Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl_* module_utils/crypto.py: add full list of OIDs known to current OpenSSL #54943

Merged
merged 8 commits into from
Apr 10, 2019
Merged

openssl_* module_utils/crypto.py: add full list of OIDs known to current OpenSSL #54943

merged 8 commits into from
Apr 10, 2019

Conversation

felixfontein
Copy link
Contributor

SUMMARY

Adds a full list of OIDs known to OpenSSL. Created from https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt by https://gist.github.com/felixfontein/376748017ad65ead093d56a45a5bf376

This is a large piece over 1050 lines, but then at least we can serve the same names for all items listed independent of the concrete OpenSSL library used by the module.

I hope I've attributed this part correctly. While the numbers and names in this collection are kind of public, the collection itself should be copyrightable.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

lib/ansible/module_utils/crypto.py

@ansibot
Copy link
Contributor

ansibot commented Apr 6, 2019

cc @MarkusTeufelberger @Shaps @Spredzy @Xyon @puiterwijk @resmo
click here for bot help

@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 crypto Crypto community (ACME, openssl, letsencrypt) feature This issue/PR relates to a feature request. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. needs_triage Needs a first human triage before being processed. owner_pr This PR is made by the module's maintainer. support:community This issue/PR relates to code supported by the Ansible community. labels Apr 6, 2019
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. module This issue/PR relates to a module. needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. community_review In order to be merged, this PR must follow the community review workflow. labels Apr 6, 2019
@ansibot ansibot added test This PR relates to tests. community_review In order to be merged, this PR must follow the community review workflow. and removed needs_triage Needs a first human triage before being processed. owner_pr This PR is made by the module's maintainer. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 6, 2019
MarkusTeufelberger
MarkusTeufelberger reviewed Apr 6, 2019
View reviewed changes
lib/ansible/module_utils/crypto.py
'0.9.2342.19200300': ('ucl', ),
'0.9.2342.19200300.100': ('pilot', ),
'0.9.2342.19200300.100.1': ('pilotAttributeType', ),
'0.9.2342.19200300.100.1.1': ('userId', 'UID'),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uid number 1

and...

MarkusTeufelberger
MarkusTeufelberger reviewed Apr 6, 2019
View reviewed changes
lib/ansible/module_utils/crypto.py
'0.9.2342.19200300.100.1.41': ('mobileTelephoneNumber', ),
'0.9.2342.19200300.100.1.42': ('pagerTelephoneNumber', ),
'0.9.2342.19200300.100.1.43': ('friendlyCountryName', ),
'0.9.2342.19200300.100.1.44': ('uniqueIdentifier', 'uid'),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uid number 2. Which one will end up mapping to the OID?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm. That's unfortunate. I was hoping I can ignore case, to work around the problem that OpenSSL uses userId, while cryptography uses userID (or was it vice versa?). Maybe we should remove the lower() everywhere and manually add the alias userID for userId. What do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing lower() (and maybe adding a few mappings by hand) seems like the safer/cleaner option... uid != UID and mail != Mail is already bad enough in OpenSSL's OID mapping...

MarkusTeufelberger
MarkusTeufelberger reviewed Apr 6, 2019
View reviewed changes
lib/ansible/module_utils/crypto.py Outdated
for name in names[1:]:
_NORMALIZE_NAMES[name] = names[0]
for name in names:
_NORMALIZE_NAMES[name.lower()] = names[0]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe something along these lines might be useful?

Suggested change
_NORMALIZE_NAMES[name.lower()] = names[0]
assert name.lower() not in _NORMALIZE_NAMES or _NORMALIZE_NAMES[name.lower()] == names[0]
_NORMALIZE_NAMES[name.lower()] = names[0]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, those just map the shorter names to the longer ones...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually yes. If there aren't collisions, such as uid and UID...

There's also another collision: both 1.3.6.1.7 ('Mail') and 0.9.2342.19200300.100.1.3 ('rfc822Mailbox', 'mail') have the lowercase name mail. Besides these two, there are no more collisions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually yes. If there aren't collisions, such as uid and UID...

There's also another collision: both 1.3.6.1.7 ('Mail') and 0.9.2342.19200300.100.1.3 ('rfc822Mailbox', 'mail') have the lowercase name mail. Besides these two, there are no more collisions.

MarkusTeufelberger
MarkusTeufelberger reviewed Apr 7, 2019
View reviewed changes
test/integration/targets/openssl_certificate_info/tasks/main.yml Outdated
@@ -27,7 +27,7 @@
GN: First Name
title: Chief
pseudonym: test
UID: asdf
x500UniqueIdentifier: asdf
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would have been a "UserID" (OID 0.9.2342.19200300.100.1.1) before - I guess this change is intentional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was, though I'm not sure whether it is still necessary (or whether that problem was caused by lowercasing). I'll add a commit to revert this, let's see what happens.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like it isn't necessary anymore. I've removed the same change from #54921.

@ansibot ansibot added the owner_pr This PR is made by the module's maintainer. label Apr 7, 2019
@MarkusTeufelberger
Copy link
Contributor

Looks great!

shipit

@ansibot ansibot added new_module This PR includes a new module. new_plugin This PR includes a new plugin. and removed needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html owner_pr This PR is made by the module's maintainer. labels Apr 9, 2019
@felixfontein
Copy link
Contributor Author

The new_module / new_plugin is incorrect; I've just rebased to update to current devel, where a new module was recently merged (and which this PR now also modifies; ansible/ansibullbot#1167).

gundalow
gundalow requested changes Apr 9, 2019
View reviewed changes
Copy link
Contributor

@gundalow gundalow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Red Hat legal have suggested two changes.

lib/ansible/module_utils/crypto.py Outdated Show resolved Hide resolved
lib/ansible/module_utils/crypto.py Show resolved Hide resolved
@ansibot ansibot added owner_pr This PR is made by the module's maintainer. and removed new_module This PR includes a new module. labels Apr 9, 2019
@felixfontein
Copy link
Contributor Author

ready_for_review

@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 10, 2019
@felixfontein
Copy link
Contributor Author

@MarkusTeufelberger can you take another look? The only things I changed are the copyright notice (according to RedHat legal team wishes) and I rebased and applied the same changes needed for openssl_certificate_info to openssl_csr_info.

@MarkusTeufelberger
Copy link
Contributor

🚢 it / :shipit:

shipit

@felixfontein
Copy link
Contributor Author

:shipit:

YMMD :D

@ansibot ansibot added shipit This PR is ready to be merged by Core and removed community_review In order to be merged, this PR must follow the community review workflow. labels Apr 10, 2019
@gundalow
Copy link
Contributor

Red Hat legal have given this a +1, so merging

@gundalow gundalow merged commit c411883 into ansible:devel Apr 10, 2019
@felixfontein felixfontein deleted the openssl-oids branch April 10, 2019 11:46
@felixfontein
Copy link
Contributor Author

@MarkusTeufelberger thanks for reviewing!
@gundalow thanks for asking Red Hat legal, and thanks for merging!

@ansible ansible locked and limited conversation to collaborators Jul 25, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@MarkusTeufelberger MarkusTeufelberger MarkusTeufelberger left review comments

@gundalow gundalow gundalow approved these changes

Assignees
No one assigned
Labels
affects_2.8 This issue/PR affects Ansible v2.8 crypto Crypto community (ACME, openssl, letsencrypt) feature This issue/PR relates to a feature request. module This issue/PR relates to a module. new_plugin This PR includes a new plugin. owner_pr This PR is made by the module's maintainer. shipit This PR is ready to be merged by Core support:community This issue/PR relates to code supported by the Ansible community. test This PR relates to tests.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@felixfontein @ansibot @MarkusTeufelberger @gundalow