openssl_csr: improve invalid SAN error messages (#53201)
* Improve invalid SAN error messages.
* Add changelog.
(cherry picked from commit 628326b879)
This commit is contained in:
Felix Fontein
Toshio Kuratomi
parent
3d351c5367
commit
3eccd83891
4 changed files with 24 additions and 1 deletions
|
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- "openssl_csr - improve error messages for invalid SANs."
|
||||||
|
|
@ -378,7 +378,14 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
|
||||||
extensions = []
|
extensions = []
|
||||||
if self.subjectAltName:
|
if self.subjectAltName:
|
||||||
altnames = ', '.join(self.subjectAltName)
|
altnames = ', '.join(self.subjectAltName)
|
||||||
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
|
try:
|
||||||
|
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
|
||||||
|
except OpenSSL.crypto.Error as e:
|
||||||
|
raise CertificateSigningRequestError(
|
||||||
|
'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
|
||||||
|
', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
if self.keyUsage:
|
if self.keyUsage:
|
||||||
usages = ', '.join(self.keyUsage)
|
usages = ', '.join(self.keyUsage)
|
||||||
|
|
|
||||||
|
|
@ -133,6 +133,14 @@
|
||||||
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||||
commonName: www.ansible.com
|
commonName: www.ansible.com
|
||||||
|
|
||||||
|
- name: Generate CSR with invalid SAN
|
||||||
|
openssl_csr:
|
||||||
|
path: '{{ output_dir }}/csrinvsan.csr'
|
||||||
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
||||||
|
subject_alt_name: invalid-san.example.com
|
||||||
|
register: generate_csr_invalid_san
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
- name: Generate CSR with OCSP Must Staple
|
- name: Generate CSR with OCSP Must Staple
|
||||||
openssl_csr:
|
openssl_csr:
|
||||||
path: '{{ output_dir }}/csr_ocsp.csr'
|
path: '{{ output_dir }}/csr_ocsp.csr'
|
||||||
|
|
|
||||||
|
|
@ -53,6 +53,12 @@
|
||||||
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
|
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
|
||||||
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout
|
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout
|
||||||
|
|
||||||
|
- name: Validate invalid SAN
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- generate_csr_invalid_san is failed
|
||||||
|
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
|
||||||
|
|
||||||
- name: Validate OCSP Must Staple CSR (test - everything)
|
- name: Validate OCSP Must Staple CSR (test - everything)
|
||||||
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
|
shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
|
||||||
register: csr_ocsp
|
register: csr_ocsp
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue