openssl_csr: improve subject validation (#53198)

* Improve subject field validation. * Add country name idempotency test. * Add failed country name test. * Add changelog. (cherry picked from commit b2e992cecd)
2019-03-07 16:29:35 +01:00 · 2019-03-07 16:29:35 +01:00 · c4748fd011
commit c4748fd011
parent 9135dbd820
4 changed files with 46 additions and 1 deletions
--- a/changelogs/fragments/53198-openssl_csr-subject-validation.yml
+++ b/changelogs/fragments/53198-openssl_csr-subject-validation.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_csr - improve ``subject`` validation."
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@ -374,7 +374,11 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
                if entry[1] is not None:
                    # Workaround for https://github.com/pyca/pyopenssl/issues/165
                    nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
-                    OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+                    if nid == 0:
+                        raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0]))
+                    res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
+                    if res == 0:
+                        raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1]))

            extensions = []
            if self.subjectAltName:
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
@ -156,6 +156,37 @@
        ocsp_must_staple: true
      register: csr_ocsp_idempotency

+    - name: Generate CSR with country name
+      openssl_csr:
+        path: '{{ output_dir }}/csr4.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        country_name: de
+      register: country_idempotent_1
+
+    - name: Generate CSR with country name (idempotent)
+      openssl_csr:
+        path: '{{ output_dir }}/csr4.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        country_name: de
+      register: country_idempotent_2
+
+    - name: Generate CSR with country name (idempotent 2)
+      openssl_csr:
+        path: '{{ output_dir }}/csr4.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          C: de
+      register: country_idempotent_3
+
+    - name: Generate CSR with country name (bad country name)
+      openssl_csr:
+        path: '{{ output_dir }}/csr4.csr'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        subject:
+          C: dex
+      register: country_fail_4
+      ignore_errors: yes
+
    - import_tasks: ../tests/validate.yml

  when: pyopenssl_version.stdout is version('0.15', '>=')
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@ -73,3 +73,11 @@
  assert:
    that:
      - csr_ocsp_idempotency is not changed
+
+- name: Validate country name idempotency and validation
+  assert:
+    that:
+      - country_idempotent_1 is changed
+      - country_idempotent_2 is not changed
+      - country_idempotent_3 is not changed
+      - country_fail_4 is failed