Decode IDNA in _compress_entry() to avoid comparison screw-ups.

ansible-collections · Apr 18, 2022 · 7c8c79a · 7c8c79a
1 parent 2a11d6c
commit 7c8c79a
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
@@ -600,11 +600,20 @@ def remove(self):
  super(CRL, self).remove(self.module)
 
  def _compress_entry(self, entry):
+ issuer = None
+ if entry['issuer'] is not None:
+ # Normalize to IDNA. If this is used-provided, it was already converted to
+ # IDNA (by cryptography_get_name) and thus the `idna` library is present.
+ # If this is coming from cryptography and isn't already in IDNA (i.e. ascii),
+ # cryptography < 2.1 must be in use, which depends on `idna`. So this should
+ # not require `idna` except if it was already used by code earlier during
+ # this invocation.
+ issuer = tuple(cryptography_decode_name(issuer, idn_rewrite='idna') for issuer in entry['issuer'])
  if self.ignore_timestamps:
  # Throw out revocation_date
  return (
  entry['serial_number'],
- tuple(entry['issuer']) if entry['issuer'] is not None else None,
+ issuer,
  entry['issuer_critical'],
  entry['reason'],
  entry['reason_critical'],
@@ -615,7 +624,7 @@ def _compress_entry(self, entry):
  return (
  entry['serial_number'],
  entry['revocation_date'],
- tuple(entry['issuer']) if entry['issuer'] is not None else None,
+ issuer,
  entry['issuer_critical'],
  entry['reason'],
  entry['reason_critical'],