openssl_csr: improve invalid SAN error messages (#53201)

* Improve invalid SAN error messages.

* Add changelog.

(cherry picked from commit 628326b879)
This commit is contained in:
Felix Fontein 2019-03-05 17:07:07 +01:00 committed by Toshio Kuratomi
parent 3d351c5367
commit 3eccd83891
4 changed files with 24 additions and 1 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_csr - improve error messages for invalid SANs."


@ -378,7 +378,14 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
extensions = [] extensions = []
if self.subjectAltName: if self.subjectAltName:
altnames = ', '.join(self.subjectAltName) altnames = ', '.join(self.subjectAltName)
try:
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
except OpenSSL.crypto.Error as e:
raise CertificateSigningRequestError(
'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
)
)
if self.keyUsage: if self.keyUsage:
usages = ', '.join(self.keyUsage) usages = ', '.join(self.keyUsage)
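Review bot: The new `try` also wraps `altnames.encode('ascii')`, but the `except` only catches `OpenSSL.crypto.Error`, so a SAN entry containing a non-ASCII character (an IDN that was not punycoded, for instance) still escapes as a bare `UnicodeEncodeError` without the new hint; widening the clause to `except (OpenSSL.crypto.Error, UnicodeEncodeError) as e:` keeps the message consistent for that input. Two smaller points on the same lines: the extension is built via `crypto.X509Extension` while the error is caught as `OpenSSL.crypto.Error`, which only works if the module binds both names — `crypto.Error` would match the call on the line above and remove that dependency — and the `', '.join(["{0}".format(san) for san in self.subjectAltName])` in the message rebuilds exactly the string already held in `altnames`, so `altnames` can be passed to `format` directly. The enclosing method starts before this hunk, so any earlier validation of the SAN list is not visible here.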


@ -133,6 +133,14 @@
privatekey_path: '{{ output_dir }}/privatekey.pem' privatekey_path: '{{ output_dir }}/privatekey.pem'
commonName: www.ansible.com commonName: www.ansible.com
- name: Generate CSR with invalid SAN
openssl_csr:
path: '{{ output_dir }}/csrinvsan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
register: generate_csr_invalid_san
ignore_errors: yes
- name: Generate CSR with OCSP Must Staple - name: Generate CSR with OCSP Must Staple
openssl_csr: openssl_csr:
path: '{{ output_dir }}/csr_ocsp.csr' path: '{{ output_dir }}/csr_ocsp.csr'
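Review bot: The negative test only checks that the task fails; it does not check that the rejected run left no `csrinvsan.csr` behind, which is what a caller relies on when a bad SAN list is refused. Adding a `stat` on the path after the failing task and asserting `not csrinvsan_stat.stat.exists` in the validation block would pin that. Whether the module writes anything before the extension is built is not visible in this hunk, so the assertion documents an expectation rather than a confirmed defect.

```yaml
# … unchanged: Generate CSR with invalid SAN task …
- name: Check that no CSR was written for the invalid SAN
  stat:
    path: '{{ output_dir }}/csrinvsan.csr'
  register: csrinvsan_stat
```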


@ -53,6 +53,12 @@
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com' - csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout - csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name: Validate invalid SAN
assert:
that:
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: Validate OCSP Must Staple CSR (test - everything) - name: Validate OCSP Must Staple CSR (test - everything)
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text" shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
register: csr_ocsp register: csr_ocsp
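Review bot: The message assertion in the new `Validate invalid SAN` task only checks the generic phrase `'Subject Alternative Name'`, so it would still pass if the offending value and the type-prefix hint were dropped from the message. Since the point of the change is that the message names the bad entry and suggests the missing prefix, adding `- "'invalid-san.example.com' in generate_csr_invalid_san.msg"` and `- "'DNS:' in generate_csr_invalid_san.msg"` pins the behaviour the changelog entry describes.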