fix #529 issuer_uri in x509_certificate_info (#530)

The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is. Handling is exactly the same since they reside in the same OID space and have the same data type. Tests have also been added based on the integration test certificates. Signed-off-by: benaryorg <binary@benary.org> Signed-off-by: benaryorg <binary@benary.org>
2022-11-17 11:40:44 +00:00 · 2022-11-17 11:40:44 +00:00 · 2a746115ca
parent 37fddc61d8
commit 2a746115ca
4 changed files with 26 additions and 0 deletions
--- a/changelogs/fragments/aia_issuer.yaml
+++ b/changelogs/fragments/aia_issuer.yaml
@ -0,0 +1,2 @@
 minor_changes:
  - x509_certificate_info - adds ``issuer_uri`` field in return value based on Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530).
--- a/plugins/module_utils/crypto/module_backends/certificate_info.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_info.py
@ -139,6 +139,10 @@ class CertificateInfoRetrieval(object):
    def _get_ocsp_uri(self):
        pass
    @abc.abstractmethod
    def _get_issuer_uri(self):
        pass
    def get_info(self, prefer_one_fingerprint=False):
        result = dict()
        self.cert = load_certificate(None, content=self.content, backend=self.backend)
@ -200,6 +204,7 @@ class CertificateInfoRetrieval(object):
        result['serial_number'] = self._get_serial_number()
        result['extensions_by_oid'] = self._get_all_extensions()
        result['ocsp_uri'] = self._get_ocsp_uri()
        result['issuer_uri'] = self._get_issuer_uri()
        return result
@ -365,6 +370,17 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
            pass
        return None
    def _get_issuer_uri(self):
        try:
            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
            for desc in ext.value:
                if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS:
                    if isinstance(desc.access_location, x509.UniformResourceIdentifier):
                        return desc.access_location.value
        except x509.ExtensionNotFound as dummy:
            pass
        return None
 def get_certificate_info(module, backend, content, prefer_one_fingerprint=False):
    if backend == 'cryptography':
--- a/plugins/modules/x509_certificate_info.py
+++ b/plugins/modules/x509_certificate_info.py
@ -378,6 +378,12 @@ ocsp_uri:
                 C(none) if no OCSP responder URI is included.
    returned: success
    type: str
 issuer_uri:
    description: The Issuer URI, if included in the certificate. Will be
                 C(none) if no issuer URI is included.
    returned: success
    type: str
    version_added: 2.9.0
 '''
--- a/tests/integration/targets/x509_certificate_info/tasks/impl.yml
+++ b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
@ -180,6 +180,8 @@
    that:
      - "'ocsp_uri' in result"
      - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
      - "'issuer_uri' in result"
      - "result.issuer_uri == 'http://cert.int-x3.letsencrypt.org/'"
      - result.extensions_by_oid | length == 9
      # Precert Signed Certificate Timestamps
      - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].critical == false
		`@ -0,0 +1,2 @@`
							`minor_changes:`
							- x509_certificate_info - adds ``issuer_uri`` field in return value based on Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530).