Return certificate fingerprints from x509_certificate_info (#121)

* Return certificate fingerprints from x509_certificate_info.

* Update plugins/modules/x509_certificate_info.py

Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>

Co-authored-by: MarkusTeufelberger <mteufelberger@mgit.at>

changelogs/fragments/121-x509_certificate_info-fingerprints.yml

@@ -0,0 +1,2 @@
+minor_changes:
+- "x509_certificate_info - add ``fingerprints`` return value which returns certificate fingerprints (https://github.com/ansible-collections/community.crypto/pull/121)."

plugins/modules/x509_certificate_info.py

@@ -233,6 +233,15 @@ public_key_fingerprints:
     type: dict
     sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
               'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+fingerprints:
+    description:
+        - Fingerprints of the DER-encoded form of the whole certificate.
+        - For every hash algorithm available, the fingerprint is computed.
+    returned: success
+    type: dict
+    sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
+              'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+    version_added: 1.2.0
 signature_algorithm:
     description: The signature algorithm used to sign the certificate.
     returned: success
@@ -401,6 +410,10 @@ class CertificateInfo(OpenSSLObject):
         # Empty method because OpenSSLObject wants this
         pass
 
+    @abc.abstractmethod
+    def _get_der_bytes(self):
+        pass
+
     @abc.abstractmethod
     def _get_signature_algorithm(self):
         pass
@@ -506,6 +519,8 @@ class CertificateInfo(OpenSSLObject):
         pk = self._get_public_key(binary=True)
         result['public_key_fingerprints'] = get_fingerprint_of_bytes(pk) if pk is not None else dict()
 
+        result['fingerprints'] = get_fingerprint_of_bytes(self._get_der_bytes())
+
         if self.backend != 'pyopenssl':
             ski = self._get_subject_key_identifier()
             if ski is not None:
@@ -533,6 +548,9 @@ class CertificateInfoCryptography(CertificateInfo):
     def __init__(self, module):
         super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
 
+    def _get_der_bytes(self):
+        return self.cert.public_bytes(serialization.Encoding.DER)
+
     def _get_signature_algorithm(self):
         return cryptography_oid_to_name(self.cert.signature_algorithm_oid)
 
@@ -689,6 +707,9 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
     def __init__(self, module):
         super(CertificateInfoPyOpenSSL, self).__init__(module, 'pyopenssl')
 
+    def _get_der_bytes(self):
+        return crypto.dump_certificate(crypto.FILETYPE_ASN1, self.cert)
+
     def _get_signature_algorithm(self):
         return to_text(self.cert.get_signature_algorithm())
 

tests/integration/targets/x509_certificate_info/tasks/impl.yml

@@ -114,6 +114,11 @@
     that:
       - "'ocsp_uri' in result"
       - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
+- name: Check fingerprints
+  assert:
+    that:
+      - (result.fingerprints.sha256 == '57:7c:f1:f5:dd:cc:6e:e9:f3:17:28:73:17:e4:25:c7:69:74:3e:f7:9a:df:58:20:7a:5a:e4:aa:de:bf:24:5b' if result.fingerprints.sha256 is defined else true)
+      - (result.fingerprints.sha1 == 'b7:79:64:f4:2b:e0:ae:45:74:d4:f3:08:f6:53:cb:39:26:fa:52:6b' if result.fingerprints.sha1 is defined else true)
 
 - name: Update result list
   set_fact: