-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openssl_csr cryptography backend, try II #50894
openssl_csr cryptography backend, try II #50894
Conversation
…sible#50324)"" This reverts commit bbd2e31.
can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION) | ||
|
||
# Decision | ||
if module.params['cipher'] and module.params['passphrase'] and module.params['cipher'] != 'auto': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line seems to be copy-pasted from openssl_privatekey
- but this module here doesn't have these parameters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, I know, I already prepared a commit, but wanted to wait until the first testing round finishes... which took like forever :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those lemurs at shippable sure need to work harder! ;-)
cryptography doesn't seem to like arbitrary strings for |
Feels to me like an issue with something missing at the beginning of SubjectAlternativeNames (see around line 400 in your code how it should be prefixed with "DNS:"). Alternatively you can patch out automatically adding SANs to CSRs (I think there's an open bug about this). |
FAILED SUCCESS (CI image / OpenSSL version / cryptography version) |
The strange thing is that with older, newer and the same versions of both OpenSSL and cryptography, it works fine. |
The bug about automatic SANs is #36690 btw. |
If this new test (which tests arbitrary commonName) fails everywhere where the cryptography backend tests are run, then I'll fix #36690 by adding a option to disable this behavior next ;-) |
All tests pass now (except a sanity one which I'll fix), see here for shippable output. I'll now rebase and remove that commit which forced all tests to run (and include the |
1391d2c
to
d9542e9
Compare
88490df
to
d9542e9
Compare
backend = 'pyopenssl' | ||
|
||
# Success? | ||
if backend == 'auto': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couldn't this just be the else
of lines 985-988?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it could. I would still prefer this not to be an else
, so that the failure code is somewhat separated from the detection code.
Does anyone mind if this gets merged? |
Not me... shipit |
@felixfontein Thanks for the PR Merged into |
@MarkusTeufelberger thanks for reviewing! |
* Revert "Revert "openssl_csr: Allow to use cryptography as backend (ansible#50324)"" This reverts commit bbd2e31. * Remove more complicated selection copy'n'pasted from openssl_privatekey. * Add tests for backend selection. * Add openssl_csr test for arbitrary string commonName. * Allow to disable commonName -> SAN copying (fixes ansible#36690).
SUMMARY
The new cryptography backend for
openssl_csr
(#50324) failed for some integration tests of other modules; see here.This PR is for debugging that issue and fixing it. I've added a test commit (ffb07c6d4a004ad42acb95671834d5823bf392e4) which touches all tests usingopenssl_csr
so that CI should reproduce the failure.This PR also contains a fix (in form of a new feature) for #36690.
CC @mattclay
ISSUE TYPE
COMPONENT NAME
openssl_csr