wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-05 19:43:22 +02:00
Code Issues Projects Releases Wiki Activity

Fix Jinja2 template syntax error in OpenSSL certificate generation

Browse source 
Removed inline comments from within Jinja2 expressions in the name_constraints_permitted
and name_constraints_excluded fields. Jinja2 doesn't support comments within expressions
using the # character, which was causing template rendering to fail.

Moved explanatory comments outside the Jinja2 expressions to maintain documentation
while fixing the syntax error.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Dan Guido 2025-08-06 18:04:13 -07:00
parent e62b2ea55b
commit 6665384cec
1 changed files with 9 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
roles/strongswan/tasks/openssl.yml
View file

@ -60,22 +60,25 @@
extended_key_usage_critical: true extended_key_usage_critical: true
# Name Constraints: Defense-in-depth security restricting certificate scope to prevent misuse # Name Constraints: Defense-in-depth security restricting certificate scope to prevent misuse
# Limits CA to only issue certificates for this specific VPN deployment's resources # Limits CA to only issue certificates for this specific VPN deployment's resources
# Per-deployment UUID prevents cross-deployment reuse, unique email domain isolates certificate scope
name_constraints_permitted: >- name_constraints_permitted: >-
{{ [ {{ [
subjectAltName_type + ':' + IP_subject_alt_name + ('/255.255.255.255' if subjectAltName_type == 'IP' else ''), subjectAltName_type + ':' + IP_subject_alt_name + ('/255.255.255.255' if subjectAltName_type == 'IP' else ''),
'DNS:' + openssl_constraint_random_id, # Per-deployment UUID prevents cross-deployment reuse 'DNS:' + openssl_constraint_random_id,
'email:' + openssl_constraint_random_id # Unique email domain isolates certificate scope 'email:' + openssl_constraint_random_id
] + ( ] + (
['IP:' + ansible_default_ipv6['address'] + '/128'] if ipv6_support else [] ['IP:' + ansible_default_ipv6['address'] + '/128'] if ipv6_support else []
) }} ) }}
# Block public domains/networks to prevent certificate abuse for impersonation attacks # Block public domains/networks to prevent certificate abuse for impersonation attacks
# Public TLD exclusion, Email domain exclusion, RFC 1918: prevents lateral movement
# IPv6: ULA/link-local/doc ranges or all
name_constraints_excluded: >- name_constraints_excluded: >-
{{ [ {{ [
'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int', # Public TLD exclusion 'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int',
'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int', # Email domain exclusion 'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int',
'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0' # RFC 1918: prevents lateral movement 'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0'
] + ( ] + (
['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0'] # IPv6: ULA/link-local/doc ranges or all ['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0']
) }} ) }}
name_constraints_critical: true name_constraints_critical: true
register: ca_csr register: ca_csr