 - name: Validate OCSP Must Staple CSR (test - everything)
   shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
   register: csr_ocsp
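Review bot: The new assert checks only the failure flag and the message text; it does not confirm that the failed run left no CSR at `{{ output_dir }}/csrinvsan.csr`, the path used by the new task in tasks/main.yml. If the module writes the output only after the extensions are built, as the hunk in openssl_csr.py suggests, a `stat` on that path before the assert would pin that a rejected SAN never produces a partial or stale CSR file. The substring match on `'Subject Alternative Name'` would also accept any other SAN failure, so the test does not distinguish the new missing-prefix path from other errors; that is acceptable here but worth a one-line comment on the assert.
```yaml
- name: Check that no CSR was written for the invalid SAN
  stat:
    path: '{{ output_dir }}/csrinvsan.csr'
  register: csr_invalid_san_stat

- name: Validate invalid SAN
  assert:
    that:
      - generate_csr_invalid_san is failed
      - "'Subject Alternative Name' in generate_csr_invalid_san.msg"
      - not csr_invalid_san_stat.stat.exists
```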