From 7d0e5e814e9a361a107338fae28316851e4f0379 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 13 Oct 2020 10:41:09 +0200
Subject: [PATCH] Return certificate fingerprints from x509_certificate_info (#121)

* Return certificate fingerprints from x509_certificate_info.

* Update plugins/modules/x509_certificate_info.py

Co-authored-by: MarkusTeufelberger
Co-authored-by: MarkusTeufelberger
---
 ...121-x509_certificate_info-fingerprints.yml |  2 ++
 plugins/modules/x509_certificate_info.py      | 21 +++++++++++++++++++
 .../x509_certificate_info/tasks/impl.yml      |  5 +++++
 3 files changed, 28 insertions(+)
 create mode 100644 changelogs/fragments/121-x509_certificate_info-fingerprints.yml

diff --git a/changelogs/fragments/121-x509_certificate_info-fingerprints.yml b/changelogs/fragments/121-x509_certificate_info-fingerprints.yml
new file mode 100644
index 00000000..3f03a2e7
--- /dev/null
+++ b/changelogs/fragments/121-x509_certificate_info-fingerprints.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- "x509_certificate_info - add ``fingerprints`` return value which returns certificate fingerprints (https://github.com/ansible-collections/community.crypto/pull/121)."
diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py
index 1c7806ad..9f14e339
--- a/plugins/modules/x509_certificate_info.py
+++ b/plugins/modules/x509_certificate_info.py
@@ -233,6 +233,15 @@ public_key_fingerprints:
     type: dict
     sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
               'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+fingerprints:
+    description:
+        - Fingerprints of the DER-encoded form of the whole certificate.
+        - For every hash algorithm available, the fingerprint is computed.
+    returned: success
+    type: dict
+    sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
+              'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+    version_added: 1.2.0
 signature_algorithm:
     description: The signature algorithm used to sign the certificate.
     returned: success
@@ -401,6 +410,10 @@ class CertificateInfo(OpenSSLObject):
         # Empty method because OpenSSLObject wants this
         pass
 
+    @abc.abstractmethod
+    def _get_der_bytes(self):
+        pass
+
     @abc.abstractmethod
     def _get_signature_algorithm(self):
         pass
@@ -506,6 +519,8 @@ class CertificateInfo(OpenSSLObject):
         pk = self._get_public_key(binary=True)
         result['public_key_fingerprints'] = get_fingerprint_of_bytes(pk) if pk is not None else dict()
 
+        result['fingerprints'] = get_fingerprint_of_bytes(self._get_der_bytes())
+
         if self.backend != 'pyopenssl':
             ski = self._get_subject_key_identifier()
             if ski is not None:
@@ -533,6 +548,9 @@ class CertificateInfoCryptography(CertificateInfo):
     def __init__(self, module):
         super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
 
+    def _get_der_bytes(self):
+        return self.cert.public_bytes(serialization.Encoding.DER)
+
     def _get_signature_algorithm(self):
         return cryptography_oid_to_name(self.cert.signature_algorithm_oid)
 
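Review bot: The new `fingerprints` return-value description states that a fingerprint is computed "for every hash algorithm available" but gives no guidance on which of them are safe to rely on; since the integration test in this commit checks a `sha1` key, at least one collision-prone digest is exposed, and operators will end up pinning or comparing certificates on it. I would add a third bullet to the description: `- Only SHA-2 or stronger fingerprints (for example C(sha256)) should be used to identify or pin a certificate; C(md5) and C(sha1) are reported only for comparison with tooling that still prints them and are not collision resistant.` The same caveat applies to the neighbouring `public_key_fingerprints` entry, but that text is not part of this change. It may also be worth saying that the digest is taken over the certificate as serialized by the backend rather than over the bytes read from disk, so it matches `openssl x509 -fingerprint` on the original file only when that file is strict DER (or PEM wrapping strict DER) — I cannot confirm from this diff whether either backend preserves the input encoding.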
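Review bot: `_get_der_bytes` is added to the abstract base without a docstring, so a backend author has to guess whether it must return the input bytes verbatim or may re-encode, and whether `None` is an acceptable return — both matter because the value is hashed straight into a user-visible fingerprint. I would give it a one-line docstring such as `"""Return the DER encoding of the whole certificate as bytes; never None."""`, since unlike `_get_public_key` the caller in this commit applies no `is not None` guard. The enclosing class `CertificateInfo` starts and ends outside this hunk.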
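Review bot: The new `result['fingerprints']` line passes `self._get_der_bytes()` directly to `get_fingerprint_of_bytes`, while the line just above guards `pk is not None` before hashing; that is fine for the two backends in this commit (`public_bytes` and `dump_certificate` both return bytes), but the asymmetry invites a future backend to return `None` and crash the module. A short comment would make the contract explicit: `# DER of the whole certificate; every backend must return bytes here, so no None guard`. The enclosing method starts and ends outside this hunk.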
@@ -689,6 +707,9 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
     def __init__(self, module):
         super(CertificateInfoPyOpenSSL, self).__init__(module, 'pyopenssl')
 
+    def _get_der_bytes(self):
+        return crypto.dump_certificate(crypto.FILETYPE_ASN1, self.cert)
+
     def _get_signature_algorithm(self):
         return to_text(self.cert.get_signature_algorithm())
 
diff --git a/tests/integration/targets/x509_certificate_info/tasks/impl.yml b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
index 91804288..91838bd4
--- a/tests/integration/targets/x509_certificate_info/tasks/impl.yml
+++ b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
@@ -114,6 +114,11 @@
       that:
         - "'ocsp_uri' in result"
         - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
+- name: Check fingerprints
+  assert:
+    that:
+      - (result.fingerprints.sha256 == '57:7c:f1:f5:dd:cc:6e:e9:f3:17:28:73:17:e4:25:c7:69:74:3e:f7:9a:df:58:20:7a:5a:e4:aa:de:bf:24:5b' if result.fingerprints.sha256 is defined else true)
+      - (result.fingerprints.sha1 == 'b7:79:64:f4:2b:e0:ae:45:74:d4:f3:08:f6:53:cb:39:26:fa:52:6b' if result.fingerprints.sha1 is defined else true)
 - name: Update result list
   set_fact:
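Review bot: The pyOpenSSL `_get_der_bytes` has no comment tying it to the cryptography implementation, yet the integration test later in this diff pins a single sha1/sha256 value without any backend condition, so the two implementations are implicitly required to produce byte-identical DER for the same input. I would record that requirement here, e.g. `# Must yield the same DER as CertificateInfoCryptography._get_der_bytes: fingerprints are compared against fixed values.`, so that nobody later swaps in a re-encoding path on one backend only. The enclosing class `CertificateInfoPyOpenSSL` starts and ends outside this hunk.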