From e20ce2064111a6b60181e457c737305995a81e1c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 31 Oct 2021 10:14:07 +0100
Subject: [PATCH 1/2] Add warning that ASN.1 encoded extension values returned by some modules might not reflect the exact byte sequence in the source file anymore depending on the cryptography version.
---
 changelogs/fragments/318-extension-value-note.yml | 6 ++++++
 plugins/modules/get_certificate.py | 8 +++++++-
 plugins/modules/openssl_csr_info.py | 8 +++++++-
 plugins/modules/x509_certificate_info.py | 8 +++++++-
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/318-extension-value-note.yml
diff --git a/changelogs/fragments/318-extension-value-note.yml b/changelogs/fragments/318-extension-value-note.yml
new file mode 100644
index 000000000..df3484e92
--- /dev/null
+++ b/changelogs/fragments/318-extension-value-note.yml
@@ -0,0 +1,6 @@
+breaking_changes:
+ - "get_certificate, openssl_csr_info, x509_certificate_info - depending on the ``cryptography`` version used,
+ the modules might not return the ASN.1 value for an extension as contained in the certificate respectively CSR,
+ but a re-encoded version of it. This should usually be identical to the value contained in the source file,
+ unless the value was malformed. For extensions not handled by C(cryptography) always the value contained in
+ the source file is returned (https://github.com/ansible-collections/community.crypto/pull/318)."
diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py
index 2436917ba..fbc6e472a 100644
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@@ -99,7 +99,13 @@
 asn1_data:
 returned: success
 type: str
- description: The Base64 encoded ASN.1 content of the extnesion.
+ description:
+ - The Base64 encoded ASN.1 content of the extension.
+ - B(Note) that depending on the C(cryptography) version used, it is
+ not possible to extract the ASN.1 content of the extension, but only
+ to provide the re-encoded content of the extension in case it was
+ parsed by C(cryptography). This should usually result in exactly the
+ same value, except if the original extension value was malformed.
 name:
 returned: success
 type: str
diff --git a/plugins/modules/openssl_csr_info.py b/plugins/modules/openssl_csr_info.py
index 4f78b476d..8e48f1c47 100644
--- a/plugins/modules/openssl_csr_info.py
+++ b/plugins/modules/openssl_csr_info.py
@@ -103,7 +103,13 @@
 returned: success
 type: bool
 value:
- description: The Base64 encoded value (in DER format) of the extension
+ description:
+ - The Base64 encoded value (in DER format) of the extension
+ - B(Note) that depending on the C(cryptography) version used, it is
+ not possible to extract the ASN.1 content of the extension, but only
+ to provide the re-encoded content of the extension in case it was
+ parsed by C(cryptography). This should usually result in exactly the
+ same value, except if the original extension value was malformed.
 returned: success
 type: str
 sample: "MAMCAQU="
diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py
index ae252df39..a666bb04b 100644
--- a/plugins/modules/x509_certificate_info.py
+++ b/plugins/modules/x509_certificate_info.py
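Review bot: The new note under `asn1_data` (and the identical notes in the openssl_csr_info and x509_certificate_info hunks) leaves out the case the changelog fragment in this same patch spells out: an extension that `cryptography` does not parse is returned exactly as contained in the source file, so a reader of the module docs cannot tell which values may be re-encoded and which are verbatim. Since a re-encoded value can legitimately differ from the on-disk bytes when the original encoding was malformed, the docs should also say that this field is not suitable for byte-exact comparison with the source certificate or CSR. I would add two bullets after the B(Note) item: `- For extensions that C(cryptography) does not parse, the value contained in the source file is always returned unaltered.` and `- Do not rely on this value for a byte-exact comparison with the extension as stored in the source file.` The same two lines apply to the other two module hunks.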
@@ -147,7 +147,13 @@
 returned: success
 type: bool
 value:
- description: The Base64 encoded value (in DER format) of the extension.
+ description:
+ - The Base64 encoded value (in DER format) of the extension.
+ - B(Note) that depending on the C(cryptography) version used, it is
+ not possible to extract the ASN.1 content of the extension, but only
+ to provide the re-encoded content of the extension in case it was
+ parsed by C(cryptography). This should usually result in exactly the
+ same value, except if the original extension value was malformed.
 returned: success
 type: str
 sample: "MAMCAQU="
From d8f97a78e68770ebbda9972dc3732a70d494c9aa Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 31 Oct 2021 14:15:12 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Ajpantuso
---
 changelogs/fragments/318-extension-value-note.yml | 4 ++--
 plugins/modules/openssl_csr_info.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/changelogs/fragments/318-extension-value-note.yml b/changelogs/fragments/318-extension-value-note.yml
index df3484e92..11ab62037 100644
--- a/changelogs/fragments/318-extension-value-note.yml
+++ b/changelogs/fragments/318-extension-value-note.yml
@@ -2,5 +2,5 @@ breaking_changes:
 - "get_certificate, openssl_csr_info, x509_certificate_info - depending on the ``cryptography`` version used,
 the modules might not return the ASN.1 value for an extension as contained in the certificate respectively CSR,
 but a re-encoded version of it. This should usually be identical to the value contained in the source file,
- unless the value was malformed. For extensions not handled by C(cryptography) always the value contained in
- the source file is returned (https://github.com/ansible-collections/community.crypto/pull/318)."
+ unless the value was malformed. For extensions not handled by C(cryptography) the value contained in
+ the source file is always returned unaltered (https://github.com/ansible-collections/community.crypto/pull/318)."
diff --git a/plugins/modules/openssl_csr_info.py b/plugins/modules/openssl_csr_info.py
index 8e48f1c47..62527bc5a 100644
--- a/plugins/modules/openssl_csr_info.py
+++ b/plugins/modules/openssl_csr_info.py
@@ -104,7 +104,7 @@
 type: bool
 value:
 description:
- - The Base64 encoded value (in DER format) of the extension
+ - The Base64 encoded value (in DER format) of the extension.
 - B(Note) that depending on the C(cryptography) version used, it is
 not possible to extract the ASN.1 content of the extension, but only
 to provide the re-encoded content of the extension in case it was