-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using umlauts in the CSR subject break idempotency #270
Comments
Hmm, this seems like a broader issue with the current approach to comparing Subject attributes. In this particular case the issue can be addressed by applying From RFC 5280
However I think there are more transformations that should be applied for comparison. |
I was only able to replicate this with the cryptography backend and Python 2.7. For PyOpenSSL or Python 3, this doesn't seem to be a problem. The main issue here is that unicode strings are compared with byte strings in this specific case. In Python 3, all strings involved are unicode strings, and the PyOpenSSL code converts everything to byte strings before comparing (at least for the subject). @Ajpantuso I don't think normalization is the problem here, and in fact one can argue that it shouldn't be, since the module's job is not necessarily to do normalization, but to put into the CSR what the user provides. (Though I guess one could provide (an) option(s) to allow to configure this behavior, both for processing input and for normalizing for comparisons.) |
Ah, that makes sense. My concern was that Unicode was being normalized by OpenSSL so user input would lose idempotency over multiple runs in which case normalization during comparison would help. Not sure if the trick of filtering the option value through |
I would expect OpenSSL to simply ignore this issue (especially when used as a library). If OpenSSL would do normalization itself that's not required by the RFCs, this would make it impossible to do certain (valid) things with it. Also as you mentioned, Unicode is complicated, so trying to handle normalization on such a low level is a recipie for disaster ;-) (Same for PyOpenSSL and cryptography, they should rather avoid that matter and leave it to the application level.) In any case, I don't think |
I created #271 to fix this issue. (It also comes with some tests :) ) |
Thank you very much for the fast feedback and already creating a PR. I will be able to check if this works for my use case on monday. :) |
The PR works as intended. :) When might this change be released through Ansible Galaxy? |
I'll create a 1.9.3 release later today. |
I have issues using umlauts in a CSR.
Example:
Leads to the following message when running the play for the FIRST time:
Leads to the following message when running the play for the SECOND or THIRD time:
After this the CSR file has the same content but the last modified timestamp has changed.
This issue seems to be encoding related. When I encode the string "Baden-Württemberg" as "Baden-W\xC3\xBCrttemberg" in my play it works as intended.
The text was updated successfully, but these errors were encountered: