ansible-collections · felixfontein · Oct 13, 2020 · Oct 9, 2020 · Oct 10, 2020
diff --git a/changelogs/fragments/121-x509_certificate_info-fingerprints.yml b/changelogs/fragments/121-x509_certificate_info-fingerprints.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- "x509_certificate_info - add ``fingerprints`` return value which returns certificate fingerprints (https:/ansible-collections/community.crypto/pull/121)."
diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py
@@ -233,6 +233,15 @@
  type: dict
  sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
  'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+fingerprints:
+ description:
+ - Fingerprints of the DER-encoded form of the whole certificate.
+ - For every hash algorithm available, the fingerprint is computed.
+ returned: success
+ type: dict
+ sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
+ 'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+ version_added: 1.2.0
 signature_algorithm:
  description: The signature algorithm used to sign the certificate.
  returned: success
@@ -401,6 +410,10 @@ def dump(self):
  # Empty method because OpenSSLObject wants this
  pass
 
+ @abc.abstractmethod
+ def _get_der_bytes(self):
+ pass
+
  @abc.abstractmethod
  def _get_signature_algorithm(self):
  pass
@@ -506,6 +519,8 @@ def get_info(self):
  pk = self._get_public_key(binary=True)
  result['public_key_fingerprints'] = get_fingerprint_of_bytes(pk) if pk is not None else dict()
 
+ result['fingerprints'] = get_fingerprint_of_bytes(self._get_der_bytes())
+
  if self.backend != 'pyopenssl':
  ski = self._get_subject_key_identifier()
  if ski is not None:
@@ -533,6 +548,9 @@ class CertificateInfoCryptography(CertificateInfo):
  def __init__(self, module):
  super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
 
+ def _get_der_bytes(self):
+ return self.cert.public_bytes(serialization.Encoding.DER)
+
  def _get_signature_algorithm(self):
  return cryptography_oid_to_name(self.cert.signature_algorithm_oid)
 
@@ -689,6 +707,9 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
  def __init__(self, module):
  super(CertificateInfoPyOpenSSL, self).__init__(module, 'pyopenssl')
 
+ def _get_der_bytes(self):
+ return crypto.dump_certificate(crypto.FILETYPE_ASN1, self.cert)
+
  def _get_signature_algorithm(self):
  return to_text(self.cert.get_signature_algorithm())
 

diff --git a/tests/integration/targets/x509_certificate_info/tasks/impl.yml b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
@@ -114,6 +114,11 @@
  that:
  - "'ocsp_uri' in result"
  - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
+- name: Check fingerprints
+ assert:
+ that:
+ - (result.fingerprints.sha256 == '57:7c:f1:f5:dd:cc:6e:e9:f3:17:28:73:17:e4:25:c7:69:74:3e:f7:9a:df:58:20:7a:5a:e4:aa:de:bf:24:5b' if result.fingerprints.sha256 is defined else true)
+ - (result.fingerprints.sha1 == 'b7:79:64:f4:2b:e0:ae:45:74:d4:f3:08:f6:53:cb:39:26:fa:52:6b' if result.fingerprints.sha1 is defined else true)
 
 - name: Update result list
  set_fact: