
openssl_csr extendedKeyUsage should support custom oid #39

Closed
rmja opened this issue Apr 29, 2020 · 7 comments · Fixed by #91

Comments

@rmja

rmja commented Apr 29, 2020

SUMMARY

The openssl_csr module should support custom OIDs for extendedKeyUsage, for example:

      openssl_csr:
        ...
        # 1.3.6.1.5.5.8.2.2 = iKEIntermediate, see http://oid-info.com/get/1.3.6.1.5.5.8.2.2
        extended_key_usage:
          - serverAuth
          - "1.3.6.1.5.5.8.2.2"
        ...

Applying this file currently returns:

  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 1088, in main
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 541, in generate
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 783, in _generate_csr
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 783, in <listcomp>
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/module_utils/crypto.py", line 1753, in cryptography_name_to_oid
    raise OpenSSLObjectError('Cannot find OID for "{0}"'.format(name))

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

The cryptography_name_to_oid should probably determine if the name passed in is already an OID, and return the input if it was not found in the lookup table. There is also the inverse function, which should simply return the OID if no name is found.

(this issue is migrated from ansible/ansible#69232)

@MarkusTeufelberger
Contributor

Maybe we could circumvent the lookup if a value is prefixed with OID: and hope that OpenSSL never gets the idea of prefixing one of their names that way?

Kinda like this:

  openssl_csr:
    ...
    # 1.3.6.1.5.5.8.2.2 = iKEIntermediate, see http://oid-info.com/get/1.3.6.1.5.5.8.2.2
    extended_key_usage:
      - serverAuth
      - "OID:1.3.6.1.5.5.8.2.2"
    ...

In this case however cryptography seems to insist on https://cryptography.io/en/latest/x509/reference/#cryptography.x509.oid.ExtendedKeyUsageOID for example - is this even really a valid OID in this context?

@rmja
Author

rmja commented Apr 29, 2020

The prefix breaks parity with openssl where it is simply specified with the dotted notation. How about a simple regex test before the lookup?

@MarkusTeufelberger
Contributor

Do you have an example for such a simple regex in mind?

@rmja
Author

rmja commented Apr 29, 2020 via email

@rmja
Author

rmja commented Apr 29, 2020 via email

@felixfontein
Contributor

This should be relatively simple to implement (probably updating cryptography_name_to_oid and maybe also cryptography_oid_to_name accordingly suffices). It doesn't make sense to work on it, though, before #27 has been finished.

@felixfontein
Contributor

PR #91 implements this.
