Add asn1_base64 option. (#592)

2026-05-07 05:43:06 +00:00 · 2023-04-16 13:34:45 +02:00
parent ec354a8a91
commit 30756b12ea
3 changed files with 33 additions and 4 deletions
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@@ -91,6 +91,15 @@ options:
      type: list
      elements: str
      version_added: 2.11.0
+    asn1_base64:
+      description:
+        - Whether to encode the ASN.1 values in the C(extensions) return value with Base64 or not.
+        - The documentation claimed for a long time that the values are Base64 encoded, but they
+          never were. For compatibility this option is set to C(false), but that value will eventually
+          be deprecated and changed to C(true).
+      type: bool
+      default: false
+      version_added: 2.12.0

 notes:
    - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
@@ -123,7 +132,12 @@ extensions:
            returned: success
            type: str
            description:
-              - The Base64 encoded ASN.1 content of the extension.
+              - The ASN.1 content of the extension.
+              - If I(asn1_base64=true) this will be Base64 encoded, otherwise the raw
+                binary value will be returned.
+              - Please note that the raw binary value might not survive JSON serialization
+                to the Ansible controller, and also might cause failures when displaying it.
+                See U(https://github.com/ansible/ansible/issues/80258) for more information.
              - B(Note) that depending on the C(cryptography) version used, it is
                not possible to extract the ASN.1 content of the extension, but only
                to provide the re-encoded content of the extension in case it was
@@ -258,6 +272,7 @@ def main():
            select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
            starttls=dict(type='str', choices=['mysql']),
            ciphers=dict(type='list', elements='str'),
+            asn1_base64=dict(type='bool', default=False),
        ),
    )

@@ -270,6 +285,7 @@ def main():
    server_name = module.params.get('server_name')
    start_tls_server_type = module.params.get('starttls')
    ciphers = module.params.get('ciphers')
+    asn1_base64 = module.params['asn1_base64']

    backend = module.params.get('select_crypto_backend')
    if backend == 'auto':
@@ -366,11 +382,14 @@ def main():
        result['extensions'] = []
        for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items():
            oid = cryptography.x509.oid.ObjectIdentifier(dotted_number)
-            result['extensions'].append({
+            ext = {
                'critical': entry['critical'],
-                'asn1_data': base64.b64decode(entry['value']),
+                'asn1_data': entry['value'],
                'name': cryptography_oid_to_name(oid, short=True),
-            })
+            }
+            if not asn1_base64:
+                ext['asn1_data'] = base64.b64decode(ext['asn1_data'])
+            result['extensions'].append(ext)

        result['issuer'] = {}
        for attribute in x509.issuer: