From c8f13eb88fb55529ab6a0fee44ef1b9719cd128c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 18 Apr 2022 08:17:27 +0200
Subject: [PATCH] Fix crash in x509_crl when certificate issuer is specified (#441)
* Fix x509_crl certificate issuer issue.
* Add tests.
* Add changelog fragment.
(cherry picked from commit 9d03178b003ac3145f0af0c18c21ffca4992305c)
---
.../fragments/441-x509-crl-cert-issuer.yml | 2 ++
plugins/modules/x509_crl.py | 4 +---
.../targets/x509_crl/tasks/impl.yml | 22 +++++++++++++++++++
.../targets/x509_crl/tests/validate.yml | 8 +++++++
4 files changed, 33 insertions(+), 3 deletions(-)
create mode 100644 changelogs/fragments/441-x509-crl-cert-issuer.yml
diff --git a/changelogs/fragments/441-x509-crl-cert-issuer.yml b/changelogs/fragments/441-x509-crl-cert-issuer.yml
new file mode 100644
index 000000000..ce1706d44
--- /dev/null
+++ b/changelogs/fragments/441-x509-crl-cert-issuer.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - "x509_crl - fix crash when ``issuer`` for a revoked certificate is specified (https://github.com/ansible-collections/community.crypto/pull/441)."
diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
index e34a1fd39..c22eb2643 100644
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -664,9 +664,7 @@ def _generate_crl(self):
 revoked_cert = revoked_cert.revocation_date(entry['revocation_date'])
 if entry['issuer'] is not None:
 revoked_cert = revoked_cert.add_extension(
- x509.CertificateIssuer([
- cryptography_get_name(name, 'issuer') for name in entry['issuer']
- ]),
+ x509.CertificateIssuer(entry['issuer']),
 entry['issuer_critical']
 )
 if entry['reason'] is not None:
diff --git a/tests/integration/targets/x509_crl/tasks/impl.yml b/tests/integration/targets/x509_crl/tasks/impl.yml
index 4fa6bbd35..32cf408bc 100644
--- a/tests/integration/targets/x509_crl/tasks/impl.yml
+++ b/tests/integration/targets/x509_crl/tasks/impl.yml
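Review bot: The new `x509.CertificateIssuer(entry['issuer'])` call relies on `entry['issuer']` already holding cryptography `GeneralName` objects, and that conversion is not visible in the hunk — presumably it happens where the revoked_certificates entries are parsed, so the removed comprehension was converting already-converted values; a comment at the call would stop the next reader from re-adding it, e.g. `# entry['issuer'] already holds GeneralName objects (converted when the entry was parsed); do not convert again`. Independently of this fix, RFC 5280 §5.3.3 requires conforming CRL issuers to mark the certificateIssuer entry extension critical, because a relying party that ignores a non-critical copy can attribute the entry to the wrong issuer; if `entry['issuer_critical']` can be false, that is worth documenting on the option or warning about when the CRL is written. `_generate_crl` starts and ends outside the hunk.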
@@ -456,3 +456,25 @@
 path: '{{ remote_tmp_dir }}/ca-crl2.crl'
 list_revoked_certificates: false
 register: crl_2_info_1
+
+- name: Create CRL 3
+ x509_crl:
+ path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+ privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+ issuer:
+ CN: Ansible
+ last_update: +0d
+ next_update: +0d
+ revoked_certificates:
+ - serial_number: 1234
+ revocation_date: 20191001000000Z
+ issuer:
+ - "DNS:ca.example.org"
+ issuer_critical: true
+ register: crl_3
+
+- name: Retrieve CRL 3 infos
+ x509_crl_info:
+ path: '{{ remote_tmp_dir }}/ca-crl3.crl'
+ list_revoked_certificates: true
+ register: crl_3_info
diff --git a/tests/integration/targets/x509_crl/tests/validate.yml b/tests/integration/targets/x509_crl/tests/validate.yml
index b495f26ee..065fd900b 100644
--- a/tests/integration/targets/x509_crl/tests/validate.yml
+++ b/tests/integration/targets/x509_crl/tests/validate.yml
@@ -90,3 +90,11 @@
 assert:
 that:
 - "'revoked_certificates' not in crl_2_info_1"
+
+- name: Validate CRL 3 info
+ assert:
+ that:
+ - crl_3.revoked_certificates == crl_3_info.revoked_certificates
+ - crl_3.revoked_certificates[0].issuer == [
+ "DNS:ca.example.org",
+ ]
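Review bot: The regression case `Create CRL 3` exercises the fix with a single `DNS:` name, while the conversion removed from `_generate_crl` ran over every entry in the list, so adding a second name of another form to the same `issuer` list would be a cheap guard against the crash returning for a code path this test never touches (whether the option accepts other name forms is not visible here). The case also sets `issuer_critical: true` explicitly; a second CRL that omits it would pin the option's default, which the validate test could then assert alongside the issuer value.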