From 2a746115cad54708dcc428dfdd1ba2521ac5a009 Mon Sep 17 00:00:00 2001 From: Katze Date: Thu, 17 Nov 2022 11:40:44 +0000 Subject: [PATCH] fix #529 issuer_uri in x509_certificate_info (#530) The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is. Handling is exactly the same since they reside in the same OID space and have the same data type. Tests have also been added based on the integration test certificates. Signed-off-by: benaryorg Signed-off-by: benaryorg --- changelogs/fragments/aia_issuer.yaml | 2 ++ .../crypto/module_backends/certificate_info.py | 16 ++++++++++++++++ plugins/modules/x509_certificate_info.py | 6 ++++++ .../targets/x509_certificate_info/tasks/impl.yml | 2 ++ 4 files changed, 26 insertions(+) create mode 100644 changelogs/fragments/aia_issuer.yaml diff --git a/changelogs/fragments/aia_issuer.yaml b/changelogs/fragments/aia_issuer.yaml new file mode 100644 index 00000000..2909b4df --- /dev/null +++ b/changelogs/fragments/aia_issuer.yaml @@ -0,0 +1,2 @@ +minor_changes: + - x509_certificate_info - adds ``issuer_uri`` field in return value based on Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530). diff --git a/plugins/module_utils/crypto/module_backends/certificate_info.py b/plugins/module_utils/crypto/module_backends/certificate_info.py index f0669913..8c13faaf 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -139,6 +139,10 @@ class CertificateInfoRetrieval(object): def _get_ocsp_uri(self): pass + @abc.abstractmethod + def _get_issuer_uri(self): + pass + def get_info(self, prefer_one_fingerprint=False): result = dict() self.cert = load_certificate(None, content=self.content, backend=self.backend) 
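Review bot: The new abstract `_get_issuer_uri` has no docstring, so the contract a backend must satisfy — which AIA access method to look for, whether one or many values are returned, and what to return when the extension is absent — can only be recovered from the cryptography implementation further down the file. I would put `"""Return the URI of the first caIssuers entry of the Authority Information Access extension, or None if there is none."""` directly under the `def`, matching the behaviour of the implementation this commit adds. The neighbouring `_get_ocsp_uri` shares the gap, but its lines are context here. The enclosing class `CertificateInfoRetrieval` starts before this hunk and continues past it.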
@@ -200,6 +204,7 @@ class CertificateInfoRetrieval(object): result['serial_number'] = self._get_serial_number() result['extensions_by_oid'] = self._get_all_extensions() result['ocsp_uri'] = self._get_ocsp_uri() + result['issuer_uri'] = self._get_issuer_uri() return result @@ -365,6 +370,17 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval): pass return None + def _get_issuer_uri(self): + try: + ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess) + for desc in ext.value: + if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS: + if isinstance(desc.access_location, x509.UniformResourceIdentifier): + return desc.access_location.value + except x509.ExtensionNotFound as dummy: + pass + return None + def get_certificate_info(module, backend, content, prefer_one_fingerprint=False): if backend == 'cryptography': diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py index 5696767b..477124a2 100644 --- a/plugins/modules/x509_certificate_info.py +++ b/plugins/modules/x509_certificate_info.py @@ -378,6 +378,12 @@ ocsp_uri: C(none) if no OCSP responder URI is included. returned: success type: str +issuer_uri: + description: The Issuer URI, if included in the certificate. Will be + C(none) if no issuer URI is included. + returned: success + type: str + version_added: 2.9.0 ''' diff --git a/tests/integration/targets/x509_certificate_info/tasks/impl.yml b/tests/integration/targets/x509_certificate_info/tasks/impl.yml index 54958b12..37ad5ce1 100644 --- a/tests/integration/targets/x509_certificate_info/tasks/impl.yml +++ b/tests/integration/targets/x509_certificate_info/tasks/impl.yml 
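Review bot: The body of the new `_get_issuer_uri` in `CertificateInfoRetrievalCryptography` is the OCSP lookup copied with only the access-method OID swapped — the commit message says as much — so the two methods will drift the next time one of them is fixed; a private helper taking the OID keeps the AIA walk in one place. The helper below also keeps only the extension lookup inside the `try` (the loop cannot raise `ExtensionNotFound`) and drops the unused `as dummy` binding; `_get_ocsp_uri`, whose body sits above this hunk, can then delegate the same way with `AuthorityInformationAccessOID.OCSP` if, as the commit message states, it has the same shape. Behaviour is unchanged: like the OCSP variant this still reports only the first caIssuers entry that is a `UniformResourceIdentifier` and silently skips other GeneralName types such as `directoryName`, which is acceptable as long as the module documentation says "first". The enclosing class starts before this hunk.
```python
    def _get_aia_uri(self, access_method):
        # Return the first URI-typed Authority Information Access entry whose
        # access method is access_method, or None if the extension or entry is absent.
        try:
            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
        except x509.ExtensionNotFound:
            return None
        for desc in ext.value:
            if desc.access_method != access_method:
                continue
            if isinstance(desc.access_location, x509.UniformResourceIdentifier):
                return desc.access_location.value
        return None

    def _get_issuer_uri(self):
        return self._get_aia_uri(x509.oid.AuthorityInformationAccessOID.CA_ISSUERS)
```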
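Review bot: The new `issuer_uri` return documentation does not say that the value is copied verbatim from the certificate's Authority Information Access extension, that only the first caIssuers entry that is a URI is reported, or that the module neither validates nor retrieves it. A certificate passed to this module may itself be untrusted, and the implementation accepts any URI scheme, so a playbook that feeds the string to `get_url` or `uri` to fetch the issuer certificate is fetching attacker-controlled data; the return documentation is the place to warn about that. I would extend the description with `Taken verbatim from the first caIssuers entry of the Authority Information Access extension that is a URI; the module does not validate or retrieve it.` The `ocsp_uri` entry above has the same gap, but its lines are context in this hunk.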
@@ -180,6 +180,8 @@
 that:
 - "'ocsp_uri' in result"
 - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
+ - "'issuer_uri' in result"
+ - "result.issuer_uri == 'http://cert.int-x3.letsencrypt.org/'"
 - result.extensions_by_oid | length == 9
 # Precert Signed Certificate Timestamps
 - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].critical == false
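Review bot: The two added assertions only cover the positive case on the Let's Encrypt certificate; nothing checks that `issuer_uri` is `none` for a certificate with no Authority Information Access extension, or with an AIA that carries only an OCSP entry, which is exactly the path where `_get_issuer_uri` falls through to `return None`. The other certificates in this target (their assertion blocks are outside this hunk) presumably include at least one self-signed or AIA-less one; I would add `- result.issuer_uri is none` to that block, next to whatever the existing `ocsp_uri` check is there. That pins the absent-extension path so a later change to the lookup cannot turn it into an exception unnoticed.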