[stable-1] cryptography support: improve Python 2 Unicode handling (#314

)

* Improve Python 2 Unicode handling. (#313)

(cherry picked from commit eb8dabc)

* Remove test since it doesn't work with pyOpenSSL.

* Completely remove test.

* Update plugins/module_utils/crypto/cryptography_support.py

changelogs/fragments/313-unicode-names.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313)."

plugins/module_utils/crypto/cryptography_support.py

@@ -311,11 +311,11 @@ def _dn_escape_value(value):
     '''
     Escape Distinguished Name's attribute value.
     '''
-    value = value.replace('\\', '\\\\')
-    for ch in [',', '#', '+', '<', '>', ';', '"', '=', '/']:
-        value = value.replace(ch, '\\%s' % ch)
-    if value.startswith(' '):
-        value = r'\ ' + value[1:]
+    value = value.replace(u'\\', u'\\\\')
+    for ch in [u',', u'#', u'+', u'<', u'>', u';', u'"', u'=', u'/']:
+        value = value.replace(ch, u'\\%s' % ch)
+    if value.startswith(u' '):
+        value = u'\\ ' + value[1:]
     return value
 
 
@@ -325,24 +325,24 @@ def cryptography_decode_name(name):
     Raises an OpenSSLObjectError if the name is not supported.
     '''
     if isinstance(name, x509.DNSName):
-        return 'DNS:{0}'.format(name.value)
+        return u'DNS:{0}'.format(name.value)
     if isinstance(name, x509.IPAddress):
         if isinstance(name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
-            return 'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
-        return 'IP:{0}'.format(name.value.compressed)
+            return u'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
+        return u'IP:{0}'.format(name.value.compressed)
     if isinstance(name, x509.RFC822Name):
-        return 'email:{0}'.format(name.value)
+        return u'email:{0}'.format(name.value)
     if isinstance(name, x509.UniformResourceIdentifier):
-        return 'URI:{0}'.format(name.value)
+        return u'URI:{0}'.format(name.value)
     if isinstance(name, x509.DirectoryName):
-        return 'dirName:' + ''.join([
-            '/{0}={1}'.format(cryptography_oid_to_name(attribute.oid, short=True), _dn_escape_value(attribute.value))
+        return u'dirName:' + u''.join([
+            u'/{0}={1}'.format(to_text(cryptography_oid_to_name(attribute.oid, short=True)), _dn_escape_value(attribute.value))
             for attribute in name.value
         ])
     if isinstance(name, x509.RegisteredID):
-        return 'RID:{0}'.format(name.value.dotted_string)
+        return u'RID:{0}'.format(name.value.dotted_string)
     if isinstance(name, x509.OtherName):
-        return 'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
+        return u'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
     raise OpenSSLObjectError('Cannot decode name "{0}"'.format(name))
 
 

tests/integration/targets/x509_certificate_info/tasks/impl.yml

@@ -19,6 +19,13 @@
       - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
       - result.public_key_type == 'RSA'
       - result.public_key_data.size == (default_rsa_key_size_certifiates | int)
+      - "result.subject_alt_name == [
+          'DNS:www.ansible.com',
+          'IP:1.2.3.4',
+          'IP:::1',
+          'email:test@example.org',
+          'URI:https://example.org/test/index.html'
+        ]"
 
 - name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
   assert: