Add asn1_base64 option. (#592)

2023-04-16 13:34:45 +02:00 · 2023-04-16 13:34:45 +02:00 · 30756b12ea
parent ec354a8a91
commit 30756b12ea
3 changed files with 33 additions and 4 deletions
--- a/changelogs/fragments/592-get_certificate-base64.yml
+++ b/changelogs/fragments/592-get_certificate-base64.yml
@ -0,0 +1,2 @@
 minor_changes:
  - "get_certificate - add ``asn1_base64`` option to control whether the ASN.1 included in the ``extensions`` return value is binary data or Base64 encoded (https://github.com/ansible-collections/community.crypto/pull/592)."
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@ -91,6 +91,15 @@ options:
      type: list
      elements: str
      version_added: 2.11.0
    asn1_base64:
      description:
        - Whether to encode the ASN.1 values in the C(extensions) return value with Base64 or not.
        - The documentation claimed for a long time that the values are Base64 encoded, but they
          never were. For compatibility this option is set to C(false), but that value will eventually
          be deprecated and changed to C(true).
      type: bool
      default: false
      version_added: 2.12.0
 notes:
    - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
@ -123,7 +132,12 @@ extensions:
            returned: success
            type: str
            description:
-              - The Base64 encoded ASN.1 content of the extension.
+              - The ASN.1 content of the extension.
              - If I(asn1_base64=true) this will be Base64 encoded, otherwise the raw
                binary value will be returned.
              - Please note that the raw binary value might not survive JSON serialization
                to the Ansible controller, and also might cause failures when displaying it.
                See U(https://github.com/ansible/ansible/issues/80258) for more information.
              - B(Note) that depending on the C(cryptography) version used, it is
                not possible to extract the ASN.1 content of the extension, but only
                to provide the re-encoded content of the extension in case it was
@ -258,6 +272,7 @@ def main():
            select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
            starttls=dict(type='str', choices=['mysql']),
            ciphers=dict(type='list', elements='str'),
            asn1_base64=dict(type='bool', default=False),
        ),
    )
@ -270,6 +285,7 @@ def main():
    server_name = module.params.get('server_name')
    start_tls_server_type = module.params.get('starttls')
    ciphers = module.params.get('ciphers')
    asn1_base64 = module.params['asn1_base64']
    backend = module.params.get('select_crypto_backend')
    if backend == 'auto':
@ -366,11 +382,14 @@ def main():
        result['extensions'] = []
        for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items():
            oid = cryptography.x509.oid.ObjectIdentifier(dotted_number)
-            result['extensions'].append({
+            ext = {
                'critical': entry['critical'],
-                'asn1_data': base64.b64decode(entry['value']),
+                'asn1_data': entry['value'],
                'name': cryptography_oid_to_name(oid, short=True),
-            })
+            }
            if not asn1_base64:
                ext['asn1_data'] = base64.b64decode(ext['asn1_data'])
            result['extensions'].append(ext)
        result['issuer'] = {}
        for attribute in x509.issuer:
--- a/tests/integration/targets/get_certificate/tests/validate.yml
+++ b/tests/integration/targets/get_certificate/tests/validate.yml
@ -8,6 +8,7 @@
    host: "{{ httpbin_host }}"
    port: 443
    server_name: "{{ sni_host }}"
    asn1_base64: true
  register: result
 - debug: var=result
@ -25,6 +26,7 @@
    host: "{{ sni_host }}"
    port: 443
    server_name: "{{ httpbin_host }}"
    asn1_base64: true
  register: result
 - debug: var=result
@ -42,6 +44,7 @@
    host: "{{ httpbin_host }}"
    port: 443
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
 - debug: var=result
@ -59,6 +62,7 @@
    host: "{{ httpbin_host }}"
    port: 80
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
  ignore_errors: true
@ -75,6 +79,7 @@
    port: 1234
    timeout: 1
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
  ignore_errors: true
@ -91,6 +96,7 @@
    port: 443
    ca_cert: dn.e
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
  ignore_errors: true
@ -112,6 +118,7 @@
    host: "{{ httpbin_host }}"
    port: 443
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
 - assert:
@ -150,6 +157,7 @@
    host: "{{ httpbin_host }}"
    port: 443
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
  register: result
  ignore_errors: true
		`@ -0,0 +1,2 @@`
							`minor_changes:`
							- "get_certificate - add ``asn1_base64`` option to control whether the ASN.1 included in the ``extensions`` return value is binary data or Base64 encoded (https://github.com/ansible-collections/community.crypto/pull/592)."