openssl_* module_utils/crypto.py: add full list of OIDs known to current OpenSSL #54943
'0.9.2342.19200300': ('ucl', ), | ||
'0.9.2342.19200300.100': ('pilot', ), | ||
'0.9.2342.19200300.100.1': ('pilotAttributeType', ), | ||
'0.9.2342.19200300.100.1.1': ('userId', 'UID'), |
uid number 1
and...
'0.9.2342.19200300.100.1.41': ('mobileTelephoneNumber', ), | ||
'0.9.2342.19200300.100.1.42': ('pagerTelephoneNumber', ), | ||
'0.9.2342.19200300.100.1.43': ('friendlyCountryName', ), | ||
'0.9.2342.19200300.100.1.44': ('uniqueIdentifier', 'uid'), |
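Review bot: `('userId', 'UID')` on `0.9.2342.19200300.100.1.1` and `('uniqueIdentifier', 'uid')` on `0.9.2342.19200300.100.1.44` share the same name once case is ignored, so any lookup that lower-cases its key can map only one of the two OIDs. If case-insensitive matching is kept, the table needs an explicit rule for which entry wins, documented next to these lines rather than left to iteration order.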
uid number 2. Which one will end up mapping to the OID?
Hmmm. That's unfortunate. I was hoping I can ignore case, to work around the problem that OpenSSL uses userId, while cryptography uses userID (or was it vice versa?). Maybe we should remove the lower() everywhere and manually add the alias userID for userId. What do you think?
Removing lower() (and maybe adding a few mappings by hand) seems like the safer/cleaner option... uid != UID and mail != Mail is already bad enough in OpenSSL's OID mapping...
lib/ansible/module_utils/crypto.py
for name in names[1:]: | ||
_NORMALIZE_NAMES[name] = names[0] | ||
for name in names: | ||
_NORMALIZE_NAMES[name.lower()] = names[0] |
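Review bot: the new `_NORMALIZE_NAMES[name.lower()] = names[0]` assigns unconditionally, so when two OIDs carry names that differ only in case (the thread points at `uid`/`UID` and `mail`/`Mail`) the later entry silently replaces the earlier one and callers get whichever OID happened to be processed last. Either keep the exact-name mapping of the `for name in names[1:]` loop being replaced and add the few case variants by hand, or check for an existing, different target before assigning so a collision fails loudly at import time instead of at lookup time.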
Maybe something along these lines might be useful?
_NORMALIZE_NAMES[name.lower()] = names[0] | |
assert name.lower() not in _NORMALIZE_NAMES or _NORMALIZE_NAMES[name.lower()] == names[0] | |
_NORMALIZE_NAMES[name.lower()] = names[0] |
Ah, those just map the shorter names to the longer ones...
Usually yes. If there aren't collisions, such as uid and UID...
There's also another collision: both 1.3.6.1.7 ('Mail') and 0.9.2342.19200300.100.1.3 ('rfc822Mailbox', 'mail') have the lowercase name mail. Besides these two, there are no more collisions.
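The collision discussed in this thread, as an added Python example that is not code from the Ansible PR: a constructed excerpt of the OID table containing the entries quoted above, the case-folding builder as reviewed (every name lower()-ed and written unconditionally, so the last entry wins), and the case-sensitive builder with hand-maintained aliases that the reviewers favour, which rejects conflicting mappings instead. `OID_NAMES`, `MANUAL_ALIASES`, and the function names are assumptions of the example; it goes slightly beyond the thread by also reporting every overwritten key and by pass-through lookup of unknown names.

```python
# Added example, not code from the Ansible PR: shows why lower()-ing OID
# short names collides and how a collision-checking builder surfaces it.

# Constructed excerpt of the OID -> names table; only the entries quoted in
# the review thread plus commonName are included.
OID_NAMES = {
    '0.9.2342.19200300.100.1.1': ('userId', 'UID'),
    '0.9.2342.19200300.100.1.3': ('rfc822Mailbox', 'mail'),
    '0.9.2342.19200300.100.1.44': ('uniqueIdentifier', 'uid'),
    '1.3.6.1.7': ('Mail',),
    '2.5.4.3': ('commonName', 'CN'),
}

# Hypothetical hand-maintained aliases (assumed name): the thread proposes
# adding userID as an alias for userId instead of folding case everywhere.
MANUAL_ALIASES = {
    'userID': 'userId',
}


def build_case_folded(table):
    """Builder as in the PR under review: every name is lower()-ed and written
    into the map unconditionally, so the last OID processed wins.

    Returns (normalize_map, collisions); collisions lists every
    (key, earlier_target, later_target) triple that was silently overwritten.
    """
    normalize = {}
    collisions = []
    for names in table.values():
        for name in names:
            key = name.lower()
            if key in normalize and normalize[key] != names[0]:
                collisions.append((key, normalize[key], names[0]))
            normalize[key] = names[0]
    return normalize, collisions


def build_case_sensitive(table, aliases):
    """Builder the reviewers lean towards: exact names only, plus explicit
    aliases. Any conflicting mapping raises ValueError instead of being
    resolved by iteration order.
    """
    normalize = {}
    for names in table.values():
        for name in names:
            if normalize.get(name, names[0]) != names[0]:
                raise ValueError('%r maps to both %r and %r'
                                 % (name, normalize[name], names[0]))
            normalize[name] = names[0]
    for alias, canonical in aliases.items():
        if canonical not in normalize:
            raise ValueError('alias %r points at unknown name %r'
                             % (alias, canonical))
        target = normalize[canonical]
        if normalize.get(alias, target) != target:
            raise ValueError('alias %r conflicts with an existing name' % alias)
        normalize[alias] = target
    return normalize


def has_conflict(table, aliases):
    """True if build_case_sensitive() would reject this table/alias pair."""
    try:
        build_case_sensitive(table, aliases)
    except ValueError:
        return True
    return False


def lookup(normalize, name, fold_case=False):
    """Resolve a short name to its canonical long name; unknown names pass through."""
    key = name.lower() if fold_case else name
    return normalize.get(key, name)


if __name__ == '__main__':
    folded, collisions = build_case_folded(OID_NAMES)
    print('silently overwritten keys:', collisions)
    # UID (an alias of userId) now resolves to uniqueIdentifier, because the
    # .44 entry was processed after the .1 entry.
    print('UID ->', lookup(folded, 'UID', fold_case=True))
    exact = build_case_sensitive(OID_NAMES, MANUAL_ALIASES)
    for n in ('UID', 'uid', 'mail', 'Mail', 'userID'):
        print('%s -> %s' % (n, lookup(exact, n)))
```

Running the module prints the two overwritten keys (`uid` and `mail`) for the folded builder, while the case-sensitive builder keeps `UID` and `uid` pointing at their own OIDs and still accepts the `userID` spelling through the explicit alias.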
@@ -27,7 +27,7 @@ | |||
GN: First Name | |||
title: Chief | |||
pseudonym: test | |||
UID: asdf | |||
x500UniqueIdentifier: asdf |
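Review bot: swapping the fixture's `UID: asdf` for `x500UniqueIdentifier: asdf` removes the only test input that exercises the `UID` short name, which is exactly the name involved in the case-folding collision raised on the `_NORMALIZE_NAMES` change. Keep (or add back) a `UID` entry so the test fails if that mapping regresses, or state in the commit why the fixture had to change.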
That would have been a "UserID" (OID 0.9.2342.19200300.100.1.1) before - I guess this change is intentional?
It was, though I'm not sure whether it is still necessary (or whether that problem was caused by lowercasing). I'll add a commit to revert this, let's see what happens.
Looks like it isn't necessary anymore. I've removed the same change from #54921.
Looks great! shipit
The
Red Hat legal have suggested two changes.
ready_for_review
@MarkusTeufelberger can you take another look? The only things I changed are the copyright notice (according to RedHat legal team wishes) and I rebased and applied the same changes needed for
🚢 it / shipit
YMMD :D
Red Hat legal have given this a +1, so merging
@MarkusTeufelberger thanks for reviewing!
SUMMARY
Adds a full list of OIDs known to OpenSSL. Created from https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt by https://gist.github.com/felixfontein/376748017ad65ead093d56a45a5bf376
This is a large piece, over 1050 lines, but then at least we can serve the same names for all items listed independently of the concrete OpenSSL library used by the module.
I hope I've attributed this part correctly. While the numbers and names in this collection are kind of public, the collection itself should be copyrightable.
ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/crypto.py